A Weapon That No Longer Needs a Hero

Every weapon begins as an extension of the hand that holds it. The spear extended the arm. The bow sent the point flying without a throw. The gun placed the dead man a quarter mile out of sight, and the plane carried that death across the seas. With each turn, the distance between the hero and the wound increased, but one thing did not move: someone chose a target, and someone hit it. Throughout the history of conflict, cyberspace included, the hand has always been on the weapon.
Offensive AI is when a weapon learns to target itself.
For three years, artificial intelligence (AI) has been an extension of the pen. It wrote a phishing email, suggested an exploit, mapped out the bad work, and then, like all the tools that came before it, handed the work back to the human to carry out. In 2023, I published a white paper at the SANS Technology Institute showing how an unskilled person can trick a chatbot into producing malware that bypasses the controls designed to stop it. That was the age of the assistant: dangerous, sure, but still tied to the operator who held it. Agentic AI cuts the cord. It takes a goal and works through the steps on its own. This single change, from a drafting tool to an acting tool, reshapes offensive operations faster than defenses are being built to contain them, and it cuts on two sides at once. It gives real power to attackers who never had any, and lends devastating speed to those who are already lethal.
If your trade is offensive work, this is the domain you are in now. What the adversary uses becomes a tool that you should be able to answer for yourself, and it goes far beyond chatbots that produce more convincing phishing. It is worth studying, with clear and dispassionate eyes, what these agents can do today, how they let you work at a speed that seemed impossible until recently, and where they will quietly leave you on the cliff if you follow them with too much faith.
The Gate Has Fallen
Consider the entry-level threat actor, historically limited by a lack of technical expertise. Such people can now use agents to develop exploits and conduct campaigns independently. Technical excellence is no longer a requirement; intent and access to capable tools are sufficient. I call this phenomenon "script kiddie as a service," which reflects the evolution into sophisticated attacks of the unskilled actors of the past.
Another implication is that the limits of unskilled attackers are now defined by the abilities of their chosen AI models rather than by their own expertise. As many untrained actors use the same models in comparable ways, their attack methods begin to converge on a single behavior. While this increases the volume of sophisticated attacks, it also creates visible patterns, such as common phishing and exploit chains. Skilled adversaries will adapt beyond this default, but most will not. Defenders who understand these automated behaviors can therefore better anticipate and mitigate widespread threats.
For experienced operators, artificial intelligence does not increase efficiency, but it greatly increases the speed of operation. Training an agent on established tradecraft enables campaigns to be run more consistently, reducing tasks that previously took weeks to mere hours. This double effect, more entry-level attackers and accelerated attacks from professionals, expands the entire threat landscape. For those who carry out authorized offensive operations, this is now the standard. Adversaries are already using these tools, and any engagement that ignores them fails to reflect current threats.
The Hunt Runs Itself
One of the examples I most often give people is autonomous social engineering. In this scenario, the attacker uses an agent to collect publicly available information about the target, such as LinkedIn profiles, press releases, or conference recordings, to create a detailed profile. This intelligence is then used by a second agent, which generates and sends personalized messages, manages responses, and conducts an ongoing conversation, moving steadily toward its goal. No human intervention is required in the communication process.
The danger here is not speed; it's the quiet death of the signals we relied on. For years, our defense against phishing has leaned on the tells of mass production: clumsy grammar, recycled templates, the same email sent ten thousand times. Those are exactly the tells this capability cancels. Each message arrives polished, unique, and grounded in something true about its target. Of course, infrastructure signals persist; things like sender reputation, authentication, and the like remain, but now, as defenders, we have to depend on them more than ever, and how long will it be before those defenses break under that pressure? The language-level and template tells that many of our detections quietly depended on no longer exist.
And it's not just social engineering. The same automation extends to exploitation. As frontier models become increasingly adept at integrating tool calls and debugging against a live environment, the bar for producing effective exploits lowers with each release. So much so that the federal government is getting involved and forcing models like Anthropic's Fable 5 off the market due to fear of their power. But this is just the tip of the iceberg. Bind even a moderately capable model to a database of known vulnerabilities, and it will do its own assessment, judge where the target is exposed, pull matching exploits off the shelf, and report like a sniffer: I believe this will work, based on these indications. Shall I run it? Malware goes the same way: it multiplies itself, and we are already watching agents rewrite existing malware into a silent strain built to bypass controls that know the old strain. This started years ago with the introduction of the "Guided Network Access Weapon (GNAW)," which I presented for the first time at the Hackers Teaching Hackers conference.
The Confidence of the False Oracle
All this makes agents a very attractive thing to rely on. They are fast, they keep running, and they speak with unrelenting authority from start to finish. That last quality is a trap, and to call it lying is an understatement. The agent does not want the truth. It wants a job done and a response that wears the appearance of being right. It has no stake in whether the target is actually vulnerable; it matches the clues to a conclusion and conveys that conclusion in the same steady voice, regardless of whether the conclusion is sound or empty. Married to a vulnerability database, it compounds the error: it finds what is apparently related, not what actually works. It does not check the version, or the configuration, or whether the service can be reached.
Where Evidence is Made
That problem of judgment is exactly why this work has its place. The SANS Secure AI Blueprint, endorsed by SANS Chief Executive Officer Rob T. Lee, divides the broad challenge into three tracks: Secure AI, Deploy AI, and Govern AI. Govern produces the policy and oversight that keep these systems accountable. Secure hardens the systems an organization uses. Use is where AI is applied for offense and defense alike, and offensive operations are its sharp edge.
Leadership hears the words "AI security" and pictures policy binders and a governance committee in a quiet room. However, Use is the only one of the three that provides evidence: actual attacks against actual systems, which reveal whether policy and defenses hold firm when they are hit. The organization can write all the guidelines it likes and adopt all the defenses it can buy, but until someone turns this tool against its walls, it doesn't know which of them will hold. Defense is theory until contact, and the operator is what brings you there. That is why the operators, continuously, are the ones who hold the whole system to account.
What is a Hero
So let's go back to where we started. Throughout human history, the hand stayed on the weapon because the weapon could not be trusted to choose, and that much has not changed. The machine can target itself now, but it can't tell you whether the shot should be taken. It will name a target that was never there and ask, in the same calm tone it uses when it is right, for permission to shoot. Every mechanical part of this craft is being transferred to the machine. The one missing part, the judgment to tell the true thing from the honest lie and to hold your hand until you are sure, becomes the whole job. The hero has never stood further from the wound, and the choice to connect them has never carried more weight. The weapon no longer needs a warrior to wield it, but it has never needed someone to decide whether it should be wielded more than now.
Learn Offensive AI at SANS San Antonio 2026
This August, I will answer these questions in depth during my course SEC535: Attack Tools and Techniques, held at SANS San Antonio 2026. Throughout the three days of hands-on labs, we work on the techniques described here from the operator's side: AI-assisted reconnaissance and voice attacks, supporting voice detection, voice-fake detection and voice attacks, and the use of AI in malware development and prevention. You'll drive the tool with your own hands and walk away with a true sense of its reach, its limitations, and the exact points where it shouldn't be trusted. That is the distance between knowing that this attack exists and being able to carry it out.
The machine will serve the purpose. Be the judgment behind the shot.
Register for SANS San Antonio 2026 here.
Note: This article was written and contributed by Foster Nethercott, author of the SANS SEC535 course.



