Defending at the Speed of AI

There was a time, not very long ago, when an annual pen test, decent firewall, and a folder of policies was a perfectly respectable answer to the question of whether your business was secure.

That time is over!

The attackers automated. The defenders, mostly, didn't. The result is a quiet but widening gap that very few businesses have noticed, and slightly fewer want to talk about.

In the fourth episode of the Arcane Link podcast, host Ruben Clarke sat down with Matt Lovell, co-founder of CloudGuard, to talk about what genuine defence looks like when attacks are happening faster than humans can think.

The full conversation is available on YouTube and all major podcast streaming platforms:

• Spotify

• Apple Podcasts

• Amazon Music

Building the Slow Way On Purpose

CloudGuard wasn't built quickly, and Matt doesn't seem to mind people pointing that out.

He's heard the "you should have grown faster" line plenty of times. His response is essentially that growing faster would have meant skipping the bit where you actually learn from your customers, and skipping that bit is how you end up with the kind of technical debt you spend the next decade apologising for.

You've got to get those foundations right. We can't go back if we scale the business out… we can't then retrospectively solve the problems we've created.

It's the security version of measure twice, cut once. Less catchy on a pitch deck. Considerably more useful in production.

The Demo Is Not the Product

Roughly every security vendor on the market is now AI enabled, which is impressive given how recently AI was something most of them had to Google.

Matt's advice for working out who actually is and who has just rebranded the dashboard is refreshingly low effort. Stop watching demos.

Don't accept the demo, because that's exactly what that's been set up to curate and deliver.

Demos are designed to land. Real environments are designed to break. The better question is not "show me what it can do" but "can it solve the specific problem I'm having, in my environment, right now", and if the response comes back in marketing language, you have your answer.

The Bit That Should Probably Worry You

Here is the uncomfortable part Matt is happy to say out loud. Attackers using AI are currently beating defenders using AI.

Two reasons, both depressingly simple.

The first is speed. Modern malware doesn't sit politely on a vulnerability waiting to be discovered. It morphs as it moves. Attack models can be retrained, diffused and recombined faster than defensive models can be hardened against them.

The second is what happens after they get in.

Once an attacker harvests a set of credentials, the average time before those credentials are weaponised is about fifteen seconds. Which isn't really enough time for anything human to happen, including reading this sentence.

So either your response is automated to match, or the attack has already progressed by the time anyone has noticed.

Where Humans Still Win

The obvious counter to "attackers are using AI" is "we should use AI too", which CloudGuard does, and is on the fifth generation of doing.

But Matt is precise about one thing. AI doesn't get the final say.

AI doesn't understand state or status and consequence and also time, and it can't correlate those two elements together.

Which is the polite way of saying AI is brilliant at speed and volume, and not yet trustworthy on judgement. It can spot the thing. It cannot reliably tell you whether the thing matters, in your specific business, on this specific day.

That is still a human job. The shape of the role is changing, less first responder, more reasoning layer, but humans are not being engineered out. They're being moved up the stack.

There's also a quieter problem. Data poisoning. It turns out you don't need to corrupt much of an AI's training data to nudge its decisions sideways, which is part of why CloudGuard has teamed up with Queen's University Belfast to work on it.

The Tick Box That Isn't a Plan

Matt is genuinely a fan of ISO 27001. He thinks every serious organisation should be implementing it. He just doesn't think the certificate, on its own, makes you safe.

The problem is what most businesses do after they pass. They put the framework in place, schedule the annual pen test, and quietly assume the rest of the year takes care of itself.

It doesn't.

If we are only testing periodically, annually, for example, with a penetration test, then 364 days are going to lapse between it.

364 days is plenty of time for entirely new attack categories to emerge, for last year's controls to drift out of relevance, and for the threat landscape to stop resembling the one you tested against. Certification is the floor, not the ceiling, and most of the work that keeps a business safe happens in between audits, not during them.

The Alert Fatigue Doom Loop

A lot of mid sized businesses try to build their own SOC by gluing enterprise tools together. The intent is admirable. The execution is where it tends to come apart.

The team running the SOC is usually also patching servers, doing the audit, answering tickets, and quietly trying to remember their own name. Then the alerts start arriving. And they don't stop.

If you are highly stressed and stretched and not automating, you are just firefighting in terms of the volumetrics and anything can get through at that point.

That is the trap in one sentence. The busier the team gets, the less time they have to fix the thing that would make them less busy. Attackers, who have known this for years, occasionally use loud noisy attacks as cover for the quiet one happening at the same time.

It is the security version of a magic trick. Look here, while I do something else over there.

The Deepfake Problem, and the Suspiciously Low Tech Fix

Matt has been making deepfakes of himself for about two years now, including a fairly unsettling one that ended up on the BBC. His main complaint about the experience was that the team didn't make the fake version of him a bit better looking.

Joking aside, the technology is moving quickly. Audio is already excellent. Video is catching up. The visual and audio cues we've always used to verify who's on the other end of a call are getting less reliable by the month.

The proper fix, things like data provenance and content authentication, is real but slow. In the meantime, the most effective defence is so simple it feels like cheating.

Safe words.

Matt told a story about a charity dealing with a flood of impersonation calls, mostly aimed at elderly relatives. His advice was to push families to agree on a safe word, ideally something easy to remember. The follow up was telling. The phone, apparently, tends to go dead the moment anyone challenges.

The same trick works in business. Agree a word, a phrase, a question only the real person would know. The attacker is running a script. Step outside the script and the script collapses. Don't be offended when people start doing this to you. They're not being rude. They're managing risk.

The New Frontier Nobody Noticed Yet

The latest twist is one most businesses haven't quite registered. Attackers are now hiding instructions inside emails using white text on a white background. Invisible to a human reader. Perfectly legible to the AI summarisation tool sitting inside the inbox.

You open the email, see nothing odd, glance at the AI summary, and trust it. The AI summary, having dutifully read the hidden instruction, has quietly told you something the actual email did not say.

As Matt put it, with admirable understatement, your CEO is probably not asking you to nip down to the Apple Store and buy a load of iTunes vouchers. But the AI summary might think they are.

The convenience layer we have all rather happily added between ourselves and our inboxes is now being weaponised against us. Sense checking the AI is no longer a nice to have.

Meet Ansel

All of this, the speed gap, the human judgement bottleneck, the alert fatigue, eventually crystallised into Ansel. CloudGuard's autonomous SOC capability and, if Matt's tone is anything to go by, the thing he's most quietly proud of.

The headline number is that Ansel can handle around 18,500 incidents per second, which is roughly 18,500 more than any human analyst is going to manage on a good day.

But Matt is careful about how he frames it. Ansel doesn't replace anyone. It absorbs the volume humans were never going to handle, so the humans can do the bit AI still can't, which is the thinking.

It took six years to build. Matt still describes it as the beginning of the journey, which says something useful about what good security work actually looks like over time.

The Guardian Culture

CloudGuard has 100% customer retention, which is rare in any industry and genuinely unheard of in security.

When asked what comes next, Matt didn't talk about scaling or revenue. He talked about culture, customer outcomes, and the partnerships with universities like Manchester Metropolitan and Queen's Belfast. Which is unusual to hear from the founder of a fast growing security business, and probably explains why nobody leaves.

Key Takeaways from This Conversation

• Foundations Compound: The shortcut you take in year one becomes the technical debt you are still paying down in year five. Build slowly enough to build properly.

• Interrogate the AI, Don't Watch the Demo: If a vendor can't answer specific questions about your specific environment, the technology probably can't either.

• Automate the Volume, Govern the Decision: AI handles speed and scale. Humans handle context and consequence. Neither is optional.

• Certification is the Floor: ISO 27001 is the starting point, not the finish line. The work that keeps you safe happens in the 364 days between audits.

• Safe Words Beat Deepfakes: A simple agreed phrase neutralises a category of attack that no amount of technology has caught up with yet.

• Sense Check the AI Summary: The convenience layer between you and your inbox can be weaponised. Read the original.

Why We Are Doing This?

Arcane Link exists to lift the lid on the human side of security, to have the conversations that normally stay off camera, and to remind people that you are allowed to be pragmatic, curious, and occasionally unsure.

We are not here to scare anyone.

We are here to help businesses understand the why, so the how becomes manageable.

If Episode 004 resonates and you are looking for a consultancy that prefers light touch systems over paperwork marathons, you already know where to find us.

If the gap between your current security setup and what attackers can now do is starting to feel a bit uncomfortable, CloudGuard are well worth a conversation. Automation first, human governed, and built on six years of doing it properly.