
Security professionals have spent two decades defending against human attackers who use automation as a force multiplier. That model is obsolete. The adversary now operating against every internet-connected organization is not a human using AI tools; it is an AI agent pursuing human-assigned objectives. The shift is not theoretical. It is documented, timestamped, and publicly reported, and it requires every CISO, security engineer, and software maintainer to rethink what defense actually means from this point forward.
"The cybersecurity industry has entered an era of AI versus AI," Joe Carson, chief security evangelist and advisory CISO at Segura, told Information Security Media Group at RSAC Conference 2026 in April. "Humans are increasingly becoming the orchestrators rather than the operators." That framing — humans as orchestrators, AI as operators — is the strategic pivot every security team must now make, on both offense and defense. Organizations that do not make it are not running a security program. They are running a legacy operation against an adversary class it was never designed to face.
The evidence arrived in concentrated form this week. On May 28, Security Magazine published an interview with Michael Clark, Director of Threat Research at Sysdig, about a documented intrusion his team captured on May 10, 2026. In it, an unknown attacker ran a large language model agent against a target's infrastructure — not as an assistant, not as a co-pilot, but as the autonomous operator of a complete intrusion chain. The agent made every post-exploitation decision on its own. It adapted in real time. It completed four pivots from an exposed Python notebook to a fully exfiltrated internal database in under one hour, with no human typing a single command.
The same week, Anthropic released the first quantified results from Project Glasswing — the first month of deploying its most powerful frontier model defensively against exactly this threat class. The numbers are staggering and sobering simultaneously. Defenders are standing up AI systems that can find vulnerabilities at a scale and speed no human team can match. So can attackers. The race is now explicit, accelerating, and not close to over.
The Autonomous AI Cyberattack Documented on May 10
The incident Sysdig captured on May 10 began with CVE-2026-39987, a critical pre-authentication remote code execution vulnerability in Marimo, an open-source Python notebook used widely by AI researchers and data scientists. The flaw required no exploit kit: a single WebSocket request to an exposed endpoint produced a fully interactive shell. Marimo's maintainers patched it in version 0.23.0, but the window was already open — Sysdig had recorded the vulnerability being exploited within nine hours and 41 minutes of its first public disclosure, and between April 11 and April 14 alone, 662 distinct exploit events targeted it from 11 IP addresses across 10 countries.
The May 10 intrusion was qualitatively different from those earlier waves. Once the attacker gained initial access through the Marimo notebook, a large language model agent took over. It harvested two cloud credentials from environment files. It then replayed those credentials through a distributed pool of Cloudflare Workers edge nodes, 12 API calls spread across 11 distinct IP addresses in 22 seconds, so that no single source IP crossed a per-IP rate or anomaly threshold, and used them to retrieve an SSH private key from AWS Secrets Manager. With that key it opened eight parallel SSH sessions against a downstream bastion server and dumped the full contents of an internal PostgreSQL database in under two minutes.
The entire chain ran in roughly one hour. The agent improvised a six-table database dump against a target whose schema it had never seen. It left a Chinese-language planning comment, "看还能做什么" ("see what else we can do"), in the live command stream; that is an artifact consistent with the model's training data rather than evidence for national attribution, and the origin IP traced to Indonesia. Every command was formatted for machine consumption: delimiters, bounded output captures, discarded stderr. The agent fed its own prior output forward at each step, lifting database passwords from files it had just read and SSH key paths from directory listings it had just run.
"This attack demonstrates how LLMs are enabling threat actors to conduct increasingly complex operations — not just simple or opportunistic attacks at the edge," Clark told Security Magazine. "Sophisticated intrusion workflows that once required highly skilled operators can now be accelerated and even driven by AI, significantly lowering the barrier to entry and expanding the potential adversary pool."
The barrier is no longer expertise. It is inference budget. A scripted attacker writes a playbook once and reuses it; the cost of adding a new target is engineering time. An agent operator carries general priors about a class of applications and composes the attack chain live against whatever it finds. Scale is now bounded by compute, not skill.
Why Human-Speed Defense No Longer Matches the Threat
The Sysdig intrusion is not an isolated data point. It is the most precisely documented instance of a structural shift that every major threat intelligence organization confirmed months ago.
CrowdStrike's 2026 Global Threat Report documented an 89% year-over-year increase in AI-enabled adversary operations in 2025. The average attacker breakout time, the elapsed time from initial access to lateral movement, fell to 29 minutes, down from 62 minutes the year before. The fastest observed breakout on record was completed in 27 seconds. Eighty-two percent of detections involved no traditional malware: attackers used valid credentials, legitimate administrative tools, and commercial remote access utilities to blend into normal business activity, leaving little for signature-based detection rules to match.
That last figure — 82% malware-free — is the crux of why human-speed, signature-based security has already lost. Signatures detect known patterns. Agents compose novel patterns on every target. CrowdStrike's own Chief Technology Officer Elia Zaitsev said it plainly when Anthropic launched Project Glasswing: "The window between a vulnerability being discovered and being exploited by an adversary has collapsed — what once took months now happens in minutes with AI."
The Cloud Security Alliance put the strategic implication in terms every board member can understand: "If you're not leading with AI in your defense strategy, you're already behind. The era of buying a different solution for every problem is ending." The math behind that statement is brutal: attackers don't need to win every time. Defenders do. AI has shifted those odds dramatically in the attacker's favor for any organization not meeting the threat with equivalent capability.
AI-Powered Cyber Defense: What the Defensive Stack Now Looks Like
The arms race is not one-sided. Defenders are building, and some of what they have built is remarkable. The problem is that the defensive AI deployment is uneven, under-resourced, and — for most organizations — still catching up to a threat that moved first.
Anthropic Project Glasswing and Claude Mythos Preview: The most concentrated defensive AI deployment currently operating is Anthropic's Project Glasswing, which gives roughly 50 vetted partner organizations — including AWS, Apple, Cisco, Google, JPMorganChase, Microsoft, NVIDIA, CrowdStrike, Cloudflare, and Palo Alto Networks — controlled access to Claude Mythos Preview, Anthropic's most capable frontier model, withheld from general release because no adequate safeguards yet exist to prevent its misuse at scale.
The first-month results, published May 22, are the clearest single data point for how far defensive AI has already traveled. Mythos Preview flagged 23,019 potential vulnerabilities across more than 1,000 open-source projects. Of those, 6,202 were estimated as high- or critical-severity. Independent security firms confirmed 1,726 as valid true positives; 97 have been patched upstream and 88 advisories issued. Cloudflare found 2,000 bugs in its own systems — 400 of them high or critical — at a false-positive rate lower than conventional human-led testing. Mozilla found and fixed 271 vulnerabilities in Firefox 150, ten times more than it found using an earlier Claude model.
One confirmed finding, CVE-2026-5194 in WolfSSL (CVSS 9.1), would have allowed attackers to forge TLS certificates and impersonate legitimate banking, email, and other services across an estimated five billion IoT, automotive, and industrial control devices. An AI found it before any attacker did. A Glasswing partner bank used Mythos to detect and block a fraudulent $1.5 million wire transfer mid-execution.
Autonomous offensive security platform XBOW evaluated Mythos Preview independently and called it "a major advance — substantially better than prior models at finding vulnerability candidates" and "adept at analyzing source code with a security mindset," adding that it achieved "absolutely unprecedented precision" on a token-for-token basis compared with all prior models.
OpenAI Daybreak: On May 10 — the same day Sysdig's observation was being recorded — OpenAI launched Daybreak, combining GPT-5.5 and GPT-5.5-Cyber with its Codex Security agentic framework to embed vulnerability discovery, patch validation, and automated remediation directly into developer pipelines. The most capable tier, GPT-5.5-Cyber, is available only to defenders who clear identity verification through OpenAI's Trusted Access for Cyber program. On May 27, OpenAI expanded the program to South Korea and Japan through its Government Trusted Access for Cyber initiative — the third and fourth nations to gain access after the United States and Canada.
Google Big Sleep and CodeMender: Google's Big Sleep agent, a collaboration between Google DeepMind and Project Zero, achieved something in mid-2025 that no defensive system had done before: working from intelligence that a SQLite zero-day (CVE-2025-6965) was known to threat actors and being prepared for exploitation, it identified the flaw and flagged it before any attack was launched. Google confirmed it as the first time an AI agent directly prevented a live zero-day exploit. The company is also testing CodeMender, an experimental agent that uses Gemini's reasoning capabilities to automatically patch critical code vulnerabilities before they can be exploited, moving beyond discovery into autonomous remediation.
Microsoft Security Copilot: At RSAC 2026, Microsoft announced an expansion of Security Copilot into a full agentic SOC platform. The Security Alert Triage Agent autonomously identifies malicious alerts at 6.5 times the rate of human analysts working alone. The Security Analyst Agent performs multi-step investigations across Defender and Sentinel telemetry. Microsoft has identified five dimensions where autonomous AI attacks gain disproportionate advantage — patching speed, open-source software exposure, customer source code review, internet-facing attack surface, and baseline security hygiene — and built agentic tooling specifically targeting each.
CrowdStrike Charlotte AI + IBM ATOM: CrowdStrike and IBM have integrated Charlotte AI with IBM's Autonomous Threat Operations Machine for what they describe as machine-speed investigation and containment — coordinated AI response across endpoint, identity, and cloud environments that closes the gap between a 29-minute attacker breakout time and the hours or days it has historically taken human teams to detect and contain a breach.
What AI vs AI Actually Means for Detection Architecture
The operational implication of the Sysdig attack is not primarily about patching Marimo, though any organization still running Marimo 0.20.4 or earlier needs to update to 0.23.0 immediately and rotate every credential, API key, and SSH key that was reachable from that environment. CVE-2026-39987 is on CISA's Known Exploited Vulnerabilities catalog, and its federal remediation deadline has already passed.
The deeper implication is about how detection must be rebuilt. Signature-based detection degrades rapidly against agent-driven attacks because agents do not reuse patterns across targets. No consistent User-Agent, no fixed command order, no identical probe sequence, no predictable timing. What survives this shift is behavioral detection built around what the attacker is trying to accomplish — reading credentials, enumerating secrets, escalating to a bastion, exfiltrating a database — rather than the specific sequence of commands used. Palo Alto Networks Unit 42 has been explicit on this point in its May 2026 Frontier AI Defense update: autonomous AI-driven attacks require autonomous AI-driven detection, and the SOC must operate on single-digit mean time to detect and respond to keep pace.
The arms race also extends into a domain most security teams have not yet fully reckoned with: the AI development supply chain itself. Google's Threat Intelligence Group reported in May that threat actors are increasingly targeting not frontier models directly — which have proven resilient to direct compromise — but the orchestration layers around them: open-source wrapper libraries, API connectors, and skill configuration files. The attack surface that AI development creates is now itself an attack vector.
Gartner has put numbers to the downstream risk: a projected 2,500% increase in software defects from AI-generated code by 2028. Organizations are creating, in a single year of enthusiastic AI-assisted development, roughly a decade's worth of conventional technical debt — unreviewed code, unaudited dependencies, unvalidated integrations — that is simultaneously the surface AI attackers will scan and the liability AI defenders will need to find before they do.
What Security Leaders Must Do Differently Now
The transition to AI vs. AI is not optional, and it is not a future state. It is the present condition of every organization connected to the internet.
The first priority is cognitive: abandon the human-speed incident response model as the primary frame. Patch-in-days and investigate-in-weeks is not calibrated for an adversary that moves from initial access to database exfiltration in under an hour. Every response SLA in your security program needs to be re-evaluated against the 29-minute breakout benchmark, not the quarterly patch cycle.
The second priority is architectural: deploy behavioral detection that looks for the fingerprints of agent-driven intrusions rather than for known-malware signatures. Machine-formatted command streams, parallel session launches from distributed IPs, adaptive schema enumeration, and self-referential value handoffs (each step consuming values lifted from the previous step's output) are those fingerprints, and the Sysdig report describes them in precise technical detail.
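The detection architecture argued for above (and in the earlier section on rebuilding detection) keys on what the attacker accomplishes rather than on any command sequence. The following is an added example, written for this page and not taken from Sysdig, CrowdStrike or any vendor's product; it runs three outcome-based rules over a small set of constructed, normalised events and then correlates them into one incident. The event shape, the thresholds, the account names and the IP addresses are all assumptions chosen to mirror the chain described in the article, not data from the incident.

```python
"""Behavioral detection over constructed audit events (added example).

Rules key on outcomes the page describes: one credential replayed from many
source IPs, SSH session fan-out, and commands shaped for a parser rather than
a person. Field names are this example's own; map them from CloudTrail, sshd
and shell-audit sources in a real deployment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample telemetry, not captured data. Every row is
# (timestamp, source, actor, target, detail); "detail" is the source IP for
# cloud API calls, the sshd result for logins and the command line for shells.
SAMPLE = [
    # one access key exercised from six edge IPs in under twenty seconds
    ("2026-05-10T14:02:00Z", "cloud_api", "AKIAEXAMPLEKEY", "GetSecretValue", "203.0.113.10"),
    ("2026-05-10T14:02:03Z", "cloud_api", "AKIAEXAMPLEKEY", "GetSecretValue", "203.0.113.11"),
    ("2026-05-10T14:02:05Z", "cloud_api", "AKIAEXAMPLEKEY", "GetSecretValue", "198.51.100.7"),
    ("2026-05-10T14:02:09Z", "cloud_api", "AKIAEXAMPLEKEY", "GetSecretValue", "198.51.100.8"),
    ("2026-05-10T14:02:14Z", "cloud_api", "AKIAEXAMPLEKEY", "GetSecretValue", "192.0.2.4"),
    ("2026-05-10T14:02:19Z", "cloud_api", "AKIAEXAMPLEKEY", "GetSecretValue", "192.0.2.5"),
    # a benign key: same action, one IP, minutes apart
    ("2026-05-10T14:00:00Z", "cloud_api", "AKIALEGITKEY", "GetSecretValue", "10.0.0.5"),
    ("2026-05-10T14:05:00Z", "cloud_api", "AKIALEGITKEY", "GetSecretValue", "10.0.0.5"),
    # eight accepted logins to the bastion within sixteen seconds, then one normal login
    *[(f"2026-05-10T14:03:{s:02d}Z", "sshd", "deploy", "bastion-1", "Accepted publickey")
      for s in range(0, 16, 2)],
    ("2026-05-10T14:40:00Z", "sshd", "alice", "bastion-1", "Accepted publickey"),
    # shell audit on the notebook host: bounded output, silenced stderr, delimiter
    ("2026-05-10T14:01:40Z", "shell", "jovyan", "nb-host", "cat ~/.env 2>/dev/null | head -c 4000; echo __END__"),
    ("2026-05-10T14:01:41Z", "shell", "jovyan", "nb-host", "ls -la /srv/app 2>/dev/null | head -n 200; echo __END__"),
    ("2026-05-10T14:10:00Z", "shell", "alice", "nb-host", "git status"),
]


def distributed_replay(events, window=timedelta(seconds=60), min_ips=5):
    """One credential used from >= min_ips distinct IPs inside `window`.
    Per-source-IP rate limits never fire on this; per-credential fan-out does."""
    use = defaultdict(list)
    for ts, src, actor, _target, ip in events:
        if src == "cloud_api":
            use[actor].append((_t(ts), ip))
    findings = []
    for key, hits in use.items():
        hits.sort()
        for i, (t0, _ip) in enumerate(hits):           # sliding window from each call
            ips = {ip for t, ip in hits[i:] if t - t0 <= window}
            if len(ips) >= min_ips:
                findings.append(("distributed_replay", key, len(ips), t0))
                break
    return findings


def session_fanout(events, window=timedelta(seconds=30), min_sessions=4):
    """>= min_sessions accepted SSH logins by one account to one host inside
    `window`: parallel sessions, not a human's single interactive one."""
    logins = defaultdict(list)
    for ts, src, actor, host, detail in events:
        if src == "sshd" and detail.startswith("Accepted"):
            logins[(actor, host)].append(_t(ts))
    findings = []
    for (actor, host), times in logins.items():
        times.sort()
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= window)
            if n >= min_sessions:
                findings.append(("session_fanout", f"{actor}@{host}", n, t0))
                break
    return findings


AGENT_MARKERS = (
    re.compile(r"2>\s*/dev/null"),                      # stderr discarded
    re.compile(r"\|\s*head\s+-[cn]\s*\d+"),             # output bounded for a context window
    re.compile(r";\s*echo\s+\S*(END|DONE)\S*", re.I),   # explicit end-of-output delimiter
)


def machine_formatted(events, min_markers=2):
    """A command carrying >= min_markers of the markers above is shaped for a parser."""
    findings = []
    for ts, src, actor, host, cmd in events:
        if src == "shell":
            score = sum(1 for rx in AGENT_MARKERS if rx.search(cmd))
            if score >= min_markers:
                findings.append(("machine_formatted_command", f"{actor}@{host}", score, _t(ts)))
    return findings


def detect(events):
    """All rule hits as (rule, subject, magnitude, first_seen)."""
    return distributed_replay(events) + session_fanout(events) + machine_formatted(events)


def escalate(findings, gap=timedelta(minutes=10)):
    """Secret retrieval by a replayed credential followed within `gap` by an SSH
    fan-out is the credential-to-bastion pivot; report it as one incident."""
    replays = [f for f in findings if f[0] == "distributed_replay"]
    fanouts = [f for f in findings if f[0] == "session_fanout"]
    return [("credential_to_bastion_pivot", f"{r[1]} -> {s[1]}")
            for r in replays for s in fanouts if timedelta(0) <= s[3] - r[3] <= gap]


if __name__ == "__main__":
    hits = detect(SAMPLE)
    for h in hits + escalate(hits):
        print(h)
```

None of the three rules looks at which commands were run or in what order; the benign key and the ordinary logins in the sample produce no findings, while the replay and fan-out are reported individually and then correlated into a single pivot. Thresholds here are deliberately low for a small sample and would be tuned against a baseline of legitimate automation, which also fans out sessions and silences stderr.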
The third priority is surface reduction: treat every internet-reachable developer tool, notebook server, research environment, and AI pipeline component as production-grade attack surface. The Marimo attack was not anomalous. It was the logical consequence of a research environment that had network access to cloud credentials. Any such environment, unpatched and unmonitored, is a one-hour pivot device for an agent.
The fourth priority is tooling: evaluate and deploy AI-class defensive tools. Glasswing's early results show the gap: Mozilla found ten times more Firefox vulnerabilities with Mythos Preview than with an earlier Claude model, and Cloudflare reported a lower false-positive rate than conventional human-led testing. That disparity cuts both ways. Attackers with access to equivalent capabilities will find what you have not patched. Defenders without equivalent capabilities will patch slower than attackers move. The gap is already measurable. It is widening.
The Marimo intrusion of May 10, 2026 is not a warning about one vulnerability. It is proof that the paradigm shift security professionals have been discussing in theoretical terms has already happened in operational ones. The question for every CISO and security team is not whether AI-vs-AI cybersecurity is coming. It is whether their defenses are already built for it.
Frequently Asked Questions
What is AI vs AI in cybersecurity, and why does it matter now?
AI vs AI cybersecurity describes the emerging paradigm in which both attackers and defenders deploy autonomous AI agents rather than relying on human operators running scripts or tools. It matters now because the Sysdig-documented attack of May 10, 2026 is the most precisely documented public case to date of an LLM agent operating an entire post-exploitation intrusion chain autonomously, without a human directing individual steps. Combined with CrowdStrike's 2026 report showing a 29-minute average attacker breakout time and an 89% increase in AI-enabled adversary operations, the evidence that human-speed defenses are structurally outmatched is no longer theoretical.
How are AI agents being used in cyberattacks today?
AI agents are being used as autonomous post-exploitation operators: they receive the output of each command they run, decide the next action in real time, and adapt when they encounter unexpected results — schemas they haven't seen, missing files, failed authentications. The Sysdig-documented intrusion showed an LLM agent harvesting credentials, pivoting through AWS Secrets Manager, opening parallel SSH sessions, and exfiltrating a database in under an hour with no human in the loop. CrowdStrike has also documented AI-generated malware (FANCY BEAR's LAMEHUG), AI-accelerated credential dumping (PUNK SPIDER), and AI-scaled insider recruitment operations (FAMOUS CHOLLIMA).
What AI tools are defenders using against AI-powered attacks?
The leading defensive AI deployments include Anthropic's Claude Mythos Preview through Project Glasswing, restricted to roughly 50 vetted partners; in its first month it flagged 6,202 candidate high- or critical-severity vulnerabilities across 1,000-plus open-source projects, of which 1,726 were independently confirmed. OpenAI's Daybreak platform provides GPT-5.5-Cyber for verified defenders doing vulnerability triage, red-teaming, and patch validation. Google's Big Sleep agent has proactively stopped a live zero-day exploit and Google is testing CodeMender for autonomous patching. Microsoft's Security Copilot identifies malicious alerts at 6.5 times the rate of human analysts. CrowdStrike's Charlotte AI, integrated with IBM's autonomous SOC platform, coordinates machine-speed detection and containment.
How fast can AI attackers move compared to human defenders, and what does that mean for my organization?
CrowdStrike's 2026 Global Threat Report documented an average eCrime attacker breakout time of 29 minutes, down from 62 minutes the year before, with the fastest observed breakout on record completed in 27 seconds. The Sysdig-documented AI-agent intrusion moved from initial access to database exfiltration in about one hour. For comparison, the IBM 2026 Cost of a Data Breach Report found the average incident lifecycle still exceeds 200 days. The practical implication: every response service-level agreement built around human-speed investigation and remediation timelines is mis-calibrated to this threat class. Organizations need to evaluate whether their current detection and response stack can operate at machine speed, and if not, what AI-class defensive tooling can close that gap.
ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.