THE SHORT VERSION
Any AI assistant that reads the open web has just inherited a new attack surface: the pages it retrieves. An attacker no longer has to break into your network. They publish a page that ranks, your AI pulls it in, and it quotes the lie back to you as fact. The web is filling with AI-written text that quotes other AI text, so this only gets easier to abuse. Treat retrieved text like user input: do not trust it until you check where it came from, prefer first-hand sources, and control which feeds your AI reads.

A live test: the advisory is one voice in a crowd
I ran this today, June 14. I searched a plain defender question, “how to remediate Akira ransomware step by step”, and looked at what came back. First the honest caveat: rankings move by engine, region, and day, so treat this as a snapshot, not a law. On Google the official CISA advisory ranks near the top, around second. In my run it sat fourth.
That the advisory ranks at all is the good news. The problem is what sits next to it. The joint CISA and FBI advisory #StopRansomware: Akira (AA24-109A) [1], first published April 2024 and updated November 2025, was one source among seven. The rest were removal-guide farms, recovery-service vendors, and marketing pages, and most of them never pointed back to the advisory at all.
# open-web search, 2026-06-13 (a snapshot; rankings move by engine, region, day)
# query: "how to remediate Akira ransomware step by step"

source                what it is                cites the advisory?
cisa.gov AA24-109A    the official advisory     this IS the source
pcrisk.com            SEO removal guide         no
underdefense.com      recovery-service vendor   no
cybelangel.com        vendor blog               yes, in a product pitch
sentinelone.com       vendor marketing page     no (cites no sources)
helpransomware.com    recovery-service vendor   not checked
beforecrypt.com       recovery-service vendor   not checked

the advisory is present, but it is one trusted source in a pile of commercial pages.
your AI does not have to pick it, and you cannot see which one it used.

The advisory is in the mix, which is the good news. The bad news is everything around it: templated removal guides and recovery-service vendors, most of which never cite it. Your assistant blends these into one answer, and you cannot see which source it leaned on.
Here is the part that matters for defense. You are not choosing the source; the model is, from a list where the trustworthy advisory and the marketing pages sit side by side, unlabeled. Anyone who can publish a page that ranks earns a seat at that table. AI widens the gap further, by filling the web with pages that quote each other until no human stands behind any of them.
How much of the web is AI-written
Nobody has a clean number for this, and anyone who quotes a single figure is usually selling the panic. Here is what the measurements actually say.
The most-quoted guess is Europol’s 2022 Facing Reality? report, which said as much as 90% of online content may be AI-made by 2026 [2]. Treat that as a high guess, not a measurement. The real measurements are smaller. Originality.ai put AI text in Google search results at about 19% as of January 2025 [3], and a separate Graphite study found that the count of new AI-written articles passed human-written ones in late 2024 [4].
The other side matters just as much. In October 2025, Axios reported a study finding AI writing had not taken over human-written content [5] across the web overall. So the honest three-to-five-year read is not “90% by Tuesday.” It is: a big and growing share, spread unevenly, and heaviest exactly where defenders search, in how-to pages, forum answers, and roundup blogs. The percentage is the wrong thing to watch. Whether you can still tell who wrote something is the right thing.
How a guess turns into a fact
Here is the chain, in four steps. A model makes up a believable detail. Someone publishes it without checking. A second model reads that page and repeats the detail, now with a link to it. A third model treats that link as proof. The guess is now a fact with a paper trail, and no person ever stood behind it.
This is the real-world version of what Shumailov and colleagues called model collapse in Nature in 2024 [6]: feed a model enough text that other models wrote, and it slowly gets worse and drifts away from reality. Their study was about training. The same loop runs faster and messier when a system answers live, pulling “fresh” web text into a reply with no idea who, or what, wrote it.
My own bet, and plenty of vendors will hate it: within two years, “cite your sources” will be close to useless as a sign of trust, because the sources will be AI-written too. The only thing left worth trusting is where something came from: who or what made it, and whether you can prove it. A link is just a pointer to someone else’s guess.
The new attack surface: the web your AI reads
Treat it as input you do not control. The moment your assistant, your SOC helper, or your in-house search bot reads from the open web, an attacker no longer has to break in. They just have to publish. Plant a few official-looking pages with the wrong fix, the wrong indicator, the wrong CVE detail, and let the bot pull them in. This trick is called retrieval poisoning, and the AI-quoting-AI loop is how it spreads: AI text is cheap, there is a lot of it, and it ranks well.
The harm is not abstract. It is a defender pasting an “official” fix that a model made up, during an incident when nobody has time to check the chain. A careful organization does not answer this by banning AI. That ship sailed, and it was never the threat. It answers by treating web text the way it already treats user input.
DEFENDER ACTION
This week, take one real answer your AI assistant gave during an investigation and open every source it used. How many are first-hand, the official advisory, the vendor’s own KB, the CVE record, versus removal-guide farms and marketing pages you cannot vouch for? For Akira the first-hand source is CISA AA24-109A at cisa.gov/stopransomware. Then check one concrete thing in your tool: can you pin or allow-list the domains you actually trust, cisa.gov, nvd.nist.gov, your vendors’ own KBs? If yes, add them today and re-run the same question. If the tool gives you no way to control where it reads, put that on your vendor checklist.
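One way to run that source audit and allow-list check, as an added example that is not part of the original article: it sorts the URLs behind one answer into first-hand and unvouched, matching hosts on a label boundary so lookalike hosts do not pass. The function names, the https-only rule, and the sample URLs (hosts from the table above plus constructed `.example` and `notcisa.gov` lookalikes) are assumptions of this example.

```python
from urllib.parse import urlsplit

# Allow-list named in the article; add your vendors' own KB domains here.
TRUSTED_DOMAINS = {"cisa.gov", "nvd.nist.gov"}

def source_host(url):
    """Lowercase hostname of an https URL, or None if it is not one."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
    except ValueError:
        return None
    # Assumption of this example: plain http can be altered in transit, so reject it.
    if parts.scheme != "https" or not host:
        return None
    return host.rstrip(".").lower()

def is_first_hand(url, trusted=TRUSTED_DOMAINS):
    """True only if the host is a trusted domain or a subdomain of one."""
    host = source_host(url)
    if host is None:
        return False
    # Compare on a label boundary, never by substring or bare suffix.
    return any(host == d or host.endswith("." + d) for d in trusted)

def audit_sources(urls, trusted=TRUSTED_DOMAINS):
    """Split the sources behind one answer into first-hand and unvouched."""
    report = {"first_hand": [], "unvouched": []}
    for url in urls:
        key = "first_hand" if is_first_hand(url, trusted) else "unvouched"
        report[key].append(url)
    return report

# Constructed sample: the advisory URL is from the article, the rest are made up.
SAMPLE_SOURCES = [
    "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a",
    "https://nvd.nist.gov/",
    "https://pcrisk.com/",
    "https://sentinelone.com/",
    "https://cisa.gov.attacker.example/aa24-109a",  # trusted name as a leading label
    "https://cisa.gov@attacker.example/aa24-109a",  # trusted name in the userinfo part
    "https://notcisa.gov/",                         # bare suffix, no label boundary
]

if __name__ == "__main__":
    for kind, items in audit_sources(SAMPLE_SOURCES).items():
        print(kind, items)
```
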
References
[1] CISA and FBI, #StopRansomware: Akira (AA24-109A), Apr 2024, updated Nov 2025. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
[2] Europol’s 90%-by-2026 projection, reported by Futurism
[3] Originality.ai, AI content in Google search results
[4] Graphite, more articles now made by AI than humans
[5] Axios, AI-written pages haven’t overwhelmed human content (Oct 2025). https://www.axios.com/2025/10/14/ai-generated-writing-humans
[6] Shumailov et al., AI models collapse when trained on recursively generated data, Nature 631 (2024). https://www.nature.com/articles/s41586-024-07566-y
All links checked June 14, 2026.