More than six in ten security professionals expect ransomware to be a high or critical threat in 2026, according to research. Just 30 percent say they are very prepared to defend against it, says Mike Riemer, SVP at the security platform Ivanti.
AI-driven attackers are squeezing that 33-point shortfall even further, because those attackers have figured out how to reverse-engineer a vendor patch in under 72 hours.
The 72-hour figure is earning a lot of headlines right now, and rightfully so.
Security teams under pressure
The tight timeline is problematic on its own, but it’s made much more daunting by the state of security teams in the current environment. To put it succinctly, they’re maxed out. Beyond maxed out.
Forty-three percent of security professionals report high levels of stress because of their work. Seventy-nine percent say that stress takes a real toll on their physical and mental health. And while only one in four organisations describes its IT and security talent shortage as critical – the majority say the shortage is moderate but manageable – the teams that are short-staffed are often the ones running incident response at the worst moments.
Plus, “moderate but manageable” implies that they can sustain the present load but are presumably ill-equipped to handle any unpleasant surprises. And the evolution of AI-driven threats has delivered, and will continue to deliver, a lot of unpleasant surprises.
Even where the budget and the intent are there, the human capacity to respond at the pace attackers operate at is being rationed. Tickets queue and alerts get triaged less carefully than they should. Investigations that should take an afternoon stretch across days because the people who would lead them are already on something else. Add an AI-accelerated exploit timeline on top of that, and what gets dropped is not always what should be dropped.
How a three-day exploit window impacts operations
When a vendor publishes a patch, attackers now have a working roadmap. AI tooling makes the reverse engineering work faster, more systematic and accessible to a wider population of threat actors than was true even a year ago.
Three days is not an arbitrary figure. It is roughly the window between public patch release and the appearance of working exploit code in the wild for a serious flaw. Inside that window, security teams need to assess the patch, prioritise it against everything else competing for attention, schedule deployment, manage change control and roll out the update. All without breaking something downstream.
For a fully staffed team, that timeline is tight. For a team with open headcount or that’s already overtasked, it is rarely realistic. The patch is applied late, not out of incompetence, but because there are simply not enough people to apply it any sooner.
How automation can help
Nearly two-thirds of IT professionals predict AI and automation will improve overall IT service quality. Clearly, the practitioners closest to the work see the value.
Automation is helpful when the work is repetitive, well-defined and high-volume. Patch deployment to known fleets, initial triage of low-fidelity alerts, compliance checks, identity provisioning and deprovisioning – all these consume hours of skilled engineer time for outcomes that are mostly procedural.
What automation does not do is replace the judgement call about whether a particular vulnerability is being actively exploited against a particular asset that matters to the business. That is still a human decision and it still requires a human with context, time and enough sleep to make the decision well.
Automation will not fill the missing roles if there’s open headcount, but it can take enough repetitive work off the existing team that the work only humans can do still gets done.
Layered security is how to survive
Just shy of half of organisations rate synthetic digital content as a high or critical industry threat. Only 27 per cent say they are very prepared to defend against it – another major shortfall. A layered approach to security exists for exactly this kind of environment. One control fails or is bypassed and the next one catches it. A user clicks a deepfake phishing link and the endpoint catches the payload. The endpoint misses it and lateral movement detection flags the anomaly. Lateral movement is missed and segmentation limits what an attacker can reach.
None of that is theoretical and none of it requires perfect execution from a perfect team. It requires layers that compensate for each other so that one bad day, one missed alert or one departing engineer does not create an open door.
Where to invest
When listening to the people entrenched in this problem, the trends are easy to spot: AI is shortening the time defenders have to act. The team meant to act is, in too many cases, smaller and more tired than it was last year. Those trends won’t reverse on their own.
Three things keep this from getting worse: Automation that takes repetitive work off skilled engineers, so they can apply judgement where it matters. Layered defences that mean a single failure does not cascade. And serious, sustained investment in people – paying competitively, building career paths inside security and treating retention as a security control in its own right. It would be a miss to expect the 72-hour window to lengthen. And, of course, the teams aren’t going to grow on their own. Instead, invest in strategies that allow the team to spend their time on the decisions only they can make.





