Commonwealth Bank builds AI threat hunter as vendors fall behind on emerging risks

Privacy Reporter

Australia's Commonwealth Bank developed its own agentic AI tools for threat hunting after vendor solutions proved too slow to address AI-powered attacks, reducing response times from days to minutes while tackling analyst burnout.

Australia's Commonwealth Bank has built its own agentic AI threat hunting tools after finding that commercial vendors cannot keep pace with emerging AI-powered cyber threats, according to Andrew Pade, the bank's General Manager of Cyber Defence Operations.

Speaking at Gartner's Security & Risk Management Summit in Sydney, Pade revealed that when he joined the bank six years ago, it logged 80 million daily threat signals. That figure has now exploded to 400 billion signals per week - a 5,000-fold increase that Pade directly attributes to AI's impact on both attack volume and sophistication.

The scale of this growth presents an existential challenge for cybersecurity teams. Traditional defenses cannot manage such volumes, and Pade expressed concern about the mental health impact on new graduates entering the field. Unlike his own career path that began on help desks, today's cybersecurity graduates walk into high-pressure environments where they face overwhelming threat volumes from day one.

"One of the things that really concerns me is taking that off the table," Pade said. "I wanted our first-level analysts to access the same knowledge our senior people have, in the fastest way. That was the tipping point: How do I take scale off the table, and how do I ensure all our agents are working in cyber in 20 years' time instead of burning out?"

The bank's response was to develop proprietary agentic AI tools that can ingest threat intelligence from multiple sources, analyze it against the bank's own data, and identify risks across its complex infrastructure spanning legacy systems, on-premises infrastructure, SaaS applications, and cloud workloads.

This internal development became necessary because, as Pade explained, "infosec vendors can't keep up with emerging threats and the bank can't wait for a product." The bank previously required two days to assess emerging threats and prepare risk hypotheses. The new AI agent accomplishes this in 30 minutes and generates comprehensive reports.

Pade detailed how AI has transformed the attack landscape. His team investigated phishing emails and websites, finding identical code - sometimes with clear artifacts of AI coding tools - across multiple attacks. "The lure changed, but the backend was the same," he noted. This pattern indicates that attackers are using AI to rapidly generate variations of successful attack frameworks.

The bank developed a second agent specifically designed to identify indicators of compromise and produce rapid reports. This automation elevates infosec analysts from routine monitoring tasks to higher-level problem-solving roles.

However, AI adoption has created new challenges. When the bank used AI for red team security assessments, it discovered that human-authored red team reports include detailed evidence to satisfy legal requirements, while AI-generated documents may not consistently report the same threat twice. "AI is non-deterministic," Pade explained. "So we had to find a way to put deterministic points in a non-deterministic flow. It was a real mind shift for our red teams."

The bank now assigns deterministic outcomes to attacks, enabling its agents to make more repeatable predictions. Developing these tools required close collaboration between frontline security staff and data scientists. An initial attempt where security teams simply handed problems to data scientists "didn't solve the problem," Pade admitted.

"Throwing the problem over the fence and waiting for a solution was not the answer," he said. "They knew the AI, we knew the outcome. The people closest to your problem are best to solve it."

Pade emphasized that every organization must now grapple with how to integrate AI to eliminate monotonous tasks in cybersecurity operations. Given that AI enables cybercriminals to scale their attack volumes to new heights, organizations that fail to adopt similar automation will be overwhelmed.

"You will see attacks like we do, like it or not," he warned. "I would be asking your teams: 'How are we solving that problem?'"

The Commonwealth Bank's experience highlights a broader trend in cybersecurity: as AI transforms both offensive and defensive capabilities, organizations are finding that commercial solutions cannot keep pace with rapidly evolving threats. Building internal AI capabilities has become not just advantageous but necessary for survival in an environment where threat volumes have increased by orders of magnitude and traditional approaches have become obsolete.
