Applied artificial intelligence is a double-edged sword in cybersecurity: it helps defend, but makes it easier for attackers to bypass protections. A real-world demonstration confirmed that signatures alone are no longer enough, because they can be quickly "repainted." What matters is code behavior and the systems' ability to respond in time.
How the tests were run
In the demonstration, a large battery of tests was run against ransomware and malware masquerading as ransomware. It included five known samples to verify signatures and 406 multi-stage behavioral scenarios. Configured, market-available premium solutions were tested; Defender was among them, and the other names were not disclosed. There was a single goal: to verify whether they can protect the endpoint against a real attack progression.
The result was sobering: no solution was one hundred percent effective. "Penetration" was counted when the attack made it all the way to the final step – infection, data collection, privilege escalation, and file encryption. There was considerable variability across individual cases: from approximately 1% up to 88% penetration, and in another scenario around 32%. In some places signatures failed; elsewhere dozens of behavioral scenarios went through – but a single successful run on the network is enough to cause serious damage.
What this means for practice
Even a small percentage of intrusions is far too much in the context of ransomware. Organizations must increase visibility, continuously tune detection policies, and set up a rapid response to suspicious behavior. A combination of signatures and behavioral monitoring, along with regular testing and configuration adjustments, is essential today. Otherwise even sophisticated tools can miss the mark the moment an attacker decides to "repaint" the code.