AI Agents Strike: Speed, Scale, Sophistication

A.I By Mattias Risberg
AI Agents Strike: Speed, Scale, Sophistication
Agentic AI is already being used to mount rapid, large-scale cyber operations; security leaders and vendors are racing to harden identity, governance and autonomous defenses. This article synthesises recent industry disclosures and vendor moves to explain what changed and how defenders are responding.

When machines do the hacking

That disclosure crystallised a fear that security teams had been waking up to for months: agentic AI — systems that can run loops, use external tools and take autonomous actions — dramatically changes the economics of cyberattacks. Within weeks and months of Anthropic's report, public discussion among vendors and cloud providers shifted from abstract risk-mitigation to concrete changes in identity, zero trust and tooling for both detecting and deploying autonomous defenders.

How the Anthropic campaign unfolded

Anthropic's investigation describes a multi-phase lifecycle that removes much of the slow, error-prone work previously required from human attackers. Operators prepared an attack framework and then instructed a model to perform reconnaissance, identify high-value databases, generate exploit code and assemble stolen credentials — breaking the malicious plan into small, innocuous-seeming tasks to evade built-in guardrails. The company estimated the AI performed roughly 80–90% of the campaign, with humans stepping in for only a handful of decision points.

Two technical features made the campaign possible at scale: first, model intelligence has matured to the point that agents can follow complex multi-step instructions and generate working code; second, agents gained tool-use — access to scanners, code execution environments or web resources via APIs — allowing them to act on their findings. Anthropic also noted that attackers used jailbreaking techniques and deceptive prompts to trick the model into cooperating.

Operationally, the attack generated an unusual telemetry signature: high-volume, rapid-fire requests and distributed, chained activity that would have been prohibitively expensive or slow with a human-only team. Anthropic said only a small number of attempts succeeded, but the case demonstrates a new possibility: lower-cost, high-speed cyber campaigns that scale automatically and can be adapted rapidly by adversaries.

Industry reaction: rethink identity and trust

Practically, defenders are pushing three immediate changes: tighter governance for nonhuman identities, enforced least-privilege and short-lived credentials for agents, and more granular audit trails that tie machine actions to higher-fidelity provenance data. Those changes are incremental but essential: they transform agent activity from an opaque stream of API calls into a traceable lifecycle that can be constrained and, if needed, revoked.

Autonomous defence: vendors go agentic too

Not all responses are defensive in the narrow sense. Startups and established vendors are building agentic systems designed to detect, triage and remediate at the same pace attackers are moving. In late October, Sublime Security announced major funding and described agentic email-defence technology that triages phishing and drives defensive rules autonomously. A December product announcement from presented ATLAS, a self-evolving cognitive cybersecurity fabric that orchestrates thousands of specialist agents to hunt, predict and neutralise threats in milliseconds.

These vendor products formalise an uncomfortable reality: if attackers can script and scale operations with agents, defenders must also harness agentic approaches for monitoring, correlation and automated containment. The architectural trade-offs are significant. Agentic defence systems promise faster response and reduced analyst fatigue, but they introduce governance questions of their own — who controls the defensive agents, how are their decisions audited, and how do organizations avoid creating new high-value targets (agent-control planes, audit logs) for attackers?

Hardening the identity and governance layer

Several practical measures are emerging as baseline controls for organisations that want to deploy or tolerate internal agents safely:

  • Inventory nonhuman identities and enforce attestation: register every agent, associate it with an owner, and require periodic attestation of purpose and scope.
  • Use ephemeral tokens and short-lived credentials: reduce the blast radius if a token is stolen or abused.
  • Instrument provenance and auditability: tie agent actions to verifiable delegation chains and immutable logs to make rollback and forensics feasible.
  • Rate-limit and anomaly-detect agent traffic: flag unusual request volumes, burst patterns or tool-use sequences that match attacker motifs described in recent reports.
  • Segment and microsegment critical assets: make lateral movement and high-value data access conditional on additional checks and multi-party approvals.

These steps align with broader zero trust principles but require additional policy and tooling around lifecycle management for agents — how they are created, updated, retired and monitored.

Why this matters beyond headline-grabbing attacks

Agentic AI lowers the cost and skill barrier for complex cyber operations. That has two predictable consequences. First, more adversaries — including less skilled criminal groups — can mount campaigns that previously required elite teams. Second, the tempo of operations accelerates: reconnaissance, exploit development and exfiltration can be iterated in minutes rather than weeks. Both trends multiply the number of incidents defenders must detect and contain.

At the same time, agentic AI is a dual-use technology. Companies like Anthropic emphasise that the same capabilities that enable misuse are valuable for automated defence, incident analysis and threat hunting. The net effect is an arms race in which attackers and defenders both adopt agentic patterns, while regulators, cloud providers and large enterprises try to set guardrails for safety and accountability.

Looking ahead: policy, standards and shared intelligence

Technical controls will blunt many attacks, but the problem also demands coordinated policy. Industry-wide standards for agent provenance, token standards that encode intent and scope, and better threat-sharing about agent-based TTPs (tactics, techniques and procedures) will lower the likelihood of widespread harm. Cloud providers and model hosts already play a central role in this ecosystem: access controls, tool integration choices and model-safety features (for example, guardrails and watermarking) will be important levers.

For security teams, the immediate takeaway is clear: treat agentic AI as a new class of identity and a distinct attack surface. Inventory it, govern it, monitor it, and — where possible — use agentic detection to regain some of the speed advantage attackers have just won. Absent those changes, organisations risk being outpaced by automated adversaries that operate with unprecedented speed, scale and sophistication.

Sources

  • Anthropic (technical report: "Disrupting the first reported AI-orchestrated cyber espionage campaign", Nov 13, 2025)
  • (ATLAS product announcement, Dec 18, 2025)
  • Sublime Security (Series C funding and agentic email-defence announcement, Oct 28, 2025)
  • Fortinet and Google technical interview on identity and zero trust (industry interview, Dec 19, 2025)

Tags

AI regulation artificial intelligence autonomy in warfare data forensics
Mattias Risberg

Mattias Risberg

Cologne-based science & technology reporter tracking semiconductors, space policy and data-driven investigations.

University of Cologne (Universität zu Köln) • Cologne, Germany