Offensive AI: State of the Field

On this page

Question

How has agentic AI changed offensive operations in 2026, and what does the kill chain look like when AI is the abstraction layer attackers operate on? Specifically: which kill-chain phases (recon, initial access, persistence, C2, lateral movement, exfiltration) now have demonstrated AI-assisted or AI-driven techniques? Which tools (commercial and OSS) are in operator use? Where are the trust and capability boundaries between human-operator-with-AI-assistant and fully-autonomous offensive agents?

Current position

The 2026 offensive-AI surface centers on promptware as the unit of capability: multi-stage operations written in natural language and executed across heterogeneous agentic substrates. The kill chain has migrated up a layer. Instead of crafting binaries that execute on a target operating system, operators craft prompts that execute across an agent’s tool surface. Rehberger’s Unprompted 2026 talk demonstrated the kill chain across production systems (Gemini Workspace, Microsoft Enterprise Copilot, ChatGPT, OpenClaw, KimiCloud), establishing it as an operational reality rather than a research curiosity.

Three load-bearing patterns characterize the field:

  1. Prompt-level C2. Agent Commander demonstrates command-and-control infrastructure built on prompt abstractions: enrollment, exfiltration, and arbitrary dispatch. The C2 surface is the agent itself.
  2. Tool-set manipulation. Tool poisoning and delayed tool invocation are the AI-era equivalents of supply-chain and timing attacks. Both are vendor-disclosed and demonstrated.
  3. Continuous adversarial testing as offense. General Analysis (raised a $10M seed round in April 20261) productizes Continuous Adversarial Red Team for agentic AI; the same orchestration applies symmetrically to attacker tradecraft.

Supporting evidence

Counter-evidence

XBOW operates as a multi-model orchestration layer (Opus 4.7, Sonnet 4.6, Haiku 4.5, GPT 5.5, plus preview-stage Mythos) that converts frontier-model vulnerability candidates into validated exploits via live-site interaction harnesses. Its evaluation reports a 42% false-negative reduction versus Opus 4.6 on its own web-exploit benchmark, 55% with source-code access, when paired with Mythos.2 XBOW fits at Tier 5 (Vendor Evaluation) of the Red Teaming Capability Framework.

Prophet AI / Dropzone (offensive-side)

Both have offensive-adjacent capabilities under SOC framing. Need clarification of where they sit on the WITH-AI vs. FOR-AI axis.

Autonomous offensive agents — production reality?

Rehberger’s work demonstrates human-operated AI-augmented offense at scale. Within the sources surveyed here, the line between “operator with copilot” and “autonomous offensive agent” is rhetorical, not technical. Need sourced examples, or explicit acknowledgment that the autonomous-agent threat is forecast rather than present.

How this position has evolved

  • 2026-05-13. Seeded during the wiki scope expansion. The practitioner-research surface (Rehberger, General Analysis, the Unprompted conference cohort) is well-covered; commercial offensive tooling is thin and is the priority for the next ingest sprint.

Open sub-questions

  • Does offensive AI deserve its own anchor artifact (a maturity model or reference architecture), or is the right address a thesis page that periodically annexes the relevant CMM domains?
  • How do defender CMM levels translate to offensive-capability tiers? Is there a useful symmetry: does an enterprise at CMM L4 face L4-equivalent offensive AI, or is the relationship asymmetric?
  • See Gaps Index for related open questions.

Footnotes

  1. General Analysis Raises $10M in Seed Funding to Secure Agentic AI (BusinessWire, 2026-04-29).

  2. XBOW, Mythos for Offensive Security: XBOW’s Evaluation (2026-05-12): false negatives cut by 42%, and 55% with site source code. See the page summary.