It finally happened, and it happened on a clock no human can race. In May 2026, Sysdig's threat research team captured the first documented intrusion where the post-exploitation was run by a language-model agent rather than a person. The attacker did not sit at a keyboard pivoting through the network. They handed stolen cloud credentials to an AI agent and let it work. It replayed the credentials, pulled an SSH key out of a secrets manager, moved laterally through a bastion, and exfiltrated a full PostgreSQL database. The lateral-movement chain completed in under two minutes. The whole thing was over in under an hour, with no human in the loop.
Weeks later, Google's Threat Intelligence Group confirmed the other shoe: the first AI-written zero-day exploit caught in the wild, a working two-factor-bypass script with the fingerprints of a language model all over it, hallucinated CVSS score included. Two firsts in one month. After seventeen years in network security, I read these not as hype but as the moment a long-predicted line got crossed. This is what changes for everyone who defends.
What actually happened, and why it is different
Strip the drama and the Sysdig case is a normal breach with one abnormal component. The entry was an unremarkable remote-code-execution flaw in a data-science notebook tool, the kind of foothold that happens every day. What was new is what drove the next four steps. Instead of a human operator deciding "now I check the secrets manager, now I try the bastion," an agent took the output of each command, decided the next action in real time, and adapted when something did not behave as expected. It was not running a script. A script is a fixed plan. This was a reasoner improvising an attack path, the way a skilled human red-teamer does, except it never paused to think, type, or check Slack.
That is the distinction that matters. We have had automated attack tooling for decades: worms, exploit kits, scanners. They are fast but dumb: they execute a predetermined sequence and fall over the moment reality diverges from it. An LLM agent does not fall over. It re-plans. That single property, adaptation at machine speed, is what turns a multi-hour manual intrusion into an automated sequence measured in minutes.
And now the exploit writes itself
The Google finding closes the other half of the loop. Their Big Sleep agent, working from threat-intelligence artifacts, pinpointed a zero-day before a criminal group could run a mass-exploitation campaign, and the exploit code itself appeared to be AI-generated. Tellingly, the flaw was not a memory-corruption bug that a fuzzer would catch. It was a high-level logic vulnerability, a hardcoded trust assumption in the two-factor enforcement, exactly the kind of semantic flaw that traditional scanners miss and that I keep flagging in code review. I wrote about that whole failure class in the OWASP LLM Top 10 for 2026; here it is being found and weaponized by the machine instead of by me.
This breaks the assumption defence quietly runs on
Here is the part the headlines miss. For seventeen years, defence has quietly depended on attackers being slow. Dwell time, the gap between foothold and real impact, is not just a metric. It is the working window the entire security operation lives inside. It is the time you have to fire an alert, triage it, decide it is real, and contain it before the data leaves. Every SOC runbook, every escalation tier, every "we respond within fifteen minutes" SLA assumes a human on the other end who also needs minutes and hours.
An autonomous agent collapses that window toward zero. Lateral movement in under two minutes is faster than your on-call analyst can read the first alert, let alone act on it. The comfortable arithmetic of detect-and-respond, where you assume some time between compromise and consequence, stops holding. I have argued before that the same failure looks identical across a network and an AI stack; the new wrinkle is that the attacker exploiting it no longer operates on human time.
What the defender's playbook becomes
None of this means the fundamentals are wrong. It means the margin for human-speed response is gone, and the controls that do not depend on a human reacting in time are the ones that now carry the weight.
- Containment over detection, where detection cannot keep pace. If you cannot reliably catch and stop a chain in under two minutes, the win is to make sure there is less to chain. Least privilege, segmentation, and default-deny egress shrink the number of pivots an agent has to reason through, and they work whether or not anyone is awake. This is the substance of the 90-day Zero Trust plan I run with mid-sized teams.
- Automated response, not just automated detection. The action that contains the breach has to fire at machine speed too: isolate the host, revoke the credential, cut the egress, without waiting for a ticket. Detection that only pages a human is detection that loses the race.
- Assume near-zero dwell time. Plan for impact at the moment of foothold, not after an investigation. Your tabletop exercises should include "the agent finished before anyone looked," because that is now a real branch.
- Watch for the machine's fingerprints. The AI-generated exploit had tells: a hallucinated CVSS score, textbook structure. Agent behaviour has tells too: inhuman speed and consistency. Behavioural detection of "this is moving too fast and too cleanly to be a person" becomes a real signal. The detection side of this is its own discipline, which I cover in AI threat detection strategies.
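To make the "too fast and too cleanly" signal concrete, here is a minimal detector, added as an illustration and not taken from the Sysdig or Google reports. The event records, stage names, and the consistency threshold are constructed assumptions; only the two-minute span comes from the incident described above.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample audit events: (ISO timestamp, principal, stage). Not real incident data.
EVENTS = [
    ("2026-05-01T10:00:00", "svc-notebook", "credential_use"),
    ("2026-05-01T10:00:21", "svc-notebook", "secret_read"),
    ("2026-05-01T10:00:44", "svc-notebook", "bastion_ssh"),
    ("2026-05-01T10:01:05", "svc-notebook", "db_connect"),
    ("2026-05-01T09:00:00", "alice", "credential_use"),
    ("2026-05-01T09:07:30", "alice", "secret_read"),
    ("2026-05-01T09:31:10", "alice", "bastion_ssh"),
    ("2026-05-01T10:15:00", "alice", "db_connect"),
]

# Hypothetical stage labels for the chain: credential, secret, bastion, database.
CHAIN = ("credential_use", "secret_read", "bastion_ssh", "db_connect")


def find_chain(items):
    """Return timestamps of the first in-order occurrence of CHAIN, or None."""
    hits = []
    for ts, stage in sorted(items):
        if stage == CHAIN[len(hits)]:
            hits.append(ts)
            if len(hits) == len(CHAIN):
                return hits
    return None


def machine_speed_principals(events, max_span_s=120, max_cv=0.5):
    """Flag principals that finish the chain fast (span) and evenly (low gap variation)."""
    by_principal = {}
    for ts, who, stage in events:
        by_principal.setdefault(who, []).append((datetime.fromisoformat(ts), stage))
    flagged = {}
    for who, items in by_principal.items():
        hits = find_chain(items)
        if hits is None:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(hits, hits[1:])]
        span = sum(gaps)
        # Coefficient of variation of the gaps: near zero means metronome-like pacing.
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        if span <= max_span_s and cv <= max_cv:  # max_cv is an assumed threshold
            flagged[who] = {"span_s": span, "gap_cv": round(cv, 3)}
    return flagged
```

The flagged set is meant to feed an automated action such as credential revocation, not a ticket queue; tune both thresholds against your own baseline of legitimate automation, which also moves fast and evenly.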
Keep your head: this is early, not apocalyptic
I will not sell you panic. This is one documented post-exploitation case and one zero-day that was caught before it was used at scale. The agent in the Sysdig incident was driven by a human who chose to point it at the target; it did not wake up and decide to attack. We are at the start of the curve, not the end of the story. But the curve is set, and the lab is already ahead of the wild: university researchers have built a self-replicating worm that reasons its way through a network on a local open-weight model, with no commercial API to throttle it. The trajectory does not require a leap of faith. It requires planning for the attacker that does not sleep, and that is a planning problem, not a doomsday one.
The throughline
Seventeen years taught me that defence is a race against the clock: how fast can you see it, decide, and contain. The clock just had a machine bolted to it, one that pivots in seconds and writes its own exploits. The fundamentals (least privilege, segmentation, containment, fast revocation) do not change, but the assumption that a human will have time to react has quietly expired. Build for the attacker that never hesitates, and you are building for the one that is already in the wild.
If you are reassessing your detection-and-response posture against autonomous, machine-speed attackers, request a review. I run AI security engagements anchored in seventeen years of enterprise network defence. See also FwChange.com for the firewall and containment side of the same problem.