Singapore – New findings from ExtraHop suggest that enterprises remain vulnerable to increasingly evasive cyber threats, with many attacks going undetected for extended periods despite growing investment in AI-powered security tools.
ExtraHop’s latest analysis found that the rapid adoption of AI has expanded the attack surface for organisations, creating new opportunities for cybercriminals while adding complexity to security operations. At the same time, security teams continue to face challenges in identifying hidden threats, reducing dwell times, and managing growing volumes of alerts.
The report also found that security operations centres (SOCs) remain heavily reliant on manual processes. Despite increasing adoption of AI-driven security tools, many organisations continue to take a largely reactive approach to threat detection and response.
Among Singapore respondents, 32% identified AI agents, agentic infrastructure, and generative AI applications as the biggest cybersecurity risks facing their organisations. Concerns around AI-related threats were reflected in the findings, with 85% reporting security incidents, data exposures, or near misses linked to AI systems.
The most commonly cited AI-related incidents included third-party vendor or supply chain breaches involving integrated AI systems (41%), compromised AI identities and session theft (40%), shadow AI exposure (33%), AI-enhanced external attacks (32%), and agentic or API logic failures (30%).
The report also highlighted the growing presence of advanced threat actors in enterprise environments. In Singapore, the most frequently detected groups were the North Korea-linked threat actor Lazarus Group and ransomware group RansomHub. Other commonly detected actors included Midnight Blizzard, ALPHV, and APT41.
Detection delays remain a significant challenge. According to the report, ransomware attackers maintained access to enterprise networks for nearly two and a half weeks on average before being discovered.
Nearly half (47%) of organisations said threats were only detected after data had already been stolen, up sharply from 15% a year earlier. Meanwhile, 16% said they did not realise they had been compromised until they received a ransom demand, compared to just 1% in the previous year.
Respondents attributed delayed detection and investigation of critical alerts to several factors, including attackers using encrypted channels to evade detection (42%), alert fatigue causing warnings to be deprioritised (38%), malicious activity blending into legitimate workflows (37%), adversaries using valid high-privilege credentials (33%), and the absence of established behavioural baselines to identify anomalies (27%).
The findings also showed that ransomware payments remain widespread. While the average payment among Singapore organisations fell to US$2.6m from US$3.2m in 2025, the proportion of victims paying ransoms increased to 84%, up from 76% previously. Average downtime per incident was reported at 26 hours.
Despite increased adoption of AI-powered security technologies, respondents reported continued reliance on manual intervention throughout the threat response process. Manual involvement was required in detection (41%), alert triage (39%), investigation (49%), and response (48%).
As a result, SOC analysts spend only 41% of their time on proactive activities such as threat hunting and detection engineering, with the majority of their workload dedicated to reactive triage and manual investigation tasks.
The report also found that AI tools can contribute to operational challenges. Nearly one-third (30%) of respondents said AI-generated alerts had produced false positives that negatively affected investigation timelines.
“When you look at the big picture of modern cyber risk, the thread connecting every major challenge, from missed detections and prolonged dwell times to AI false positives, is a fundamental lack of situational awareness, or ground truth,” said Raja Mukerji, Co-founder and Chief Scientist, ExtraHop.
He added, “As threat actors leverage AI to scale their operations, defenders are countering with automated operations that don’t have the context required to make definitive decisions. The network bridges this critical gap, revealing exactly how threats are moving and communicating so security teams have the full picture. Until we enrich our security tooling and AI agents with deep, real-time network context, attackers will continue to have the upper hand.”