Cybersecurity concerns continue to arise, and businesses are putting more and more resources into defence. According to Conner Lines, CTO at SixMap, a key threat to businesses comes from AI itself.
AI Becomes the New Offensive Accelerator
AI will not simply enhance security operations; it will transform offensive tradecraft in ways that put defenders at a structural disadvantage. Automated reconnaissance, agentic exploit chaining, and adaptive lateral movement will let attackers operate at a scale and speed no human red team could ever match. Lines predicts that by the end of 2026, AI-augmented intrusions will compress dwell time from weeks to days, creating incidents that unfold too quickly for traditional response cycles to contain.
The core issue is the asymmetry in how AI failures impact each side. For attackers, a faulty inference is irrelevant. A model misunderstanding a sequence, selecting a suboptimal exploit, or misclassifying an exposure simply means they try again. Attackers can afford rapid, iterative experimentation with little to no human oversight.
For defenders, that same type of failure can be catastrophic. An AI system that incorrectly claims a vulnerability is remediated or suppresses a true positive alert introduces immediate operational risk. Defensive AI must therefore be constrained by validation, governance, and human review, which slows down decision making at the exact moment offense is accelerating.
Because offensive AI draws power from publicly accessible data and metadata, external exposures become its fuel. The only viable countermeasure is to ensure defenders operate from the same real-time, machine-readable map of their external identity surface. Visibility must be complete and continuously refreshed, not batched or manually curated. Without an accurate, up-to-date model of exposures, defenders cannot match machine-speed intrusion cycles—and in 2026, that velocity gap becomes the defining risk.
IPv6 Adoption Creates the Next Great Blind Spot
The exhaustion of IPv4 address space and mounting policy pressure will force a major operational pivot to IPv6 throughout 2026. For the U.S. public sector, the key driver is OMB Memorandum M-21-07, which directs federal agencies to ensure that at least 80 percent of IP-enabled assets are operating in IPv6-only environments by the end of fiscal year 2025 (September 30, 2025). As of October 2025, however, independent assessments note that no federal agency has publicly claimed full 80 percent IPv6-only compliance, suggesting that implementation has fallen well short of the mandate and setting the stage for a renewed push for modernization in 2026.
Global traffic data shows that this transition is already in motion. Cisco reports that IPv6 traffic on the Internet is now roughly at parity with IPv4 “by all measures.” Meanwhile, adoption varies significantly across countries, with the U.S. far behind: countries like France, Germany, and India already see the majority (roughly 70-80 percent) of user traffic to Google over IPv6, while the United States sits closer to the low-50 percent range.
This disparity amplifies the problem that IPv6 adoption is advancing faster than the visibility tooling required to secure it. Dual-stack environments effectively create a second, partially unmapped Internet-facing surface. IPv6 expands the theoretical address space from about 4.3 billion IPv4 addresses to roughly 3.4×10³⁸ IPv6 addresses, an increase of around 29 orders of magnitude—which makes brute-force address discovery by defenders completely impractical. Without accurate dual-stack mapping, organizations will inherit large pockets of unseen exposure that traditional IPv4-centric scanners never enumerate.
Lines thinks that in 2026, some of the most severe breaches will originate from assets that exist only in the IPv6 dimension of enterprise infrastructure: services brought online for modernization, compliance, or cost reasons, but never fully integrated into external attack-surface management. To close this gap, defenders will need continuous, machine-speed mapping across all ports and protocols for both IPv4 and IPv6, not periodic scans and partial inventories. Any visibility stack that fails to treat IPv6 as a first-class external exposure domain will be operating blind where attackers already have line of sight.
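The dual-stack gap described above can be checked from data a defender already holds. The following is an added example, not code from the article or from SixMap: it reconciles a DNS export against the prefixes an external scanner covers and reports IPv6 addresses that fall outside them. The hostnames, addresses (documentation ranges), scope list and function names are all constructed for illustration.

```python
import ipaddress

# Constructed sample data: DNS export (hostname -> records) using
# documentation ranges (RFC 5737 / RFC 3849). Not real assets.
DNS_RECORDS = {
    "www.example.com":    [("A", "192.0.2.10"), ("AAAA", "2001:db8:10::10")],
    "api.example.com":    [("A", "192.0.2.20"), ("AAAA", "2001:db8:ffff::20")],
    "new.example.com":    [("AAAA", "2001:db8:ffff::30")],
    "legacy.example.com": [("A", "198.51.100.5")],
}
# Constructed scan scope: prefixes the external scanner is configured to cover.
SCAN_SCOPE = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8:10::/48"]


def in_scope(addr, scope):
    """True if addr falls inside any scope prefix of the same IP version."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in scope)


def dual_stack_gaps(records, scope_cidrs):
    """Find hosts whose IPv6 addresses are outside the scan scope.

    Returns {hostname: (status, [unscanned IPv6 addresses])}. Status is
    'ipv6-only-unscanned' when the host has no A record at all (an
    IPv4-centric scanner never sees it), or 'dual-stack-partial' when the
    host has an A record but its IPv6 side is not covered.
    """
    scope = [ipaddress.ip_network(c) for c in scope_cidrs]
    gaps = {}
    for host, rrs in records.items():
        has_v4 = any(rtype == "A" for rtype, _ in rrs)
        v6_missed = [addr for rtype, addr in rrs
                     if rtype == "AAAA" and not in_scope(addr, scope)]
        if not v6_missed:
            continue  # no IPv6 presence, or all of it is already in scope
        status = "dual-stack-partial" if has_v4 else "ipv6-only-unscanned"
        gaps[host] = (status, v6_missed)
    return gaps


if __name__ == "__main__":
    found = dual_stack_gaps(DNS_RECORDS, SCAN_SCOPE)
    for host, (status, addrs) in sorted(found.items()):
        print(f"{host:20} {status:20} {', '.join(addrs)}")
```

Because the IPv6 space cannot be swept, the input here is record data (DNS, cloud inventory, certificate logs) rather than address enumeration; the check is only as complete as those sources.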
