
AI-powered cyberattacks are here, but the real threat is still people with a keyboard

CrowdStrike’s Adam Meyers says manual hacker attacks remain a massive problem for organizations, especially those primarily focused on protecting endpoints.


We may be in the age of AI-enhanced cyberattacks right now, but one thing is clear in 2025: You still can’t outsmart a hacker with a keyboard.

And crucially, threat actors are acutely aware of this fact, according to CrowdStrike’s Adam Meyers.


Manual attacks have actually gained in popularity lately, said Meyers, senior vice president of adversary operations at CrowdStrike, during a media briefing this week.

“More adversaries are doing hands-on-keyboard attacks,” he said, referring to attacks that don’t rely on malware or another tool.

Instead, in hands-on-keyboard attacks, hackers interact directly with a compromised system the old-fashioned way. Who needs automation?

Organizations should take note, as the manual approach remains “very difficult for security tools to detect,” Meyers said.

The reason is simple: it is behavioral.

“It’s not malware or (an) exploit,” he said. “It’s literally someone using Microsoft Edge or PowerShell or Python or a Bash shell to interact with the system.”

Other factors are compounding the threat posed by the rise of hands-on-keyboard attacks. With the continued shift to cross-domain attacks—cyberattacks that don’t focus on just one type of device or environment—hands-on-keyboard tactics are becoming extremely difficult to counter.

Meyers pointed to the methods of Scattered Spider — a group of young hackers blamed for the highly disruptive 2023 attacks against casino operators MGM and Caesars Entertainment — as an example.

Their tactics included phishing to obtain credentials, exploiting credentials to compromise cloud environments, establishing a foothold on a virtual machine hosted in the cloud, and establishing persistence on an endpoint by creating a new user.

In other words, these attackers don’t sit still for long.

And for organizations with a traditional security approach focused on protecting endpoints, this is a huge risk.

“If you’re only looking at one of those things — if you’re only looking at the endpoint — you’re not going to see identity or activity in the cloud,” Meyers said. “And that means you lose an opportunity to prevent that threat actor from being successful.”

Also, “if you’re only focused on identity or the cloud, you won’t have that comprehensive visibility to understand what’s happening across the entire environment. And threat actors thrive on that.”
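The visibility gap described above can be shown with a small correlation sketch. This is an added example, not code from CrowdStrike or the original article; the events are constructed, and the field names, action labels and one-hour window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs); schema and labels are assumptions.
EVENTS = [
    {"ts": "2025-01-10T09:02:00", "domain": "identity", "user": "jdoe", "action": "login_new_device"},
    {"ts": "2025-01-10T09:10:00", "domain": "cloud", "user": "jdoe", "action": "vm_created"},
    {"ts": "2025-01-10T09:31:00", "domain": "endpoint", "user": "jdoe", "action": "local_user_created"},
    {"ts": "2025-01-10T11:00:00", "domain": "endpoint", "user": "asmith", "action": "local_user_created"},
    {"ts": "2025-01-10T08:00:00", "domain": "identity", "user": "bwong", "action": "login_new_device"},
    {"ts": "2025-01-10T15:00:00", "domain": "cloud", "user": "bwong", "action": "vm_created"},
]


def single_domain_view(events, domain):
    """What a tool watching only one domain sees: isolated, unranked events."""
    return [e for e in events if e["domain"] == domain]


def cross_domain_chains(events, window=timedelta(hours=1), min_domains=3):
    """Return {user: [events]} where one identity's activity touches at least
    min_domains distinct domains inside a single sliding time window."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it fits the time limit.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            if len({e["domain"] for e in span}) >= min_domains:
                flagged[user] = span
                break
    return flagged


if __name__ == "__main__":
    print("endpoint-only view:", [e["user"] for e in single_domain_view(EVENTS, "endpoint")])
    for user, chain in cross_domain_chains(EVENTS).items():
        print(user, [(e["domain"], e["action"]) for e in chain])
```

The endpoint-only view shows two identical "new local user" events, while the joined view singles out the one account whose activity moved from identity to cloud to endpoint within the hour.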