The 72-Minute Gap: What the Breaches, the Vendors, and the Messaging Are Actually Telling Us

By Sean Martin, CISSP

Lens Four — Where business, innovation, and messaging come into focus


Video Summary: Why Hackers Beat Your Security in Just 72 Minutes


72 minutes. That's all it takes for AI-driven cyberattacks to move from breach to data theft. Is your security fast enough to respond?

The intersection of business operations, vendor innovations, and market messaging shows a stark reality: attackers have accelerated their capabilities while defense strategies lag behind. This fundamental mismatch puts organizations at unprecedented risk.

Watch the video summary ▶ https://youtu.be/EjsADm7faJ0


March 4, 2026

I look at the intersection of business, technology, and messaging regularly through three lenses: how organizations are running their operations and security programs, how vendors and innovations are reshaping the market, and how language influences the decisions that executives and practitioners actually make. Taken together, these three angles reveal where the real gaps — and the real opportunities — live. This time, the focus is cybersecurity — and the signals are hard to ignore.

How Fast Are AI-Driven Cyberattacks — and Can Security Programs Keep Up?

The short answer: attackers are operating in minutes, and most defenders are not. AI-driven cyberattacks now move from initial access to data exfiltration in as little as 72 minutes — a 4x acceleration over the prior year, according to the Unit 42 2026 Global Incident Response Report.[1] Meanwhile, only 6% of organizations have fully deployed agentic AI in their security operations, even though 92% say AI helps their teams review more events.[2] Reviewing events and responding at machine speed are fundamentally different capabilities. That gap is where breaches live.

February 2026 proved it. Japan Airlines disclosed unauthorized access to customer data spanning back to July 2024. Wynn Resorts lost government-issued IDs to ransomware. IDMerit — a company trusted to verify identities — leaked one billion records. The University of Mississippi Medical Center had to close clinics and cancel procedures.[3,4] Substack, Flickr, Crunchbase, and Malaysia Airlines all reported incidents in the same month.[4,5]

The thread connecting these was not sophisticated tradecraft. It was credential reuse, ungoverned third-party access, and peripheral systems nobody was monitoring — gaps in visibility, not gaps in technology.[4] Unit 42’s data makes it stark: 65% of initial access is now identity-driven, with social engineering, stolen credentials, and IAM misconfigurations as the primary entry points. Identity weaknesses played a role in nearly 90% of all incidents investigated.[1,6]

And the institutional backstop is weakening. CISA has lost nearly 30% of its workforce since early 2025, dropping from about 3,400 to 2,400 staff.[7] The CIRCIA final rule is delayed until May 2026. The Cybersecurity Information Sharing Act has expired.[8,9] For every CISO trying to build a program that connects detection to response to business continuity, the question to the board is direct: if the federal infrastructure we relied on is diminished, what is our plan?

But here is what makes this moment different from the last decade of “we are losing the arms race” headlines: some organizations are closing the gap, and closing it fast. In a recent conversation on the Redefining CyberSecurity podcast, industry analyst Richard Stiennon — former Gartner VP and founder of IT-Harvest — described a CISO at a large enterprise who has already eliminated the entire SOC team. Not downsized. Eliminated. Replaced by AI-driven SOC automation that triages 100% of alerts, builds cases, investigates threats, and executes containment — 24/7, at machine speed, for a fraction of the cost of a human-staffed operation.[10]

That is not a vendor pitch. It is an operational reality that changes the math for every security program still staffing a traditional SOC. If one organization can do it, the question for every other CISO becomes: what is the cost of not doing it? Stiennon framed it bluntly: if a 90-day proof of concept costs $15,000 and your SOC budget over that same period is a million dollars, every quarter you delay is a quarter of budget you do not get back.[10]

The workforce gap is 4.8 million globally.[11] The breach tempo is accelerating. The programs that close the 72-minute gap will not do it by hiring faster. They will do it by rethinking what humans are for and what machines should own.

Which Vendor Moves Are Actually Changing the Market?

Platform consolidation is accelerating — but the most disruptive shift may not be coming from the platform vendors at all. Every major cybersecurity vendor is telling the same story: consolidate with us, reduce complexity, get unified visibility. The question CISOs should be asking is whether the platform solves the operational problem they have today or sells them a vision while their program struggles with basics.

Palo Alto Networks posted $2.6 billion in Q2 revenue but missed Q3 earnings guidance, with shares dropping 7% on integration costs from its $25 billion CyberArk acquisition.[12] CrowdStrike told a different story — net new ARR up 73% year over year, extending Falcon through a single-agent architecture with targeted acquisitions of Seraphic Security and SGNL that avoid heavy integration overhead.[13]

The M&A signal is impossible to ignore. Google closed its $32 billion Wiz acquisition with EU approval.[14] Cyera raised $400 million at a $9 billion valuation. Vectra acquired Netography to unify observability and detection.[9,15] The consolidation is real.

But underneath the platform wars, a different market is forming. IT-Harvest now tracks 375 AI security vendors, almost all founded since 2022. Of those, 58 are focused specifically on SOC automation — not SIEM vendors adding features, but purpose-built startups replacing the SOC staffing model entirely. Collectively, they have received over $1.3 billion in funding.[16] Many of these companies launched in early 2025 and reached $1 million in ARR within months; by year-end, several had hit $3 million ARR — for a product category that barely existed 18 months earlier.[10] Stiennon’s assessment is direct: by this time next year, tracking “AI Security” as a standalone category will no longer make sense because every vendor will be an AI security vendor.[16]

That is a market structure claim, not a feature claim. And it has implications beyond the SOC. Agentic AI — autonomous systems that make decisions without continuous human oversight — landed at the top of Gartner’s 2026 cybersecurity trends.[17] Forrester predicts it will cause a public breach this year.[18] That prediction already has a proof point: a vulnerability dubbed “ClawJacked” in OpenClaw showed that a malicious website could hijack a locally running AI agent through its core gateway, no plugins or user error required.[19]

Traditional identity and access management was never designed for machine actors that spin up dynamically, retain persistent credentials, and operate outside human governance lifecycles. Gartner data shows 57% of employees use personal GenAI for work, with 33% uploading sensitive data to unsanctioned tools.[11] Enterprise Management Associates calls this the “Triple Threat” — agentic risk, identity governance deficits, and a visibility gap most organizations have not begun to address.[20]

The trust question is not abstract. As I explored with Stiennon on the podcast: if SOC automation tools are consuming your logs, your alerts, and your environment data, how much of that is flowing through public models? His answer is that most serious vendors are running models locally or using privacy-preserving approaches like federated learning with fully homomorphic encryption — keeping data encrypted even during processing. The privacy infrastructure is maturing alongside the automation capability.[10] But the question every CISO should be asking their vendors right now is: where does my data go, and who else can see it?

How Is the Industry’s Own Language Getting in the Way?

When buzzwords replace operational specificity, organizations lose the ability to measure what matters. “Resilience” is the dominant frame across every major analyst report and vendor keynote right now. The WEF’s 2026 Global Cybersecurity Outlook is built around it.[14] Gartner’s trends emphasize it.[17] Forrester’s predictions assume it.[18] The shift from “prevent everything” to “prepare for the inevitable” is healthy. But resilience without definition becomes a permission structure for mediocrity.

Resilience to what? Over what timeframe? If recovery takes three days and the attacker moved in 72 minutes, that is not resilience — it is damage control. Ask the patients in Mississippi whose procedures were canceled.[3]

The bigger messaging problem may be the gap between what the technology can now do and how the industry talks about it. Stiennon posted his SOC automation research on LinkedIn and described the response: half the comments defaulted to “but you need human in the loop” and “what about controls” — the conservative security reflexes that have defined the profession for decades.[10,21] That instinct is understandable. It is also increasingly expensive. AI model intelligence is growing by roughly 10x per year.[10] The industry’s language — and its planning assumptions — are still linear. When the conversation is about whether to trust an autonomous system, and the system is doubling in capability every few months, the risk calculus changes faster than most governance frameworks can accommodate.

The board-CISO communication gap reinforces this. The IANS/Artico 2026 benchmark report found that 95% of CISOs deliver regular board updates, but only 30% of boards describe the relationship as strong and collaborative. Nearly half of directors say CISO reporting on evolving threats needs improvement.[22] The WEF data reveals a parallel disconnect: CEOs rank fraud and phishing as their top concern while CISOs rank ransomware.[14] When the board and the security leader are telling different stories about primary risk, the budget gets pulled in multiple directions without a clear operational anchor.

Meanwhile, the macro spending numbers keep climbing — $244.2 billion globally in 2026, up 13.3% — with managed services growing fastest at 11.1% because organizations cannot hire fast enough to run their own SOCs.[11] Cyber insurers are demanding evidence of specific controls before issuing policies, becoming an unofficial compliance mechanism.[14] And in an industry spending a quarter of a trillion dollars this year, the hardest question is not whether we have enough technology. It is whether we are honest about the gap between the story we tell and the outcomes we deliver.

The language matters because it shapes what gets funded and what gets measured. When a vendor says “platform,” a buyer should hear: consolidate everything with me. When an analyst says “resilience,” a CISO should ask: resilient enough to do what in the first 72 minutes? When a security leader says “we need human in the loop,” press: for which decisions, at what speed, and at what cost? And when a policy maker says “back on mission,” press: with what resources?

Seventy-two minutes. That is the story your program needs to tell. Can it?


If this analysis is useful — whether you are a CISO evaluating your program, a vendor shaping go-to-market strategy, a product marketer cutting through noise, or an analyst mapping the landscape — I would welcome the conversation. This is what I do: connect the dots between business operations, the technology that serves them, and the market forces that shape both. Reach out at seanmartin.com.


References

  1. Palo Alto Networks. (2026, Feb 17). Unit 42 report: AI and attack surface complexity fuel majority of breaches.
  2. IT Pro. (2026, Mar 2). CISOs are keen on agentic AI, but not going all-in yet.
  3. Advanced IT Technologies. (2026, Feb 25). February 2026 cybersecurity news roundup.
  4. Cyber Management Alliance. (2026, Feb). February 2026: Recent cyber attacks, data breaches, ransomware attacks.
  5. TechRadar. (2026, Feb). Substack data breach confirmed: user phone numbers, email addresses all stolen in attack.
  6. CyberScoop. (2026, Feb 17). Unit 42: Nearly two-thirds of breaches now start with identity abuse.
  7. Metaintro. (2026, Feb). CISA navigates job cuts and demoralized workforce.
  8. Cybersecurity Dive. (2026, Jan). Acting CISA chief defends workforce cuts, declares agency ‘back on mission.’
  9. MSSP Alert. (2026). MSSP market news: AI security stacks, identity plays.
  10. Martin, S. & Stiennon, R. (2026, Mar). SOC automation and the AI-driven future of cybersecurity defense. Redefining CyberSecurity Podcast.
  11. Software Strategies Blog. (2026, Feb 10). Top 6 cybersecurity trends from Gartner 2026 forecast.
  12. CNBC. (2026, Feb 17). Palo Alto Networks Q2 2026 earnings.
  13. 24/7 Wall St. (2026, Feb 24). Cybersecurity showdown: CrowdStrike vs Palo Alto.
  14. World Economic Forum. (2026, Feb). Cyber threats to watch in 2026.
  15. Vestbee. (2026, Feb). Cybersecurity market 2026.
  16. Stiennon, R. (2026, Feb 17). Something big is happening in cybersecurity. The Security Industry (Substack).
  17. Gartner. (2026, Feb 5). Top cybersecurity trends for 2026.
  18. Infosecurity Magazine. (2025, Nov). Forrester: Agentic AI-powered breach will happen in 2026.
  19. The Hacker News. (2026, Feb 28). ClawJacked flaw lets malicious sites hijack local OpenClaw AI agents via WebSocket.
  20. Enterprise Management Associates. (2026). The Triple Threat of 2026.
  21. Stiennon, R. (2026, Feb). LinkedIn post on SOC automation disruption.
  22. PR Newswire. (2026, Mar 3). New report reveals key gaps in board-CISO strategic dialogue.

Sean Martin is a cybersecurity market analyst, content strategist, and advisor with 30+ years across engineering, product development, marketing, and media. Co-founder of ITSPmagazine and Studio C60, host of the Redefining CyberSecurity Podcast and the Music Evolves Podcast. Sean works with CISOs and security leaders, vendors and service providers, go-to-market and marketing teams, and analyst firms to connect technology operations and cybersecurity programs to business outcomes. Connect at seanmartin.com.

