Why Cyber Insurers Should Require Pre-Attack Prevention: Before AI Attackers Make It Non-Negotiable

Malanta.ai Pre-Attack Prevention research highlights in collaboration with Howden Insurance Brokers Limited

The rise of AI-orchestrated cyber attacks is no longer theoretical. New research (including Malanta research into attack infrastructure and AI-orchestrated campaigns) shows that autonomous AI agents are already conducting the majority of attack operations in real campaigns, and that the infrastructure behind these attacks is being built at industrial scale, often before traditional security tools ever see a single indicator of compromise. For cyber insurers, that creates both a risk problem and an opportunity: pre-attack prevention is the control that sits in the same time window as the threat. Encouraging businesses to prioritise pre-attack prevention will assist with risk selection and loss ratios, and those businesses can be rewarded with materially reduced premiums and/or better policy terms.
Here’s what the evidence says and why it should shape your underwriting strategy.
The Headline: AI Attackers Are Operational
In late 2025, Anthropic disclosed the first publicly documented large-scale AI-orchestrated cyber espionage campaign. In that campaign:
- An AI agent executed roughly 80–90% of the attack tasks: reconnaissance, vulnerability scanning, exploit development, credential harvesting, lateral movement, and data exfiltration.
- Humans were involved in only a handful of strategic decisions.
- Targets spanned approximately 30 organizations across financial services, technology, chemicals, and government.
So we’re not talking about “AI-assisted” in a narrow sense. We’re talking about AI as the primary operator of the attack lifecycle. That compresses timelines from weeks to hours and makes “detect and respond” insufficient when the attack can complete before many teams ever see a clear IoC.
That means traditional security postures, focused on detection and response, are increasingly misaligned with how the most advanced, and soon more common, attacks actually run.
Attack Infrastructure Is Staged Before You See It
Malanta research into attack infrastructure clusters (linked sets of domains, certificates, hosting, and accounts used to run phishing, malware, and fraud) paints a stark picture:
- A single cluster can contain dozens of domains, tens of SSL certificates, and multiple social and developer accounts, all set up in advance.
- About 82% of domains in these clusters had not triggered any security vendor detection at the time of analysis.
- There is an average 72-day window from domain registration to overtly malicious use. That’s the window where pre-attack visibility and disruption can still change the outcome.

So the “attack” that both businesses and insurers worry about often starts long before the first phishing email or malware sample. It starts when someone registers domains, obtains certificates, and spins up accounts and repositories.
Those who only look at IoCs are looking at the tail of the process. Pre-attack prevention looks at the setup phase, the same phase where this infrastructure is built and where it can still be found and disrupted.
GenAI Has Supercharged Malicious Resource Creation
Malanta research shows that the creation of malicious and dual-use resources has exploded in lockstep with the maturity of generative AI:
- Malicious GitHub repositories grew from approximately 6,500 in 2022 to approximately 110,000 in 2024, a roughly 1,600% increase in two years.
- The inflection point is 2023–2024, and the same type of acceleration appears on GitLab and Bitbucket.
This points to systematic use of AI-assisted tooling to create attack infrastructure at scale.

Implications for businesses and insurers include:
- Democratization: Sophisticated, large-scale attack setups are no longer the preserve of nation-states. Cybercrime groups can achieve similar scale with GenAI-assisted workflows.
- Volume and diversity: More attackers, more infrastructure, more campaigns. Underwriting that assumes “business as usual” in threat volume is likely underestimating exposure.
The Control That Matches the Threat: Pre-Attack Prevention
If most of the risk is in the setup of attack infrastructure (domains, certificates, accounts, and repositories), and if 82% of that infrastructure is still “dark” to traditional security when it is being staged, then the only control that operates in the same phase as the adversary is pre-attack prevention.
- What it is: Detection and disruption of attack infrastructure before first contact with the target, for example before the first phishing email or malware delivery. It uses Indicators of Pre-Attack (IoPAs), such as registration patterns, certificate issuance, and repository/account linkability, rather than waiting for Indicators of Compromise (IoCs).
- Why it matters for underwriting: Organizations that can identify and disrupt this infrastructure in the setup window represent a different risk profile than those that only rely on detecting attacks after they start. A metric like Mean Time to Preempt (MTTP) is as relevant as MTTD and MTTR.
Including pre-attack prevention, such as Malanta’s capability to discover and disrupt staged attack infrastructure, as a requirement or strong positive factor in cyber insurance does three things:
- Improves risk selection by favoring insureds who reduce exposure in the phase where most of today’s infrastructure risk lives.
- Aligns coverage with the way AI attackers actually operate: early, automated, and infrastructure-heavy.
- Signals to the market that insurers understand the shift from “detect and respond” to “preempt where possible,” which will increasingly be the standard for resilient organizations.
What You Can Do Now
For underwriting
- Discuss pre-attack prevention as part of your underwriting process.
- Consider whether you can offer applicants IoPA monitoring and/or pre-attack disruption services as part of your offering.
- Treat MTTP, or an equivalent measure, as a meaningful metric alongside MTTD and MTTR.
- Offer clear premium reductions for organizations with validated pre-attack capabilities.
For product and policy
- Review definitions such as “security breach” or “cyber incident” to ensure they do not exclude AI-orchestrated and autonomous operations.
- Continue to monitor the systemic risk posed by AI-orchestrated campaigns that can hit many organizations at once, and ensure reinsurance and portfolio limits reflect that risk.
For businesses
- Treat pre-attack prevention as a core element of good cyber hygiene, not an optional add-on.
- Partner with providers, such as Malanta, that specialize in pre-attack visibility and disruption so you can reference and, where appropriate, require proven solutions.
- Make sure insurers are aware that you use these capabilities when purchasing insurance.
Bottom Line
AI-orchestrated attacks are already here, and the infrastructure that supports them is being built at scale, often before traditional security sees anything. Cyber insurers that require or strongly incentivize pre-attack prevention (solutions that find and disrupt this infrastructure in the setup phase) will be better positioned to select and price risk and to encourage the kind of defense that actually matches the threat.
The window to make this a standard part of cyber insurance is now; waiting until AI attackers are the norm will make it a necessity rather than a differentiator.
Full research available here: Link
About Malanta
Malanta is the Pre-Attack Prevention Platform. It detects, validates, and dismantles adversary infrastructure during the setup phase, enabling security teams to measure avoided risk through Mean Time to Preempt and campaign-level disruption metrics.
About Howden
Howden is a leading global insurance intermediary group with employee ownership at its heart. Founded in 1994, it provides insurance, reinsurance and underwriting services and solutions to clients ranging from private individuals to the largest multinational companies. The Group operates in 57 countries in Europe, the USA, Africa, Asia, the Middle East, Latin America, Australia and New Zealand, employs over 24,000 people and manages premiums totalling over $50 billion on behalf of its clients. Further information can be found at www.howdengroup.com and www.howdengroupholdings.com.








