In July 2026 the cloud security firm Sysdig documented a ransomware attack that had no human running it. Not a human who wrote a clever script and walked away, an attack where an AI agent did the reconnaissance, stole the credentials, moved laterally, escalated privilege, and encrypted the data, adapting to obstacles in real time the way a person would. They named it JadePuffer, and it is being called the first fully agentic ransomware operation seen in the wild. The single detail that should stop any incident responder cold: at one point the agent hit a failed login, diagnosed the problem, and had a working fix running 31 seconds later. It encrypted 1,342 service configuration items before deleting the originals. No operator was awake for any of it.
I have spent a long time in enterprise security, and almost every incident-response plan I have ever reviewed, written, or run rests on one quiet assumption: that on the other end of the attack there is a human being, working at human speed, who sleeps, hesitates, fat-fingers commands, and takes coffee breaks. JadePuffer is the moment that assumption stopped being safe to make. This is not a piece about a new malware family. It is about what breaks in your defensive model when the adversary’s tempo and cost both collapse at the same time.
What actually happened
The facts, from Sysdig’s writeup and the reporting that followed in BleepingComputer, are worth stating precisely because the precision is the point. The intrusion began by exploiting CVE-2025-3248, a critical remote-code-execution flaw in Langflow, an open-source tool for building LLM applications. Once on the first server, an autonomous agent took over: it gathered intelligence about the environment, harvested credentials, mapped the network to find higher-value targets, established persistence, escalated privilege, and finally encrypted data.
What separates it from a well-automated script is adaptation. When a step failed, the agent did not halt and wait for its operator, it diagnosed the failure, adjusted its parameters, and retried, exactly the loop a skilled human intruder runs. The 31-second recovery from a failed login is the tell. A script fails and stops. A human fails, thinks, and tries again in a few minutes. This thing failed, reasoned, and recovered faster than you could read the log line describing the failure.
Two things collapsed at once: tempo and cost
The reason JadePuffer matters more than the sum of its techniques is that it collapses two limits simultaneously, and defenders have quietly depended on both.
The first is tempo. Every detection-and-response program is built around a window: the time between an attacker gaining a foothold and a defender noticing and acting. We have names for it, dwell time, mean time to detect, mean time to respond, and a whole industry of tooling to shrink it. All of it assumes the attacker also operates on a human clock. An agent that goes from failed login to working fix in 31 seconds is not inside your response window. It has finished before your first alert has cleared triage. I wrote about this collapse when the first end-to-end autonomous intrusion was still a research demonstration, in the autonomous AI attacker piece. JadePuffer is that demonstration with a name, a CVE, and a victim.
The second is cost. Ransomware has always been gated by the scarcity of skilled operators. A criminal crew has only so many people who can run a hands-on-keyboard intrusion, so they pick targets worth a human’s time. Take the human out and that constraint evaporates. The keynote for Black Hat USA 2026 is titled, with no exaggeration, “The End of Rare: Defending When Offense Is Cheap.” That is the whole thesis in five words. When an intrusion costs almost nothing to run, it stops being reserved for the targets big enough to justify a skilled attacker’s attention, and the small organisation that assumed it was beneath notice becomes worth attacking simply because attacking is nearly free.
What breaks in the standard IR playbook
Put the two collapses together and specific, load-bearing assumptions in the way most teams defend start to fail. These are the ones I would revisit first.
- Human-speed response. The plan that says “analyst reviews the alert, escalates, and contains” assumes minutes to hours are fast enough. Against a sub-minute adversary, a response that depends on a human reading a ticket is already too late. Containment that matters now has to be automated and pre-authorised, decided before the incident, not during it.
- Target selection by value. “We are too small to be a target” was always weak, and it is now finished. When offense is nearly free, there is no target too small; you are attacked because you are reachable, not because you are worth it.
- Alert-fatigue triage. A detection pipeline that batches, scores, and queues alerts for human attention was designed for an adversary who would still be there when the analyst got around to it. This one will not be.
- Patch cadence as a background chore. JadePuffer got in through a known, patchable CVE in an internet-reachable component. The initial access was not exotic. The slow bit, deciding to patch, scheduling the window, was entirely on the defender’s side, and the agent exploited exactly that latency.
What actually still works
The honest and slightly deflating news is that the defences that hold up against a machine adversary are the same fundamentals that held up against a human one. They just stop being optional and start being the whole game, because the margin for sloppiness that a slow human attacker used to give you is gone.
- Reduce the initial-access surface, ruthlessly. The agent needed a way in, and it used a known RCE in an exposed service. Every internet-facing component you can remove, patch faster, or put behind authentication is one the agent cannot start from. This is unglamorous attack-surface hygiene, and it is now your highest-leverage control.
- Contain the blast radius before the breach. The agent’s damage came from lateral movement and privilege escalation after the foothold. Segmentation, least privilege, and tight egress control do not stop the entry, but they decide whether entry becomes an incident or a catastrophe. This is the same identity discipline I described in the piece on non-human identity sprawl: standing, over-broad access is what turns one compromised host into all of them.
- Kill the standing credential. The agent harvested credentials and reused them to move. Long-lived, reusable credentials are the fuel for exactly this. Short-lived, continuously verified access starves it, the argument I made in the continuous-verification piece.
- Automate the response, not just the detection. If the attacker operates in seconds, your containment has to as well. That means pre-approved automated actions, isolate this host, revoke this token, block this egress, that fire without waiting for a human decision. The uncomfortable part is trusting your own automation enough to let it act.
- Test whether your controls actually do anything. An automated adversary will find the control that passes the audit and stops nothing far faster than a human tester would. I wrote about that specific failure mode in the silent-controls piece, and JadePuffer is precisely the kind of thing that exposes it.
Do not over-learn the lesson either
It is worth being sober about what this is and is not. One documented case is not an epidemic, the initial access was a known CVE rather than anything novel, and the same AI capability that ran this attack is available to defenders to triage, detect, and respond at the same speed. The agent did not invent a new class of vulnerability; it industrialised the exploitation of an old one. The correct reaction is not panic and it is certainly not a new product line, it is to notice that the economics of being attacked just changed and to make sure your fundamentals are tight enough to survive an adversary that no longer works at human speed or human cost.
Why it matters
For twenty-five years the defender’s implicit ally was the attacker’s humanity, the fact that there were only so many of them, that they got tired, that they were expensive, that they worked at a pace you could, on a good day, keep up with. JadePuffer is the first clear, named, in-the-wild sign that this ally is leaving. The response is not despair and it is not a shiny new tool. It is to compress your own patch window, contain your own blast radius, kill your standing credentials, and let your containment act at machine speed, because the thing on the other end already does. The teams that stay calm through this shift will be the ones who treated those fundamentals as the job all along, rather than the box they ticked for the audit.
If you want a second pair of eyes on whether your detection and response can survive a machine-speed adversary, request a review. I run AI and network security engineering engagements grounded in enterprise experience.