AI Cyberattacks Are Going Autonomous: When the Hacker Is a Machine
AI cyberattacks are shifting from AI-assisted phishing to autonomous agents that hack on their own. See what offensive AI can do and how to defend.

AI cyberattacks are attacks that use artificial intelligence to break into systems. For a while that meant small help, like writing a cleaner phishing email or sorting stolen data. That is changing. The newest tools do not just assist a human attacker. They run the attack themselves, finding weaknesses, exploiting them, and moving deeper with little human input.
The short version: the attacker is becoming a machine. On episode 97 of The Security Podcast of Silicon Valley, Alexis Lingad, founder and CEO of KinoSec, described building an autonomous offensive platform he calls a "cyber weapon" and "Palantir for offensive cyber operations." This article explains what AI cyberattacks are, how they are turning autonomous, what an offensive AI agent actually does, and what defenders should do about it.
What Are AI Cyberattacks?
An AI cyberattack is any attack where artificial intelligence does part of the criminal work.
That covers a wide range. At the simple end, a scammer uses a chatbot to write a flawless phishing message in any language. In the middle, AI scans code or networks to spot weak points faster than a person could. At the far end, an AI agent plans and runs the whole break-in, deciding its own next step.
The reason this matters is speed and scale. A human team can run a handful of attacks at once. An AI agent can run many in parallel, never gets tired, and works at machine speed. The defense has to keep up with an attacker that does not sleep.
From AI-Assisted to Autonomous: How AI Cyberattacks Are Evolving
The big shift is from AI helping a human to AI acting on its own.
The clearest public example came in late 2025. Anthropic, the company behind the Claude AI model, reported the first known large-scale cyberattack run mostly by AI. It tracked the group as GTG-1002 and tied it to a state-sponsored actor. The AI carried out an estimated 80 to 90 percent of the operation against about 30 targets, including tech firms, banks, and government agencies. Humans only stepped in at a few key moments.
That is a turning point. The attack was not a human using AI as a tool. It was AI doing the job, with a human checking in now and then. Anthropic also noted a limit worth remembering: the model still made things up, which kept the attack from being perfectly autonomous. The direction, though, is one way. Each year the machine does more of the work.
What an Autonomous Offensive AI Agent Actually Does
A real offensive agent does not stop at finding a flaw. It behaves like a patient human intruder.
Lingad described the loop plainly. The agent gathers intelligence on a target. It exploits a weakness. Then it chains that exploit, using the access it just gained to reach the next target. It escalates privilege, which means turning a basic login into an admin account. It moves sideways through the network, which is called lateral movement. Most defenses still guard the front door while the attacker is already walking the hallways, which is the core reason perimeter security keeps failing against lateral movement.
Lingad shared a case that shows how far this autonomy reaches. An agent compromised a client, harvested its secret API keys, which are the passwords software uses to connect, and worked out that one of them unlocked the company email. From there it reached the admin account and fired off internal phishing on its own. The machine ran the reconnaissance, the break-in, and the con, with no operator scripting each step. That mix of technical exploit and human-style manipulation is what makes an autonomous attacker so hard to box in.
The same autonomy that makes AI agents useful to defenders makes them dangerous in the wrong hands. The lesson security teams learned from giving AI agents least privilege applies in reverse here: an agent with broad reach and a goal will use every path it can find.
Why Guardrails Won't Stop Offensive AI
Most people assume the safety rules built into AI models will hold. They do not always hold.
Mainstream models from companies like Anthropic and OpenAI have guardrails and terms of service that forbid hacking. There is even a standard for managing AI responsibly, ISO/IEC 42001. Lingad's point was blunt: offensive tooling simply steps around all of that. He said his platform runs "purely without limits and without guardrails," using open models that were never locked down, then tuned with the team's own expertise.
The Anthropic case proves the gap is real even with a guarded model. The attackers did not break Claude's safety system by force. They tricked it, telling it that it was a security firm doing defensive testing. The model went along with it. A guardrail that can be talked around is not a wall.
There is a second catch. Lingad said every attack starts with a defined scope and a kill switch meant to stop the agent. But he admitted some models do not reliably honor the kill switch. If the off button does not always work, control is an open question, not a settled feature.
The AI Arms Race: What This Means for Defenders
Lingad framed his own work as part of a "cybersecurity arms race." Defenders should take that literally.
The attacker has always moved faster than the defense. AI widens that gap. An autonomous agent finds and chains weaknesses at a pace no human team can match, and it can do it against many targets at once. The hard truth Lingad stated is one every security leader already suspects: there is no perfect system, and in a complex supply chain there is always something unknown.
That does not mean defense is hopeless. It means the old habit of buying one more tool for the application layer is not enough. The same blind spot that lets attackers chain past app defenses shows up when AI agents ship vulnerable code into production faster than anyone reviews it. Speed on offense has to be answered with speed on defense.
How to Defend Against AI-Powered Attacks
You cannot stop offensive AI from existing. You can make yourself a harder, slower target. Focus on the moves these agents rely on.
Assume the whole attack surface is in play. Web, cloud, network, and connected devices all count. An agent that fails at the front door will try the side window.
Harden identity. Phishing and stolen credentials are still the easiest way in, and AI makes the lures perfect. Phishing-resistant logins matter, which is the same case behind proving identity instead of just detecting fakes.
Segment the network. Limit lateral movement so one foothold does not become full control. This is where zero trust earns its keep.
Cut secret sprawl. The API-key example shows how one exposed secret unlocks the rest. Rotate keys, scope them tightly, and keep them out of code.
Test yourself continuously. A point-in-time pentest once a year cannot keep up with a machine attacker. Continuous testing, including AI on defense, closes the gap.
The goal is not a perfect wall. It is to make every step of the chain cost the attacker more time than the reward is worth.
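As an added illustration of the secret-sprawl point (example code written for this article's scenario, not KinoSec's tooling or any vendor's audit API), the detector below runs over constructed audit events in a made-up format and flags the two moves the harvested-key case turned on: an API key granting a role, and an API key fanning out mail to internal recipients.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical format, not a real product's log).
EVENTS = [
    {"ts": "2025-11-01T09:00:00", "actor": "key:svc-billing", "actor_type": "api_key", "action": "ListMailboxes", "target": "-"},
    {"ts": "2025-11-01T09:01:10", "actor": "key:svc-billing", "actor_type": "api_key", "action": "GrantRole", "target": "role:GlobalAdmin"},
    {"ts": "2025-11-01T09:02:00", "actor": "key:svc-billing", "actor_type": "api_key", "action": "SendMail", "target": "alice@corp.example"},
    {"ts": "2025-11-01T09:02:05", "actor": "key:svc-billing", "actor_type": "api_key", "action": "SendMail", "target": "dave@corp.example"},
    {"ts": "2025-11-01T09:02:09", "actor": "key:svc-billing", "actor_type": "api_key", "action": "SendMail", "target": "erin@corp.example"},
    {"ts": "2025-11-01T09:30:00", "actor": "key:svc-crm", "actor_type": "api_key", "action": "SendMail", "target": "frank@corp.example"},
    {"ts": "2025-11-01T09:31:00", "actor": "key:svc-crm", "actor_type": "api_key", "action": "SendMail", "target": "grace@corp.example"},
    {"ts": "2025-11-01T10:00:00", "actor": "user:bob", "actor_type": "user", "action": "SendMail", "target": "carol@corp.example"},
]

INTERNAL_DOMAIN = "corp.example"   # assumed tenant domain
WINDOW = timedelta(minutes=10)     # sliding window for the fan-out rule
BULK_THRESHOLD = 3                 # internal recipients within WINDOW that trigger an alert


def detect_key_takeover(events, internal_domain=INTERNAL_DOMAIN):
    """Return (actor, reason) alerts for API keys behaving like a hijacked admin.

    Rule 1: a non-human API key granting any role is always suspicious.
    Rule 2: a non-human API key sending mail to BULK_THRESHOLD internal
            recipients inside WINDOW looks like internal phishing fan-out.
    """
    alerts = []
    recent_sends = defaultdict(list)          # actor -> timestamps of recent internal sends
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["actor_type"] != "api_key":
            continue                          # human users are out of scope for these rules
        ts = datetime.fromisoformat(e["ts"])
        if e["action"] == "GrantRole":
            alerts.append((e["actor"], "api key granted a role: " + e["target"]))
        elif e["action"] == "SendMail" and e["target"].endswith("@" + internal_domain):
            window = [t for t in recent_sends[e["actor"]] if ts - t <= WINDOW]
            window.append(ts)
            recent_sends[e["actor"]] = window
            if len(window) == BULK_THRESHOLD:  # fires once when the threshold is crossed
                alerts.append((e["actor"], f"api key sent internal mail to {BULK_THRESHOLD} recipients within 10 minutes"))
    return alerts


if __name__ == "__main__":
    for actor, reason in detect_key_takeover(EVENTS):
        print(actor, "->", reason)
```

A real deployment would key the rules on whatever identity type and action names the mail platform's audit log actually uses; the shape of the logic, not the field names, is the point.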
Listen to the Full Episode
Alexis Lingad, founder and CEO of KinoSec, joined hosts Jon McLachlan (co-founder of YSecurity and Cyberbase.ai) and Sasha Sinkevich (co-founder of YSecurity and Cyberbase.ai) on episode 97 of The Security Podcast of Silicon Valley.
The episode is a rare, candid look at offensive AI from someone building it. Lingad talks through how the tool gathers intelligence and chains attacks, why he believes autonomy is coming whether the industry is ready or not, and how he thinks about keeping such a tool out of the wrong hands.
If your job is to defend an organization, hearing the attacker's roadmap in plain language is worth the listen.