Hackers have always run the gamut—from the college kid in his parents’ basement to the nation-state in a sophisticated bunker. There has always been a gap between what an individual hacker could accomplish and what a well-funded nation-state could achieve. AI, however, is rapidly closing that gap, making the “college kid” far more dangerous than ever before.

Lakeidra Smith, Founder and CEO of The Cyber Consultant, LLC, agrees this isn’t a new threat—just a familiar one evolving in new ways.

“The idea of the ‘plug-and-play hacker’ isn’t new. Cybersecurity has dealt with versions of this problem for years. We used to call them ‘script kiddies’: low-skill attackers using prebuilt tools they didn’t fully understand. The difference now is scale, speed, accessibility, and realism,” Smith tells SmarterMSP.com.

Lower barriers, higher risk

What AI has changed, Smith explains, is the barrier to entry.

“Today’s attackers don’t necessarily need deep technical knowledge—or even strong communication skills—to generate convincing phishing emails, automate reconnaissance, mimic executive communication styles, write malicious scripts, or launch credential attacks. What once required moderate technical ability can now be accomplished with consumer-grade AI tools and criminal marketplaces that function almost like legitimate SaaS ecosystems.”

James Sheridan, CEO of Sheridan Technologies, reinforces the economic shift.

“Cybercrime has been productized. A person with modest skills can rent phishing infrastructure, buy stolen credentials, use commodity ransomware tooling, scan for known vulnerabilities, and follow playbooks or develop tools that used to require much more technical knowledge.”

Microsoft, he notes, has described phishing-as-a-service kits available for as little as $50 per month. “That is the real economic problem for SMBs—the cost to attack has collapsed.”

Why SMBs are prime targets

That economic shift makes SMBs especially attractive targets.

“Many have the same exposure as larger companies, but without the same security maturity,” Sheridan says. “They have Microsoft 365, VPNs, remote management tools, websites, payment systems, CRMs, cloud storage, and third-party vendors, but often lack strong MFA enforcement, asset visibility, logging, patch discipline, tested backups, and clear incident response ownership.”

For a part-time attacker, that’s enough. “They are not trying to defeat a hardened enterprise. They are looking for the easiest unlocked door.”

Smith adds, “These attackers may not be highly skilled individually, but they no longer have to be. The infrastructure, tooling, and even ‘customer support’ already exist. Cybercrime has become operationalized.”

Opportunistic vs. organized threats

So how does the part-time hacker differ from a nation-state or organized crime group? Jennifer Williams, Managing Director at Secarma, draws the distinction clearly. “Small-fry hackers tend to be opportunistic. They look for weak passwords, exposed services, old software, and obvious misconfigurations. Nation-state or organized crime groups are usually more targeted and patient, with better resources and clearer objectives.”

Sheridan agrees: “The difference is usually intent, patience, and resources. A nation-state may care about stealth, persistence, supply chain access, espionage, or strategic disruption. Organized cybercrime groups operate more like businesses, with specialization around access brokers, ransomware operators, negotiators, and data extortion. The part-time hacker is typically more opportunistic—noisier, less patient, and more tool-dependent.”

Still, he notes, “to the victim, the distinction may not matter much if payroll is down, customer data is exposed, or operations are frozen.”

Williams highlights the reality for SMBs: “The more immediate risk is not a cinematic cyberattack—it’s a known weakness left open long enough for someone with basic tools to exploit.”

Focus on the fundamentals

The good news: defending against opportunistic attackers doesn’t require exotic solutions.

Williams says the fix “often starts with fundamentals: patching, MFA, secure configuration, access control, and regular vulnerability scanning. The priority for CISOs and MSPs is to remove the easy wins attackers rely on, because opportunistic hackers usually move on when a target stops being simple.”

Sheridan’s recommended controls align closely: phishing-resistant MFA, strong identity hygiene, least privilege, patching internet-facing systems, locking down RMM tools, endpoint detection, immutable backups, tested recovery, email security, and basic network segmentation. He also points to CISA’s guidance for MSPs, emphasizing MFA enforcement on MSP accounts and disabling unused accounts.

“Those basics are exactly where a lot of real compromises begin,” he says.

On AI as a defensive tool, Sheridan urges realistic expectations.

“AI can help defenders, but it should not be treated like magic. I would use AI to review legacy code, summarize logs, surface anomalies, prioritize vulnerabilities, generate detection logic, and help smaller teams move faster. But human judgment still has to own architecture, risk decisions, and verification.”

After all, the same AI that helps defenders can also help attackers.

Sheridan’s final advice is straightforward: “The part-time hacker is dangerous because the economics now favor volume. They can afford to fail repeatedly until they find a soft target. SMBs and MSPs need to make themselves expensive to attack, noisy to probe, and fast to recover. That doesn’t require perfect security—but it does require discipline around the basics and much better visibility into the systems they already depend on.”

Photo: PeopleImages / Shutterstock


Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.
