AI is a tool. It can be turned against you.
As artificial intelligence reshapes the foundations of modern commerce, three major cybersecurity firms have issued a collective warning this spring: the same tools companies are racing to adopt have become prime targets for an escalating wave of attacks. The 121 percent surge in DDoS incidents throughout 2025 is not merely a statistic — it is a signal that the gap between technological ambition and strategic preparedness has grown dangerously wide. Organizations that treat AI security as a technical footnote rather than a boardroom imperative are, in the oldest of human patterns, building fortresses with unguarded gates.
- DDoS attacks surged 121% in 2025, with AI-driven enterprises absorbing repeated, targeted strikes that exposed how unprepared most organizations truly are.
- A dangerous misconception is spreading through boardrooms: companies believe that adopting AI is itself a defensive act, when in reality it introduces new and complex vulnerabilities.
- Security teams are being handed a business crisis and told to treat it as a technical ticket — a mismatch that leaves financial, regulatory, and reputational damage unaddressed.
- The most exposed organizations are those that have never mapped their third-party dependencies or validated the integrity of the data their AI systems rely upon.
- The firms point toward a narrow but navigable path: embedding AI risk management into strategic decision-making before the next breach forces the conversation.
This spring, Batuta, Cloudflare, and Sophos released their 2026 threat assessments with a message aimed squarely at regional leadership: artificial intelligence has become both a target and a weapon, and most organizations are prepared for neither.
The numbers demand attention. DDoS attacks — the blunt-force method of collapsing a network through sheer volume — rose 121 percent in 2025, with AI-focused companies absorbing repeated hits throughout the year. But the researchers argue the deeper problem is not the attacks themselves. It is the false confidence that AI adoption confers protection. It does not. A tool is only as secure as the care taken in building, monitoring, and defending it.
Blake Darché of Cloudflare identified a second critical error: companies delegate AI security to IT departments and consider the matter resolved. When an AI system is compromised, however, the consequences ripple outward — into financial results, regulatory compliance, and brand credibility. What begins as a technical incident becomes a business crisis.
The firms describe a third and perhaps most consequential gap: the failure to integrate AI risk into overall business strategy. The organizations best positioned to weather this environment are those already weaving security into procurement decisions, treating data integrity as foundational, stress-testing models before deployment, and auditing third-party supply chains before a breach makes the audit urgent.
The conclusion is unambiguous: surviving the next wave of AI-driven attacks requires board-level attention, not a ticket in the IT queue. The cost of delay is measured in millions.
Three major cybersecurity firms—Batuta, Cloudflare, and Sophos—released their 2026 threat assessments this spring with a warning that cuts across every boardroom in the region: artificial intelligence has become both a target and a weapon, and most companies are not ready for either.
The numbers are stark. Distributed denial-of-service attacks, the blunt-force method of overwhelming a network until it collapses, jumped 121 percent in 2025. Companies that had built their operations around AI systems were hit repeatedly throughout the year. This was not a marginal trend. This was the shape of the threat landscape now.
Yet the real problem, according to the researchers, runs deeper than attack statistics. Many organizations have made a fundamental mistake: they believe that adopting artificial intelligence is itself a form of protection. It is not. AI is a tool. Like any tool, it can be used well or poorly, and it can be turned against you. The security posture of an AI system depends entirely on how carefully it is built, monitored, and defended. Adoption alone guarantees nothing.
Blake Darché, who leads threat intelligence for Cloudflare's security division, articulated the second critical error in how companies approach this challenge. Most organizations treat AI security as a technology department problem. They assign it to the IT team, expect a solution, and move on. This is backwards. When an AI system is compromised—when it is manipulated or exploited—the damage spreads far beyond the servers and code. Financial results suffer. Regulatory obligations go unmet. The brand loses credibility with customers and partners. The breach becomes a business crisis, not a technical incident.
The firms identified a third vulnerability that may be the most consequential: the failure to integrate AI risk management into overall business strategy. Organizations that are actually prepared for this environment do something different. They weave security considerations into how they make decisions about which AI tools to adopt and how to deploy them. They treat data integrity as a foundational requirement, not an afterthought. They test their models rigorously before putting them into production. They audit the third-party vendors and services they depend on, mapping out where their supply chain could be compromised, and they do this work before a breach forces their hand.
The implication is clear: the companies that will survive the next wave of AI-driven attacks are those that have already begun treating this as a business problem requiring board-level attention, not a technical problem to be solved by the security team alone. The cost of waiting is measured in millions.
Notable Quotes
When AI systems are manipulated or exploited, the impact extends far beyond the security team—affecting financial results, regulatory compliance, and brand trust.— Blake Darché, Cloudflare
The Hearth Conversation Another angle on the story
Why are AI-focused companies being targeted so heavily right now? Is it because they're easier to break into?
Not necessarily easier to break into—they're targeted because they're valuable. If you compromise an AI system, you don't just get data. You get control over the decision-making engine itself. You can poison the model, manipulate its outputs, or use it to attack other systems. The payoff is much bigger than a traditional breach.
So the 121 percent jump in DDoS attacks—is that because attackers have gotten smarter, or because there are just more targets now?
Both. More companies are building AI systems, so there are more targets. But attackers are also using AI to automate and scale their own operations. They're running attacks faster, adapting them in real time. It's an arms race, and the defenders are falling behind.
The report says companies are treating this as an IT problem. Why is that so dangerous?
Because when something goes wrong, it's not just the servers that fail. Your revenue gets hit. You face lawsuits. Your customers lose trust. If the IT team is the only one thinking about this, the business side is blind to the real exposure. By the time executives understand what happened, it's too late.
What does it actually look like when a company gets this right?
They ask hard questions before they adopt a new AI tool. Where is the data coming from? Who has access to it? What happens if this model gets poisoned? They validate everything. They map their dependencies. They treat it like a business decision, not a technology purchase.
And the companies that don't do that?
They'll learn the hard way. The attacks are coming. The only question is whether they'll be ready.