When an AI agent can run an entire attack chain — from reconnaissance to data exfiltration — without a human pulling the trigger, the cybersecurity rulebook needs to be thrown out. The question is whether defenders can move fast enough.
For decades, every cyberattack has shared one essential characteristic: somewhere, at some point, a human being made a decision. A criminal decided which target to probe. A nation-state actor chose which system to compromise. Even the most automated malware campaigns required a person to write the code, select the victims, and pull the trigger. That foundational assumption — that a human is always in the loop — is now obsolete.
In November 2025, a cyber espionage operation was disclosed that changed the calculus permanently. For the first time, security researchers confirmed that an AI agent had conducted a complete attack lifecycle — reconnaissance, exploitation, and data exfiltration — with no human directing each step. The targets included major technology companies and government agencies. The implications, documented in the World Economic Forum’s Global Cybersecurity Outlook 2026 and underscored by Anthropic’s own findings from Project Glasswing, have been reverberating through every CISO office since.
- 94% of global cyber leaders identify AI as the single biggest driver reshaping cybersecurity in 2026
- 1,000s of zero-day vulnerabilities found in weeks by Anthropic’s Claude Mythos across every major OS and browser
- $1.9M average reduction in breach costs for organisations that deploy AI strategically in their defences
- 80 days shorter average breach lifecycle when AI is extensively used in security operations
The Moment Everything Changed: November 2025
The disclosed espionage operation was not a theoretical exercise or a red-team simulation. It was a live operation, confirmed and documented, in which an AI agent moved through the entire kill chain — the structured sequence of steps that defines a sophisticated cyberattack — without requiring human instruction at each phase. Reconnaissance: identifying targets and probing for weaknesses. Exploitation: using those weaknesses to gain access. Lateral movement: spreading through connected systems. Data exfiltration: removing sensitive information.
Each of these stages has historically been a choke point. Each required human expertise, human timing, and human decision-making. An attacker who could automate even one stage gained an advantage. An attacker who could automate all of them simultaneously, across multiple targets, at machine speed — that changes the threat landscape entirely.
The AI-Automated Attack Chain — All Stages, No Human in the Loop
- Reconnaissance: Target profiling, vulnerability mapping, surface scanning
- Exploitation: Zero-day or known flaw exploitation to gain initial access
- Lateral Movement: Spreading through connected systems, privilege escalation
- Exfiltration: Sensitive data removed without triggering standard alerts
The WEF’s Global Cybersecurity Outlook 2026, published in January, is direct about the significance: the emergence of autonomous AI agents capable of executing full-scale attacks signals a potential turning point. Researchers note that while generative AI had previously been used primarily to enhance social engineering and reconnaissance, the November operation demonstrated something categorically different — an agentic system that could pursue a goal across multiple technical domains, adapting its approach as it encountered obstacles, without waiting for human instruction.
“Criminals are always willing to use all possible ways to get access to value. Consequently, to stay ahead, those of us who defend must use every tool at our disposal — which now includes agentic AI.”
Arvind Krishna, CEO, IBM — WEF Global Cybersecurity Outlook 2026
Project Glasswing: When the Defender Uses the Same Weapon
In April 2026, Anthropic disclosed something that forced the security industry to confront the full dual-use nature of frontier AI. Project Glasswing — named after the glasswing butterfly, whose transparent wings make it invisible to predators — was launched not as a research curiosity but as an urgent operational response.
The trigger was internal testing of Claude Mythos Preview, a general-purpose frontier model that Anthropic has chosen not to release publicly. During that testing, something unexpected emerged: the model demonstrated cybersecurity capabilities that its developers had not specifically engineered. It was not trained as a security tool. But because it could deeply understand and modify complex software, it could also find that software’s vulnerabilities — at a depth and speed that surpassed all but the most skilled human researchers.
Project Glasswing — Key Facts
- Anthropic’s Claude Mythos Preview identified thousands of zero-day vulnerabilities across every major operating system and every major web browser — in weeks of testing. Zero-day flaws are previously unknown bugs; they are among the most dangerous discoveries in security because no patch exists until they are disclosed.
- The model was made available to a closed group of partners, including AWS, Apple, Cisco, CrowdStrike, Google, JPMorgan Chase, Microsoft, NVIDIA, and Palo Alto Networks. Anthropic declined to release it publicly due to what it described as its “dual-use cybersecurity risks” — a frank acknowledgment that the same capability that finds vulnerabilities defensively could be weaponised offensively.
- Anthropic’s stated goal: give defenders a durable advantage before capabilities of this kind proliferate to actors who might deploy them without safeguards. The company committed over $100 million in model usage credits to the initiative.
The Glasswing disclosure has forced a reckoning with a question the security industry has long deferred: what happens when AI collapses the gap between vulnerability discovery and exploitation? Traditionally, even when a zero-day was found, there was a window — sometimes days, sometimes weeks — between discovery and active exploitation. That window is where the defenders lived. It was where patches were written, where detection signatures were created, and where incident response teams prepared.
Security researchers at IANS described the new dynamic starkly: the good guys have Mythos for now, but there is no moat around AI capabilities, and adversaries will acquire equivalent abilities eventually. When they do, the discovery-to-exploitation window shrinks toward zero. Patch pipelines that assumed days of lead time will be inadequate. Detection tools calibrated to known patterns will miss novel exploits generated on demand. The operational tempo of the entire industry will need to accelerate.
The Concern That Overtook Ransomware
For the past several years, ransomware has occupied the top spot in nearly every cybersecurity risk ranking. The formula was simple and devastating: encrypt a target’s data, demand payment, threaten to publish what was taken. It worked. It scaled. It generated billions. It dominated board-level conversations and government policy.
In 2026, something displaced it — at least in how CEOs think about the threat landscape. The WEF report documents that business leaders now rank cyber-enabled fraud and phishing as their primary concern, with ransomware dropping from the top position it held throughout 2025. The reason is the same as everything else in this story: AI. Automated tools now allow criminal organisations to create hyper-personalised phishing messages at industrial scale, localise content by language and culture, and impersonate trusted voices with a precision that humans cannot match at volume.
The WEF’s 2026 survey found that 73% of respondents said they or someone in their professional network had been personally affected by cyber-enabled fraud in the previous twelve months. Among the most common attack vectors: phishing, vishing, and smishing — reported by 62% of those affected. Fraud at this scale is not a corporate problem, researchers note. It has become a societal one.
“The weaponisation of AI, persistent geopolitical friction, and systemic supply chain risks are upending traditional cyber defences.”
Paolo Dal Cin, Global Lead, Accenture Cybersecurity — WEF Global Cybersecurity Outlook 2026
Meanwhile, CISOs — who operate closer to the technical reality — have not dropped ransomware from their threat models. They still rank it first, with supply chain disruption second. This divergence between CEOs and CISOs reflects different risk lenses: financial loss and brand exposure versus operational continuity and incident response. Both are correct. Both are real. The tension between them is one of the defining governance challenges of 2026.
The Identity Problem No One Has Solved
Beneath the headline threat of AI-powered attacks lies a more fundamental problem that the industry is only beginning to map: who — or what — is operating inside your systems right now?
The proliferation of AI agents in enterprise environments is creating a new category of digital identity that existing security frameworks were never built to handle. Human users have usernames, passwords, access logs, and behavioural baselines. AI agents have… increasingly, none of that, or versions of it that are poorly governed. Security researchers at IBM and the WEF both flag this as one of the critical unresolved vulnerabilities of the current moment.
Without strong governance frameworks, agents can accumulate excessive privileges, be manipulated through design flaws or prompt injection attacks, or inadvertently propagate errors across systems at a speed no human team can match. The multiplication of non-human identities — estimated to outnumber human users inside most large enterprises by the end of 2026 — means that the traditional identity and access management playbook is structurally outdated. Rewriting it is urgent and technically difficult.
The Defenders Are Moving, but Unevenly
The most striking finding in the WEF’s May 2026 follow-up report, developed with KPMG, is that the defenders are not standing still. The report documents measurable gains from organisations that have deployed AI defensively: average breach costs reduced by up to $1.9 million, and breach lifecycles shortened by approximately 80 days for those using AI extensively in security operations. These are not marginal improvements. They are structural advantages.
The share of organisations formally assessing the security of their AI tools before deployment has also nearly doubled — from 37% in 2025 to 64% in 2026. Security teams are using AI for phishing detection, anomaly detection, behavioural monitoring, and automated incident response. The technology works. The ROI case is increasingly clear. And 77% of surveyed organisations now have AI embedded somewhere in their security stack.
But the gains are distributed unevenly in ways that create systemic risk. Large, well-resourced organisations in North America, Europe, and parts of Asia-Pacific are deploying defensive AI at a meaningful scale. Smaller organisations, those in emerging markets, and those operating legacy infrastructure are not keeping pace. A global skills shortage in AI-literate security professionals — affecting 70% of engineering teams in sub-Saharan Africa and 69% in Latin America — means that the threat landscape is globalising faster than the defensive capability to match it.
- Agentic AI has already executed a full attack lifecycle without human direction. This is no longer a theoretical scenario — it is a documented, confirmed event.
- Frontier AI models can discover zero-day vulnerabilities at a scale and speed that human teams cannot match. The window between discovery and exploitation is compressing.
- The CEO-CISO divide on threat priorities (fraud vs ransomware) reflects a governance gap — boards and security operations centres are not assessing the same risk landscape.
- AI agent identity management is the critical unresolved security problem of 2026. Non-human identities will outnumber human users inside most enterprises before year-end.
- Organisations deploying defensive AI extensively reduce average breach costs by up to $1.9 million and shorten breach lifecycles by ~80 days. The ROI case for investment is now empirical.
- The security advantage from Project Glasswing-style capabilities is temporary. Assume adversaries will have equivalent capabilities within 12–24 months. Build accordingly.
The Harder Question: Governance in an Autonomous World
The most uncomfortable implication of agentic AI in cybersecurity is not technical. It is jurisdictional and ethical. When an AI agent conducts a defensive action autonomously — blocking an IP, isolating a compromised system, triggering an alert — the question of accountability is relatively clear. But as autonomous defensive capabilities grow in sophistication, the line between defensive action and offensive response blurs.
The WEF’s Outlook notes that the governance and liability implications of autonomous cyber actions are only briefly sketched in existing frameworks. The EU AI Act, critical infrastructure protection regulations across multiple jurisdictions, and emerging sector-specific AI rules all touch this question — but none have yet produced operational guidance that security teams can act on. The gap between regulatory intent and operational reality is widening at precisely the moment when the need for clarity is most urgent.
Anthropic’s approach with Project Glasswing — a controlled, gated initiative with named institutional partners and explicit public disclosure — represents one model for how to deploy frontier AI capabilities responsibly in a security context. It is not the only model. But in an environment where the alternative is uncontrolled proliferation, it is a meaningful marker for what responsible deployment of powerful cybersecurity AI could look like.
The invisible threat, ultimately, is not just the agentic attack that arrives without warning. It is the governance vacuum that allows both attackers and defenders to operate without adequate accountability. Closing that vacuum — technically, institutionally, and legally — is the defining cybersecurity task of the next decade. The clock started running in November 2025.
