Agentic AI Lets Attackers Automate Entire Cyber Campaigns

New autonomous systems remove the human bottleneck from reconnaissance, phishing, and exploitation—collapsing weeks of offensive work into hours.

Omega Editorial · June 23, 2026 · 4 min read

The shift from assistant to operator

For three years, artificial intelligence has functioned as a writing aid for cyber attackers—drafting phishing emails, suggesting exploits, generating malicious code. The operator still had to execute each step. That constraint has now fallen away.

Agentic AI systems take an objective and execute the full attack chain autonomously. They gather intelligence, craft personalized messages, manage multi-turn conversations, select exploits, and adapt to live environments without human intervention at each decision point. This transformation is reshaping offensive cyber operations faster than defensive controls can adapt, according to research presented by SANS Technology Institute.

The change cuts two ways: it grants real capability to attackers who previously lacked technical skill, and it accelerates the pace of operations for those who were already proficient.

Why it matters

Defensive strategies built around detecting mass-produced attacks—clumsy grammar, recycled templates, identical messages—are losing their signal. When every phishing email is fluent, contextually grounded, and unique, infrastructure-level defenses like sender reputation and authentication become the last reliable layer. Organizations that fail to test their defenses against agentic tooling are operating on untested assumptions about what will hold under real attack conditions.
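As an added illustration (not part of the original reporting), the sketch below triages mail on infrastructure signals alone: it reads the SPF, DKIM and DMARC verdicts from the Authentication-Results header and ignores how fluent the body is. The host name mx.example.net, the sample messages and the function names are constructed assumptions.

```python
import re
from email import message_from_string

METHOD_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

# Constructed samples: the same fluent, personalised body with different headers.
BODY = ('From: "Dana Reyes" <dana.reyes@example.com>\n'
        "Subject: Follow-up on your conference talk\n\n"
        "Hi Sam, great session on Tuesday. Could you review the attached budget?\n")
SPOOFED = ("Authentication-Results: mx.example.net;\n"
           " spf=softfail smtp.mailfrom=billing@lookalike.test;\n"
           " dkim=none; dmarc=fail header.from=example.com\n" + BODY)
LEGIT = ("Authentication-Results: mx.example.net;\n"
         " spf=pass smtp.mailfrom=dana.reyes@example.com;\n"
         " dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n" + BODY)
# A header stamped by someone else's server, claiming a pass.
FORGED = ("Authentication-Results: relay.sender.test;"
          " dmarc=pass header.from=example.com\n" + BODY)


def auth_verdicts(raw_message, trusted_authserv):
    """Return {method: result}, using only headers added by our own MTA."""
    msg = message_from_string(raw_message)
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        value = " ".join(str(header).split())        # unfold continuation lines
        authserv, _, results = value.partition(";")
        server = authserv.split()[0].lower() if authserv.strip() else ""
        if server != trusted_authserv.lower():
            continue          # not stamped by us; the sender may have supplied it
        for method, result in METHOD_RE.findall(results):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts


def triage(raw_message, trusted_authserv="mx.example.net"):
    """Decide on authentication results only; message wording plays no part."""
    dmarc = auth_verdicts(raw_message, trusted_authserv).get("dmarc")
    if dmarc == "pass":
        return "deliver"
    if dmarc == "fail":
        return "quarantine"
    return "review"           # no verdict from a server we trust


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("forged", FORGED)):
        print(name, triage(raw))
```

All three samples carry identical wording, so any content-based filter would score them the same; only the trusted header separates them.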

Entry-level threats now carry expert-level tools

Historically, low-skill attackers were limited by their inability to write exploits or conduct sophisticated reconnaissance. Agentic systems remove that barrier entirely. An attacker's capability is now bounded by the AI model they select, not by their own expertise.

This creates what security researchers are calling "script kiddie as a service"—a flood of competent attacks from previously unskilled actors. Because many novice attackers use similar models in similar ways, their methods converge into recognizable patterns. That behavioral monoculture offers defenders a narrow advantage: standardized attack chains become predictable, even as their volume increases.

For experienced practitioners, the benefit is speed rather than skill. An agent trained on established tradecraft can execute parallel campaigns, compressing weeks of work into hours.

Autonomous social engineering erases detection signals

One operational example: an attacker deploys an agent to scrape LinkedIn profiles, press releases, and conference recordings to build a target dossier. A second agent uses that intelligence to generate personalized messages, manage replies, and sustain a conversation that incrementally advances toward compromise—all without human oversight.

The danger is not velocity alone. It is the elimination of the linguistic and structural tells that phishing defenses have relied upon for years. Each message arrives fluent, singular, and grounded in verifiable facts about the recipient.

The same automation is extending to exploitation. Frontier models are learning to chain tool calls, self-correct against live environments, and retrieve known vulnerabilities from databases. The federal government has already intervened, forcing models like Anthropic's Claude 3.5 off the market over capability concerns. Agents now perform reconnaissance, assess likely exposures, retrieve matching exploits, and report back: "I believe this will work. Shall I run it?"

The judgment problem

Agents speak with unbroken authority regardless of accuracy. They are optimized to complete tasks and produce answers that appear correct, not to verify truth. When tied to vulnerability databases, they surface plausibly related information without confirming version numbers, configurations, or actual exposure.

This is why the SANS Secure AI Blueprint separates offensive work into a distinct track called "Utilize AI," alongside Protect AI and Govern AI. Utilize is where theory meets proof—the only track that produces evidence of whether policies and defenses hold under real attack conditions. An organization does not know which controls will survive contact until someone turns agentic tooling against its own systems.

The technical execution of offensive operations is increasingly automated. What remains irreducible is human judgment: the ability to distinguish a confident fabrication from a true vulnerability, and to withhold action until certainty is reached.

The details in this article were first reported by Foster Nethercott, author of the SANS SEC535 course on offensive AI, in a piece published on The Hacker News.

This is an original analysis by the Omega editorial team. Source reporting: AI Watch.