Skip to content
Chimera readability score 77 out of 100, Expert reading level.

Recent incidents show attackers moving beyond LLM-written phishing lures to using AI across attack chains. Security teams must sharpen playbooks in response.
Enterprises have worked for years to improve detection and response times in the face of increasingly sophisticated attacks that relied on manual hacking and living-of-the-land techniques. AI is now threatening to undo those efforts.
An increasing number of threat actors are automating all phases of attacks, including lateral movement by using LLM-powered agents, severely reducing the time from initial access to deep environment compromises.
“The real shift is speed, scale, and orchestration: familiar cloud attack techniques were executed faster and across more surfaces than defenders could comfortably contain,” wrote researchers from security firm Sygnia last week in a report about an AI-assisted cloud environment compromise they investigated.
Sygnia’s report came on the heels of research from Sysdig about a cyber intrusion and extortion campaign conducted end to end by an autonomous AI agent. Actions undertaken by the agent included harvesting credentials, mapping internal services, and establishing persistence.
What both incidents show is that AI attacks have graduated beyond LLM-written malware scripts and phishing lures to handling all stages of attack chains, including parts that previously required human reasoning and hands-on command execution adapted to the environment.
Last month researchers from the University of Toronto revealed that they managed to create an AI-powered self-replicating worm capable of autonomously finding and exploiting weaknesses in dozens of simulated systems. The researchers achieved this by leveraging an open-weight AI model and building an attack harness to keep it on track.
While it may not be surprising to security experts that this level of AI-assisted attack automation is already happening in the wild, it’s very unlikely that many companies have had time to adapt their defenses.
“What this exposes is a truth that all security personnel must come to terms with: Most breaches won’t hinge on advanced AI, but on unpatched systems, exposed services, and weak identity controls,” Gidi Cohen, CEO and co-founder of AI security startup Bonfy.ai, tells CSO. “AI just makes those gaps impossible to ignore. The organizations that will struggle aren’t the ones lacking AI defenses; they’re the ones still relying on human-speed security in a machine-speed threat environment.”
No need for zero-days
As aptly demonstrated by the U of Toronto study, AI agents don’t need sophisticated zero-day vulnerabilities to break into environments, because many environments have systems and applications with known flaws and generic weaknesses.
The attack documented by Sysdig, which its researchers dubbed JadePuffer, exploited a year-old vulnerability (CVE-2025-3248) in Langflow, ironically a tool for building AI agents. In the new attack documented by Sygnia, attackers exploited a weakness in a web application that enabled them to find a stored AWS key. From there they quickly made their way through the victim’s cloud environment with the help of AI automation.
“The threat actor was not exploiting a single misconfiguration; they were chaining weaknesses across application services, AWS resources, source-control repositories, CI/CD workflows, runtime components, and data stores, while rapidly executing credential discovery, secrets harvesting, cloud enumeration, deployment-pipeline abuse, runtime modification, database access, and operational disruption,” the researchers said.
As with the JadePuffer case, the attackers documented by Sygnia were focused on extorting money from the victim. To achieve this, they compromised as many AWS instances as possible, exfiltrated data but also set up multiple persistence points in the AWS environment. The goal was to put pressure on the victim by demonstrating that despite recovery efforts they still had access to the environment.
Speed is the new game
Once sophisticated attackers break into an environment they often spend weeks or even months slowly moving to other systems. This is in part because it takes time for a human team to gain a thorough understanding of the environment and to find where the most valuable systems are.
This activity is also often trial-and-error: The attackers perform reconnaissance to discover the network’s topology, find exploitable weaknesses in additional systems, and search them for stored credentials that could provide access to more targets, all while using existing OS tools or common system administration techniques that won’t trip malware and intrusion detection systems.
Active threat hunting is one way to counter such techniques that are designed to evade automated detection. When threat hunting, human analysts inspect the organization’s network and systems manually for signs of compromises that might have been missed by tools. This is a slow but effective defensive technique — but only if attackers operate with the same time constraints.
“Traditional incident response often relies on the assumption that attacker progression will generate enough observable signals for defenders to investigate and contain activity before access materially expands across the environment,” Sygnia’s researchers wrote in their report. “The observed attack pattern challenged this assumption. Forensic traces showed rapid, repeated activity consistent with automated or AI-assisted workflows for credential harvesting, permission analysis, vulnerability discovery, and attack-path mapping, allowing the intrusion to progress across multiple stages in a compressed time frame.”
And it wasn’t a case of simple automated scripts going through an attack playbook either, but workstreams that showed clear signs of environment adaptation. Every new access was rapidly assessed and resulted in actions tailored for that specific system, whether an EC2 instance, S3 bucket, SQL database, or a CI/CD runner on GitHub.
Prevention is back in the spotlight
The obvious answer to AI-assisted attacks is AI-assisted defense. But simply the presence of AI-powered features in detection and response products is not a guarantee for thwarting such fast and adaptive attacks. Organizations must ensure all these tools and workflows are well integrated into a coordinated process across their different teams.
Moreover, these attacks show the value of defense-in-depth actions such as continuous validation of configurations, fast patch deployment, frequent secrets rotation, network segmentation, IP-based access control rules, implementing the principle of least privilege for credentials, restricting administrative privileges, enabling multi-factor authentication, and isolating cloud workloads.
Sygnia also recommends building automated response playbooks that can be quickly adjusted and deployed when potential signs of compromise are detected.
“The skill floor for running a ransomware operation dropped to the cost of running an agent,” Dray Agha, senior manager of tactical response at security firm Huntress, tells CSO. “Very mediocre cyber criminals can now ‘level up’ their impact from AI. That should worry defenders more than any single new technique, as it means more attackers, more often, against more of the long tail of unpatched, exposed infrastructure.”

AI-powered breaches provide wake — Arc Codex