AI agents and other systems can't yet conduct cyberattacks fully on their own – but they can help criminals in many stages of the attack chain, according to the International AI Safety Report.

The second annual report, chaired by the Canadian computer scientist Yoshua Bengio and authored by more than 100 experts across 30 countries, found that over the past year, developers of AI systems have vastly improved their ability to help automate and perpetrate cyberattacks.

Perhaps the best, and scariest, evidence of that finding appeared in Anthropic’s November 2025 report about Chinese cyberspies abusing its Claude Code AI tool to automate most parts of attacks directed at around 30 high-profile companies and government organizations. Those attacks succeeded in “a small number of cases.”

“At least one real-world incident has involved the use of semi-autonomous cyber capabilities, with humans intervening only at critical decision points,” according to the AI safety report. “Fully autonomous end-to-end attacks, however, have not been reported.”

Two areas where AI is especially useful to criminals are scanning for software vulnerabilities and writing malicious code.

During DARPA’s AI Cyber Challenge (AIxCC) – a two-year competition in which teams built AI models to find vulnerabilities in open source software that undergirds critical infrastructure – finalist systems autonomously identified 77 percent of the synthetic vulnerabilities used in the final scoring round, according to competition organizers.

And while that’s an example of defenders using AI to find and fix vulnerabilities, rather than attackers using AI to find and exploit them, criminals are using models in similar ways. Last northern summer, we saw attackers on underground forums claiming to use HexStrike AI, an open-source red-teaming tool, to target critical vulnerabilities in Citrix NetScaler appliances within hours of the vendor disclosing the flaws.

Additionally, AI systems are getting much better at malware writing, and criminals can trade weaponized models that write ransomware and data-stealing code for as little as $50 a month.

The good news for now, according to the report’s authors, is that AI systems still aren’t great at carrying out multi-stage attacks without human help.

“Research suggests that autonomous attacks remain limited because AI systems cannot reliably execute long, multi-stage attack sequences,” according to the report. “For example, failures they exhibit include executing irrelevant commands, losing track of operational state, and failing to recover from simple errors without human intervention.”

Keep in mind, however, that this was all written before the security dumpster fire that is OpenClaw – the AI agent formerly known as Moltbot and Clawdbot – and Moltbook, the vibe-coded social media platform for AI agents.

So it's also entirely plausible that the world won't end with a sophisticated, autonomous multi-stage cyberattack dreamed up by a nation-state crew or criminal mastermind, but rather a single agent that goes off the rails. ®

