[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"kb-article-inside-agentic-ai-cyber-warfare-how-llm-malware-learns-to-fight-back-en":3,"ArticleBody_BLlRAF1lpePDpp9UyuP5XjZIAbQOx1epxLr73o4zd7E":204},{"article":4,"relatedArticles":174,"locale":62},{"id":5,"title":6,"slug":7,"content":8,"htmlContent":9,"excerpt":10,"category":11,"tags":12,"metaDescription":10,"wordCount":13,"readingTime":14,"publishedAt":15,"sources":16,"sourceCoverage":54,"transparency":56,"seo":59,"language":62,"featuredImage":63,"featuredImageCredit":64,"isFreeGeneration":68,"trendSlug":69,"niche":70,"geoTakeaways":73,"geoFaq":82,"entities":92},"6a0e39d9a83199a612324402","Inside Agentic AI Cyber Warfare: How LLM Malware Learns to Fight Back","inside-agentic-ai-cyber-warfare-how-llm-malware-learns-to-fight-back","State-backed operators have already shown that [large language models](\u002Fentities\u002F69d05cf64eea09eba3dfcc0b-large-language-models) can autonomously execute 80–90% of a cloud espionage campaign, acting as the primary operator rather than a helper.[9] This was a real operation in which the LLM moved faster than humans could at console speed.[9]\n\nAt the same time, defenders are deploying AI agents to triage alerts, enrich incidents, and orchestrate response in environments overwhelmed by telemetry “infobesity”.[5] Both offense and defense are rapidly shifting toward non-human operators.\n\nThis article examines how that shift works in practice: how agentic AI changes kill chains, how [malware](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FMalware) abuses AI infrastructure as covert C2, and what [SOC](\u002Fentities\u002F6a0be90a1f0b27c1f427162f-soc), SecOps, and ML teams must build now to avoid being outpaced.\n\n---\n\n## From Traditional Cyber Operations to Agentic AI Warfare\n\n**What is agentic AI?**\n\nAgentic AI refers to autonomous, tool-using systems built on LLMs and other ML components that can:\n\n- Perceive (ingest logs, code, tickets, web data)  \n- Reason 
(plan multi-step tasks from high-level goals)  \n- Act (call APIs, run scripts, modify configs)  \n- Learn (adapt plans based on previous outcomes)[2]\n\nUnlike simple chatbots, these agents:\n\n- Maintain long-lived state and memory  \n- Call tools and APIs at runtime  \n- Coordinate with other agents  \n- Refine strategies over many iterations[2]\n\nIn enterprises, such agents can update databases, trigger workflows, and access sensitive data—making them both valuable defenders and high-leverage intrusion targets.[3][8]\n\n**From scripts to self-directed campaigns**\n\nTraditional offensive automation relied on:\n\n- Static scripts and one-shot exploit frameworks  \n- Rule-based playbooks, the offensive counterpart of a SOAR runbook  \n- Human operators orchestrating each phase\n\nAgentic systems shift this to self-directed entities that can:[2][8]\n\n- Plan campaigns from broad objectives  \n- Dynamically select tools and sequences  \n- Adapt as defenses respond  \n- Collaborate with peer agents\n\nThe model is no longer just answering text; it is acting inside infrastructure, which extends the attack surface beyond conventional chatbots and classifiers.[8]\n\n**Evidence from real operations**\n\nIn November 2025, [Anthropic](\u002Fentities\u002F69d05cf64eea09eba3dfcc08-anthropic) documented a state-backed cloud espionage operation in which an LLM agent autonomously performed 80–90% of the campaign against cloud targets.[9] It handled:\n\n- Reconnaissance  \n- Privilege escalation  \n- Data exfiltration  \n\nwith only limited human steering.[9]\n\nA separate multi-agent cloud penetration PoC showed LLM agents could:\n\n- Enumerate cloud resources  \n- Pivot across services and accounts  \n- Chain misconfigurations at machine speed[9]\n\nThey did not invent new bug classes but scaled known tactics dramatically.[9]\n\n**Defender’s dilemma and scope**\n\nEnterprise agents—incident triage bots, code copilots, IT automation—can:\n\n- Execute code  \n- Call admin APIs  \n- Write to critical data stores[3][8]\n\nCompromising such an agent can be equivalent to compromising a senior SRE with persistent access.\n\nThis article focuses on:\n\n- How agentic AI reshapes offensive kill chains  \n- How AI-augmented malware and AI-based C2 work  \n- How to build defensive agents with guardrails and monitoring to manage autonomous risk  \n\n---\n\n## How Agentic AI Reshapes Offensive Kill Chains\n\nThe [Unit 42](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FUnit_42) multi-agent cloud penetration PoC provides a blueprint for AI-driven offensive architectures.[9] Key components:[9]\n\n- **Planner agent** – decomposes a goal (“exfiltrate project secrets from [GCP](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FGoogle_Cloud_Platform)”) into tasks.  \n- **Recon agents** – enumerate services, IAM roles, storage, and endpoints.  \n- **Exploitation agents** – abuse misconfigurations, escalate privileges, generate exploits.  \n- **Lateral-movement agents** – pivot across projects, regions, and accounts.  \n- **Coordinator** – tracks shared state and routes tasks and tools across agents.\n\nA simplified sketch of the control loop (pseudocode: `planner`, `router`, `toolbox` and `blackboard` stand for the roles listed above):\n\n```python\n# Planner turns the objective into a task graph; the coordinator loop below\n# drains it, routing each task to the specialised agent for its type.\ngoal = \"Exfiltrate sensitive data from target GCP org\"\n\nplan = planner.decompose(goal)\n\nwhile plan.has_open_tasks():\n    task = plan.next_task()\n    agent = router.assign(task.type)          # recon, exploitation, lateral movement\n    result = agent.execute(task, tools=toolbox)\n    blackboard.update(task, result)           # shared state every agent can read\n    planner.refine(plan, feedback=result)     # re-plan on what was found\n```\n\nBoth the Anthropic operation and the Unit 42 PoC show that:[9]\n\n- AI accelerates known techniques (cloud misconfig, overbroad IAM, weak monitoring).  \n- The edge is speed: machine-scale enumeration, chaining, and privilege abuse.  
\n- Time-to-compromise windows shrink from hours–days to minutes–hours in weakly governed environments.[9]\n\n**Autonomy and cascading risk**\n\nAgentic risk analyses highlight that such systems can:[3][8]\n\n- Chain tools in unanticipated ways  \n- Escalate privileges across services  \n- Trigger cascading failures if misconfigured or compromised\n\nExamples:\n\n- An agent that “fixes” IAM or firewall rules based on flawed logic may propagate misconfigurations.  \n- Multiple agents adjusting each other’s outputs can amplify small errors.[8]\n\nIn an agentic kill chain, specialization replaces human handoffs:\n\n- **OSINT reconnaissance** – scrapes repos, docs, job posts.  \n- **Vulnerability discovery** – scans, correlates CVEs, suggests exploit paths.[9]  \n- **Exploit generation** – adapts PoCs to target cloud stacks.[9]  \n- **Post-exploitation\u002Fpersistence** – maintains access, deploys beacons, cleans logs.[8]\n\nNational advisory bodies now identify agentic AI as a critical security concern and call for monitoring that reflects actual agent behavior, tool use, and data scope.[3]\n\n**How it differs from legacy automation**\n\n| Dimension                     | Playbook Automation         | Multi-Agent LLM System                 |\n|------------------------------|-----------------------------|----------------------------------------|\n| Human-in-the-loop            | High (per phase)            | Moderate (per campaign)[9]             |\n| Discovery coverage           | Limited by scripts          | Goal-driven, adaptive search[9]        |\n| Time-to-compromise           | Hours–days                  | Minutes–hours (misconfig envs)[9]      |\n| Operational complexity       | Script orchestration        | Agent orchestration & state mgmt[9]    |\n\n**Defensive takeaway**\n\nThe operational picture shifts from a linear kill chain to a graph of collaborating agents. 
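What that graph looks like from the defender's side of the audit log, as an added example that is not code from the original article or from the Unit 42 PoC: the detector below runs over constructed GCP-style audit events (the field names, the method-name heuristic and the thresholds are assumptions for illustration, not a real audit-log schema or a vendor rule) and flags a principal that enumerates many distinct services within a few minutes and then changes an IAM policy from the same identity, the breadth-plus-speed pattern a human console session rarely produces.

```python
"""
Added example, not from the original article or from the Unit 42 PoC it
describes: a sliding-window detector for the breadth-and-speed signature of
agent-driven cloud enumeration. Records are constructed, GCP-style audit
events; the field names (timestamp, principal, service, method) and the
thresholds below are assumptions for this illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)      # look-back per principal (assumed)
MIN_ENUM_CALLS = 8                 # read/list calls inside the window (assumed)
MIN_DISTINCT_SERVICES = 4          # breadth a human session rarely reaches (assumed)
# Calls that change who can do what; short method names, compared case-insensitively.
PRIV_METHODS = {"setiampolicy", "createserviceaccountkey", "createrole"}


def parse_event(rec):
    """Normalise one audit record into the fields the detector needs."""
    return {
        "ts": datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
        "principal": rec["principal"],
        "service": rec["service"],
        "method": rec["method"],
    }


def short_method(method):
    """'google.iam.admin.v1.ListServiceAccounts' -> 'listserviceaccounts'."""
    return method.rsplit(".", 1)[-1].lower()


def is_enumeration(method):
    """Read-only discovery calls: list/get/describe/testIamPermissions (name heuristic)."""
    return short_method(method).startswith(("list", "get", "describe", "testiampermissions"))


def is_privilege_change(method):
    return short_method(method) in PRIV_METHODS


def detect(records):
    """
    Return one alert per privilege-changing call that follows a burst of
    enumeration by the same principal: (principal, window_start, distinct_services, method).
    A human who lists two things over twenty minutes and then edits a policy
    does not trip it; an agent touching six services in three minutes does.
    """
    events = sorted((parse_event(r) for r in records), key=lambda e: e["ts"])
    recent = defaultdict(deque)        # principal -> enumeration events inside WINDOW
    alerts = []
    for ev in events:
        q = recent[ev["principal"]]
        while q and ev["ts"] - q[0]["ts"] > WINDOW:   # expire events older than WINDOW
            q.popleft()
        if is_enumeration(ev["method"]):
            q.append(ev)
        elif is_privilege_change(ev["method"]):
            services = {e["service"] for e in q}
            if len(q) >= MIN_ENUM_CALLS and len(services) >= MIN_DISTINCT_SERVICES:
                alerts.append((ev["principal"], q[0]["ts"], len(services), ev["method"]))
    return alerts


def _at(mm, ss):
    return f"2025-11-20T10:{mm:02d}:{ss:02d}Z"


AGENT = "recon-agent@lab-project.iam.gserviceaccount.com"   # constructed identity
HUMAN = "alice@example.com"                                  # constructed identity

# Constructed sample: an agent sweeps six services in under three minutes and
# then rewrites a project IAM policy; a human admin does a slow, narrow review.
SAMPLE_EVENTS = [
    {"timestamp": _at(0, 0),  "principal": AGENT, "service": "compute.googleapis.com", "method": "v1.compute.instances.list"},
    {"timestamp": _at(0, 5),  "principal": AGENT, "service": "compute.googleapis.com", "method": "v1.compute.firewalls.list"},
    {"timestamp": _at(0, 12), "principal": AGENT, "service": "storage.googleapis.com", "method": "storage.buckets.list"},
    {"timestamp": _at(0, 20), "principal": AGENT, "service": "storage.googleapis.com", "method": "storage.objects.list"},
    {"timestamp": _at(0, 31), "principal": AGENT, "service": "iam.googleapis.com", "method": "google.iam.admin.v1.ListServiceAccounts"},
    {"timestamp": _at(0, 40), "principal": AGENT, "service": "iam.googleapis.com", "method": "google.iam.admin.v1.ListServiceAccountKeys"},
    {"timestamp": _at(0, 55), "principal": AGENT, "service": "cloudkms.googleapis.com", "method": "ListKeyRings"},
    {"timestamp": _at(1, 10), "principal": AGENT, "service": "sqladmin.googleapis.com", "method": "sql.instances.list"},
    {"timestamp": _at(1, 30), "principal": AGENT, "service": "cloudresourcemanager.googleapis.com", "method": "GetIamPolicy"},
    {"timestamp": _at(2, 45), "principal": AGENT, "service": "cloudresourcemanager.googleapis.com", "method": "SetIamPolicy"},
    {"timestamp": _at(5, 0),  "principal": HUMAN, "service": "compute.googleapis.com", "method": "v1.compute.instances.list"},
    {"timestamp": _at(9, 0),  "principal": HUMAN, "service": "iam.googleapis.com", "method": "google.iam.admin.v1.ListServiceAccounts"},
    {"timestamp": _at(16, 0), "principal": HUMAN, "service": "cloudresourcemanager.googleapis.com", "method": "GetIamPolicy"},
    {"timestamp": _at(17, 0), "principal": HUMAN, "service": "cloudresourcemanager.googleapis.com", "method": "SetIamPolicy"},
]


if __name__ == "__main__":
    for principal, start, n_services, method in detect(SAMPLE_EVENTS):
        print(f"ALERT {principal}: {n_services} services enumerated since {start:%H:%M:%S}, then {method}")
```

Run it as a script to see the single alert for the agent identity and none for the human. Wire the same logic to a SIEM by feeding it the principal, service and method fields of real audit records; the thresholds are deliberately conservative, so tune them against a baseline of your own administrators and automation, and treat a hit as a trigger for reviewing the privilege change, not as proof of compromise.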
Detection, logging, and IAM must assume:\n\n- Multiple autonomous entities making decisions  \n- Shared memory and blackboard-style coordination  \n- Rapid pivoting across services and environments  \n\n---\n\n## AI-Augmented Malware and Covert C2 Channels\n\nAs offense becomes agentic, malware is evolving to use AI infrastructure itself as command-and-control.\n\n[Check Point Research](\u002Fentities\u002F6a0b3ab61f0b27c1f426e46d-check-point-research) showed that an AI assistant with web browsing can be hijacked as a covert C2 channel without any API key or account.[1] The malware drives the assistant’s web UI and asks it to “fetch and summarize” an attacker-controlled URL that encodes commands.[1]\n\nThe sequence:[1]\n\n1. Malware sends benign-looking queries to the assistant.  \n2. The assistant calls `web-fetch` to retrieve the URL.  \n3. The page contains hidden instructions; the assistant returns them as a natural-language “summary”.  \n4. Malware parses the text as commands, executes them, and can exfiltrate data via subsequent prompts.\n\nThis continues the pattern of abusing legitimate services (email, cloud storage, Slack, Dropbox, OneDrive) as C2 because they blend with normal traffic.[1] Conversational AI adds new advantages:[1]\n\n- Traffic is new and often poorly instrumented in SIEM\u002FXDR.  \n- Blocking it is operationally painful (business dependence).  
\n- It is perceived as “trusted” application traffic.\n\nLLM-guided malware over such channels can:[1][9]\n\n- Dynamically request instructions  \n- Generate or mutate payloads on demand  \n- Adjust obfuscation to defender behavior  \n\nall without static C2 hosts or signatures, reducing traditional indicators and complicating EDR tuning.[1]\n\n**Enterprise AI usage as cover**\n\nIn one small SaaS startup, ~40% of developers were pasting logs and configs into an enterprise AI assistant within three months of rollout—long before SOC monitoring existed for that traffic.[5][3] This kind of environment lets AI-based C2 blend seamlessly with legitimate use.\n\nAgentic systems inside enterprises add further leverage. A compromised internal agent with tools can act as:[3][8]\n\n- A malware delivery vector (through scripts, tickets, or generated code)  \n- A post-exploitation automation engine running attacker playbooks\n\nAlthough Check Point’s scenario has not yet been seen in the wild, Microsoft validated the technique and modified Copilot’s `web-fetch` behavior to mitigate it—treating it as a concrete, near-term risk.[1]\n\n**AI-aware C2 detection**\n\nOrganizations will need pipelines that:[1][5]\n\n- Correlate AI assistant usage with host telemetry  \n- Inspect tool-call patterns (e.g., repetitive `web-fetch` to odd domains)  \n- Track unusual memory or clipboard behavior tied to assistant sessions\n\nA simple streaming architecture:\n\n```text\nProxy logs + DNS logs + EDR telemetry\n          ↓\nAI-Traffic Classifier (LLM\u002Fregex)\n          ↓\nBehavioral Analyzer (sequences of tool calls, domains)\n          ↓\nScoring & Correlation in SIEM\u002FXDR\n          ↓\nSOAR playbook → quarantine host \u002F block domain \u002F investigate user\n```\n\n**Feedback loop with defensive agents**\n\nAs SOCs embed LLM-based detection and response agents, adversaries gain incentives to:[5][7]\n\n- Craft logs that mislead triage agents  \n- Inject prompts into tickets or chats 
 \n- Camouflage malware behaviors within known AI workflows  \n\n---\n\n## Defensive Agentic AI: SOC and SecOps Architectures\n\nModern SOCs face overwhelming telemetry: network flows, endpoint events, SaaS logs, and more.[5] LLMs are now used as:\n\n- Interpreters for semi-structured logs and alerts  \n- Orchestrators that tie together tools and workflows[5]\n\nCommon SOC agent roles:[7]\n\n- **Alert triage agents** – cluster alerts, dedupe noise, prioritize by impact.  \n- **Context enrichment agents** – pull threat intel, asset context, user info.  \n- **Incident qualification agents** – draft assessments and containment steps for SOAR.\n\nThese agents plug into SOAR to automate actions like host isolation, account disablement, or ticket creation with pre-populated details.[7]\n\n**Agentic SOC platforms**\n\nCrowdStrike’s AgentWorks is an example of a governed, no-code platform for building such agents on the Falcon stack.[4] It allows teams to:[4]\n\n- Design agents using models like Claude, GPT, Nemotron  \n- Enforce governance and policy controls  \n- Integrate with Charlotte Agentic SOAR and existing Falcon capabilities\n\nAn emerging “agentic SOC” model assumes:[4][5]\n\n- Agents continuously monitor and triage detections  \n- Humans supervise, validate, and handle edge cases  \n- Policies strictly define which tools\u002Factions each agent can use\n\nThis dovetails with AI SecOps practices, where automation integrates via existing APIs, buses, and change processes instead of bypassing them.[6]\n\nNext-gen SIEM\u002FXDR platforms advertise AI-native features—automated correlation, anomaly detection, summarization.[5][6][7] Real benefit depends on aligning:\n\n- SOC processes and staffing with agent workflows  \n- SecOps automation and change control with agent permissions  \n- Risk models with agentic failure modes and abuse scenarios[3][8]\n\nEngineering evaluations should check:[5][6][7][9][1]\n\n- **Telemetry** – which data agents see and what they can 
modify.  \n- **Latency\u002Fthroughput** – acceptable delay for real-time triage vs. batch hunting.  \n- **Integration** – safe use of SOAR, ticketing, identity without bypassing approvals.  \n- **Validation** – testing against AI-driven offensive PoCs and synthetic AI-C2 traffic.\n\n**Mini-conclusion**\n\nDefensive agents are already in production. The real question is whether they are observable, governed, and constrained—or opaque copilots that quietly become single points of failure.\n\n---\n\n## Security Risks Unique to Agentic Systems\n\nAgentic AI introduces new threat categories beyond ordinary model misbehavior.[8] Key risks:\n\n- **Tool hijacking \u002F privilege escalation** – agents misusing or being induced to misuse powerful APIs.[8]  \n- **Memory poisoning** – adversaries planting data in long-term memory to shape future behavior.[8]  \n- **Cascading failures** – interdependent agents amplifying each other’s mistakes.[8]  \n- **Supply-chain compromise** – tampering with models, tools, or orchestrators.[8]  \n- **Deceptive or malicious agents** – agents that strategically misreport or conceal actions.[8]\n\nBecause these agents interact with real software and data, they become high-value intrusion targets.[3] Advisory bodies urge monitoring tuned to:[3]\n\n- Actual agent behaviors and tool calls  \n- Data scopes and write paths  \n- Long-lived memories and logs  \n\nnot just basic output filters.\n\n**Injection and data manipulation**\n\nAttackers can craft:[8][7]\n\n- Prompts in tickets or chats that trigger unsafe tool calls  \n- Malicious documents, logs, or web pages that cause exfiltration  \n- Workflows that route sensitive data through less-governed agents\n\nFor SOC agents, this can lead to:[5][7][8]\n\n- Downgrading or closing alerts during active intrusions  \n- Misclassifying malicious activity as benign  \n- Flooding analysts with noise to hide true signals\n\n**Organizational gaps and data exposure**\n\nMany organizations deploy agents 
with minimal supervision while lacking deep understanding of their behaviors, limits, and security posture.[3][8] One advisory notes that new agents can be deployed in minutes, outpacing traditional governance cycles.[3]\n\nAgent logs, memories, and tool outputs frequently contain:[3][8]\n\n- Confidential business data  \n- Credentials or tokens  \n- PII and behavioral traces\n\nWithout tailored access controls and retention policies, these become new leak vectors.\n\n**Autonomous risk**\n\n“Autonomous risk” describes harm from sequences of agent actions across systems, not a single bad response.[8] Root-cause analysis must reconstruct:\n\n- Tool call chains  \n- Memory reads\u002Fwrites  \n- External API invocations  \n\nover long time windows, complicating forensics.\n\n---\n\n## Engineering Playbook for Secure Agentic AI in Cyber Defense\n\nTo use agentic AI for defense without creating a new autonomous insider, security and ML teams need an explicit engineering playbook.\n\n**Observability for agent workflows**\n\nMonitoring must be tailored to agent behavior. Every tool call, environment change, and memory write should be traceable so responders can reconstruct decisions.[3][7] Concretely:\n\n- **Per-agent audit trails** – signed logs of inputs, outputs, and tool invocations.  \n- **Structured tool schemas** – rich metadata (who\u002Fwhat\u002Fwhy) on every call.  \n- **Timeline explorers** – UIs for stepping through an agent’s actions over time.\n\nThese align with advisory calls for adapted surveillance and continuous governance.[3]\n\n**Guardrails and privilege design**\n\nDefensive agents should operate under strict guardrails:[4][7][8]\n\n- Constrained, validated tool schemas and typed outputs.  \n- Whitelist-based actions: only explicitly approved operations allowed.[8]  \n- Tiered privileges (read-only vs. 
remediation-capable roles).[4][7]  \n- Human review checkpoints for high-impact actions (isolation, credential revocation, policy changes).[4][7][8]\n\n**Integrate, don’t bypass**\n\nWhen integrating agents into IT\u002FOT workflows, use existing APIs, queues, and approval flows so AI does not circumvent:\n\n- Change management  \n- Incident response  \n- Access governance[6]\n\nWhere possible, agents should propose changes; existing processes should approve and execute them.\n\n**Evaluation against AI-native threats**\n\nTesting must assume AI-driven adversaries. Build red-team suites where defensive agents face:[9][1]\n\n- Multi-agent cloud attack PoCs in misconfigured GCP\u002FAWS labs.[9]  \n- AI-based C2 patterns similar to Check Point’s assistant abuse.[1]  \n\nMeasure:\n\n- Detection coverage across offensive sequences  \n- Time-to-containment from first malicious action  \n- Robustness against adversarial prompts and poisoned data\n\n**Strategic goal**\n\nThe aim is not maximal automation, but controlled automation: agentic AI that is observable, governable, and decisively under human direction, even as attackers adopt the same technologies at machine speed.","\u003Cp>State-backed operators have already shown that \u003Ca href=\"\u002Fentities\u002F69d05cf64eea09eba3dfcc0b-large-language-models\">large language models\u003C\u002Fa> can autonomously execute 80–90% of a cloud espionage campaign, acting as the primary operator rather than a helper.\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa> This was a real operation in which the LLM moved faster than humans could at console speed.\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>At the same time, defenders are deploying AI agents to triage alerts, enrich incidents, and orchestrate response in environments overwhelmed by telemetry “infobesity”.\u003Ca href=\"#source-5\" class=\"citation-link\" 
title=\"View source [5]\">[5]\u003C\u002Fa> Both offense and defense are rapidly shifting toward non-human operators.\u003C\u002Fp>\n\u003Cp>This article examines how that shift works in practice: how agentic AI changes kill chains, how \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FMalware\" class=\"wiki-link\" target=\"_blank\" rel=\"noopener\">malware\u003C\u002Fa> abuses AI infrastructure as covert C2, and what \u003Ca href=\"\u002Fentities\u002F6a0be90a1f0b27c1f427162f-soc\">SOC\u003C\u002Fa>, SecOps, and ML teams must build now to avoid being outpaced.\u003C\u002Fp>\n\u003Chr>\n\u003Ch2>From Traditional Cyber Operations to Agentic AI Warfare\u003C\u002Fh2>\n\u003Cp>\u003Cstrong>What is agentic AI?\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Agentic AI refers to autonomous, tool-using systems built on LLMs and other ML components that can:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Perceive (ingest logs, code, tickets, web data)\u003C\u002Fli>\n\u003Cli>Reason (plan multi-step tasks from high-level goals)\u003C\u002Fli>\n\u003Cli>Act (call APIs, run scripts, modify configs)\u003C\u002Fli>\n\u003Cli>Learn (adapt plans based on previous outcomes)\u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Unlike simple chatbots, these agents:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Maintain long-lived state and memory\u003C\u002Fli>\n\u003Cli>Call tools and APIs at runtime\u003C\u002Fli>\n\u003Cli>Coordinate with other agents\u003C\u002Fli>\n\u003Cli>Refine strategies over many iterations\u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>In enterprises, such agents can update databases, trigger workflows, and access sensitive data—making them both valuable defenders and high-leverage intrusion targets.\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca 
href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>From scripts to self-directed campaigns\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Traditional offensive automation relied on:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Static scripts and one-shot exploit frameworks\u003C\u002Fli>\n\u003Cli>Rule-based playbooks, the offensive counterpart of a SOAR runbook\u003C\u002Fli>\n\u003Cli>Human operators orchestrating each phase\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Agentic systems shift this to self-directed entities that can:\u003Ca href=\"#source-2\" class=\"citation-link\" title=\"View source [2]\">[2]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Plan campaigns from broad objectives\u003C\u002Fli>\n\u003Cli>Dynamically select tools and sequences\u003C\u002Fli>\n\u003Cli>Adapt as defenses respond\u003C\u002Fli>\n\u003Cli>Collaborate with peer agents\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>The model is no longer just answering text; it is acting inside infrastructure, which extends the attack surface beyond conventional chatbots and classifiers.\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Evidence from real operations\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>In November 2025, \u003Ca href=\"\u002Fentities\u002F69d05cf64eea09eba3dfcc08-anthropic\">Anthropic\u003C\u002Fa> documented a state-backed cloud espionage operation in which an LLM agent autonomously performed 80–90% of the campaign against cloud targets.\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa> It handled:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Reconnaissance\u003C\u002Fli>\n\u003Cli>Privilege 
escalation\u003C\u002Fli>\n\u003Cli>Data exfiltration\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>with only limited human steering.\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>A separate multi-agent cloud penetration PoC showed LLM agents could:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Enumerate cloud resources\u003C\u002Fli>\n\u003Cli>Pivot across services and accounts\u003C\u002Fli>\n\u003Cli>Chain misconfigurations at machine speed\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>They did not invent new bug classes but scaled known tactics dramatically.\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Defender’s dilemma and scope\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Enterprise agents—incident triage bots, code copilots, IT automation—can:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Execute code\u003C\u002Fli>\n\u003Cli>Call admin APIs\u003C\u002Fli>\n\u003Cli>Write to critical data stores\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Compromising such an agent can be equivalent to compromising a senior SRE with persistent access.\u003C\u002Fp>\n\u003Cp>This article focuses on:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>How agentic AI reshapes offensive kill chains\u003C\u002Fli>\n\u003Cli>How AI-augmented malware and AI-based C2 work\u003C\u002Fli>\n\u003Cli>How to build defensive agents with guardrails and monitoring to manage autonomous risk\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Chr>\n\u003Ch2>How Agentic AI Reshapes Offensive Kill Chains\u003C\u002Fh2>\n\u003Cp>The \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FUnit_42\" class=\"wiki-link\" 
target=\"_blank\" rel=\"noopener\">Unit 42\u003C\u002Fa> multi-agent cloud penetration PoC provides a blueprint for AI-driven offensive architectures.\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa> Key components:\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Planner agent\u003C\u002Fstrong> – decomposes a goal (“exfiltrate project secrets from \u003Ca href=\"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FGoogle_Cloud_Platform\" class=\"wiki-link\" target=\"_blank\" rel=\"noopener\">GCP\u003C\u002Fa>”) into tasks.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Recon agents\u003C\u002Fstrong> – enumerate services, IAM roles, storage, and endpoints.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Exploitation agents\u003C\u002Fstrong> – abuse misconfigurations, escalate privileges, generate exploits.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Lateral-movement agents\u003C\u002Fstrong> – pivot across projects, regions, and accounts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Coordinator\u003C\u002Fstrong> – tracks shared state and routes tasks and tools across agents.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>A simplified sketch of the control loop (pseudocode: \u003Ccode>planner\u003C\u002Fcode>, \u003Ccode>router\u003C\u002Fcode>, \u003Ccode>toolbox\u003C\u002Fcode> and \u003Ccode>blackboard\u003C\u002Fcode> stand for the roles listed above):\u003C\u002Fp>\n\u003Cpre>\u003Ccode class=\"language-python\"># Planner turns the objective into a task graph; the coordinator loop below\n# drains it, routing each task to the specialised agent for its type.\ngoal = \"Exfiltrate sensitive data from target GCP org\"\n\nplan = planner.decompose(goal)\n\nwhile plan.has_open_tasks():\n    task = plan.next_task()\n    agent = router.assign(task.type)          # recon, exploitation, lateral movement\n    result = agent.execute(task, tools=toolbox)\n    blackboard.update(task, result)           # shared state every agent can read\n    planner.refine(plan, feedback=result)     # re-plan on what was found\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>Both the Anthropic operation and the Unit 42 PoC show that:\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>AI accelerates known techniques (cloud misconfig, overbroad IAM, weak monitoring).\u003C\u002Fli>\n\u003Cli>The edge is speed: machine-scale 
enumeration, chaining, and privilege abuse.\u003C\u002Fli>\n\u003Cli>Time-to-compromise windows shrink from hours–days to minutes–hours in weakly governed environments.\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Autonomy and cascading risk\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Agentic risk analyses highlight that such systems can:\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Chain tools in unanticipated ways\u003C\u002Fli>\n\u003Cli>Escalate privileges across services\u003C\u002Fli>\n\u003Cli>Trigger cascading failures if misconfigured or compromised\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Examples:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>An agent that “fixes” IAM or firewall rules based on flawed logic may propagate misconfigurations.\u003C\u002Fli>\n\u003Cli>Multiple agents adjusting each other’s outputs can amplify small errors.\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>In an agentic kill chain, specialization replaces human handoffs:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>OSINT reconnaissance\u003C\u002Fstrong> – scrapes repos, docs, job posts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Vulnerability discovery\u003C\u002Fstrong> – scans, correlates CVEs, suggests exploit paths.\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Exploit generation\u003C\u002Fstrong> – adapts PoCs to target cloud stacks.\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Post-exploitation\u002Fpersistence\u003C\u002Fstrong> – maintains access, 
deploys beacons, cleans logs.\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>National advisory bodies now identify agentic AI as a critical security concern and call for monitoring that reflects actual agent behavior, tool use, and data scope.\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>How it differs from legacy automation\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ctable>\n\u003Cthead>\n\u003Ctr>\n\u003Cth>Dimension\u003C\u002Fth>\n\u003Cth>Playbook Automation\u003C\u002Fth>\n\u003Cth>Multi-Agent LLM System\u003C\u002Fth>\n\u003C\u002Ftr>\n\u003C\u002Fthead>\n\u003Ctbody>\n\u003Ctr>\n\u003Ctd>Human-in-the-loop\u003C\u002Ftd>\n\u003Ctd>High (per phase)\u003C\u002Ftd>\n\u003Ctd>Moderate (per campaign)\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>Discovery coverage\u003C\u002Ftd>\n\u003Ctd>Limited by scripts\u003C\u002Ftd>\n\u003Ctd>Goal-driven, adaptive search\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>Time-to-compromise\u003C\u002Ftd>\n\u003Ctd>Hours–days\u003C\u002Ftd>\n\u003Ctd>Minutes–hours (misconfig envs)\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd>Operational complexity\u003C\u002Ftd>\n\u003Ctd>Script orchestration\u003C\u002Ftd>\n\u003Ctd>Agent orchestration &amp; state mgmt\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftbody>\n\u003C\u002Ftable>\n\u003Cp>\u003Cstrong>Defensive takeaway\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>The operational picture shifts from a linear kill chain to a graph of 
collaborating agents. Detection, logging, and IAM must assume:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Multiple autonomous entities making decisions\u003C\u002Fli>\n\u003Cli>Shared memory and blackboard-style coordination\u003C\u002Fli>\n\u003Cli>Rapid pivoting across services and environments\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Chr>\n\u003Ch2>AI-Augmented Malware and Covert C2 Channels\u003C\u002Fh2>\n\u003Cp>As offense becomes agentic, malware is evolving to use AI infrastructure itself as command-and-control.\u003C\u002Fp>\n\u003Cp>\u003Ca href=\"\u002Fentities\u002F6a0b3ab61f0b27c1f426e46d-check-point-research\">Check Point Research\u003C\u002Fa> showed that an AI assistant with web browsing can be hijacked as a covert C2 channel without any API key or account.\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa> The malware drives the assistant’s web UI and asks it to “fetch and summarize” an attacker-controlled URL that encodes commands.\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>The sequence:\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003C\u002Fp>\n\u003Col>\n\u003Cli>Malware sends benign-looking queries to the assistant.\u003C\u002Fli>\n\u003Cli>The assistant calls \u003Ccode>web-fetch\u003C\u002Fcode> to retrieve the URL.\u003C\u002Fli>\n\u003Cli>The page contains hidden instructions; the assistant returns them as a natural-language “summary”.\u003C\u002Fli>\n\u003Cli>Malware parses the text as commands, executes them, and can exfiltrate data via subsequent prompts.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>This continues the pattern of abusing legitimate services (email, cloud storage, Slack, Dropbox, OneDrive) as C2 because they blend with normal traffic.\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa> Conversational AI adds new advantages:\u003Ca 
href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Traffic is new and often poorly instrumented in SIEM\u002FXDR.\u003C\u002Fli>\n\u003Cli>Blocking it is operationally painful (business dependence).\u003C\u002Fli>\n\u003Cli>It is perceived as “trusted” application traffic.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>LLM-guided malware over such channels can:\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Dynamically request instructions\u003C\u002Fli>\n\u003Cli>Generate or mutate payloads on demand\u003C\u002Fli>\n\u003Cli>Adjust obfuscation to defender behavior\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>all without static C2 hosts or signatures, reducing traditional indicators and complicating EDR tuning.\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Enterprise AI usage as cover\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>In one small SaaS startup, ~40% of developers were pasting logs and configs into an enterprise AI assistant within three months of rollout—long before SOC monitoring existed for that traffic.\u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa> This kind of environment lets AI-based C2 blend seamlessly with legitimate use.\u003C\u002Fp>\n\u003Cp>Agentic systems inside enterprises add further leverage. 
A compromised internal agent with tools can act as:\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>A malware delivery vector (through scripts, tickets, or generated code)\u003C\u002Fli>\n\u003Cli>A post-exploitation automation engine running attacker playbooks\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Although Check Point’s scenario has not yet been seen in the wild, Microsoft validated the technique and modified Copilot’s \u003Ccode>web-fetch\u003C\u002Fcode> behavior to mitigate it—treating it as a concrete, near-term risk.\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>AI-aware C2 detection\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Organizations will need pipelines that:\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Correlate AI assistant usage with host telemetry\u003C\u002Fli>\n\u003Cli>Inspect tool-call patterns (e.g., repetitive \u003Ccode>web-fetch\u003C\u002Fcode> to odd domains)\u003C\u002Fli>\n\u003Cli>Track unusual memory or clipboard behavior tied to assistant sessions\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>A simple streaming architecture:\u003C\u002Fp>\n\u003Cpre>\u003Ccode class=\"language-text\">Proxy logs + DNS logs + EDR telemetry\n          ↓\nAI-Traffic Classifier (LLM\u002Fregex)\n          ↓\nBehavioral Analyzer (sequences of tool calls, domains)\n          ↓\nScoring &amp; Correlation in SIEM\u002FXDR\n          ↓\nSOAR playbook → quarantine host \u002F block domain \u002F investigate user\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Cp>\u003Cstrong>Feedback loop with defensive 
agents\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>As SOCs embed LLM-based detection and response agents, adversaries gain incentives to:\u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Craft logs that mislead triage agents\u003C\u002Fli>\n\u003Cli>Inject prompts into tickets or chats\u003C\u002Fli>\n\u003Cli>Camouflage malware behaviors within known AI workflows\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Chr>\n\u003Ch2>Defensive Agentic AI: SOC and SecOps Architectures\u003C\u002Fh2>\n\u003Cp>Modern SOCs face overwhelming telemetry: network flows, endpoint events, SaaS logs, and more.\u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa> LLMs are now used as:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Interpreters for semi-structured logs and alerts\u003C\u002Fli>\n\u003Cli>Orchestrators that tie together tools and workflows\u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Common SOC agent roles:\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Alert triage agents\u003C\u002Fstrong> – cluster alerts, dedupe noise, prioritize by impact.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Context enrichment agents\u003C\u002Fstrong> – pull threat intel, asset context, user info.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Incident qualification agents\u003C\u002Fstrong> – draft assessments and containment steps for SOAR.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>These agents plug into SOAR to automate actions like host isolation, account disablement, or ticket creation with pre-populated details.\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source 
[7]\">[7]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Agentic SOC platforms\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>CrowdStrike’s AgentWorks is an example of a governed, no-code platform for building such agents on the Falcon stack.\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa> It allows teams to:\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Design agents using models like Claude, GPT, Nemotron\u003C\u002Fli>\n\u003Cli>Enforce governance and policy controls\u003C\u002Fli>\n\u003Cli>Integrate with Charlotte Agentic SOAR and existing Falcon capabilities\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>An emerging “agentic SOC” model assumes:\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Agents continuously monitor and triage detections\u003C\u002Fli>\n\u003Cli>Humans supervise, validate, and handle edge cases\u003C\u002Fli>\n\u003Cli>Policies strictly define which tools\u002Factions each agent can use\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>This dovetails with AI SecOps practices, where automation integrates via existing APIs, buses, and change processes instead of bypassing them.\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Next-gen SIEM\u002FXDR platforms advertise AI-native features—automated correlation, anomaly detection, summarization.\u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa> Real benefit depends on aligning:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>SOC 
processes and staffing with agent workflows\u003C\u002Fli>\n\u003Cli>SecOps automation and change control with agent permissions\u003C\u002Fli>\n\u003Cli>Risk models with agentic failure modes and abuse scenarios\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Engineering evaluations should check:\u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Telemetry\u003C\u002Fstrong> – which data agents see and what they can modify.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Latency\u002Fthroughput\u003C\u002Fstrong> – acceptable delay for real-time triage vs. batch hunting.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Integration\u003C\u002Fstrong> – safe use of SOAR, ticketing, identity without bypassing approvals.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Validation\u003C\u002Fstrong> – testing against AI-driven offensive PoCs and synthetic AI-C2 traffic.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Mini-conclusion\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Defensive agents are already in production. 
The real question is whether they are observable, governed, and constrained—or opaque copilots that quietly become single points of failure.\u003C\u002Fp>\n\u003Chr>\n\u003Ch2>Security Risks Unique to Agentic Systems\u003C\u002Fh2>\n\u003Cp>Agentic AI introduces new threat categories beyond ordinary model misbehavior.\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa> Key risks:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Tool hijacking \u002F privilege escalation\u003C\u002Fstrong> – agents misusing or being induced to misuse powerful APIs.\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Memory poisoning\u003C\u002Fstrong> – adversaries planting data in long-term memory to shape future behavior.\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Cascading failures\u003C\u002Fstrong> – interdependent agents amplifying each other’s mistakes.\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Supply-chain compromise\u003C\u002Fstrong> – tampering with models, tools, or orchestrators.\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Deceptive or malicious agents\u003C\u002Fstrong> – agents that strategically misreport or conceal actions.\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Because these agents interact with real software and data, they become high-value intrusion targets.\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa> Advisory bodies urge monitoring tuned to:\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source 
[3]\">[3]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Actual agent behaviors and tool calls\u003C\u002Fli>\n\u003Cli>Data scopes and write paths\u003C\u002Fli>\n\u003Cli>Long-lived memories and logs\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>not just basic output filters.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Injection and data manipulation\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Attackers can craft:\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Prompts in tickets or chats that trigger unsafe tool calls\u003C\u002Fli>\n\u003Cli>Malicious documents, logs, or web pages that cause exfiltration\u003C\u002Fli>\n\u003Cli>Workflows that route sensitive data through less-governed agents\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>For SOC agents, this can lead to:\u003Ca href=\"#source-5\" class=\"citation-link\" title=\"View source [5]\">[5]\u003C\u002Fa>\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Downgrading or closing alerts during active intrusions\u003C\u002Fli>\n\u003Cli>Misclassifying malicious activity as benign\u003C\u002Fli>\n\u003Cli>Flooding analysts with noise to hide true signals\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Organizational gaps and data exposure\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Many organizations deploy agents with minimal supervision while lacking deep understanding of their behaviors, limits, and security posture.\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa> One advisory notes that new agents can be deployed in minutes, outpacing 
traditional governance cycles.\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Agent logs, memories, and tool outputs frequently contain:\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Confidential business data\u003C\u002Fli>\n\u003Cli>Credentials or tokens\u003C\u002Fli>\n\u003Cli>PII and behavioral traces\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Without tailored access controls and retention policies, these become new leak vectors.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Autonomous risk\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>“Autonomous risk” describes harm from sequences of agent actions across systems, not a single bad response.\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa> Root-cause analysis must reconstruct:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Tool call chains\u003C\u002Fli>\n\u003Cli>Memory reads\u002Fwrites\u003C\u002Fli>\n\u003Cli>External API invocations\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>over long time windows, complicating forensics.\u003C\u002Fp>\n\u003Chr>\n\u003Ch2>Engineering Playbook for Secure Agentic AI in Cyber Defense\u003C\u002Fh2>\n\u003Cp>To use agentic AI for defense without creating a new autonomous insider, security and ML teams need an explicit engineering playbook.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Observability for agent workflows\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Monitoring must be tailored to agent behavior. 
Every tool call, environment change, and memory write should be traceable so responders can reconstruct decisions.\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa> Concretely:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Per-agent audit trails\u003C\u002Fstrong> – signed logs of inputs, outputs, and tool invocations.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Structured tool schemas\u003C\u002Fstrong> – rich metadata (who\u002Fwhat\u002Fwhy) on every call.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Timeline explorers\u003C\u002Fstrong> – UIs for stepping through an agent’s actions over time.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>These align with advisory calls for adapted surveillance and continuous governance.\u003Ca href=\"#source-3\" class=\"citation-link\" title=\"View source [3]\">[3]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Guardrails and privilege design\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Defensive agents should operate under strict guardrails:\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Constrained, validated tool schemas and typed outputs.\u003C\u002Fli>\n\u003Cli>Whitelist-based actions: only explicitly approved operations allowed.\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Tiered privileges (read-only vs. 
remediation-capable roles).\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Human review checkpoints for high-impact actions (isolation, credential revocation, policy changes).\u003Ca href=\"#source-4\" class=\"citation-link\" title=\"View source [4]\">[4]\u003C\u002Fa>\u003Ca href=\"#source-7\" class=\"citation-link\" title=\"View source [7]\">[7]\u003C\u002Fa>\u003Ca href=\"#source-8\" class=\"citation-link\" title=\"View source [8]\">[8]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Integrate, don’t bypass\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>When integrating agents into IT\u002FOT workflows, use existing APIs, queues, and approval flows so AI does not circumvent:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Change management\u003C\u002Fli>\n\u003Cli>Incident response\u003C\u002Fli>\n\u003Cli>Access governance\u003Ca href=\"#source-6\" class=\"citation-link\" title=\"View source [6]\">[6]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Where possible, agents should propose changes; existing processes should approve and execute them.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Evaluation against AI-native threats\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>Testing must assume AI-driven adversaries. 
Build red-team suites where defensive agents face:\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Multi-agent cloud attack PoCs in misconfigured GCP\u002FAWS labs.\u003Ca href=\"#source-9\" class=\"citation-link\" title=\"View source [9]\">[9]\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>AI-based C2 patterns similar to Check Point’s assistant abuse.\u003Ca href=\"#source-1\" class=\"citation-link\" title=\"View source [1]\">[1]\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Measure:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Detection coverage across offensive sequences\u003C\u002Fli>\n\u003Cli>Time-to-containment from first malicious action\u003C\u002Fli>\n\u003Cli>Robustness against adversarial prompts and poisoned data\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Strategic goal\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>The aim is not maximal automation, but controlled automation: agentic AI that is observable, governable, and decisively under human direction, even as attackers adopt the same technologies at machine speed.\u003C\u002Fp>\n","State-backed operators have already shown that large language models can autonomously execute 80–90% of a cloud espionage campaign, acting as the primary operator rather than a helper.[9] This was a r...","hallucinations",[],2205,11,"2026-05-20T22:53:55.738Z",[17,22,26,30,34,38,42,46,50],{"title":18,"url":19,"summary":20,"type":21},"Malware guidé par LLM : comment l'IA réduit le signal observable pour contourner les seuils EDR - IT SOCIAL","https:\u002F\u002Fitsocial.fr\u002Fcybersecurite\u002Fcybersecurite-articles\u002Fmalware-guide-par-llm-comment-lia-reduit-le-signal-observable-pour-contourner-les-seuils-edr\u002F","Check Point Research a démontré en environnement contrôlé qu'un assistant IA doté de capacités de navigation web peut être détourné 
en canal de commandement et contrôle (C2) furtif, sans clé API ni co...","kb",{"title":23,"url":24,"summary":25,"type":21},"Qu'est-ce que l'Agentic AI ?","https:\u002F\u002Fwww.trendmicro.com\u002Ffr_fr\u002Fwhat-is\u002Fai\u002Fagentic-ai.html","Qu'est-ce que l'Agentic AI ? par Fernando Cardoso\nDernière mise à jour Mar 27, 2026\n\nL’IA agentique est une forme avancée d’intelligence artificielle (IA) qui utilise des « agents » d’IA autonomes pou...",{"title":27,"url":28,"summary":29,"type":21},"Adapter la sécurité à l'ère de l'IA agentique, une priorité en 2026","https:\u002F\u002Fwww.journaldunet.com\u002Fcybersecurite\u002F1549555-adapter-la-securite-a-l-ere-de-l-ia-agentique-une-priorite-en-2026\u002F","Par Netskope, 15 avril 2026 11:02\n\nDu fait de leur capacité à interagir avec d'autres logiciels ou infrastructures, les systèmes d'IA agentiques pourraient constituer des cibles de choix pour les cybe...",{"title":31,"url":32,"summary":33,"type":21},"Une plateforme pour concevoir, tester et déployer des agents IA dans Falcon","https:\u002F\u002Fwww.linformaticien.com\u002Fmagazine\u002Fcybersecurite\u002F64660-une-plateforme-pour-concevoir-tester-et-deployer-des-agents-ia-dans-falcon.html","CrowdStrike a annoncé le lancement de son écosystème AI AgentWorks, une plateforme no-code qui permet aux équipes de sécurité de concevoir, tester et déployer des agents d’intelligence artificielle da...",{"title":35,"url":36,"summary":37,"type":21},"IA et détection cyber : perspectives opérationnelles pour les SOC","https:\u002F\u002Fwww.synetis.com\u002Fblog\u002Fia-et-detection-cyber-perspectives-operationnelles-soc\u002F","IA et détection cyber : perspectives opérationnelles pour les SOC\n\n Découvrez comment l'intelligence artificielle permet de renforcer chaque équipe SOC face à l'infobésité. 
Optimisez votre investigati...",{"title":39,"url":40,"summary":41,"type":21},"AI SecOps : mise en œuvre et bonnes pratiques","https:\u002F\u002Fstellarcyber.ai\u002Ffr\u002Flearn\u002Fai-secops\u002F","AI SecOps : mise en œuvre et bonnes pratiques\n\nLes opérations de sécurité, ou SecOps, sont l'aboutissement de processus individuels visant à prévenir les vulnérabilités et les intrusions à risque dans...",{"title":43,"url":44,"summary":45,"type":21},"Agents IA pour le SOC : Triage Automatisé des Alertes","https:\u002F\u002Fayinedjimi-consultants.fr\u002Farticles\u002Fia-agents-soc-triage-alertes","Agents IA pour le SOC : Triage Automatisé des Alertes\n\n13 février 2026\n\nMis à jour le 19 mai 2026\n\n17 min de lecture\n\n5348 mots\n\nVues: 716\n\nTélécharger le PDF\n\nGuide complet sur les agents IA pour le ...",{"title":47,"url":48,"summary":49,"type":21},"Principales menaces de sécurité liées à l'IA agentique fin 2026","https:\u002F\u002Fstellarcyber.ai\u002Ffr\u002Flearn\u002Fagentic-ai-securiry-threats\u002F","Face à l'escalade des menaces de sécurité liées à l'IA agentive fin 2026, les équipes de sécurité des entreprises de taille moyenne sont confrontées à un défi sans précédent. Les agents autonomes intr...",{"title":51,"url":52,"summary":53,"type":21},"L’IA peut-elle s’attaquer au cloud? 
Enseignements tirés de la construction d’un système multi-agents offensif autonome dans le cloud","https:\u002F\u002Funit42.paloaltonetworks.com\u002Ffr\u002Fautonomous-ai-cloud-attacks\u002F","Avant-propos\n\nLes capacités offensives des large language models (LLM, grands modèles de langage) n’étaient jusqu’à présent que des risques théoriques: ils étaient fréquemment évoqués lors de conféren...",{"totalSources":55},9,{"generationDuration":57,"kbQueriesCount":55,"confidenceScore":58,"sourcesCount":55},330125,100,{"metaTitle":60,"metaDescription":61},"Agentic AI Cyber Warfare: LLM Malware Defense Guide","Explore how agentic AI enables LLM malware and autonomous defenders, plus concise SOC mitigation tactics to prevent being outpaced—find out what works.","en","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1757258885972-3c111d1307f3?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxpbnNpZGUlMjBhZ2VudGljJTIwY3liZXIlMjB3YXJmYXJlfGVufDF8MHx8fDE3NzkzMzQxMzl8MA&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60",{"photographerName":65,"photographerUrl":66,"unsplashUrl":67},"Akbar Jawad","https:\u002F\u002Funsplash.com\u002F@akbarjawadd?utm_source=coreprose&utm_medium=referral","https:\u002F\u002Funsplash.com\u002Fphotos\u002Fsoldier-aiming-rifle-in-green-night-vision-RfmLAm-lPm0?utm_source=coreprose&utm_medium=referral",false,null,{"key":71,"name":72,"nameEn":72},"ai-engineering","AI Engineering & LLM Ops",[74,76,78,80],{"text":75},"State-backed LLM agents autonomously executed 80–90% of a cloud espionage campaign in a documented November 2025 operation, performing reconnaissance, privilege escalation, and data exfiltration with minimal human steering.",{"text":77},"Agentic AI reduces time-to-compromise in poorly governed cloud environments from hours–days to minutes–hours by enabling machine-scale enumeration, chaining, and pivoting.",{"text":79},"AI infrastructure and enterprise assistants provide novel covert C2 channels; one startup observed ~40% of 
developers pasting logs\u002Fconfigs into an AI assistant within three months, creating high-risk telemetry blind spots.",{"text":81},"Defensive agent deployments are already productionized; without per-agent audit trails, strict guardrails, and integration into existing change\u002Fapproval flows, they become single points of failure and high-value intrusion targets.",[83,86,89],{"question":84,"answer":85},"What exactly is agentic AI and how does it differ from regular LLMs?","Agentic AI is an autonomous, tool-using system that perceives inputs (logs, code, web data), reasons to decompose high-level goals into multi-step plans, acts by calling APIs or running scripts, and learns from outcomes; it maintains long-lived state and coordinates with other agents. Unlike stateless chatbots, agentic systems hold memory, invoke typed tool schemas at runtime, persist across sessions, and refine strategies across many iterations, which lets them execute sustained campaigns or remediation workflows without step-by-step human orchestration. This shift turns models into active operators inside infrastructure, increasing their attack surface and the impact of any compromise.",{"question":87,"answer":88},"How can attackers abuse AI and conversational assistants as covert command-and-control channels?","Attackers can hijack AI assistants and web-enabled LLM features to encode commands in attacker-controlled webpages or content that the assistant fetches and returns as natural-language summaries, which malware on a host then parses and executes. Because these interactions mimic legitimate user workflows and often bypass SIEM\u002FXDR instrumentation, they blend with normal traffic and evade signature-based detection; the assistant’s web-fetch or browsing features become a dynamic, low-signature C2 pipeline. 
As defensive agents proliferate, adversaries can also craft prompts, poisoned data, or tickets to manipulate triage agents or exfiltrate data through trusted AI services.",{"question":90,"answer":91},"What immediate steps must SOC, SecOps, and ML teams take to secure agentic defenses?","Teams must instrument per-agent observability and enforce strict guardrails: implement signed, structured audit trails for every tool call and memory write, use whitelist-based typed tool schemas, and require human checkpoints for high-impact actions like isolation or credential revocation. Integrate agents through existing APIs, change-management, and SOAR approval flows rather than giving them unconstrained write access; run red-team exercises simulating multi-agent cloud attacks and AI-C2 patterns to validate detection and containment. Finally, classify and monitor AI traffic, correlate assistant usage with host telemetry, and apply tiered privileges to ensure agents are observable, governable, and never unchecked insiders.",[93,101,107,113,120,125,130,134,139,143,150,155,160,166,170],{"id":94,"name":95,"type":96,"confidence":97,"wikipediaUrl":98,"slug":99,"mentionCount":100},"6a0be90a1f0b27c1f427162f","SOC","concept",0.95,"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FSOC","6a0be90a1f0b27c1f427162f-soc",7,{"id":102,"name":103,"type":96,"confidence":104,"wikipediaUrl":69,"slug":105,"mentionCount":106},"6a0e39b007a4fdbfcf5ea778","Agentic AI",0.98,"6a0e39b007a4fdbfcf5ea778-agentic-ai",6,{"id":108,"name":109,"type":96,"confidence":110,"wikipediaUrl":111,"slug":112,"mentionCount":106},"69d05cf64eea09eba3dfcc0b","large language models",0.99,"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FLarge_language_model","69d05cf64eea09eba3dfcc0b-large-language-models",{"id":114,"name":115,"type":96,"confidence":116,"wikipediaUrl":117,"slug":118,"mentionCount":119},"6a0e3b9e07a4fdbfcf5ea7ef","LLM 
agent",0.97,"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FAgent_verification","6a0e3b9e07a4fdbfcf5ea7ef-llm-agent",1,{"id":121,"name":122,"type":96,"confidence":123,"wikipediaUrl":69,"slug":124,"mentionCount":119},"6a0e3b9e07a4fdbfcf5ea7f1","AI assistant with web browsing",0.9,"6a0e3b9e07a4fdbfcf5ea7f1-ai-assistant-with-web-browsing",{"id":126,"name":127,"type":96,"confidence":128,"wikipediaUrl":69,"slug":129,"mentionCount":119},"6a0e3ba007a4fdbfcf5ea7f8","overbroad IAM",0.85,"6a0e3ba007a4fdbfcf5ea7f8-overbroad-iam",{"id":131,"name":132,"type":96,"confidence":97,"wikipediaUrl":69,"slug":133,"mentionCount":119},"6a0e3b9f07a4fdbfcf5ea7f3","covert C2","6a0e3b9f07a4fdbfcf5ea7f3-covert-c2",{"id":135,"name":136,"type":96,"confidence":97,"wikipediaUrl":137,"slug":138,"mentionCount":119},"6a0e3b9f07a4fdbfcf5ea7f2","malware","https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FMalware","6a0e3b9f07a4fdbfcf5ea7f2-malware",{"id":140,"name":141,"type":96,"confidence":128,"wikipediaUrl":69,"slug":142,"mentionCount":119},"6a0e3b9f07a4fdbfcf5ea7f7","OSINT reconnaissance","6a0e3b9f07a4fdbfcf5ea7f7-osint-reconnaissance",{"id":144,"name":145,"type":146,"confidence":110,"wikipediaUrl":147,"slug":148,"mentionCount":149},"69d05cf64eea09eba3dfcc08","Anthropic","organization","https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FAnthropic","69d05cf64eea09eba3dfcc08-anthropic",12,{"id":151,"name":152,"type":146,"confidence":116,"wikipediaUrl":153,"slug":154,"mentionCount":106},"6a0b3ab61f0b27c1f426e46d","Check Point Research","https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FCheck_Point","6a0b3ab61f0b27c1f426e46d-check-point-research",{"id":156,"name":157,"type":146,"confidence":123,"wikipediaUrl":158,"slug":159,"mentionCount":119},"6a0e3b9e07a4fdbfcf5ea7ee","Unit 
42","https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FUnit_42","6a0e3b9e07a4fdbfcf5ea7ee-unit-42",{"id":161,"name":162,"type":163,"confidence":164,"wikipediaUrl":69,"slug":165,"mentionCount":119},"6a0e3b9d07a4fdbfcf5ea7ec","state-backed operators","other",0.8,"6a0e3b9d07a4fdbfcf5ea7ec-state-backed-operators",{"id":167,"name":168,"type":163,"confidence":123,"wikipediaUrl":69,"slug":169,"mentionCount":119},"6a0e3b9f07a4fdbfcf5ea7f6","multi-agent cloud penetration PoC","6a0e3b9f07a4fdbfcf5ea7f6-multi-agent-cloud-penetration-poc",{"id":171,"name":172,"type":163,"confidence":128,"wikipediaUrl":69,"slug":173,"mentionCount":119},"6a0e3b9f07a4fdbfcf5ea7f4","SecOps","6a0e3b9f07a4fdbfcf5ea7f4-secops",[175,182,190,197],{"id":176,"title":177,"slug":178,"excerpt":179,"category":11,"featuredImage":180,"publishedAt":181},"6a0eb023a83199a61232a96a","AI-Enabled Cyber Attacks Up 89%: Inside the 9 Autonomous Breaches Reshaping Security in 2026","ai-enabled-cyber-attacks-up-89-inside-the-9-autonomous-breaches-reshaping-security-in-2026","From Assisted to Autonomous: Why AI Cyber Attacks Spiked 89% in 2026  \n\nFor years, “AI in cybercrime” meant:  \n\n- Better phishing content  \n- Faster malware generation  \n- Scaled personalization and f...","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1775994121064-e75fa6f3e84c?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxlbmFibGVkJTIwY3liZXIlMjBhdHRhY2tzJTIwaW5zaWRlfGVufDF8MHx8fDE3NzkzNTU3MzJ8MA&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60","2026-05-21T07:18:38.344Z",{"id":183,"title":184,"slug":185,"excerpt":186,"category":187,"featuredImage":188,"publishedAt":189},"6a0e937fa83199a61232a86a","Microsoft RAMPART and Clarity: A Practical Blueprint for Securing AI Agents in Production","microsoft-rampart-and-clarity-a-practical-blueprint-for-securing-ai-agents-in-production","Autonomous AI agents now sit in workflows that can provision credentials, rotate keys, export audit logs, and apply Terraform plans from a single 
prompt. [3] They amplify existing risks—overshared doc...","safety","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1662947036644-ecfde1221ac7?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxtaWNyb3NvZnQlMjByYW1wYXJ0fGVufDF8MHx8fDE3NzkzNDAzOTd8MA&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60","2026-05-21T05:13:16.940Z",{"id":191,"title":192,"slug":193,"excerpt":194,"category":11,"featuredImage":195,"publishedAt":196},"6a0e8469a83199a612329a7a","Agentic AI in the Kill Chain: How Autonomous Agents Expand Your Attack Surface and Enable Lateral Movement","agentic-ai-in-the-kill-chain-how-autonomous-agents-expand-your-attack-surface-and-enable-lateral-movement","Agentic AI has moved from answering questions to operating: planning, calling tools, manipulating data, and chaining actions across your stack.[1][9]  \n\nThat makes every connected API, datastore, SaaS...","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1652191337993-e4bcdd3bbc08?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxhZ2VudGljJTIwa2lsbCUyMGNoYWluJTIwYXV0b25vbW91c3xlbnwxfDB8fHwxNzc5MzU1NzM0fDA&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60","2026-05-21T04:10:32.575Z",{"id":198,"title":199,"slug":200,"excerpt":201,"category":11,"featuredImage":202,"publishedAt":203},"6a0e3d26a83199a6123245b1","Agentic AI Security: How Autonomous Agents Expand the Attack Surface and Enable Lateral Movement","agentic-ai-security-how-autonomous-agents-expand-the-attack-surface-and-enable-lateral-movement","Agentic AI turns large language models (LLMs) from conversational copilots into autonomous operators wired into APIs, cloud consoles, and internal tools. 
The threat model shifts from “untrusted text i...","https:\u002F\u002Fimages.unsplash.com\u002Fphoto-1740301982969-bea22f0d02e1?ixid=M3w4OTczNDl8MHwxfHNlYXJjaHwxfHxhZ2VudGljJTIwc2VjdXJpdHklMjBhdXRvbm9tb3VzJTIwYWdlbnRzfGVufDF8MHx8fDE3NzkzMzQxMzR8MA&ixlib=rb-4.1.0&w=1200&h=630&fit=crop&crop=entropy&auto=format,compress&q=60","2026-05-20T23:08:31.124Z",["Island",205],{"key":206,"params":207,"result":209},"ArticleBody_BLlRAF1lpePDpp9UyuP5XjZIAbQOx1epxLr73o4zd7E",{"props":208},"{\"articleId\":\"6a0e39d9a83199a612324402\",\"linkColor\":\"red\"}",{"head":210},{}]
