Think Like an Attacker: AI-Ready CISO Playbook

Most security programs don’t fail because the team is lazy or undertrained. They fail because they defend what’s easy to measure instead of what’s likely to be attacked.

That’s the thread running through Etay Maor’s advice in Dark Reading’s “Heard It From a CISO” series: the defenders who win are the ones who can think like attackers. Maor—chief security strategist at Cato Networks and a professor teaching “Introduction to Hacking” (under a more university-friendly name)—makes a blunt point: checklists create a comforting sense of progress, but attackers aren’t grading you on compliance.

This post is part of our AI in Cybersecurity series, and it takes Maor’s “attacker mindset” and pushes it one step further: AI can simulate attacker behavior at scale—if you operationalize it correctly. Used well, AI doesn’t replace security fundamentals. It stress-tests them.

Thinking like an attacker beats checklist security

Thinking like an attacker means you start with the adversary’s easiest path to impact, not your tooling inventory.

Maor describes teaching nontechnical students to plan operations the way threat actors do: gather open-source intelligence (OSINT), craft social engineering, and chain small weaknesses into a big outcome. That’s the opposite of the “control-by-control” mentality that dominates a lot of governance.

Here’s the practical difference:

• Checklist mindset: “Do we have MFA? Do we have EDR? Do we have security awareness training?”
• Attacker mindset: “Where can I get credentials quickly? Who can I trick? What’s the fastest path from a single click to money or data?”

This matters because modern incidents are rarely one exploit. They’re sequences: reconnaissance → initial access → privilege escalation → lateral movement → exfiltration or extortion. If your program can’t see and interrupt the sequence, you’re defending parts instead of outcomes.

AI’s role: scaling the adversary’s view without becoming the adversary

AI fits naturally here because it’s good at pattern generation, simulation, and prioritization. You can use AI to:

• Enumerate probable attack paths based on asset inventory, exposure, identity posture, and known misconfigurations
• Generate realistic phishing and pretexting variations for internal testing (with strict guardrails)
• Cluster and summarize weak signals across logs into “what an attacker would do next” narratives

A simple rule I’ve found helpful: if a security activity doesn’t change an attacker’s decision-making, it’s probably theater. AI can help you test that ruthlessly.

Where AI helps you model attacker behavior (without guessing)

AI-based threat modeling works best when it’s grounded in your environment’s real data and constrained by real attacker tradecraft.

Maor’s career path—from early fraud and phishing research to leading teams of reverse engineers and pen testers—highlights something many enterprises still miss: threat intelligence and operations need translation, not just collection. You don’t need more feeds; you need fewer, better decisions.

Use AI for “attack path management,” not generic risk scores

A generic risk score sounds scientific and often isn’t actionable. Instead, apply AI to build ranked attack paths:

1. Identify externally reachable services, misconfigurations, and identity exposures
2. Map privileges and trust relationships (especially cloud IAM)
3. Model blast radius: “If this account is compromised, what can it touch?”
4. Rank paths by business impact (revenue systems, regulated data, operational disruption)

The output you want is plain language:

“A contractor account with weak conditional access can reach the finance SaaS admin panel through a shared group. Fix that group and rotate those tokens.”

That sentence is worth more than 20 dashboards.

Use AI to turn OSINT into a measurable control

Maor’s classroom OSINT example—where a student mapped relationships using public Venmo data—lands hard because it’s realistic. Attackers don’t start with your SIEM. They start with your people.

Make OSINT part of your defensive program:

• Track executive and employee exposure across social platforms and code repos
• Detect public breadcrumbs: org charts, tech stack hints, vendor names, travel patterns
• Identify “social graph” risks (who interacts with whom, and who has authority)

AI can help by summarizing what matters and highlighting anomalies—for example, sudden increases in public posts that mention a project codename or vendor rollout.

The point isn’t to police employees. It’s to reduce the free reconnaissance attackers get.

The “hard hat and yellow vest” lesson: AI won’t fix process holes

One of Maor’s most quotable lines is also one of the most operationally useful: “One of the best hacking tools is a hard hat and a yellow vest.”

That’s a reminder that security failures are often human and procedural. AI can strengthen detection, but it can’t compensate for:

• Weak visitor management
• Over-trusting uniforms, badges, or confident behavior
• Inconsistent identity proofing for help desk resets
• Uncontrolled access to network closets, laptops, or printers

Put AI where it actually reduces human error

If you want AI to improve outcomes, attach it to decisions humans routinely get wrong under pressure:

• Help desk: AI-assisted identity verification scripts, risk prompts, and “stop and escalate” triggers
• Email security: AI-driven detection of display-name spoofing, tone mismatch, reply-chain anomalies
• SOC triage: AI summarization that flags probable kill-chain stage and recommends next-best action

A strong AI security operations approach doesn’t just detect. It shapes behavior at the moment of decision.

Building an AI-ready defensive program: 4 moves that work

An attacker mindset is a strategy. To turn it into execution—especially with AI—you need a tight loop: simulate → measure → harden → verify.

1) Replace annual tabletop exercises with monthly “micro-simulations”

Annual exercises are too slow for how attacks evolve. Run monthly, scoped simulations:

• OAuth token theft in a key SaaS app
• Phishing that targets finance approval flows
• Cloud privilege escalation via misconfigured roles
• Vendor access abuse through remote management tools

AI can help draft scenarios and variations, but keep the evaluation human: did the team respond fast, escalate correctly, and cut off the attacker’s path?

2) Treat identity as the primary control plane

Most serious breaches still involve credentials—stolen, reused, guessed, or socially engineered. Make AI assist identity defense:

• Behavioral baselines for high-risk accounts (admins, finance, CI/CD)
• Detection for impossible travel and “new device + new geo + high privilege” combinations
• Automated tightening of conditional access when risk spikes

This is where “thinking like an attacker” is simple: attackers love identities because identities already have permissions.

3) Use AI to reduce alert load, not just classify alerts

If AI is only tagging alerts, you’re underusing it. The real win is collapsing 200 events into one incident narrative:

• What happened first?
• What changed (new token, new admin role, new forwarding rule)?
• What’s the likely next move?
• What containment action has the highest impact?

SOC teams don’t need more labels. They need fewer decisions.

4) Invest in translation: the CISO skill most teams underrate

Maor credits his growth partly to being able to translate complex technical stories into human-readable reports. That skill is underrated, and AI makes it more important—not less.

AI can draft, summarize, and visualize, but you still need a security leader who can say:

“This control reduces the probability of ransomware spreading from one site to all sites. That’s why it’s worth the downtime window.”

If you can’t explain the “why,” the org won’t fund the “how.”

People also ask: does AI make it easier to attack?

Yes—and pretending otherwise wastes time.

Attackers already use AI for:

• Faster phishing content generation
• Better language localization and tone matching
• Automating reconnaissance and target research
• Scaling social engineering attempts across many targets

The defensive response isn’t panic-buying tools. It’s adopting the same core principle Maor teaches: learn how attacks work, then design controls that break the chain.

A practical stance: assume every employee will see at least one AI-written, highly believable phishing attempt per quarter. Build detection and response accordingly.

A better way to get started (for teams and for careers)

Maor’s path into cybersecurity started with curiosity and hands-on experimentation—then formalized into degrees, research, and leadership. He also points out something that aligns with what many security leaders see: you don’t have to be ultra-technical to be valuable in cybersecurity.

For organizations adopting AI in cybersecurity, that’s good news. You need:

• Security engineers and analysts who can validate detections and tune models
• Policy and legal partners who understand incident impact and reporting obligations
• Communications leaders who can manage trust during an incident
• Fraud and risk teams who know attacker incentives

AI improves security programs fastest when the program is multidisciplinary—because attackers already are.

What to do next: turn “attacker mindset” into an AI roadmap

If you’re leading security in 2026 planning season, here’s a concrete next step: pick one critical business workflow and model how it breaks under attack. Finance approvals. Customer support identity resets. CI/CD releases. Remote access for vendors. Then use AI to simulate attacker behavior against that workflow and measure your response.

That’s the AI-in-cybersecurity story that actually produces results: fewer successful intrusions, faster containment, and clearer priorities.

If you’re evaluating AI security tools or building internally, focus your questions on outcomes:

• Can this product show me the most likely attack path to a high-value system?
• Will it reduce response time or just add a new queue?
• Does it produce incident narratives my team will trust?

Attackers don’t care that you’re “maturing.” They care whether they can get in, move, and cash out. Build the program that makes that hard—and use AI where it truly helps.