
Every weapon begins as an extension of the hand that holds it. The spear lengthened the reach of the arm. The bow sent the point flying without the throw. The rifle placed a man’s death a quarter mile beyond his sight, and the airplane carried that death across oceans. At every turn, the distance between the warrior and the wound grew wider, and yet one thing never moved: a human chose the target, and a human struck the blow. For the entire history of conflict, the cyber realm included, the hand has remained on the weapon.
Offensive AI is the moment the weapon learns to aim itself.
For three years, artificial intelligence (AI) has been an extension of the pen. It drafted the phishing email, proposed the exploit, sketched the malicious function, and then, like every tool that came before it, handed the work back to a human to carry out. In 2023, I published a whitepaper at the SANS Technology Institute showing how a person of almost no skill could coax a chatbot into producing malware that strolled past the controls built to stop it. That was the age of the assistant: dangerous, certainly, but still leashed to the operator who held it. Agentic AI severs the leash. It takes the objective and walks the steps itself. This single change, from a tool that drafts to a tool that acts, is reshaping offensive operations faster than the defenses built to catch them, and it cuts in two directions at once. It grants real capability to attackers who never possessed any, and it lends ferocious speed to those who were already deadly.
If your trade is offensive work, this is the ground you now stand upon. The tooling an adversary turns against a target is the tooling you must be capable of turning yourself, and it has marched far beyond chatbots composing prettier phishing. It’s worth studying, with clear and unsentimental eyes, what these agents can do today, how they let you operate at a tempo that lately seemed impossible, and where they will quietly walk you off a cliff should you follow them with too much faith.
The Gate Has Fallen
Consider the entry-level threat actor, historically limited by a lack of technical expertise. Such individuals can now leverage agents to develop exploits and conduct campaigns autonomously. Technical mastery is no longer a prerequisite; intent and access to capable tools suffice. I refer to this phenomenon as ‘script kiddie as a service,’ signifying the emergence of sophisticated attacks from previously unskilled actors.
A further implication is that the limitations of unskilled attackers are now defined by the capabilities of their chosen AI models rather than their own expertise. As numerous untrained actors employ similar models in similar ways, their attack methodologies begin to converge, resulting in a behavioral monoculture. While this increases the volume of competent attacks, it also creates recognizable patterns, such as standardized phishing and exploit chains. Skilled adversaries will adapt beyond these defaults, but the majority will not. Consequently, defenders who understand these default behaviors can better anticipate and mitigate common threats.
For experienced practitioners, artificial intelligence does not necessarily increase skill, but it significantly increases operational speed. Training an agent on established tradecraft enables parallel execution of campaigns, reducing tasks that previously required weeks to mere hours. This dual effect, more attackers at the entry level and accelerated attacks from experts, broadens the overall threat landscape. For those conducting authorized offensive operations, this is now the prevailing standard. Adversaries already utilize these tools, and any engagement that neglects them fails to reflect current threats.
The Hunt Runs Itself
One of the most common examples I often give to people is autonomous social engineering. In this scenario, an attacker deploys an agent to gather publicly available information about a target, such as LinkedIn profiles, press releases, or conference recordings, to construct a detailed profile. This intelligence is then used by a second agent, which generates and sends personalized messages, manages responses, and conducts an ongoing conversation, incrementally advancing toward its objective. No human intervention is required in the communication process.
The danger here is not speed; it is the quiet death of the signals we trusted. For years, our phishing defenses leaned on the tells of mass production: the clumsy grammar, the recycled template, the identical mail sent ten thousand times. These are precisely the tells this arrangement erases. Each message arrives fluent, singular, and grounded in something genuinely true about its mark. Sure, the infrastructure signals endure; things like sender reputation, authentication, and the like still stand watch, but now as defenders, we have to lean on them harder than ever, and how long is it going to be before those defenses break under that stress? The linguistic and template-level tells that much of our detection quietly depended upon are gone.
And it’s not just social engineering. The same automation is overtaking exploitation. As frontier models grow practiced at chaining tool calls and correcting themselves against a live environment, the bar for producing a working exploit is sinking lower with each release. So much so that the federal government is now getting involved and forcing models like Anthropic’s Fable 5 to be taken off the market over fears of its capabilities. But this is only the tip of the iceberg. Tie even a moderately capable model into a retrieval database of known vulnerabilities, and it will perform its own reconnaissance, determine what a target is likely exposed to, draw the matching exploit from the shelf, and report back like a hound that has caught a scent: I believe this will work, based on these indicators. Shall I run it? Malware is traveling the same road, growing agentic in its own right, and we’re already watching agents rewrite existing malware into quieter strains bred to slip past the controls that knew the older form. This began years ago with the introduction of the “Guided Network Access Weapon (GNAW)” which I debuted at the Hackers Teaching Hackers conference.
The Confidence of a False Oracle
All of this makes the agents a very seductive thing to lean upon. They are swift, they run themselves, and they speak with unbroken authority from beginning to end. That last quality is the trap, and to call it lying is to flatter it with intent. The agent is not seeking the truth. It is seeking a finished task and an answer that wears the appearance of being right. It holds no privileged sight into whether a host is truly vulnerable; it matches indicators to a conclusion and delivers that conclusion in the same steady voice, whether the conclusion is sound or hollow. Marry it to a retrieval store of vulnerabilities, and the flaw compounds, for retrieval surfaces what is plausibly related, not what genuinely applies. It does not check the version, nor the configuration, nor whether the service can even be reached.
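The three checks the agent skips (version, configuration, reachability) can be made a hard gate in front of anything it proposes. The sketch below is an added example, not code from this article or from any SANS material; the advisory ID, product name, config key, hosts and port are all constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class Advisory:              # one entry in the retrieval store (constructed)
    vuln_id: str             # placeholder ID, not a real advisory
    product: str
    fixed_in: tuple          # first version that is no longer affected
    needs: tuple             # (config key, value) required for exposure

@dataclass
class Observed:              # facts gathered independently of the agent
    product: str
    version: tuple
    config: dict
    open_ports: frozenset

def verify(claim_port, adv, obs):
    """Return (verdict, reasons) for an agent claim that `adv` applies."""
    reasons = []
    if claim_port not in obs.open_ports:
        reasons.append("service not reachable")
    if obs.product != adv.product:
        reasons.append("product mismatch")
    elif obs.version >= adv.fixed_in:
        reasons.append("version already fixed")
    key, value = adv.needs
    if obs.config.get(key) != value:
        reasons.append("vulnerable configuration absent")
    return ("rejected" if reasons else "confirmed"), reasons

# Constructed sample data: one advisory, three hosts the agent flagged.
ADV = Advisory("EXAMPLE-0001", "exampled", (2, 4, 1), ("legacy_auth", True))
HOSTS = {
    "app01": Observed("exampled", (2, 3, 9), {"legacy_auth": True}, frozenset({8443})),
    "app02": Observed("exampled", (2, 4, 1), {"legacy_auth": True}, frozenset({8443})),
    "app03": Observed("exampled", (2, 3, 9), {"legacy_auth": False}, frozenset()),
}

def triage(port=8443):
    """Check every agent claim; the agent sounded equally sure of all three."""
    return {host: verify(port, ADV, obs) for host, obs in HOSTS.items()}

if __name__ == "__main__":
    for host, (verdict, reasons) in triage().items():
        print(host, verdict, "; ".join(reasons) or "all checks passed")
```

Only one of the three equally confident claims survives, and each rejection carries the reason a human reviewer would need.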
The place the Proof Is Made
That problem of judgment is precisely why the place this work occupies matters. The SANS Secure AI Blueprint, authored by SANS Chief AI Officer Rob T. Lee, divides the wider challenge into three tracks: Protect AI, Utilize AI, and Govern AI. Govern produces the policy and the oversight that keep these systems accountable. Protect hardens the systems an organization actually runs. Utilize is where AI is put to work for offense and defense alike, and offensive operations are its keenest edge.
Leadership hears the words “AI security” and pictures policy binders and a governance committee in a quiet room. Yet Utilize is the only one of the three that yields proof: the actual attacks run against the actual systems, which reveal whether the policy and the hardening hold when they are struck. An organization may write every guideline it pleases and stand up every defense it can purchase, but until someone turns this tooling against its own walls, it does not yet know which of them will hold. A defense is a theory until it makes contact, and the operator is the one who brings it there. That is why the operators are, more and more, the ones who hold the whole program to account.
What the Warrior Is For
Return, then, to where we began. For the whole of human history, the hand stayed on the weapon because the weapon could not be trusted to choose, and that much has not changed. The machine can aim itself now, but it cannot tell you whether the shot should be taken. It will name a target that was never there and ask, in the same untroubled voice it uses when it is right, for permission to fire. Every mechanical part of this craft is passed to the machine. The one part that is not, the judgment to know a true thing from a confident lie and to hold your hand until you are certain, is becoming the whole of the work. The warrior has never stood farther from the wound, and the choice that joins them has never weighed more. The weapon no longer needs a warrior to swing it, but it has never needed a person to decide whether it should be swung at all more than now.
Learn Offensive AI at SANS San Antonio 2026
This August, I will take up these questions in depth during my SEC535: Offensive AI – Attack Tools and Techniques course run at SANS San Antonio 2026. Across three days of hands-on labs, we work the techniques described here from the operator’s side of the line: AI-assisted reconnaissance and social engineering, deepfake and voice-cloning attacks, AI-supported vulnerability discovery, and the use of AI in the development and evasion of malware. You will drive the tooling with your own hands and come away with a true sense of its reach, its limits, and the precise points at which it must not be trusted. That is the distance between knowing these attacks exist and being able to carry them out.
The machine will do the aiming. Be the judgment behind the shot.
Note: This article has been expertly written and contributed by Foster Nethercott, SANS SEC535 Course Author.

