In November 2025, Palo Alto Networks’ Unit 42 research team demonstrated something that should keep every CISO awake: a coordinated team of AI agents that compressed an entire ransomware campaign, from initial compromise through lateral movement to data exfiltration, into 25 minutes. Not 25 hours. Not 25 days. Twenty-five minutes. For context, the mean time to exfiltrate in 2021 was 9 days.
That compression ratio is the story. Attackers operate at machine speed. But according to Darktrace’s 2026 survey of 1,500+ security professionals, only 14% of organizations allow their AI defenses to take independent remediation actions. Attackers have no approval workflows. Defenders do. That structural asymmetry defines the cybersecurity landscape right now.
The Offensive Side: AI Agents as Attackers
The statistics paint a clear picture. 87% of organizations worldwide experienced AI-driven cyberattacks in 2025. AI-generated phishing now accounts for 82.6% of phishing emails (a 53.5% year-over-year increase), and the click-through rate on AI-crafted phishing sits at 54%, far above what human-written campaigns achieve.
But phishing is table stakes. The real shift is autonomous multi-step attacks.
GTG-1002: The First AI-Orchestrated Espionage Campaign
In September 2025, Anthropic detected and disrupted what appears to be the first documented large-scale AI-orchestrated cyberattack. A Chinese state-sponsored group designated GTG-1002 used Claude to autonomously attack roughly 30 organizations across tech, finance, manufacturing, and government. The AI handled 80-90% of attack operations with human intervention required only at 4-6 critical decision points per campaign. The attackers disguised tasks as defensive security testing, breaking operations into small, seemingly innocent requests. Four intrusions succeeded.
This is not a proof-of-concept. It happened.
XBOW: The AI That Topped HackerOne
On the defensive-testing side, XBOW’s autonomous AI agents reached #1 on the global HackerOne leaderboard, discovering over 1,000 vulnerabilities across real bug bounty programs with zero human input. Notable findings included a previously unknown vulnerability in Palo Alto Networks’ GlobalProtect VPN affecting 2,000+ hosts. The system found RCE, SQL injection, XXE, path traversal, SSRF, and XSS entirely on its own.
The Deepfake Dimension
Deepfake fraud has grown 2,137% since 2022. A single deepfake incident at engineering firm Arup cost $25.6 million when attackers used real-time video deepfakes of the CFO to authorize wire transfers. North America alone saw $200 million in deepfake losses in Q1 2025. Only 0.1% of people can reliably identify deepfakes.
The Defensive Side: AI Agents Protecting Organizations
The defensive tool landscape has matured rapidly. Every major security vendor now ships AI agent capabilities, but the implementations differ significantly.
CrowdStrike Charlotte AI and the Agentic SOC
CrowdStrike’s Fall 2025 release introduced the “Agentic SOC” concept. Charlotte AI transitioned from a copilot to an autonomous agent workforce with Charlotte AI AgentWorks (a no-code agent builder using plain language) and Charlotte Agentic SOAR for orchestrating AI agents across the security lifecycle. Seven mission-ready agents shipped at launch, each handling specific security workflows.
Microsoft Security Copilot Agents
Microsoft’s numbers are concrete. Their Phishing Triage Agent detects malicious emails 550% faster, identifies 6.5x more malicious alerts, and improves verdict accuracy by 77%. Analysts get 53% more time to investigate real threats. The Conditional Access Optimization Agent achieves 204% greater accuracy in identifying missing Zero Trust policies.
Google Sec-Gemini
Google took a different approach with Sec-Gemini v1, a cybersecurity-specific model that combines Gemini with Google Threat Intelligence, OSV, and Mandiant data. It scored 88.5% on the CTI-MCQ benchmark, 14 points ahead of the next leading foundation model. Their Alert Triage and Investigation Agent, which autonomously investigates alerts and produces comprehensive explanations, is slated for GA in 2026.
Vectra AI and Darktrace
Vectra AI, named Leader in the 2025 Gartner Magic Quadrant for NDR, claims its platform removes 99% of alert noise and cuts up to 50% of time spent on manual tasks. Darktrace reports a 90% increase in threat detection accuracy in customer environments and launched Darktrace / SECURE AI for oversight of enterprise AI adoption.
The common thread: all of these tools are moving from “copilot” (human asks, AI answers) to “agent” (AI acts, human oversees). That transition is happening faster on the offense side, which is exactly the problem.
The New Attack Surface: When Agents Attack Agents
Here is where it gets genuinely unsettling. The third dimension of this arms race is not attackers using AI or defenders using AI. It is AI agents attacking other AI agents.
OWASP Top 10 for Agentic Applications
The OWASP Top 10 for Agentic Applications, released in December 2025 with contributions from over 100 security researchers, identifies the specific threat categories:
- Agent Goal Hijack (ASI01): Altering agent objectives through malicious content
- Tool Misuse and Exploitation (ASI02): Legitimate tools used with destructive parameters
- Identity and Privilege Abuse (ASI03): High-privilege credentials reused or escalated across agents
- Agentic Supply Chain Vulnerabilities (ASI04): Compromised tools, plugins, and MCP servers
- Memory and Context Poisoning (ASI06): Poisoned RAG databases and long-term memory stores
- Insecure Inter-Agent Communication (ASI07): No authentication or encryption in agent-to-agent messages
The ServiceNow Agent-to-Agent Attack
AppOmni researchers demonstrated a real second-order prompt injection attack against ServiceNow Now Assist that makes the OWASP list concrete. A low-privileged user embeds malicious instructions in data fields. A higher-privileged user’s AI agent processes the poisoned data. The compromised agent then uses agent-to-agent discovery to recruit more powerful agents, leading to data exfiltration, record modification, and privilege escalation. This worked even with built-in prompt injection protections enabled.
A related vulnerability, CVE-2025-53773, demonstrated that VS Code’s GitHub Copilot Agent could be manipulated via zero-click exploit to create files without user authorization and fully compromise a developer machine.
Non-Human Identity Explosion
The volume of non-human and agentic identities is expected to exceed 45 billion by end of 2026. Palo Alto Networks already reports an 82:1 ratio of autonomous agents to humans in the emerging AI economy. Each agent is an identity. Each identity is an attack surface.
AI vs. Human Hackers: The Wiz Benchmark
In January 2026, Wiz Research published a direct comparison between AI agents (Claude Sonnet 4.5, GPT-5, Gemini 2.5 Pro) and human pentesters across 10 lab-based security challenges. The results defy the simple narratives.
Where AI won: AI agents solved 9 of 10 challenges, typically at under $1 per success. One agent identified a Spring Boot Actuator exploit in just 6 steps by recognizing the tech stack from error message formatting. Another completed a multi-step authentication bypass in 23 steps using exposed API documentation.
Where humans won: The one challenge AI failed required finding exposed credentials in a public repository’s git history, a task demanding broad, creative exploration. AI made 500+ tool calls over an hour without success. A human pentester found an exposed RabbitMQ interface with default credentials in approximately 5 minutes through directory enumeration.
The key insight from Wiz: when AI approaches fail, agents try variations of the same method. Human testers recognize dead ends and change strategies entirely. AI excels at pattern recognition and multi-step reasoning within a known framework. Humans excel at creative lateral thinking when the framework itself is wrong.
This means AI agents are devastating for known vulnerability patterns but still struggle with the novel, open-ended discovery that defines real penetration testing.
The Speed Asymmetry Problem
76% of organizations cannot match AI attack speed, according to CrowdStrike. Meanwhile, 92% of security professionals agree AI-powered threats are forcing significant defense upgrades, and 96% say AI significantly improves speed and efficiency. They know AI helps. They are still not deploying it fast enough.
The bottleneck is trust. Only 6% of organizations have an advanced AI security strategy. The rest are caught between knowing they need autonomous defense and being unable to relinquish human oversight of security decisions. This is not irrational: giving an AI agent the power to isolate a network segment or quarantine a production server carries real risk. But the alternative, having a human approve every defensive action while attackers operate at machine speed, carries bigger risk.
The cybersecurity skills gap, 4.8 million unfilled positions worldwide, makes this worse. There are not enough humans to keep humans in the loop even if you wanted to.
What Companies Should Do Now
The cybersecurity AI market is projected to reach $93.75 billion by 2030, growing at 24.4% annually. Organizations using AI security tools save $1.9 million per breach compared to those that do not (IBM). The business case is settled. The question is execution.
Adopt the OWASP Agentic framework. The OWASP Top 10 for Agentic Applications gives you a concrete threat model. Map your existing AI deployments against it. If you cannot answer whether your agents have proper identity management, scoped permissions, and encrypted inter-agent communication, start there.
Apply the principle of least agency. Every AI agent should have the minimum permissions required for its task, enforced through short-lived credentials that expire automatically. CrowdStrike’s $740 million acquisition of SGNL in January 2026 signals that identity management for agents is now a board-level concern.
Comply with dual regulatory pressure. European companies face NIS2 (Germany’s BSI registration deadline was March 6, 2026, with fines up to EUR 10 million) and EU AI Act Article 15 (high-risk AI system compliance by August 2, 2026). Using AI agents in security operations may itself trigger high-risk classification, creating a compliance requirement for the compliance tool.
Start with defensive AI that has human oversight, then gradually increase autonomy. The 14% of organizations that already allow autonomous AI remediation are building institutional experience that will compound. Starting with copilot-mode agents in low-risk areas (alert triage, phishing detection, vulnerability scanning) and expanding scope as trust builds is the pragmatic path.
Frequently Asked Questions
How are AI agents used in cybersecurity?
AI agents are used on both sides. Defensively, they power autonomous threat detection (CrowdStrike Charlotte AI, Microsoft Security Copilot, Google Sec-Gemini), alert triage, phishing identification, and incident response. Offensively, attackers use AI agents for automated vulnerability scanning, AI-generated phishing (82.6% of phishing emails now use AI), deepfake fraud, and coordinated multi-step attacks. XBOW’s AI agents reached #1 on HackerOne’s bug bounty leaderboard, finding over 1,000 vulnerabilities autonomously.
Can AI agents replace human cybersecurity analysts?
Not fully. Wiz Research’s 2026 benchmark showed AI agents solved 9 of 10 security challenges faster and cheaper than humans. But humans beat AI on creative, open-ended discovery: a human found exposed credentials in 5 minutes that AI failed to find after 500+ attempts over an hour. The practical model is AI handling volume (alert triage, known vulnerability scanning) while humans handle novelty.
What is the OWASP Top 10 for Agentic Applications?
Released in December 2025, the OWASP Top 10 for Agentic Applications identifies security risks specific to AI agent systems, including agent goal hijacking, tool misuse, identity and privilege abuse, supply chain vulnerabilities in MCP servers, memory poisoning, and insecure inter-agent communication. It was contributed to by over 100 security researchers and provides a concrete framework for securing AI agent deployments.
How fast can AI agents execute a cyberattack?
Palo Alto Networks’ Unit 42 demonstrated that coordinated AI agents can compress an entire ransomware campaign into 25 minutes. The mean time to exfiltrate was 9 days in 2021 and 2 days by 2024. 76% of organizations cannot match AI attack speed.
How much do AI security tools save per data breach?
According to IBM’s Cost of Data Breach Report, organizations using AI security tools save $1.9 million per breach compared to those that do not, against an average global breach cost of $4.88 million. The AI cybersecurity market is projected to reach $93.75 billion by 2030.