SANS Top 5 Attack Techniques All Use AI — What This Means for File Transfer
On March 24, 2026, the SANS Institute presented its annual Top 5 Most Dangerous New Attack Techniques at the Moscone Center. For the first time in the keynote's history, every single technique carried an AI dimension.
As SANS President Ed Skoudis put it: "We would be lying if we said attacks didn't involve AI. That is just where we are."
The findings validate what we have been building toward since MnemoShare's inception: legacy security models — static credentials, monolithic architectures, manual response — cannot survive in a world where attackers operate at machine speed. The implications for file transfer infrastructure are immediate and concrete.
What SANS Found
The five techniques presented paint a picture of a threat landscape that has fundamentally shifted:
1. AI-Generated Zero Days Are No Longer Scarce
Joshua Wright, SANS Faculty Fellow, demonstrated that AI has eliminated the economic barrier to zero-day development. What once cost millions and required elite skill is now accessible to anyone with an LLM. Organizations face hundreds of AI-generated exploits weekly rather than one or two.
The Verizon 2024 DBIR found that half of critical vulnerabilities remain unpatched 55 days after fixes become available. When AI can discover and weaponize vulnerabilities faster than organizations can patch them, every exposed service becomes a target — including the SFTP servers and MFT appliances that most organizations have not thought about in years.
As researcher Nicholas Carlini noted: "Future LLMs will likely be better than any of us at identifying vulnerabilities and building exploits."
2. Supply Chain Attacks Have Doubled
Third-party involvement in breaches doubled to 30%. Over 454,000 malicious packages were published to open-source registries in 2025 alone — a 75% increase. Wright cited the example of 7-Zip containing 300 unique dependencies, any one of which could compromise the entire chain.
This is directly relevant to file transfer. Legacy MFT platforms are monolithic appliances built on sprawling dependency trees. When MOVEit Transfer was compromised through a SQL injection (CVE-2023-34362), the lesson was not that Progress Software was careless; it was that a single vulnerability in a monolithic architecture gave attackers access to everything at once: credentials, file storage, and audit logs.
3. Attack Speed Has Compressed to Hours
Rob T. Lee, SANS Chief AI Officer, presented the most striking data point: AI-driven attack workflows can compress the path from initial intrusion to domain administrator compromise to eight minutes. Public vulnerability disclosure to weaponized deployment now happens within 24 hours.
Eight minutes. That is the window defenders have.
If your file transfer credentials are SSH keys that last for months, service account passwords that rotate quarterly, or API tokens that never expire — eight minutes is more than enough time to extract them all.
4. Defenders Must Match Attacker Speed
Lee demonstrated Protocol SIFT — the SANS forensics platform embedded with AI — completing a complex multi-week intrusion investigation in 14 minutes and 27 seconds. Work that typically requires three days of expert analysis was done in under 15 minutes.
The lesson is not that AI replaces human judgment — Heather Barnhart's presentation on forensics made clear that "the human is the decision point" — but that defenders who do not leverage AI for detection and response will be overwhelmed by attackers who do.
What This Means for File Transfer
The SANS findings describe a world where:
- Vulnerabilities in your infrastructure will be found by AI before your security team knows they exist
- The time from discovery to exploitation is measured in hours, not weeks
- Static credentials are not just a compliance gap — they are an open invitation to AI-assisted lateral movement
- Monolithic architectures create single points of compromise that AI-powered attackers can exploit at scale
Legacy file transfer (SFTP servers and MFT appliances such as MOVEit, GoAnywhere, Kiteworks, and GlobalScape) was designed for a world where attackers were humans working at human speed. That world is over.
The Credential Problem Is Now Critical
Consider what the SANS findings mean for SSH key infrastructure:
Before AI-powered attacks: An attacker who obtained an SSH key needed skill, time, and knowledge to exploit it. Manual reconnaissance, manual lateral movement, manual data exfiltration. The time from compromise to damage was measured in days or weeks.
After AI-powered attacks: An attacker with an SSH key and an AI assistant can enumerate every system that key accesses, identify the most valuable data, and exfiltrate it — all within the eight-minute window SANS documented. The AI handles the reconnaissance, the lateral movement planning, and the data identification. The attacker just clicks.
This is why the SANS presentation referenced "script kiddies" being supercharged. The skill barrier that once limited the damage from credential theft has been removed by AI. A stolen SSH key in the hands of a novice with an uncensored LLM is now as dangerous as a stolen SSH key in the hands of an APT group.
Ephemeral Credentials Are the Answer
MnemoShare was built for exactly this threat model:
60-minute access tokens instead of permanent SSH keys. Even if an AI-powered attacker obtains a credential, it expires before a sustained campaign can be executed. The blast radius shrinks from months to minutes. Expiry bounds how long a stolen credential stays useful; it does not by itself stop what can be done inside that window, which is why it is paired with the identity binding and reuse detection described below.
Identity-bound access instead of key-based trust. Possessing a key is no longer equivalent to being authorized. Every access requires verified identity through your enterprise SSO with enforced MFA.
Hardware-backed mTLS for the highest-assurance flows. Private keys generated inside YubiKey, TPM 2.0, or Secure Enclave hardware cannot be copied out by software: they never exist outside the hardware module, so a key that does not exist in software cannot be exfiltrated. One caveat a practitioner should keep in mind: a non-exportable key can still be used by malware running on the host while the device is attached, so hardware binding stops key theft and offline reuse rather than every misuse during an active session; user-presence (touch) and PIN policies narrow that remaining window.
Rotation with reuse detection. Every refresh issues a new refresh token and retires the old one. If an attacker steals a refresh token, whichever party presents a token second is presenting one that has already been retired, and that reuse triggers automatic revocation of the entire token family, cutting off the attacker's session along with the legitimate one. Credential theft is detected and contained without human intervention, and the user simply signs in again.
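To make two of the mechanisms above concrete (the 60-minute access tokens from the first item and rotation with reuse detection from the last), here is an added Python illustration. It is not MnemoShare's code: it assumes a hypothetical in-memory token service, an assumed refresh-token lifetime, and an access-token check that consults revocation state (a stateless JWT design would rely on expiry alone). It goes slightly beyond the text by showing both orderings of the race, the legitimate user rotating first and the attacker rotating first.

```python
"""Refresh-token rotation with family-wide reuse detection.

Added illustration (not from the page or the product). Every refresh token
belongs to a "family" created at login. Each refresh issues a new token in the
same family and retires the old one; presenting a retired token is treated as
evidence of theft and revokes the whole family, whichever party presents it.
"""
import secrets
import time

ACCESS_TTL = 60 * 60        # 60-minute access tokens, as the text describes
REFRESH_TTL = 24 * 60 * 60  # assumed refresh-token lifetime (hypothetical)


class TokenService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.families = {}       # family_id -> {"current", "revoked", "subject"}
        self.refresh_index = {}  # refresh token -> family_id (current AND retired)
        self.access_tokens = {}  # access token -> (family_id, expires_at)

    def login(self, subject):
        fid = secrets.token_hex(8)
        self.families[fid] = {"current": None, "revoked": False, "subject": subject}
        return self._issue(fid)

    def _issue(self, fid):
        refresh = secrets.token_urlsafe(32)
        access = secrets.token_urlsafe(32)
        self.families[fid]["current"] = refresh
        self.refresh_index[refresh] = fid   # retired tokens stay indexed on purpose
        self.access_tokens[access] = (fid, self.clock() + ACCESS_TTL)
        return {"access": access, "refresh": refresh, "family": fid}

    def refresh(self, refresh_token):
        fid = self.refresh_index.get(refresh_token)
        if fid is None or self.families[fid]["revoked"]:
            return None
        if self.families[fid]["current"] != refresh_token:
            # A retired token was presented: someone already rotated past it.
            # We cannot tell thief from victim, so the whole family dies.
            self.revoke_family(fid)
            return None
        return self._issue(fid)

    def revoke_family(self, fid):
        self.families[fid]["revoked"] = True
        self.families[fid]["current"] = None

    def validate_access(self, access_token):
        entry = self.access_tokens.get(access_token)
        if entry is None:
            return None
        fid, expires_at = entry
        if self.clock() >= expires_at or self.families[fid]["revoked"]:
            return None
        return self.families[fid]["subject"]


def demo():
    """Walk both race orderings plus access-token expiry; returns outcomes."""
    now = [1_000_000.0]                       # controllable clock for the demo
    svc = TokenService(clock=lambda: now[0])

    # Case 1: attacker copies the refresh token; the user rotates first.
    alice = svc.login("alice@example.com")    # constructed identity
    stolen = alice["refresh"]
    alice2 = svc.refresh(alice["refresh"])    # legitimate rotation -> new pair
    attacker = svc.refresh(stolen)            # replay of retired token -> None, family revoked
    alice_after = svc.refresh(alice2["refresh"])
    alice_access_after = svc.validate_access(alice2["access"])

    # Case 2: attacker rotates first; the user's next refresh exposes it.
    bob = svc.login("bob@example.com")        # constructed identity
    attacker2 = svc.refresh(bob["refresh"])   # attacker wins the race, holds a live pair
    bob_retry = svc.refresh(bob["refresh"])   # user replays retired token -> family revoked
    attacker2_access = svc.validate_access(attacker2["access"])

    # Expiry: a valid access token stops working once the 60 minutes elapse.
    carol = svc.login("carol@example.com")    # constructed identity
    before = svc.validate_access(carol["access"])
    now[0] += ACCESS_TTL + 1
    after = svc.validate_access(carol["access"])

    return {
        "user_first_attacker_rejected": attacker is None,
        "user_first_family_dead": alice_after is None and alice_access_after is None,
        "attacker_first_user_retry_rejected": bob_retry is None,
        "attacker_first_attacker_cut_off": attacker2_access is None,
        "access_valid_before_expiry": before == "carol@example.com",
        "access_invalid_after_expiry": after is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The design choice worth noting is that retired refresh tokens remain indexed to their family. Forgetting them (the naive implementation) would make a replayed token merely "unknown", which loses the signal that theft occurred and leaves the attacker's already-issued pair alive in case 2.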
Architecture Matters More Than Ever
The SANS supply chain findings reinforce why monolithic MFT architectures are untenable. A single vulnerability in MOVEit or GoAnywhere gives attackers access to credentials, file storage, and audit logs simultaneously. When AI can find these vulnerabilities faster than vendors can patch them, the monolithic blast radius is not just a theoretical risk — it is an expected outcome.
MnemoShare's Kubernetes-native architecture isolates the control plane, data plane, and evidence pipeline. A vulnerability in one component does not compromise the others. Application-layer encryption with customer-controlled keys means that even complete platform compromise yields only ciphertext. Audit logs exported to WORM storage cannot be tampered with by compromised administrators or AI-assisted attackers, provided the retention lock is enforced by the storage provider under credentials the platform's own administrators do not hold.
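WORM storage prevents overwriting at the storage layer; a customer still needs a way to check that the exported records are the ones the platform actually produced and that none were altered or dropped before export. The following added Python illustration (not MnemoShare's code or export format) shows one common way to do that: a SHA-256 hash chain over JSON-lines records, sealed with an HMAC under a key assumed to be held by the customer rather than the platform. The event records, key, and field names are constructed for the example.

```python
"""Tamper-evident audit export: hash chain plus customer-held HMAC seal.

Added illustration, not from the page. Each record hashes over its own fields
plus the previous record's hash, so editing, dropping or reordering any record
breaks every hash after it; the HMAC over the chain head, computed with a key
the platform never holds, catches truncation at the end of the file.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # hash "before" the first record


def _canonical(obj):
    # Deterministic serialization so any verifier recomputes identical hashes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_chain(events, seal_key):
    """Return (jsonl_text, seal) for a list of event dicts."""
    records, prev = [], GENESIS
    for seq, event in enumerate(events):
        body = {"seq": seq, "prev": prev, **event}
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        records.append({**body, "hash": digest})
        prev = digest
    seal = hmac.new(seal_key, prev.encode(), hashlib.sha256).hexdigest()
    return "\n".join(json.dumps(r, sort_keys=True) for r in records), seal


def verify_chain(jsonl_text, seal_key, seal):
    """Return (ok, reason). Recomputes every hash and checks the sealed head."""
    prev = GENESIS
    for line in jsonl_text.splitlines():
        rec = json.loads(line)
        stored = rec.pop("hash", None)
        if rec.get("prev") != prev:
            return False, f"chain break at seq {rec.get('seq')}"
        if hashlib.sha256(_canonical(rec)).hexdigest() != stored:
            return False, f"hash mismatch at seq {rec.get('seq')}"
        prev = stored
    expected = hmac.new(seal_key, prev.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, seal):
        return False, "seal mismatch: head does not match customer-held seal"
    return True, "ok"


def demo():
    """Build a small export, then try three tampering patterns against it."""
    key = b"customer-held-seal-key"  # constructed; in practice kept outside the platform
    events = [  # constructed sample events
        {"ts": "2026-03-24T09:00:00Z", "actor": "alice@example.com",
         "action": "upload", "object": "q1-ledger.csv", "bytes": 48213},
        {"ts": "2026-03-24T09:04:12Z", "actor": "svc-erp",
         "action": "download", "object": "q1-ledger.csv", "bytes": 48213},
        {"ts": "2026-03-24T09:30:00Z", "actor": "admin@example.com",
         "action": "delete", "object": "q1-ledger.csv", "bytes": 0},
    ]
    export, seal = build_chain(events, key)
    intact = verify_chain(export, key, seal)

    lines = export.splitlines()
    # 1. An administrator rewrites who downloaded the file.
    edited = json.loads(lines[1])
    edited["actor"] = "alice@example.com"
    edited_export = "\n".join([lines[0], json.dumps(edited, sort_keys=True), lines[2]])
    # 2. The final record (the deletion) is removed: hashes still line up, seal does not.
    truncated_export = "\n".join(lines[:2])
    # 3. A record in the middle is dropped: the next record's prev no longer matches.
    dropped_export = "\n".join([lines[0], lines[2]])

    return {
        "intact": intact,
        "edited": verify_chain(edited_export, key, seal),
        "truncated": verify_chain(truncated_export, key, seal),
        "dropped": verify_chain(dropped_export, key, seal),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The seal is what distinguishes "the chain is internally consistent" from "this is the chain the customer was given": without it, an attacker who controls the exporter could simply truncate the file and recompute nothing.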
The Cost Equation Has Changed
Organizations spending $30,000 to $100,000 per year on legacy MFT platforms are paying for infrastructure that was designed for a threat landscape that no longer exists. The SANS findings make the return on migration concrete:
- Reduced breach exposure: Ephemeral credentials limit blast radius to minutes instead of months
- Eliminated credential management overhead: No SSH keys to rotate, no service accounts to audit, no API tokens to track
- Evidence-grade audit trails: Immutable, WORM-exported logs that survive the AI-assisted attacks SANS described
- Modern architecture: Kubernetes-native deployment that can be patched without downtime, shortening the 55-day patching gap Verizon identified
The decision is straightforward: continue paying premium prices for 30-year-old technology that AI-powered attackers can defeat in eight minutes, or migrate to infrastructure designed for the threat landscape SANS just documented.
Taking Action
The SANS Top 5 is not a prediction — it is a description of attacks happening now. Organizations that treat this as future risk will be the ones explaining to regulators why they were still using permanent SSH keys when AI-assisted attackers came through.
Three steps to start:
- Audit your credential exposure. How many SSH keys, service account passwords, and API tokens provide access to your file transfer infrastructure? How many have been rotated in the last 90 days?
- Assess your blast radius. If a single credential is compromised, how much data is accessible? How long before you would detect it?
- Evaluate modern alternatives. Compare MnemoShare's security architecture against your current platform. Request a demo to see ephemeral credentials, hardware mTLS, and evidence-grade audit logging in action.
The SANS Institute and MnemoShare arrived at the same conclusion independently: the security models we built 30 years ago cannot survive AI-powered threats. The difference is that SANS is documenting the problem. We built the solution.
Explore MnemoShare's security architecture | View pricing | Request a demo