Unit 42 Develops Agentic AI Attack Framework

May 14, 2025
11 minutes

Unit 42 outlines how Agentic AI capabilities can be leveraged by attackers to increase the speed of attacks 100x.

The integration of AI into adversarial operations is fundamentally reshaping the speed, scale and sophistication of attacks. As AI defense capabilities evolve, so do the AI strategies and tools leveraged by threat actors, creating a rapidly shifting threat landscape that outpaces traditional detection and response methods. This accelerating evolution requires CXOs to critically examine how threat actors will strategically weaponize AI across each phase of the attack chain.

One of the most alarming shifts we have seen since the introduction of AI technologies is the dramatic drop in mean time to exfiltrate (MTTE) data after initial access. In 2021, the average MTTE stood at nine days. According to our Unit 42 2025 Global Incident Response Report, by 2024 MTTE had dropped to two days. In one in five cases, the time from compromise to exfiltration was less than 1 hour.

In our testing, Unit 42 was able to simulate a ransomware attack (from initial compromise to data exfiltration) in just 25 minutes using AI at every stage of the attack chain. That’s a 100x increase in speed, powered entirely by AI.

Recent threat activity observed by Unit 42 has highlighted how adversaries are leveraging AI in attacks:
  • Deepfake-enabled social engineering has been observed in campaigns from groups like Muddled Libra (also known as Scattered Spider), who have used AI-generated audio and video to impersonate employees during help desk scams.
  • North Korean IT workers are using real-time deepfake technology to infiltrate organizations through remote work positions, which poses significant security, legal and compliance risks.
  • Attackers are leveraging generative AI to conduct ransomware negotiations, breaking down language barriers and more effectively negotiating higher ransom payments.
  • AI-powered productivity assistants are being used to identify sensitive credentials in victim environments.

A significant evolution is the emergence of Agentic AI – autonomous systems capable of making decisions, learning from outcomes, problem solving and iteratively improving their performance without human intervention. These systems have the potential to independently execute multistep operations, from identifying targets to adapting tactics midattack. This makes them especially dangerous. As agentic models become more accessible, you can expect a surge in automated, self-directed cyberattacks that are faster, more adaptive and increasingly difficult to contain.

Palo Alto Networks Unit 42 has been researching and developing an Agentic AI Attack framework that demonstrates how these capabilities can execute attacks with minimal input from the attacker.

Through our research, we are able to demonstrate just how easily this technology could be turned against enterprises and execute attacks with unprecedented speed and scale. Over time, Unit 42 will integrate these capabilities into our purple teaming exercises, so you can test and improve your organization’s defenses against Agentic AI attacks.

The emergence of Agentic AI is not just a theoretical risk; it’s an accelerating reality that will challenge how your organization approaches threat detection, response and mitigation.

The Agentic AI Attack Chain

Unit 42 believes that attackers will leverage Agentic AI to create purpose-built agents with expertise in specific attack stages. When chained together, these AI agents can autonomously test and execute attacks, adjusting tactics in real time, based on feedback. In the near future, we expect to see the rise of a new class of adversaries powered by Agentic AI. These Agentic AI attackers won’t just assist with parts of an attack but can plan, adapt and execute full campaigns, end-to-end with minimal human direction.

Below, we break down how Agentic AI will reshape key tactics in the attack chain, through the lens of what Unit 42 is seeing in the wild, and how to help defend against them.

Reconnaissance AI Agent — Always Watching, Always Learning

Traditional Recon: Recon was often a one-and-done step – run some scripts, scrape LinkedIn, check GitHub and maybe do some passive DNS work. It was time-bound, manual and noisy.

Agentic AI Recon: Recon agents operate persistently and autonomously. They self-prompt: “What data do I need to identify a weak point in this org?” Then they go collect it from social media, breach data, exposed APIs and cloud misconfigurations. If a target changes (new hire, new vendor portal, leaked key) the agent re-evaluates and updates its strategy.

Example: An agent selects a target organization and constantly scans job postings from that organization. It finds some job listings and infers that the company uses SAP. It checks subdomains, finds a staging SAP server and matches it to a recent CVE. It then shifts to LinkedIn, identifies midlevel IT staff and flags them for phishing, adapting its recon strategy on the fly.

Initial Access AI Agent — Personalized, Multi-Channel Intrusion

Traditional Initial Access: Attackers focused on tactics like mass phishing, credential stuffing or vulnerability scanning. If one method didn’t work, the campaign often failed or required manual retargeting.

Agentic AI Initial Access: Agentic systems don’t just try once. They generate phishing lures using LLMs, tailored to individual targets in tone, language and context. If the first attempt fails, they self-prompt: “What alternative channels or messaging might work better?” Then they try again via SMS, LinkedIn or a fake video conferencing invite. Exploitation attempts are just as adaptive, with AI matching CVEs to detected tech stacks in real time.

Example: A CFO ignores an initial phishing email. The agent rewrites the message in a more casual tone, references a recent company press release, and delivers it via a spoofed Microsoft Teams chat, thus improving its odds with every iteration.

Execution AI Agent — Smart Payloads That Wait and Learn

Traditional Execution: Payloads used to execute as soon as they were triggered. There was no context check, no real-time decision-making. And there was a high risk of getting caught in a sandbox.

Agentic AI Execution: Execution agents can observe before acting. They check where they are, who the user is and what security tools are active, then select an appropriate execution path. If one method fails (e.g., a blocked script, restricted privileges), the agent prompts itself: “What’s the next viable path?” Then, it tries again.

Example: A payload lands on a user’s machine, but pauses execution. The agent checks: “Is the user in finance? Is EDR active? Is it business hours?” Based on the answers, it decides to inject into a trusted process and delay execution until the user opens Outlook, blending into normal behavior to avoid detection.

Persistence AI Agent — Living Long and Quietly

Traditional Persistence: Persistence used to rely on one or two techniques – scheduled tasks, registry keys, startup folder implants. If defenders spotted and cleaned them, access was lost.

Agentic AI Persistence: Agents choose persistence mechanisms dynamically based on endpoint posture. They install redundant footholds (in cloud platforms, browser extensions and identity tokens) and monitor for removal. If one gets burned, the agent self-corrects: “Fallback activated. Re-establishing access.”

Example: The agent adds a run key under an admin user registry hive and simultaneously schedules a hidden task using a trusted system binary. Days later, the run key is deleted during a security scan. The agent detects the removal, prompts itself again and recreates the registry key with obfuscated values, using the scheduled task as the fallback trigger to stay persistent and undetected.
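From the defender's side, the tell in this scenario is the sequence itself: an autorun key deleted by a scan and re-created minutes later, with a different value, right after a scheduled task fires. The following detection is an added example, not code from Unit 42's framework; the telemetry, key paths and task name are constructed for illustration.

```python
from datetime import datetime, timedelta

RUN_KEY = r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"
AGENT_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent"
TASK = r"\Microsoft\Windows\Maintenance\Sync"

# Constructed endpoint telemetry (not from the original post). The first five
# events mirror the scenario above: a Run key is set, a task is created, a scan
# deletes the key, the task fires, and the key reappears with a different value.
# The last two are benign: an uninstall removes a key that a reinstall restores
# a week later, which must not alert.
EVENTS = [
    {"ts": "2025-05-01T09:00:00", "type": "reg_set", "key": RUN_KEY,
     "data": r"C:\Users\admin\AppData\Local\u.exe"},
    {"ts": "2025-05-01T09:00:05", "type": "task_create", "task": TASK},
    {"ts": "2025-05-04T02:10:00", "type": "reg_delete", "key": RUN_KEY},
    {"ts": "2025-05-04T02:15:00", "type": "task_run", "task": TASK},
    {"ts": "2025-05-04T02:15:30", "type": "reg_set", "key": RUN_KEY,
     "data": r"rundll32.exe C:\Users\admin\AppData\Local\u.dll,Run"},
    {"ts": "2025-05-02T10:00:00", "type": "reg_delete", "key": AGENT_KEY},
    {"ts": "2025-05-09T10:00:00", "type": "reg_set", "key": AGENT_KEY,
     "data": r"C:\Program Files\Vendor\agent.exe"},
]


def detect_persistence_refresh(events, window=timedelta(hours=1)):
    """Alert when an autorun key is re-created within `window` of its deletion.

    Each alert records the gap, whether the value changed (a hint that the
    entry was re-obfuscated) and any scheduled task that ran between deletion
    and re-creation, which is the likely fallback trigger."""
    first_data, last_delete, task_runs, alerts = {}, {}, [], []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "reg_delete":
            last_delete[e["key"]] = t
        elif e["type"] == "task_run":
            task_runs.append((t, e["task"]))
        elif e["type"] == "reg_set":
            key = e["key"]
            deleted_at = last_delete.get(key)
            if deleted_at is not None and t - deleted_at <= window:
                alerts.append({
                    "key": key,
                    "gap_seconds": (t - deleted_at).total_seconds(),
                    "value_changed": first_data.get(key) != e["data"],
                    "trigger_tasks": [n for rt, n in task_runs if deleted_at <= rt <= t],
                })
            first_data.setdefault(key, e["data"])  # remember the original value
    return alerts
```

The same correlation applies to other autostart locations (services, WMI subscriptions, startup folders) as long as creation and deletion events for them are logged.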

Defense Evasion AI Agent — Learning to Hide on the Fly

Traditional Defense Evasion: Obfuscate the payload. Rename the binary. Inject into a common process. If something was detected, retooling took time and effort.

Agentic AI Defense Evasion: Agentic malware is self-rewriting. If it gets flagged by EDR or antivirus, it retrains itself on evasion techniques, recompiles and redeploys. It prompts itself to test alternative execution paths, encode traffic differently or rotate to backup C2 protocols.

Example: DNS filtering flags a malware beacon. The agent immediately rewrites its traffic to blend in with encrypted Windows updates, changes its behavior and resumes exfil without ever tripping the same detection twice.

Discovery AI Agent — Silent Internal Mapping

Traditional Discovery: Fire off scans. Dump user info. Use standard tools like SharpHound or BloodHound – effective, but noisy and often time-limited.

Agentic AI Discovery: Discovery agents probe passively and selectively. They monitor internal traffic, enumerate systems using native commands and prioritize targets. If blocked, they replan: “What access paths are still open?” The process continues until a viable route to the crown jewels is mapped.

Example: An agent identifies a misconfigured dev server and uses it to access a production backup cluster. It analyzes folder names, file sizes and user patterns to decide what’s worth taking, all while mimicking legitimate internal user activity.

Exfiltration AI Agent — Smart, Stealthy and Fast

Traditional Exfil: Exfil was usually slow and blunt – compress everything, drop it on an FTP server or send it out over a file streaming service. Big payloads meant big detection risks.

Agentic AI Exfil: Exfiltration agents do their research first. They identify valuable data, prioritize it and test multiple covert paths. They throttle traffic, blend into sanctioned application protocols, and rotate channels if blocked. This kind of automation is what allowed Unit 42 to simulate a complete ransomware attack in just 25 minutes, from compromise to exfil. Agentic AI compressed a full attack lifecycle into a single lunch break.

Example: The agent identifies sensitive intellectual property documents, compresses and encrypts them, then begins exfiltrating in small chunks via a Slack bot. When the channel is blocked midtransfer, it self-prompts, switches to embedding data in outbound OneDrive syncs, and resumes – completing the mission without triggering alerts.
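Chunked, throttled exfiltration defeats per-upload size rules, but the aggregate volume and the channel switch after a block are both visible in proxy or CASB logs. The detection below is an added example, not Unit 42's code; the log format, user names, apps and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed upload log (not from the original post): "<ts> <user> <app> <action> <bytes>".
# alice pushes ten small Slack uploads, one is blocked, and the same-sized chunks
# resume over OneDrive three minutes later. bob's single large upload and carol's
# few small ones are benign controls.
LOG = (
    [f"2025-05-01T12:{m:02d}:00 alice slack upload 900000" for m in range(10)]
    + ["2025-05-01T12:10:00 alice slack blocked 900000"]
    + [f"2025-05-01T12:{m:02d}:00 alice onedrive upload 900000" for m in range(13, 18)]
    + ["2025-05-01T12:30:00 bob box upload 20000000"]
    + [f"2025-05-01T13:{m:02d}:00 carol slack upload 100000" for m in range(3)]
)


def detect_chunked_exfil(lines, window=timedelta(minutes=30),
                         threshold=5_000_000, grace=timedelta(minutes=15)):
    """Return one finding per user whose individually small uploads add up to
    more than `threshold` bytes inside `window`, or who moves to a different
    app within `grace` of an upload being blocked (channel rotation)."""
    by_user = defaultdict(list)
    for line in lines:
        ts, user, app, action, nbytes = line.split()
        by_user[user].append((datetime.fromisoformat(ts), app, action, int(nbytes)))
    findings = {}
    for user, evs in sorted(by_user.items()):
        evs.sort()
        f = {"volume_alert": False, "rotated_to": [], "apps": set()}
        recent = []  # uploads inside the sliding window
        for t, app, action, n in evs:
            if action == "blocked":
                # Any upload to another app shortly after the block is a rotation.
                later = {a for t2, a, act2, _ in evs
                         if act2 == "upload" and a != app and t < t2 <= t + grace}
                f["rotated_to"].extend(sorted(later - set(f["rotated_to"])))
                continue
            f["apps"].add(app)
            recent = [(t0, n0) for t0, n0 in recent if t0 >= t - window] + [(t, n)]
            total, biggest = sum(n0 for _, n0 in recent), max(n0 for _, n0 in recent)
            # A single oversized upload is a job for size-based DLP rules; this
            # rule only fires when the volume is reached through small chunks.
            if total > threshold and biggest < threshold:
                f["volume_alert"] = True
        if f["volume_alert"] or f["rotated_to"]:
            findings[user] = f
    return findings
```

Running it over LOG flags only alice, with both the volume condition and a rotation from Slack to OneDrive.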

Agentic AI Attacks Call for AI-Enabled Defenses

The pace of AI is accelerating so rapidly that what security vendors and attackers can do with AI is changing by the day. Agentic AI has the power to reimagine and execute attacks at greater scale and speeds. These agents are persistent, adaptive and frighteningly efficient. They don’t get tired, they don’t make typos, and they won’t stop until they succeed. At Unit 42, we’re already seeing signs of this shift – experimental malware samples, hands-off affiliate kits and active research into autonomous red teaming tools. The message is clear: tomorrow’s threats won’t wait for human operators. They’ll operate on their own.

While Unit 42 has developed one example of an Agentic AI attack framework as part of our offensive security research, we expect this is how threat actors will carry out attacks in the future, if they’re not already test-driving this technology today. Incorporating these same methodologies into our purple teaming exercises allows us to test your organization’s security controls more effectively and, given the speed of Agentic AI attacks, conduct more simulations in less time, ultimately strengthening your security posture.

When dealing with AI-enhanced cyberthreats, it's important to recognize that we are still at a point where AI serves as an amplifier for traditional attack techniques rather than fundamentally altering them. While the frequency and ease of executing certain attacks may increase, the foundational strategies for effective detection and response still hold strong. You need security solutions that also leverage AI and can evolve just as quickly as threats.

Unit 42 can help you proactively prepare for AI-enabled threats and more with our proactive services, incident response and managed security solutions. For more information, please visit our website.

Forward-Looking Statements

This blog contains forward-looking statements that involve risks, uncertainties and assumptions, including, without limitation, statements regarding the benefits, impact, or performance or potential benefits, impact or performance of our products and technologies or future products and technologies. These forward-looking statements are not guarantees of future performance, and there are a significant number of factors that could cause actual results to differ materially from statements made in this blog, including, without limitation: developments and changes in general market, political, economic, and business conditions; risks associated with managing our growth; risks associated with new products and subscription and support offerings; shifts in priorities or delays in the development or release of new offerings, or the failure to timely develop, release and achieve market acceptance of new products and subscriptions as well as existing products and subscription and support offerings; failure of our business strategies; rapidly evolving technological developments in the market for security products and subscription and support offerings; our customers’ purchasing decisions and the length of sales cycles; our competition; our ability to attract and retain new customers; and our ability to acquire and integrate other companies, products, or technologies. We identify certain important risks and uncertainties that could affect our results and performance in our most recent Annual Report on Form 10-K, our most recent Quarterly Report on Form 10-Q, and our other filings with the U.S. Securities and Exchange Commission from time-to-time, each of which are available on our website at investors.paloaltonetworks.com and on the SEC's website at www.sec.gov. 
All forward-looking statements in this blog are based on information available to us as of the date hereof, and we do not assume any obligation to update the forward-looking statements provided to reflect events that occur or circumstances that exist after the date on which they were made.
