Clear Signal
On the Front Lines

When AI Stops Advising and Starts Executing Attacks.

The threat-intel headlines say sophistication. The incident data says deferred maintenance. Both the technical read and the boardroom read, in one place.


The Wake Up Call — defending against autonomous AI attacks

Anthropic just documented ‘Disrupting the first reported AI-orchestrated cyber espionage campaign’, something I’ve been alerting CISOs about for months in my EBC sessions with the C-suite: the first large-scale cyberattack executed not with AI assistance, but by AI. A state-sponsored group used Claude Code to autonomously compromise roughly thirty global targets (tech companies, financial institutions, chemical manufacturers, government agencies), with AI doing 80-90% of the work.

Here’s what actually matters: we’ve crossed a threshold. AI has moved from being a tool that enhances human attackers to being an autonomous operator that occasionally checks in with humans. And if you’re still approaching AI security with a reactive mindset, you’re already behind.

What Happened (And Why It’s Different)

Let me be direct about what makes this case unprecedented. The attackers didn’t just use AI to write better phishing emails or generate exploit code faster. They built a framework that let Claude Code operate autonomously for extended periods, analyzing target systems, identifying vulnerabilities, writing exploits, harvesting credentials, and exfiltrating data.

At the peak of the attack, the AI made thousands of requests, often multiple per second. Human hackers couldn’t match that speed even if they worked around the clock. More importantly, the attackers only needed to intervene at 4-6 critical decision points per campaign. Everything else? Automated.

Think about what that means. A mid-tier threat actor with limited resources can now deploy AI agents that do the work of an entire team of experienced hackers. The barrier to sophisticated cyberattacks just dropped dramatically.

How They Broke Through (The Technical Reality)

The attack exploited three capabilities that barely existed a year ago:

  • Intelligence: Modern AI models can follow complex instructions and execute sophisticated tasks. Claude’s software coding skills made it particularly useful for cyberattacks.
  • Agency: AI can now run in loops, chaining together tasks and making autonomous decisions with minimal human oversight.
  • Tools: Through frameworks like Model Context Protocol (MCP), AI has access to password crackers, network scanners, and other security tools that were previously human-only domains.

The attackers had to jailbreak Claude — tricking it into bypassing its safety guardrails. They did this by breaking attacks into small, seemingly innocent tasks, and by pretending Claude was an employee of a legitimate cybersecurity firm conducting defensive testing.

AI assistance has shifted to AI execution — the new reality of autonomous attacks

Autonomous Attack Lifecycle

Once jailbroken, the AI executed the full intrusion lifecycle on its own — from reconnaissance to documentation — pausing only at a handful of human checkpoints.

Autonomous attack lifecycle: jailbreaking Claude, reconnaissance, vulnerability scanning, credential harvesting, data exfiltration, and documentation

Three Strategic Shifts Security Leaders Must Make Now

After 15 years advising security teams across the SEA region, I can tell you: this isn’t just another vulnerability to patch. This is a fundamental shift in the threat landscape that demands a fundamental shift in how we defend.

Shift #1. From “Prevent AI Attacks” to “Build Resilient Architecture Assuming AI Breach”

You cannot reliably prevent AI-powered attacks. Even Anthropic, the company that built Claude and invested heavily in safety mechanisms, saw their AI jailbroken and weaponized.

The shift: Stop investing exclusively in prevention. Start investing in cyber resilience. Design your architecture assuming AI will successfully compromise parts of it. Focus on:

  1. Limiting lateral movement (microsegmentation): AI agents move fast once inside. Deploy Zero Trust Secure Access principles and AI Gateways that enforce “deny-by-default” policies. Even if an AI agent hijacks a credential, it encounters a “network dead end” because it lacks the specific context-aware authorization to move laterally to other apps.

  2. Detecting anomalous behavior patterns (esp. high-velocity actions): Human users don’t access 500 databases in a minute; AI agents do. Implement Identity Threat Detection and Response (ITDR) that flags “non-human” behavior speeds and volume, instantly triggering MFA or session termination.

  3. Isolating critical systems from AI-accessible environments: Use Air-gapped Backups or strictly governed Data Clean Rooms for crown jewels, ensuring that the “useful” AI tools employees use (which are potential entry vectors) have no physical or logical path to core IP.

  4. Building graceful degradation capabilities: Architect systems to “fail safe” by neutralizing agency. Upon detection, automatically degrade to “read-only” by blocking Tool Use (via AI Guard) and revoking Write permissions (via Zero Trust automation), turning compromised operators into harmless observers.

To assume breach effectively, advanced exposure management platforms utilize Attack Path Prediction. Instead of generating a static list of vulnerabilities, these engines create a dynamic graph of your entire estate—cloud, endpoint, identity, and network. They simulate how an autonomous AI attacker would traverse this graph, identifying “choke points” where a single remediation (like removing a stale admin permission) can sever the path to critical assets.
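The choke-point idea above, as an added illustration rather than any vendor’s engine: a small graph of a constructed estate (all node names are hypothetical) in which each edge means “whoever holds the source can reach or assume the target”, and a search for the single edges whose removal severs every path from the entry points to the crown jewels.

```python
from collections import deque

# Constructed sample estate graph (hypothetical names). An edge src -> dst
# means an attacker controlling src can reach or assume dst. The stale admin
# role is the kind of finding attack-path analysis is meant to surface.
ESTATE = {
    "public-web": ["svc-web"],
    "dev-laptop": ["alice", "svc-web"],
    "alice": ["jump-host"],
    "svc-web": ["jump-host"],
    "jump-host": ["stale-admin-role"],
    "stale-admin-role": ["finance-db", "hr-db"],
    "finance-db": [],
    "hr-db": [],
}
ENTRY_POINTS = {"public-web", "dev-laptop"}
CROWN_JEWELS = {"finance-db"}


def reachable(graph, sources, removed_edge=None):
    """BFS from every entry point, optionally pretending one edge was remediated."""
    seen = set(sources)
    queue = deque(sources)
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if (node, nxt) == removed_edge or nxt in seen:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return seen


def attack_paths_exist(graph, entries, targets, removed_edge=None):
    """True if any target is still reachable from the entry points."""
    return bool(reachable(graph, entries, removed_edge) & targets)


def choke_points(graph, entries, targets):
    """Edges whose single removal cuts every entry-to-target path (sorted for stable output)."""
    if not attack_paths_exist(graph, entries, targets):
        return []
    edges = [(src, dst) for src, dsts in graph.items() for dst in dsts]
    return sorted(e for e in edges if not attack_paths_exist(graph, entries, targets, e))


if __name__ == "__main__":
    for src, dst in choke_points(ESTATE, ENTRY_POINTS, CROWN_JEWELS):
        print(f"remediating {src} -> {dst} severs all paths to {sorted(CROWN_JEWELS)}")
```

Removing the two redundant edges into `jump-host` individually changes nothing, which is exactly why a flat vulnerability list would rank them alongside the stale role edge that actually matters.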

Shift #2. From “AI as Tool” to “AI as Autonomous Operator”

Most security teams are still thinking about AI as a tool that humans use. The threat actors have moved on. They’re treating AI as an autonomous operator that works independently.

The shift: Your detection systems need to identify autonomous AI behavior patterns:

  • Thousands of requests in short timeframes: Deploy Rate Limiting and API Security specialized for AI traffic. These tools act as a governor, detecting the “machine-gun” velocity of an automated enumeration attack and dropping the traffic instantly.
  • Systematic enumeration across systems: Deception Technology (Honeypots). AI agents are logical and systematic; they will inevitably scan and touch “fake” assets that a human would ignore. Touching a honeypot provides a high-fidelity signal to block the agent immediately.
  • Task chaining without typical human pause patterns: Implement Behavioral AI Analytics that look for “thinking time.” A continuous stream of complex commands without human-like cognitive pauses is a signature of an autonomous operator.
  • Actions that follow logical progression but at inhuman speed: Utilize Automated SOAR (Security Orchestration, Automation, and Response). You cannot fight machine speed with human clicks. The defense system must be authorized to execute “kill actions” autonomously when high-confidence machine patterns are detected.
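The four detection signals listed above, plus the ITDR response from Shift #1 (step-up MFA or session termination), as an added worked example that is not part of the original article or any product: per-session features are computed over constructed access-log events (hypothetical session ids, paths and a decoy table), then scored and mapped to a SOAR-style action.

```python
from statistics import median

# Constructed sample events: (session_id, seconds_since_start, resource).
# One human session with long pauses, one agent session sweeping 60 tables
# at ~3 requests/second and brushing a decoy table on the way.
EVENTS = [
    ("sess-human", 0.0, "/db/customers"), ("sess-human", 41.0, "/db/orders"),
    ("sess-human", 95.5, "/db/customers"), ("sess-human", 180.0, "/db/invoices"),
]
EVENTS += [("sess-agent", i * 0.3, f"/db/table{i:03d}") for i in range(60)]
EVENTS += [("sess-agent", 18.5, "/db/decoy-payroll-backup")]
HONEYPOTS = {"/db/decoy-payroll-backup"}  # deception assets no real user is told about


def session_features(events, session_id):
    """Velocity, 'thinking time', breadth of enumeration and honeypot touches."""
    evts = sorted((t, r) for s, t, r in events if s == session_id)
    times = [t for t, _ in evts]
    span = max(times[-1] - times[0], 1e-9)
    gaps = [b - a for a, b in zip(times, times[1:])] or [span]
    return {
        "rate_per_sec": len(evts) / span,
        "median_gap_sec": median(gaps),
        "distinct_resources": len({r for _, r in evts}),
        "honeypot_hits": sum(1 for _, r in evts if r in HONEYPOTS),
    }


def classify(f, max_rate=1.0, min_gap=2.0, max_distinct=20):
    """Return (is_autonomous, reasons). Thresholds are illustrative, not tuned."""
    reasons = []
    if f["honeypot_hits"]:
        reasons.append("honeypot touched")
    if f["rate_per_sec"] > max_rate:
        reasons.append("machine-speed request rate")
    if f["median_gap_sec"] < min_gap:
        reasons.append("no human thinking time between actions")
    if f["distinct_resources"] > max_distinct:
        reasons.append("systematic enumeration")
    # A honeypot hit is high-fidelity on its own; otherwise require two
    # corroborating velocity/breadth signals before calling it autonomous.
    return bool(f["honeypot_hits"]) or len(reasons) >= 2, reasons


def response_action(features):
    """SOAR-style decision: kill confirmed agents, step up MFA on a lone signal."""
    autonomous, reasons = classify(features)
    if autonomous:
        return "terminate_session_and_revoke_tokens"
    return "step_up_mfa" if reasons else "allow"
```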

Technology Deep Dive: Proactive “Agentic” AI Defense

To combat autonomous AI operators, defenders are deploying Proactive Cybersecurity AI stacks. These platforms utilize specialized “Agentic AI” that possesses reasoning capabilities, not just pattern matching. They continuously monitor the environment using specialized LLMs trained on decades of threat intelligence. When an attacking AI agent executes a complex sequence, the defensive Agentic AI correlates these subtle signals across email, network, and cloud layers in real time, identifying the intent of the attack and triggering autonomous responses faster than any human analyst could react.

Shift #3. From “Security Team’s Problem” to “Strategic Business Risk”

This is where servant leadership becomes critical. Your executive team needs to understand: AI-powered attacks aren’t a future threat, they’re happening now. And they’re hitting targets across sectors: tech, finance, manufacturing, government.

The shift: Reframe the conversation with your board around three material risks:

Threat actors now compress months of reconnaissance into 72 hours using autonomous AI. This speed asymmetry creates:

  1. Regulatory and fiduciary risk: When attacks complete in days but our Mean Time to Detect (MTTD) averages 200+ days, we face significant defensibility challenges in regulatory audits and shareholder litigation. The “reasonable security measures” standard evolves with the threat landscape.

  2. Revenue risk: AI-orchestrated breaches cause 3-6 week operational disruptions. Modern Cyber Risk Quantification platforms now model these scenarios in financial terms, shifting the conversation from tool requests to quantified exposure and mitigation ROI.

  3. Competitive disadvantage: Organizations that achieve detection and response capabilities matched to AI-speed threats will maintain customer trust and operational velocity. Those that don’t will face extended recovery, customer attrition, and reputation damage.

The investment is in operational resilience, regulatory defensibility, and competitive positioning—not tools. The question isn’t whether to invest, but whether we can defend our current posture if tested.

Technology Deep Dive: Cyber Risk Exposure Management (CREM) & Quantified Risk

Modern platforms have evolved from simple asset management to Cyber Risk Exposure Management (CREM). These systems ingest telemetry from across the organization to calculate a unified Cyber Risk Index (CRI)—a quantifiable score that translates technical debt into business risk terms. It allows security leaders to present the Board with a “Risk Buy-Down” plan: demonstrating how a specific investment in AI defense will directly lower the organization’s Risk Index score and benchmark their resilience against industry peers.

What This Means for CISOs (The Real Talk)

What AI-orchestrated attacks mean for CISOs

I’ve had this conversation with security leaders from across Southeast Asia. Here’s what I tell them:

The uncomfortable truth: Your security program was designed to defend against human attackers who need to sleep, who make mistakes, who work at human speed. That’s no longer your primary threat model.

The opportunity: AI-powered attacks will get more sophisticated, but so will AI-powered defenses. The organizations that invest now in AI-native detection systems, resilient architectures that assume breach, teams trained to think about AI threat actors, and clear governance that enables safe AI adoption for defense—those organizations will have a significant advantage.

The leadership imperative: This is not a “wait and see” situation. Anthropic detected this attack in mid-September 2025. The next iteration will be more sophisticated. The actors will share techniques. The barrier will drop further.

The Bigger Picture: Defender’s Advantage Exists (If You Act)

Here’s what gives me hope: Anthropic detected this attack. They mapped its scope. They banned accounts. They notified victims. They disrupted the campaign.

The defenders can win—but only if we match the attacker’s speed and scale. That means using AI to defend against AI, building architectures that are resilient not just hardened, training teams to recognize autonomous AI behavior, and moving proactively instead of reactively.

This is exactly the kind of inflection point where servant leadership makes the difference. Your team needs clarity on the threat, tools to match the new threat speed, permission to experiment and learn rapidly, and support from leadership that this is a strategic priority.

My Take: We’re in the Early Innings

The new reality: AI has moved from advisor to autonomous operator

Anthropic called this “the first reported AI-orchestrated cyber espionage campaign.” Think about that word: first. Not last. First.

The attackers achieved 80-90% automation. The remaining 10-20% human involvement will shrink. The jailbreaking techniques will improve. The tool access will expand.

But here’s what the attackers can’t easily replicate: resilient architectures, trained defenders using AI-powered tools, and security leaders who think proactively instead of reactively.

The question isn’t whether AI-orchestrated attacks will become common. They will. The question is whether your organization will be ready.

After two decades in cybersecurity, I’ve seen every “game-changing” threat prediction. Most were overhyped. This one isn’t. This is the real inflection point.

What’s your 90-day plan?


Cheewan is a cybersecurity leader with 20+ years of experience advising CISOs and security executives across AMEA on AI-driven security platforms and proactive threat management strategies. He specializes in helping organizations move from reactive security to resilient architectures.

