Your Security Tools Are the Target Now: Why Detection-First Architectures Are Failing Against AI-Driven and Zero-Day Exploits

Your endpoint detection tooling can no longer be your last line of defense. For attackers, it is the first thing they target and impact.

ESET researchers catalogued nearly 90 EDR killers actively used in ransomware intrusions right now. The attack sequence is consistent: get in, blind or bypass the security tool, then run the encryptor. Detection never fires because it can no longer see what is happening.

Two Linux kernel vulnerabilities disclosed this month show exactly how attackers get in before detection has a chance to respond. With Linux kernel CVE reporting increasing from ~300 in 2023 and 3,529 in 2024 to 5,530 in 2025; this gives insight into the challenge across the broader operating system ecosystem.

Copy Fail (CVE-2026-31431) is a logic flaw in the kernel's cryptographic subsystem. A 732-byte Python script exploits it to gain full root access on every major Linux distribution shipped since 2017. The exploit leaves no trace on disk. The corrupted page is never written back, so file integrity tools comparing on-disk checksums find nothing wrong.

Dirty Frag (CVE-2026-43284) landed the same month: a second kernel flaw that lets an attacker escalate privileges even against systems already patched for Copy Fail. Two separate paths to full system control, both disclosed in the same 30-day window.

The outcome is ransomware, disruption, data breach, or all of them. Canvas went down on May 1, 2026 after a criminal actor hit Instructure with ransomware. The extortion demand went to the provider and to each affected institution separately, catching thousands of education organizations in a single attack.

The core problem is that detection was not designed for this.

Every capability in common use today, whether signatures, behavioral rules, indicators of compromise, or technique mapping, depends on prior knowledge. A signature only catches something already documented. A behavioral rule only fires on a pattern someone previously defined. Copy Fail's in-memory page corruption has no on-disk signature to match. An EDR killer that modifies kernel memory to undo detection hooks has no behavior written yet.

Google's Threat Intelligence Group confirmed this month that adversaries used AI to find a zero-day vulnerability, generate a novel exploit to bypass 2FA, and are developing attacks that run at industrial scale. Copy Fail itself was discovered using AI-assisted research. ESET noted that AI is suspected in developing some of the EDR killers now in active use. The same capability compressing discovery-to-exploitation time on the defense side is already accelerating attack variation on the other.

As AI lowers the cost of finding and weaponizing new vulnerabilities, the volume of novel, undocumented threats will grow faster than detection can keep up.

Attackers could chain together an AI-driven exploit to bypass 2FA and then use Copy Fail to privilege escalate and gain full control of systems and then create persistence and move undetected. We are in dangerous times.

Patching is not a near-term answer. Critical kernel CVEs typically take 30 to 60 days to move through enterprise change management and reach production systems. Smaller organizations typically take 90 to 180 days, or leave systems unpatched entirely. That gap between public disclosure and deployment is exactly when exploitation is most concentrated.

Runtime Integrity is the verification capability that asks a question detection was never designed to ask: is this system still in the state it was built to be in?

Copy Fail corrupts a kernel page in memory while leaving the on-disk file unchanged. Runtime Integrity catches any kernel modification that could result after gaining root from that exploit. An EDR killer modifies kernel memory to undo detection hooks. Runtime Integrity catches that too. A service hidden, a swapped module: all are changes in system state, visible regardless of the technique used, regardless of whether the attack is AI-generated.

A team with Runtime Integrity in place would know the moment Copy Fail modified their system or an EDR killer tampered with system functionality. The novelty of the attack does not matter to a control that does not ask what happened, only whether the system is still intact.

Detection closes the door after it recognizes the key used to open it. Runtime Integrity watches whether the door moved at all.