The threat intelligence landscape has shifted dramatically — and most enterprises are dangerously behind. As adversaries abandon traditional dark web forums for Telegram, weaponize AI to compress multi-day attack chains into hours, and silently harvest credentials from devices that never touch a corporate firewall, the old model of perimeter defense is not just inadequate — it is obsolete.
Mandar Patil, Executive Vice President at threat intelligence firm Cyble, has a front-row view of this accelerating crisis. In a candid conversation with CISO Forum, he pulls no punches: from the catastrophically underestimated stealer log ecosystem, to the boardroom numbers that finally silence the “cost center” argument, to why a fully patched, fully trained organization can still be breached — and what that tells us about the deeper architectural failure at the heart of enterprise security today.

CISO Forum: Cyble monitors the Deep, Dark, and Surface Web simultaneously — what does the threat signal look like today compared to 18 months ago, and what’s driving that shift?
Mandar Patil: The volume of threat signals has grown significantly, but more importantly, the nature of threats has shifted from opportunistic to targeted. Cyble is seeing a sharp rise in Initial Access Broker activity, stealer log listings, and ransomware group communications on Telegram as actors migrate away from traditional dark web forums. AI is now being used to generate synthetic breach data, polluting threat feeds and creating alert fatigue. The biggest shift isn’t the noise; it’s how deliberate adversaries have become about evading detection.
CISO Forum: Agentic AI can now autonomously execute multi-step attacks. How fundamentally does that change enterprise defense architecture and are most security teams even aware of the gap?
Mandar Patil: Agentic AI compresses multi-step attack timelines from days to hours, which fundamentally breaks detection playbooks built around human-speed threats. SOC workflows, SIEM correlation rules, and IR processes all assume dwell time that no longer holds. Most security teams are aware of AI as a defensive tool, but severely underestimate it as an offensive capability multiplier. The architecture gap is real, and most enterprises won’t address it until they experience an AI-accelerated breach directly.
CISO Forum: You’re sitting on vast dark web intelligence. What’s the most underestimated threat vector that enterprises keep ignoring until it’s too late?
Mandar Patil: Stealer log ecosystems are the most consistently underestimated vector Cyble sees in dark web intelligence. Infostealers like Redline and Raccoon silently harvest credentials, session tokens, and browser data from personal or contractor devices, often entirely outside corporate security controls. By the time the data surfaces on dark web markets, it’s already actionable, and enterprises have no idea of the exposure. The reason it keeps being ignored is simple: it doesn’t trigger any internal alert, so it never feels urgent until an account takeover or breach makes it obvious.
CISO Forum: Supply chain attacks are getting more sophisticated. At what point in a vendor’s integration does an enterprise’s security perimeter effectively become meaningless?
Mandar Patil: The enterprise security perimeter effectively becomes meaningless the moment a vendor’s software or agent is granted persistent access to internal systems or data. At that point, the vendor’s security posture, patching cadence, employee hygiene, and third-party dependencies become your attack surface by proxy. Cyble sees supply chain compromise increasingly happening not at the code level but at the credential and identity level, where a vendor’s access tokens are stolen and used legitimately. Most enterprises don’t audit third-party access deeply enough or frequently enough to catch this before damage is done.
CISO Forum: CISOs are still fighting the “cost center” label in boardrooms. What’s the most compelling hard-number business case you’ve seen that finally changed that conversation?
Mandar Patil: The most compelling cases Cyble has seen involve quantifying the cost of a specific near-miss on an exposed credential set found on dark web monitoring that, had it been exploited, would have meant regulatory fines, breach notification costs, and customer churn. When a CISO can point to a real event and say, “this would have cost us $14M, and we caught it because of this investment,” the conversation shifts from cost center to risk mitigation. The hard number that resonates most in boardrooms is always an avoided cost tied to a credible, company-specific scenario, not industry averages. Generic breach cost statistics don’t move boards; specific near-miss dollar values do.
CISO Forum: AI-driven fraud is scaling faster than traditional fraud detection can respond. Where exactly is the detection model breaking down: data lag, feature blindness, or something else?
Mandar Patil: The core breakdown is data lag: fraud detection models are trained on historical patterns, but AI-generated fraud is synthetic and doesn’t resemble prior attack signatures. Feature blindness is the second problem: models optimized for known fraud typologies miss novel vectors, such as deepfake-assisted identity fraud or AI-generated phishing that passes behavioral checks. The feedback loop between detection and retraining is too slow relative to the speed at which adversarial AI is iterating. Enterprises need to shift from purely pattern-based detection toward anomaly-first models that flag deviation from baseline rather than matching known fraud signatures.
CISO Forum: If an enterprise has done everything right — patched, monitored, trained staff — and still gets breached, what does that tell you about the deeper structural problem in how we architect digital resilience today?
Mandar Patil: It shows that the perimeter-and-patch security architecture was never designed for the threat environment we’re actually in. The deeper structural problem is that most enterprises build resilience around preventing breaches rather than assuming breaches and engineering for rapid detection, containment, and recovery. A well-patched, well-trained organization that still gets breached almost always has a gap in visibility, something Cyble consistently sees as unmonitored third-party access, shadow IT, or exposed credentials that never surfaced internally. Digital resilience today has to be built on the assumption of compromise, not on its prevention.

