Cybersecurity Enters a Proactive Phase as Agentic AI Redefines Defense Strategy

The security industry built its defenses around a simple assumption: tools would detect attacks fast enough for humans to respond. That assumption is breaking down. Autonomous AI can operate for days without human oversight, executing attacks faster than any security operations center can react. By the time an alert fires, the breach has already happened.

Shantanu Bhattacharya has spent 25 years watching these shifts unfold. As the Founder of the Australian cybersecurity consultancy Cyber Cure and a published RSA Conference innovator, Bhattacharya has advised government agencies across multiple countries and built security architecture at enterprise scale for Siemens. He warns that the playbook that worked five years ago is now a liability.

"If a tool raises a red flag, the attacker is already on my device. We now need to be proactive threat hunters, identifying and neutralizing vulnerabilities before an attack executes rather than recovering from one," says Bhattacharya. The catalyst is the leap from generative AI to agentic AI. At AWS re:Invent, Amazon announced that agentic AI systems can run autonomously for extended periods without manual intervention. That capability cuts both ways. Defenders can automate monitoring, but attackers can automate reconnaissance, exploitation, and lateral movement at a pace that overwhelms human response.

• The perimeter is gone: The shift to remote work in 2020 dissolved the traditional network perimeter. Employees accessing corporate systems from home meant the old model of securing office boundaries became irrelevant overnight. "When everybody is working from their homes, the perimeter is not there. So what do you trust? You can't trust anything," Bhattacharya explains. "I can have my device appear with the IP address and MAC address of your laptop and sit in your network as if I were you."

• All about identity: Zero trust has become the default framework, but Bhattacharya argues most implementations don't go far enough. Validating a username and password is insufficient when attackers can steal credentials through phishing. True zero trust requires verifying three elements: user identity, device identity, and software identity. "If I steal your credentials, I still can't use your systems because I don't have your device and software instance," he says.

The technical evolution comes alongside a fundamental shift in how organizations view the CISO role. Boards and executives now face personal liability for data breaches, an accountability that changes the conversation entirely.

• Business translation: Security leaders can no longer speak only in technical terms. "Cybersecurity needs to be explained in business context. If it's not, you're talking about tools, which is not ideal with CXOs," Bhattacharya notes. The ability to connect cyber risks to enterprise risks gives CISOs a seat at the board table.

• Prioritization over perfection: Even trillion-dollar companies cannot fund every security measure. Bhattacharya emphasizes that prioritization based on measurable business impact is the only viable strategy. "Limited budget is true not only for small organizations. It's also true for large organizations. You need a cybersecurity strategy that gives measurable progress," he explains.

Looking ahead, Bhattacharya identifies APIs as the next critical vulnerability. AI tools are becoming adept at discovering API interfaces and either overwhelming them with requests or finding exploitable weaknesses. Waiting for alerts to fire, he concludes, is no longer a viable strategy. "Many business leaders say they won't get attacked, that their competitors will. But once they get attacked, it's too late to implement cybersecurity." The only defense is getting there first.