How AI-Driven Cyberattacks Are Changing the Threat Landscape in 2026
By Christiaan Ottow, Northwave CTO

Has the Age of AI-Enabled Adversaries Arrived?
In the past two months, we’ve seen a lot of news about AI-powered cyberattacks. Is this all part of the gradual development of AI capabilities? Or, after several years in the making, have we reached an inflection point where we as defenders need to start worrying and kick our efforts up a gear? In this article we look at what AI-assisted attacks are currently capable of, what this means for the future, and what defenders should do now.
Are We at an Inflection Point for AI-Assisted Cyber Attacks?
For three years, generative AI adoption by threat actors remained slow and largely unimpressive. That is, until late 2025, when a wave of worrying developments arrived in quick succession.
One such development is malware exploiting public LLMs, through their APIs, in different ways. The LAMEHUG malware uses live LLM interactions to generate system commands on demand, making it harder to detect by traditional methods and ensuring its actions are suited to the local target environment. Another malware strain, called PROMPTFLUX, used live LLM interactions to regenerate its own source code on every execution, also making it difficult to detect and track. Yet another example is an LLM-driven tool that creates exploit code from vulnerability information (CVEs) in under 15 minutes. Currently this only works for certain (web-based) types of vulnerabilities, but the premise has a lot of potential.
In addition to these “smart” malware strains, which are still somewhat experimental, we see the first LLM-based tools arise that take care of the complete attack chain. This is where things get scary: a tool that can execute the entire chain, from reconnaissance and initial access all the way to actions on target, would be a serious game-changer, both in terms of the speed of attack (from initial access to actions on target) and in terms of making this kind of attack accessible to a large and less technically savvy public.
The first tool in this area is Villager, which adds LLM-based automation on top of Cobalt Strike, a popular offensive toolkit. A second is HexStrike AI, which is different because it isn’t a tool itself or a wrapper around a single existing tool. Rather, it is a framework that allows for orchestration and automation among ±150 other attack tools. And most recently, Anthropic, the makers of Claude, reported on a framework created and used by Chinese nation-state actors to perform large-scale automated attacks by abusing Claude.


Two Breakthroughs Driving Agentic AI For Threat Actors
We can speculate as to why we have witnessed an enormous leap in offensive AI capabilities within a few short months. Two recent developments likely play a role. The first is the creation of MCP: a protocol for orchestrating interaction and data exchange between agentic AI tools and other tools and data sources. MCP makes it much easier to make existing data available to an AI agent, and to give an AI agent the capabilities to effect change in existing IT systems. This has really enhanced the capabilities of AI agents, and the speed at which they are developed.
The second is the arrival of so-called reasoning LLMs. These LLMs break a task down into smaller tasks and come up with intermediate steps to arrive at conclusions, results or actions. This makes them much more suited to agentic work than the previous LLMs. These models can be given a high-level task, and they will take care of the needed intermediate steps within certain limits. Their scope of reasoning and execution is still a bottleneck.
What we’re afraid of as defenders is the use of Agentic AI systems by threat actors. When such tools are available to people with motive to attack, we expect to see the following effects:
- Dramatic increase of successful attacks.
- Short time from initial access to actions on objective, so short time to detect and stop attacks.
- Different attack paths, favouring for instance exploitation over phishing.
The examples we discussed in the previous section, like the LAMEHUG malware and the Anthropic report, have been criticised for being over-hyped. The malware that uses LLMs isn’t that potent and is easily detectable, and the Anthropic report lacks IoCs and verifiability. However, the question isn’t whether these examples are as dangerous as Skynet, but what speed of development they point to.
In our view, there are roughly three possible scenarios:
- The AI Nothingburger: the AI bubble bursts soon and we’ll go back in time a few years in terms of AI capabilities, with a slower rate of development.
- Linear growth: this isn’t a watershed moment, we’re just on a curve of gradual development. Agentic AI for threat actors should be dealt with but it’s not urgent.
- Inflection point reached: we’ve reached a tipping point and very soon (months) we’ll see automated AI attacks all around us. Defenders should act now.
With each scenario we are trying to assess the pace at which we arrive at point X: the moment in time where adversarial agentic AI is commonplace enough to have the described impacts.

Why Agentic AI is a New Tool in Cyber Defence
At Northwave, we expect the reality of our collective situation is somewhere between scenario 2 and 3. The availability of LLMs that can handle longer chains of reasoning has made more complex agentic tasks possible, and the arrival of MCP makes orchestration between tools easy. On the other hand, building tools is difficult, and it will take some time to get to tools that are reliable enough. The examples we’ve seen in the past weeks are of experimental quality but show the possibilities.
However, a timeline that sits between scenario 2 and 3 is still bad enough. We believe it’s crucial for defenders to prepare for arrival at the inflection point and the way to fight adversarial agentic AI is with defensive agentic AI. We can already strengthen our defences using the very same technology that gives attackers an edge.
Prevention - Reduce attack surface
Nothing has changed here, it’s just become more important. Limit the rights of users and applications, limit what’s exposed towards the internet, and take continuous vulnerability scanning and mitigation seriously. If you don’t want public LLM use on your network, preventing outbound traffic to them adds a little security.
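The malware strains described earlier (LAMEHUG, PROMPTFLUX) only work because the infected host can reach a public LLM API, so the same egress control that enforces a "no public LLM use" policy also gives you a detection: any non-browser process talking to an LLM API endpoint is worth an alarm. The script below is an added example, not Northwave's code or any product's. It runs over constructed EDR/proxy-style network events, groups LLM API connections per host and process, rates browser traffic as a policy question and scripting-host traffic as high severity, and emits matching proxy deny rules. The endpoint list, the list of "expected" processes, and the Squid rule format are assumptions to adapt to your own environment.

```python
"""Flag hosts and processes that reach public LLM APIs.

Added example, not Northwave's code. Input is a constructed EDR/proxy-style
network event log (timestamp,host,process,dest_host,bytes_out). The LLM API
host list, the list of processes from which interactive use is expected, and
the Squid rule format are assumptions to adapt to your own environment.
"""
from typing import Dict, List, Tuple

# Public LLM API endpoints (assumption: extend with the providers you see).
LLM_API_HOSTS = {
    "api.openai.com",
    "api.anthropic.com",
    "generativelanguage.googleapis.com",
    "api-inference.huggingface.co",
}

# Processes from which a person normally uses an LLM (assumption). Anything
# else (scripting hosts, shells, unknown binaries) talking to an LLM API is
# what LLM-backed malware fetching commands or code at run time looks like.
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

Event = Tuple[str, str, str, str, int]

# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = """\
2026-01-12T09:14:02Z,WS-0142,chrome.exe,api.openai.com,2310
2026-01-12T09:14:40Z,WS-0142,chrome.exe,www.example.com,811
2026-01-12T09:15:01Z,WS-0377,powershell.exe,api.anthropic.com,1904
2026-01-12T09:15:12Z,WS-0377,powershell.exe,api.anthropic.com,2211
2026-01-12T09:15:25Z,WS-0377,powershell.exe,api.anthropic.com,1870
2026-01-12T09:16:03Z,SRV-DB01,python.exe,generativelanguage.googleapis.com,5120
2026-01-12T09:17:44Z,WS-0099,outlook.exe,mail.example.com,4400
"""


def parse_events(text: str) -> List[Event]:
    """Parse the constructed CSV format; blank lines are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest, nbytes = line.split(",")
        events.append((ts, host, proc.lower(), dest.lower(), int(nbytes)))
    return events


def find_llm_egress(events: List[Event]) -> Dict[Tuple[str, str], dict]:
    """Group LLM API connections by (host, process) and rate each group.

    'high' = an unexpected process is talking to an LLM API.
    'low'  = a browser is talking to an LLM API: policy question, not an alarm.
    """
    findings: Dict[Tuple[str, str], dict] = {}
    for ts, host, proc, dest, nbytes in events:
        if dest not in LLM_API_HOSTS:
            continue
        entry = findings.setdefault((host, proc), {
            "first_seen": ts, "count": 0, "bytes_out": 0, "destinations": set(),
            "severity": "low" if proc in EXPECTED_PROCESSES else "high",
        })
        entry["count"] += 1
        entry["bytes_out"] += nbytes
        entry["destinations"].add(dest)
    return findings


def squid_deny_rules() -> List[str]:
    """Egress block for environments that do not allow public LLM use
    (assumption: a Squid proxy is the egress point)."""
    rules = [f"acl llm_apis dstdomain {h}" for h in sorted(LLM_API_HOSTS)]
    rules.append("http_access deny llm_apis")
    return rules


if __name__ == "__main__":
    for (host, proc), f in find_llm_egress(parse_events(SAMPLE_EVENTS)).items():
        print(f"[{f['severity'].upper()}] {host} {proc} -> "
              f"{', '.join(sorted(f['destinations']))} x{f['count']} ({f['bytes_out']} B)")
    print("\n".join(squid_deny_rules()))
```

On the constructed input the workstation running PowerShell against api.anthropic.com three times in under a minute comes out as the high-severity finding; the browser session is reported at low severity so that policy enforcement and incident detection stay separate decisions. Blocking at the proxy is, as the text says, only a small gain: an attacker can relay through their own infrastructure, which is why the detection side matters more than the block.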
Detection - Automate in your SOC
Firstly, defenders need to be ready to deal with an increase in the volume of successful attacks. This is not just an increase in SOC alarms across the board: we expect the increase to be in alarms that turn out to be true positives. This means SOCs will need additional capabilities for investigation, or even better, automation to speed up investigation. Agentic AI can serve defenders even better than attackers here. If you haven’t already, this is the time to start building agentic AI additions to your SOC to assist alarm analysis and response. If you have outsourced your SOC, it’s time to start a conversation about how they handle this threat. Automated active response capabilities are becoming a baseline requirement. To keep up with attacker speed, responses such as isolating devices or disabling accounts need to happen without human intervention.
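Automated response without human intervention only stays safe if the automation knows when not to act. The playbook below is an added example, not Northwave's SOC code or any vendor's SOAR product: it triages constructed alarms, isolates the host and disables the implicated account when detection confidence is high, and instead escalates to an analyst with a stated reason when the host is missing from the inventory, is vital to a business process, the confidence is too low, or too many hosts have already been isolated in one run (a mass false positive would otherwise take down a fleet at machine speed). The alarms, inventory and the isolate/disable calls are constructed stand-ins; the thresholds, the protected-account list and the blast-radius limit are assumptions to tune per environment.

```python
"""Automated alarm triage and response with guardrails.

Added example, not Northwave's SOC code or any vendor's SOAR product. The
alarms, the asset inventory and the isolate/disable calls are constructed
stand-ins; the confidence thresholds, the protected-account list and the
blast-radius limit are assumptions to tune per environment.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Alarm:
    alarm_id: str
    host: str
    user: str           # empty string when no account is implicated
    technique: str      # constructed label from the detection rule
    confidence: float   # 0.0-1.0, as scored by the detection


# Constructed inventory: which hosts are vital to which business process.
INVENTORY: Dict[str, dict] = {
    "WS-0377": {"tier": "workstation", "process": "office"},
    "SRV-DB01": {"tier": "critical", "process": "payments"},
    "SRV-WEB02": {"tier": "standard", "process": "website"},
}

PROTECTED_ACCOUNTS = {"breakglass-admin"}  # never auto-disabled (assumption)
AUTO_ISOLATE_CONFIDENCE = 0.85   # assumption: tune on your false-positive rate
AUTO_DISABLE_CONFIDENCE = 0.90
MAX_AUTO_ISOLATIONS = 5          # blast-radius guard per playbook run


@dataclass
class ResponseLog:
    """Records every action so an analyst can review (and undo) what ran."""
    actions: List[dict] = field(default_factory=list)
    isolations: int = 0

    def isolate(self, host: str, alarm_id: str) -> None:
        # Stand-in for the EDR "isolate host" API call.
        self.actions.append({"action": "isolate_host", "target": host, "alarm": alarm_id})
        self.isolations += 1

    def disable(self, user: str, alarm_id: str) -> None:
        # Stand-in for the directory "disable account" API call.
        self.actions.append({"action": "disable_account", "target": user, "alarm": alarm_id})

    def escalate(self, alarm_id: str, reason: str) -> None:
        self.actions.append({"action": "escalate", "target": alarm_id, "reason": reason})


def triage(alarm: Alarm, log: ResponseLog) -> str:
    """Decide per alarm: act automatically, or hand to an analyst with a reason."""
    asset = INVENTORY.get(alarm.host)
    if asset is None:
        log.escalate(alarm.alarm_id, "host not in inventory")
        return "escalated"
    if alarm.confidence < AUTO_ISOLATE_CONFIDENCE:
        log.escalate(alarm.alarm_id, "confidence below auto-response threshold")
        return "escalated"
    if asset["tier"] == "critical":
        # Containing a vital system is a business decision: fast human approval, not automation.
        log.escalate(alarm.alarm_id, f"critical asset for '{asset['process']}', approval needed")
        return "escalated"
    if log.isolations >= MAX_AUTO_ISOLATIONS:
        log.escalate(alarm.alarm_id, "isolation limit reached, possible mass false positive")
        return "escalated"
    log.isolate(alarm.host, alarm.alarm_id)
    if (alarm.user and alarm.user not in PROTECTED_ACCOUNTS
            and alarm.confidence >= AUTO_DISABLE_CONFIDENCE):
        log.disable(alarm.user, alarm.alarm_id)
        return "isolated+disabled"
    return "isolated"


def run_playbook(alarms: List[Alarm]) -> Tuple[Dict[str, str], ResponseLog]:
    """Run every alarm through triage; returns outcomes plus the action log."""
    log = ResponseLog()
    outcomes = {a.alarm_id: triage(a, log) for a in alarms}
    return outcomes, log


# Constructed alarms, not real detections.
SAMPLE_ALARMS = [
    Alarm("A-1", "WS-0377", "j.doe", "credential-dumping", 0.92),
    Alarm("A-2", "SRV-DB01", "svc-pay", "credential-dumping", 0.95),
    Alarm("A-3", "SRV-WEB02", "", "webshell-write", 0.87),
    Alarm("A-4", "WS-0377", "j.doe", "suspicious-script", 0.60),
    Alarm("A-5", "WS-9999", "x.adm", "lateral-movement", 0.99),
    Alarm("A-6", "SRV-WEB02", "breakglass-admin", "lateral-movement", 0.97),
]

if __name__ == "__main__":
    outcomes, log = run_playbook(SAMPLE_ALARMS)
    for alarm_id, outcome in outcomes.items():
        print(alarm_id, outcome)
    for action in log.actions:
        print(action)
```

Every decision, including each escalation, lands in the action log with its reason, which is what an outsourced SOC should be able to show you when you ask how they handle this: not just that responses are automatic, but which alarms were acted on, which were held back, and why.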
Respond - Be ready for incidents
You need to be ready to handle incidents; be able to do quick triage, containment, eradication and recovery. This requires having a good inventory of what software and systems you have running where, and to what business processes they are vital. Have EDR tools with response capabilities running on your endpoints and have central logs at hand.
Recover - Hide your backup
Where in the past only the existence of backups was important, nowadays they should be duplicated across geographical locations, on different media, and immutable to those with domain admin level access on your network. It’s a good idea to test how well you can recover from backups every now and then.

How Northwave Is Preparing to Counter AI-Driven Attacks
Since Northwave’s SOC is a primary line of defence for our customers’ IT infrastructure, we’re right in the middle of this story. Our SOC is rapidly building automations to make sure it can keep up with a much larger and faster attack volume. This sounds simple, but is quite challenging in a large, multi-tenant MDR platform that consists of many different technologies and orchestration tools. We also need to be very careful with our clients’ infrastructures when we do active response. At the same time, our dedicated detection engineering team within the SOC monitors the TTPs of newly published attacks and continuously adapts our detection baseline.
Meanwhile, our cyber threat intelligence (CTI) team keeps track of the developments of adversarial agentic AI to gauge the speed at which the inflection point comes at us. We do so by defining specific milestones we think will be hit before this moment arrives. By measuring when these milestones are hit, we get an impression of the speed of development, and we adjust our approach and advice to clients accordingly.
What Every Organisation Should Do Before the Inflection Point Hits
The steps you would need to take to defend yourself against this threat have great advantages outside of this threat. Improving detection to spot different attack paths, automating alarm enrichment and analysis, and automating responsive actions are important processes to continuously work on, only now with more urgency than usual.
If you operate a SOC or help clients defend themselves against cyberattacks in other ways, you need to take this development into account and prepare defences for the types of impact we described. If you have a digital infrastructure but you have outsourced your cyber security, you should ask your vendor how they see this development and how they defend you against adversaries using agentic AI attack tools.
In any case, if you want to know more about what Northwave’s Managed Detection and Response (MDR) can do for your defences, or if you have an incident and require support, get in touch with us today.
