Why Cyber Ranges Are the Next Step in the AI Arms Race

A cyberattack can be quantified across three variables: speed, volume, and sophistication. How fast are attacks occurring, how many of them are there, and how sophisticated are they?


The biggest cybersecurity challenge that federal agencies will likely face in the future is that artificial intelligence will serve as an accelerant to all these variables.


The speed of a cyberattack can be measured by breakout time, a term coined by CrowdStrike. It refers to how long it takes an adversary, after breaching a system, to move laterally. In 2018, the fastest average breakout time was 18 minutes and 49 seconds, achieved by Russian nation-state hackers. In 2023, a breakout time of 2 minutes and 7 seconds was observed.

AI is pushing breakout time speeds closer and closer to zero. 


Similarly, the number of phishing attacks is increasing, as AI writes and sends malicious messages faster than humans can. It also improves faster than any human could, essentially by applying the scientific method: Try something, see if it works, learn from it, and apply what it learned to the next iteration. That’s improving the quality of not only phishing attacks but all initial access tactics, as well as lateral movement and privilege escalation attacks.


As a human, I have a limitation on what I can conceive of. Artificial intelligence? No. The only limitations are algorithmic capability and computing power. AI is a force-multiplying accelerator. It will take everything that we are doing, and it will accelerate it faster than anything that we can comprehend or have experienced in the past.

An AI Arms Race

Because adversaries are using AI to improve their attacks, cyber defenders need to use it to improve their defenses as well. Rivera said the future state of cybersecurity is one where all security functions and all IT functions are joint hybrid human-AI. Because how do you defend against a breakout time near zero? You must predict it before it happens. Deterrence tends to become the answer during an arms race.


That’s where cyber ranges come in. With a powerful enough capability, you can simulate faster than the adversary can attack. Cyber ranges simulate the three layers of a system — the operating systems and network; the data, applications and security logging tools inside the operating systems; and the users — to create a “what-if” machine.


“What is the future? You could argue that the future is a predictable series of quantized outcomes. What did Google just do with weather prediction? They made the most accurate 10-day weather forecast in human history. And they did it with artificial intelligence. Why were they able to do that, whereas all other human methods in the past were not able to do that? I would argue that the reason for that is they could quantize lots of different outcomes, test the outcomes, figure out which one is the most likely, apply statistical significance to certain ones, and then they get better and better.”

Be Predictive, Not Reactive

It’s not enough to just simulate an environment. That simulation must assess potential future scenarios. Just like a soldier wants to know how many bad guys are in a room and how they are armed before entering it, a chief information security officer wants to know what tomorrow’s malware and hands-on keyboard capabilities will look like. Just like a soldier wants to know how weapon systems will perform in every environment, a CISO wants to know how cyber tools will perform against attacks. That’s why testing on a cyber range is important.


Most large enterprises are investing in serious cybersecurity tools and disciplines, like anti-virus and endpoint detection and response (AV/EDR), cloud security, zero trust, disaster recovery preparedness, and the like. How effective is their AV/EDR system at detecting and responding to threats? Will the company’s cloud security posture stand up to modern-day criminal and nation-state threats? Does their organization’s zero-trust strategy work? What happens if the primary data center fails? What’s the failover solution? 


When they invest in cybersecurity tools like that, they need to know how they will function. Testing in the production environment is a no-go; there’s too much risk of breaking something important. Cyber ranges empowered by AI will enable enterprises to see how their tools work before real-world events. And they’ll enable them to do so faster, with more volume and sophistication than their adversaries, which will lead the United States to a place where more powerful AI algorithms and faster computational power are what will provide the deterrence in an AI arms race.


China just came out with DeepSeek, a model that allegedly has the same performance capability as even leading U.S. models like OpenAI’s. Some call it AI’s Sputnik moment. It came very unexpectedly.


We’re headed into this arms race where you want the most powerful computational capability that can simulate in advance what is likely to happen. And if you have a powerful enough computational capability, and if you can simulate the threats faster than your opponents, this will give you a strategic edge over them that may potentially erode the adversary’s first-mover advantage.


To read more about how cyber ranges give organizations the upper hand in offensive AI testing, check out the recent ebook from SimSpace, Carahsoft, and the Federal News Network: How to Derive Offensive Benefits From AI-Cyber Convergence.

SimSpace

For elite cybersecurity teams under siege in an AI-fueled threat landscape, SimSpace is the realistic, intelligent cyber range that strengthens teams, technologies, and processes to outsmart adversaries before the fight begins. To learn how SimSpace helps organizations graduate from individual to team and AI model training; test tools, tech stacks, and AI agents; and validate controls, processes, and agentic workflows, visit: http://www.SimSpace.com.
