“##5 median ransom payment $300,750 -7% from Q4 2025 the 15% increase in average payments to $680,081 highlights the continued success of sophisticated groups targeting large enterprises with data-exfiltration-only incidents. Conversely, the 7% dip in median payments t…”
T1486 Data Encrypted for Impact
91%
“accelerate impact so containment needs coordination and clear executive decision paths. Finally, defense evasion remained a core enabling tactic (52%). A lower rank does not mean it’s less important; it often reflects what can be observed, especially when evasion succeeds. …”
T1486 Data Encrypted for Impact
73%
“apps/connected apps, impossible travel/new geographies and devices, unusual MFA reset or enrollment patterns, and anomalous support activity. Finally, software vulnerability exploitation remains a lower-frequency but high-consequence path and continues an upward drift, pa…”
T1657 Financial Theft
54%
“by mainly data-theft focused actors. In quarters where opportunistic RaaS groups have controlled the highest market share, we see commensurate decreases in median company size. Read more from the frontlines of cyber extortion.”
T1486 Data Encrypted for Impact
52%
“not remove the need to patch. As it relates to ransomware, the probability of a true systemic extortion event occurring has increased dramatically. WannaCry and NotPetya are reminders of how quickly vulnerability-driven disruption can go systematic. Mythos-class capabilities …”
T1486 Data Encrypted for Impact
50%
“strategy. INC, Akira and Qilin remain the most active encryption-focused groups, while “lone wolf” operators and brands such as ShinyHunters account for a meaningful share of overall extortion activity. Where ShinyHunters- and lone wolf-style campaigns skew toward data-e…”
T1071.001 Web Protocols
47%
“to function as the primary leverage mechanism (73%), not merely a precursor to encryption. Even when exfiltration appears “lower” in observed telemetry, it often reflects visibility limits or attacker speed rather than reduced intent. Treat data theft as an executive risk is…”
T1657 Financial Theft
44%
“strategy. INC, Akira and Qilin remain the most active encryption-focused groups, while “lone wolf” operators and brands such as ShinyHunters account for a meaningful share of overall extortion activity. Where ShinyHunters- and lone wolf-style campaigns skew toward data-e…”
T1078.004 Cloud Accounts
40%
““Remote access” increasingly means SaaS + identity-backed pathways (SSO, OAuth grants, connected apps, and administrative access) rather than just legacy VPN/RDP. In practice, many intrusions no longer look like a break-in; they look like legitimate logins followed by …”
T1528 Steal Application Access Token
38%
““Remote access” increasingly means SaaS + identity-backed pathways (SSO, OAuth grants, connected apps, and administrative access) rather than just legacy VPN/RDP. In practice, many intrusions no longer look like a break-in; they look like legitimate logins followed by …”
T1078 Valid Accounts
37%
“apps/connected apps, impossible travel/new geographies and devices, unusual MFA reset or enrollment patterns, and anomalous support activity. Finally, software vulnerability exploitation remains a lower-frequency but high-consequence path and continues an upward drift, pa…”
Summary
The release of agentic AI is compressing the nature of patch management and
how defenders must prepare for the future of cyber attacks. This is
increasing pressure on patch velocity, compensating controls, and
dependency visibility.