February 24 / 2026

AI Agents Are Already Hacking You. Your Internal Controls Won't Save You.

Something shifted in September 2025, and most organizations still haven't processed it. Yes, this is about AI (specifically, systems relying on LLMs), but bear with us.

A Chinese state-sponsored threat group used AI agents — not as research tools, not as coding assistants — as the actual attackers. They targeted roughly 30 organizations across financial services, government, tech, and chemical manufacturing. The AI handled 80-90% of the attack autonomously. Humans only stepped in for strategic calls like picking targets and approving data exfiltration. Everything else — recon, exploit development, data analysis — the AI did on its own, making thousands of requests per second at peak operation.

Anthropic, whose Claude model was exploited in the campaign, documented the full incident publicly. The Congressional Research Service followed with a formal assessment calling it "the first documented case of an AI-orchestrated cyberattack."

This presents new challenges which should change the way you think about security.

Why Reducing Dwell Time No Longer Matters 

For years, the industry has measured security maturity by how quickly you detect and respond to threats already inside your network. Dwell time — how long an attacker sits undetected — became the metric everyone obsessed over.

And sure, dwell times have been dropping. A Sophos report from H1 2025 found median dwell time dropped to 8 days overall. Sounds like progress, right?

Look closer. Ransomware dwell time specifically dropped from 9 days to just 5. That's not because defenders got better. It's because attackers got faster. They don't need to camp out anymore.

Palo Alto Networks' Unit 42 team found that a quarter of all data thefts now happen in under five hours from initial access — three times faster than 2021. Their researchers expect AI tools to compress that further, potentially to minutes.

Five hours. That's your entire window from breach to data loss.

Now layer in what CrowdStrike reported: 76% of organizations can't defend at the speed AI-powered attacks operate. Three out of four companies are structurally incapable of keeping pace with the threat that already exists today. Not a future threat. Today's threat.

Why "Assumed Breach" Is Now a Dangerous Strategy

This is where people get uncomfortable, because the cybersecurity industry has spent the better part of a decade building its identity around assumed breach. Invest in EDR. Build your SOC. Deploy SIEM and SOAR. Hunt for threats inside your network. Assume the attacker is already there.

That strategy may have made sense when APT groups would quietly sit in your environment for months (as when Volt Typhoon was discovered to have been embedded in critical infrastructure for up to five years). But some attackers who know their goals are in and out before anyone notices. When we conduct penetration testing, we have often gathered all the targets and left a client’s environment during an engagement seemingly before the ink on the contract has dried.

But when an AI agent can breach your perimeter, identify high-value data, and exfiltrate it before lunch? And this is available to anyone who wants it? Your internal controls are chasing shadows.

Internal controls aren't worthless, to be clear. But if your entire security strategy assumes the attacker will be inside long enough for you to find them, you're planning for a war that's already over.

The AI-Powered Threat: From Nation-States to Scriptless Cyber Attackers 

The September 2025 espionage campaign was sophisticated. State-sponsored and well-resourced. It was easy to dismiss as "not my problem" if you're not a government contractor or defense target.

But Anthropic's August 2025 threat intelligence report tells a different story. They documented a cybercriminal — not a nation-state — who used AI agents to conduct large-scale data theft and extortion across at least 17 organizations, including healthcare providers, emergency services, and government institutions. The actor threatened to expose stolen data publicly, demanding ransoms exceeding $500,000.

Here's the detail that should scare you: another actor they caught was entirely dependent on AI to build functional malware. Without it, this person couldn't implement basic encryption algorithms or anti-analysis techniques. AI is what made the attack possible; without it, they couldn’t do anything.

That's the inflection point. Agentic AI is turning people who couldn't write a basic script into credible threats. The Congressional Research Service assessment put it plainly: "both state-sponsored and less sophisticated criminal groups could potentially perform large-scale attacks using agentic AI."

Mark Stockley at Malwarebytes told MIT Technology Review: "I think ultimately we're going to live in a world where the majority of cyberattacks are carried out by agents. It's really only a question of how quickly we get there."

Meanwhile, the threat surface keeps expanding from the inside too. A vulnerability in Microsoft Copilot (CVE-2025-32711, dubbed "EchoLeak") showed how AI agents within your own enterprise environment can be weaponized through indirect prompt injection to silently exfiltrate sensitive data — no user interaction required. The attacker sends an email with a hidden instruction, the AI agent processes it, searches recent emails for keywords like "password," and quietly sends the results to an external server.

Let’s also keep in mind all the vibe-coded slop that’s being developed and released, which is full of security holes, and possibly being deployed to a network near you…

The World Economic Forum flagged that agentic AI is creating massive numbers of non-human identities across enterprises — API keys, service accounts, AI agent credentials — that most CISOs can't see, let alone govern. And we all know the first rule of cyber: "You can't protect what you can't see."

So What Needs to Change?

Stop treating offensive testing as a compliance exercise. When AI agents can map your external attack surface in minutes and identify exploitable paths faster than your team can review a vulnerability scan, annual pentesting may need a rethink. 

Test your perimeter continuously. Not once a year. Not quarterly. Your external attack surface — applications, cloud infrastructure, APIs, everything an attacker can reach — changes constantly. If you tested it six months ago, you don't know what it looks like today. An AI agent will figure it out in minutes. Sure, point-in-time testing for complex targets continues to be needed. But broadly speaking, it’s time to realize things have changed.

Rebalance your investment. Most organizations pour the overwhelming majority of their security budget into detection and response. That made sense in a long-dwell-time world. In a world where attackers operate in hours, prevention and proactive hardening deserve a much bigger share of your attention and budget.

Know your actual attack surface. Not the one in your CMDB (if you actually have a CMDB). Not the assets you know about. The real one — including the shadow IT, the misconfigured S3 bucket someone spun up last Tuesday, the forgotten dev environment with production credentials. If you haven't looked at it from the outside recently, you're guessing.
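
An added example, not from the original post: one way to make the outside-in check repeatable is to diff each external scan against both the CMDB and the previous scan, so anything new or unaccounted for surfaces on the day it appears. The hostnames, ports and the `exposure_drift` helper are constructed for illustration; the snapshots stand in for output from whatever discovery tooling you already run.

```python
# Constructed sample data: what the CMDB says should be internet-facing,
# and two outside-in scan snapshots (host -> set of open TCP ports).
CMDB = {
    "www.example.com": {443},
    "api.example.com": {443},
    "vpn.example.com": {443},
}
SNAPSHOT_PREVIOUS = {
    "www.example.com": {443},
    "api.example.com": {443},
    "vpn.example.com": {443},
}
SNAPSHOT_TODAY = {
    "www.example.com": {443},
    "api.example.com": {443, 8080},    # extra listener nobody recorded
    "dev-old.example.com": {22, 443},  # forgotten environment, absent from the CMDB
}


def exposure_drift(cmdb, previous, current):
    """Return (kind, host, ports, changed_since_previous) tuples.

    unknown_asset        -- reachable from outside, not in the inventory
    undocumented_service -- inventoried host exposing ports the inventory lacks
    stale_record         -- inventoried host no longer seen from outside
    """
    findings = []
    for host in sorted(current):
        # Ports the inventory does not account for (all of them for unknown hosts).
        unexpected = current[host] - cmdb.get(host, set())
        if not unexpected:
            continue
        kind = "unknown_asset" if host not in cmdb else "undocumented_service"
        # Changed = at least one of these ports was not exposed in the last scan.
        changed = bool(unexpected - previous.get(host, set()))
        findings.append((kind, host, sorted(unexpected), changed))
    for host in sorted(set(cmdb) - set(current)):
        # Changed = the host was still visible in the last scan.
        findings.append(("stale_record", host, sorted(cmdb[host]), host in previous))
    return findings


if __name__ == "__main__":
    for finding in exposure_drift(CMDB, SNAPSHOT_PREVIOUS, SNAPSHOT_TODAY):
        print(finding)
```
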

The Point

If you skimmed to the bottom instead of reading this whole post, here’s the one lesson you should take away: The cybersecurity industry got comfortable with a model that assumed attackers would be slow enough to catch. That assumption is now wrong (and if you want, we’re happy to discuss and show how it was never really right).

AI agents are being weaponized today — by nation-states, by criminals, by people who couldn't have pulled off these attacks a year ago. Dwell times are collapsing. Attack speed is accelerating. And the vast majority of organizations are structured to defend against a threat model that no longer reflects reality.

No, AI is not perfect, and no, not everyone who wants to hack is now going to breach your network. AI hallucinates (aka "makes mistakes") a lot, but the scale and speed it affords mean the attackers' odds of being right increase. It's also easy to spin up an agent with little to no coding skill (on the flip side, those systems have huge numbers of security holes, so maybe active defense has a new vector).

The attackers who will hurt you are fast, automated, and gone before your alerts fire. If you're not proactively finding and fixing what they'll exploit — your perimeter, your apps, your cloud — before they get there, you're hoping for the best.

Hope isn't a security strategy. It never was, but now it's an especially bad one.

 

 

Sources

  1. Anthropic, "Disrupting the first reported AI-orchestrated cyber espionage campaign", November 2025
  2. Congressional Research Service, "Agentic Artificial Intelligence and Cyberattacks", 2025
  3. Anthropic, "Detecting and countering misuse of AI: August 2025", August 2025
  4. MIT Technology Review, "Cyberattacks by AI agents are coming", April 2025
  5. CSO Online, "Attack time frames are shrinking rapidly", March 2025
  6. CSO Online, "Why 2025's agentic AI boom is a CISO's worst nightmare", February 2026
  7. Packet Labs, "What Is Attack Dwell Time?", December 2025
  8. AllAboutAI, "AI Cyberattack Statistics 2026", December 2025
  9. World Economic Forum, "Non-human identities: Agentic AI's new frontier of cybersecurity risk", October 2025
  10. Barracuda Networks, "Dwell time declining: Good news or bad?", 2024
  11. Fortune, "Anthropic says it 'disrupted' first documented large-scale AI cyberattack", November 2025
  12. Cyber Magazine, "AI Agents Drive First Large-Scale Autonomous Cyberattack", January 2026