When the Breach Never Happened
Picture this: a company's communications team arrives at work to find a published news story claiming the organization has suffered a significant data breach. The reporting is specific, technically plausible, and detailed enough to seem credible. Yet no systems were ever touched. No data was exfiltrated. A large language model fabricated the entire story, inventing technical specifics from scratch. Before the company could even orient itself, a journalist at a reputable publication had picked up the story and reached out for comment. Within hours, executives were mobilizing crisis communications resources to address an event that existed only in the output of an AI system.
A second incident illustrates a subtly different but equally disruptive dynamic. A company had, years earlier, suffered a genuine data breach that received substantial media coverage at the time. The incident was fully investigated, remediated, and closed. Then the outlet that originally reported on it launched a website redesign. Old articles received new URLs and updated timestamps. Search engines re-indexed that content as fresh reporting. AI-powered news aggregators interpreted the re-indexed signal as a developing story and flagged it accordingly. The company soon found itself fielding media and stakeholder inquiries about an incident that had been resolved long before.
A third case adds yet another layer of complexity. A cybersecurity publication ran an article about a business email compromise attack that cost a UK company close to a billion pounds. The piece quoted a well-known security researcher by name. In reality, he had never spoken to the publication. The quotes were AI-generated, attributed to him with full confidence, and published as fact.
Editor's note: The authors withheld full specifics about the incidents because complete disclosure could cause harm, but CyberScoop confirmed with the authors that the incidents did in fact take place.
A Foundational Assumption That No Longer Holds
Taken together, these three incidents reveal a threat category that most organizations have not yet prepared for. AI has acquired the capacity to fabricate convincing security incidents from nothing—complete with technical detail, named sources, and enough surface credibility to trigger full-scale crisis responses. Organizations that treat this as a distant or theoretical problem risk discovering very quickly how fast AI-generated fiction can become a real-world operational emergency.
Traditional cyber crisis response has always rested on a straightforward premise: something real happens, and then you respond. That premise is eroding. AI systems now generate, amplify, and validate claims before security teams have confirmed anything. Once a narrative enters the information ecosystem, it can be absorbed into threat intelligence feeds, risk-scoring platforms, and automated decision-making workflows. Fiction becomes signal.
For security teams, this represents a new class of false positive—not a noisy alert triggered by a misconfigured tool, but a fully formed external narrative that appears credible. A hallucinated breach can set off internal investigations, executive escalation, and defensive actions. Significant time and resources get diverted toward disproving something that never occurred.
How Fabricated Narratives Expand the Attack Surface
The implications extend beyond wasted resources. Fabricated breach narratives can actively shape real attacker behavior. Threat actors can weaponize false incident claims as pretext. Phishing emails that reference a supposedly "known incident" become considerably more convincing. Impersonation of IT staff or incident response teams becomes more effective when employees have already been primed by external reporting. The narrative itself becomes part of the attack surface.
Open source intelligence pipelines are increasingly automated. If those pipelines ingest false information, downstream systems act on it. That includes SIEM enrichment, third-party risk scoring, and in some environments, automated containment decisions. Security teams therefore need visibility not only into what is happening internally, but also into how their organization is being represented externally—across AI-generated content, news aggregators, and automated intelligence tools.
This kind of external narrative monitoring is not traditional threat intelligence, but it behaves like it. Early detection changes outcomes significantly.
What Security Teams Need to Do Differently
Security professionals are accustomed to monitoring for indicators of compromise. They now need to build capacity to monitor for what might be called indicators of narrative. The practical steps this requires include:
- Integrating external narrative monitoring into OSINT pipelines and threat intelligence workflows
- Establishing tighter coordination with communications teams so that technical reality and external perception can be managed in parallel when they diverge
- Treating AI auditing as a formal security control—systematically testing how AI systems describe the organization, its security posture, and any alleged incidents
- Ensuring that accurate, authoritative information exists in sources that AI systems prioritize when constructing narratives
AI auditing in particular represents one of the most effective controls available in this new environment. By regularly probing what machines effectively "believe" about an organization before those beliefs propagate into tooling, attacker behavior, or media coverage, security teams can identify and correct false narratives early.
The Pressure on Communications Teams
For communications professionals, the challenge is that the timeline has collapsed entirely. The first signal of an alleged breach may not come from the Security Operations Center. It may arrive via a journalist's inquiry, a customer complaint, or an automated monitoring alert. Silence is no longer a neutral posture. Where a narrative exists, AI systems will fill informational gaps with whatever is available—reinforcing inaccuracies with each successive iteration.
Responses in this environment need to be designed for machine consumption as well as human audiences. That means clear, declarative language, verifiable facts, and structured statements that can be parsed and reused by automated systems. The strategic objective is to establish a competitive presence in the information supply chain—ensuring that accurate signals outcompete fabricated ones.
Preparation is critical. This means having pre-approved language ready to deploy quickly, establishing coordination protocols with legal and security teams before an incident surfaces, and running tabletop exercises that include AI-fabricated narrative scenarios alongside conventional breach scenarios.
Shared Stakes and a Feedback Loop to Break
Security and communications teams are now operating in the same information environment whether they have acknowledged that convergence or not. A hallucinated breach can trigger genuine operational disruption: vendor relationships may be paused, connections to third-party systems severed, regulators may take interest, and markets may react—none of which requires an actual compromise to have occurred.
This dynamic creates a dangerous feedback loop. External narratives drive internal actions. Internal actions, when visible, reinforce external narratives further. Breaking that loop demands speed, coordination, and clarity from both functions simultaneously.
A Shift Toward Narrative Response
What these cases collectively demand is a shift in organizational mindset—from incident response to narrative response. Security teams must treat every externally surfaced alert as potentially fabricated until verified. Communications teams must prepare for narratives that form independently of what actually happened inside the organization. Both must operate with a clear-eyed understanding that perception alone can trigger consequences that are entirely real.
In this environment, the organizational ability to detect and respond to false narratives matters as much as the ability to detect and respond to actual breaches. The two capabilities now belong in the same strategic framework.
This op-ed was authored by Mary Catherine Sullivan, who holds a Ph.D. in political science from Vanderbilt University and serves as Senior Director of Data Science for Digital & Insights within FTI Consulting's Strategic Communications segment, and Brett Callow, a senior advisor in Cybersecurity and Data Privacy Communications at FTI Consulting with more than two decades of cybersecurity policy experience. Callow has been involved in high-profile ransomware incidents and has participated in panels at the Office of the Director of National Intelligence and the Aspen Institute, and has served on the Advisory Board of the Royal United Services Institute's Ransomware Harms project.
Source: CyberScoop