Rubrik’s Dev Rishi: AI attacks can reach full breakout in 27 seconds
If defenders cannot detect and escalate fast enough, resilience must start before the attack fully lands.

Dev Rishi, GM of AI at Rubrik, says frontier AI can enable autonomous attacks that move from initial access to full system breakout in as little as 27 seconds. That forces security teams to shift from human-in-the-loop response to AI-enabled cyber resilience that restores systems in hours, not days.
The speed gap is the story, and Rubrik’s Dev Rishi wants security leaders to treat it like a deadline, not a trend. Rishi points to frontier AI models that can enable autonomous attacks moving from initial access to full system breakout in as little as 27 seconds. In that world, the classic security assumption falls apart: that there is time for humans to detect, escalate, and respond between a breach starting and damage showing up.
The implication is blunt. “Everything that relied on process or human-in-the-loop intervention is no longer going to be able to execute at the speed of the attacks,” Rishi says. If attacks are happening in 27 seconds, recovery needs to be “just as quickly.” In other words, incident response cannot be the main character. Cyber resilience has to be designed as a capability that continuously keeps clean recovery states ready, maps critical data and identity dependencies, and automates restoration so operations can come back in hours, not days.
Here’s why this is more than a staffing problem. For decades, enterprise security was built around deterministic logic: static access controls, known signature detection, and deterministic behavioral policies. Those approaches work best when software behaves predictably, because the system is basically checking each individual access request: is this permission allowed? But AI agents do not necessarily follow the same paths every time. They can pursue the same objective through many different routes, and they can increasingly circumvent static guardrails by finding alternative routes when one path is blocked. That means the old question, “Is this specific action permitted?” becomes insufficient.
Rishi’s alternative framing is context. The deeper issue, he says, is that conventional security logic checks permissions action-by-action, but it cannot evaluate whether a sequence of permitted actions across multiple applications forms a data leak, a destructive operation, or an attack. You need a system that can understand context, and that means using AI to look at what an agent is doing and assess whether the behavior indicates risk, like “what you're doing might be a risk of leaking sensitive data externally.” This matters because the attack surface is now partly the sequence, not just the step.
Another twist is how AI blurs “internal” and “external” threats. Historically, enterprises treated external threats as fast and multifaceted, while internal threats were bounded by what a single human actor could accomplish before detection. AI agents change that constraint. They can operate inside enterprise environments, access multiple systems simultaneously, and move at speeds no human employee can match. When an agent makes a mistake, such as a hallucination, misread instruction, or unintended data transfer, the resulting damage can look operationally identical to a malicious insider attack. And if an external attacker compromises an internal agent, they inherit the agent’s full access profile across every connected application.
So the security requirement shifts again: runtime guardrails that enforce organizational policies consistently across agents. Rishi argues for an “AI-native guardian layer” that monitors agent behavior semantically, understands intent across actions, and can block or terminate a misbehaving agent at machine speed. The key is what happens right after the stop: trigger recovery immediately. That is the bridge between prevention and restoration, and it is exactly the bridge that the 27-second gap threatens to snap.
There’s also a strategic reframe underneath all this. Rishi points out that frontier AI models, including those capable of discovering and operationalizing zero-day vulnerabilities autonomously, are changing the economics of attacks. That pushes security leadership toward two assumptions: attacks are inevitable, not exceptional; and investment in resilience and rapid recovery should be treated as strategically as investment in prevention. In that framing, recovery stops being a post-incident chore and becomes a deliberate capability that is designed, tested, and continuously validated.
To do that at machine speed, the article argues against a common temptation: using massive frontier models for everything. True cyber resilience is described as a two-sided coin, requiring both real-time intelligent enforcement and automated recovery. But using heavy frontier models to monitor every agent action creates crippling latency overhead and exorbitant computing costs. If the guardian slows down operations or costs as much as what it monitors, it is not viable. The proposed solution is “fast, small, and cheap” AI, which leads to small language models (SLMs). Rubrik’s approach, anchored by its acquisition of Predibase, is to build the frontline defense layer on small models optimized for speed and efficiency.
Why SLMs specifically? Because they can semantically evaluate agent behavior at machine speed at a fraction of the cost, acting as a real-time checkpoint. Then they connect enforcement to recovery in one workflow. If the system observes an agent taking a destructive action such as deleting a database, corrupting a critical file, or exfiltrating sensitive data, the small model detects it immediately, halts the damage, identifies the most recent clean snapshot from before the incident, and initiates recovery automatically.
This all lands on a broader implication for boards and CISOs: resilience is moving upstream into architecture. As AI compresses the gap between attack and impact, recovery becomes an engineering requirement rather than an after-the-fact operational activity. Rubrik’s view is that security can no longer stop at detection. It needs coordinated resilience across observability, identity context, enforcement, and recovery so the organization shortens the gap between detecting something went wrong and restoring what was affected, before the cost of that gap compounds.
This story's Key Insights and Take-aways are locked.
Create a free account to unlock Executive Actions for one credit.
Register to UnlockAlways free for Executives Club members. Join the Club
More in Technology

OpenAI replaces Advanced Voice Mode with full-duplex GPT-Live, rolling out to all tiers today
Two voice models, GPT-Live-1 and GPT-Live-1 mini, let ChatGPT listen and speak at once, plus stream longer reasoning.

Jensen Huang says Nvidia engineers prefer building agents over writing Python code
The Nvidia CEO argues AI is reshaping software work into agent design, not job replacement.

Zhipu AI and Iluvatar CoreX jump after HK$31.4B accelerated bookbuild secondary placements
Two recently-listed names use separate secondary share sales to fund hardware and research, and investors bid up the stock anyway.
