Introduction: A Watershed Moment
In September 2025, security teams around the world bore witness to a watershed event: the first large-scale, AI-orchestrated cyber espionage campaign, in which 80-90% of tactical operations were carried out autonomously. This wasn’t a conventional hacker with an AI assistant - it was AI as the operator. The rules of application security (AppSec) have fundamentally changed.
Anthropic, the company behind the Claude AI platform, released a detailed post-mortem of the incident, calling it “the first documented case of a cyberattack largely executed without human intervention.”
That single campaign signals a turning point: AI is no longer just a tool for hackers - it’s becoming the hacker. And defenders need to adapt fast.
What Is Agentic AI?
To understand the disruption, we need to define our key term.
Agentic AI refers to systems that operate with genuine agency - they don’t just provide advice or suggestions. Instead, they:
- Reason deeply (intelligence) - they understand complex instructions, context, and multi-step tasks.
- Act autonomously (agency) - they loop through decision-making cycles, chain internal actions, and make choices with little human input.
- Leverage external tools - they interface with real-world software through APIs or protocols like the Model Context Protocol (MCP), enabling them to scan networks, run vulnerability tools, or write code.
Anthropic’s report describes how the attackers used all three of these capabilities to devastating effect.
Why Reasoning Changes Everything
Agentic AI doesn’t just speed things up - it fundamentally changes the threat model. Here’s how:
- Complex instructions, chained tasks: Modern models can understand multi-step commands, break them into subtasks, and recombine skillfully. That means asking an agent to “find vulnerabilities, write exploits, exfiltrate data” is no longer science fiction.
- From advisor to operator: Previous AI misuse often meant “help me write this exploit.” Now, models can be told to run entire attack chains, test, adapt, and document. In Anthropic’s case, Claude handled reconnaissance, crafted exploit code, harvested credentials, and packaged stolen data.
- Unmatched speed: According to Anthropic, Claude made thousands of requests per second during the campaign - an attack speed simply impossible for a human team to match.
While some argue that this isn’t a breakthrough, we believe this is a game changer in AppSec.
The Attack Landscape Has Shifted
AI-Orchestrated Attacks Are Here
According to Anthropic’s investigation, in mid-September 2025, a state-sponsored group (which Anthropic calls GTG-1002) manipulated Claude Code into supporting a coordinated cyber-espionage campaign targeting roughly 30 high-value organizations, including tech firms, financial institutions, chemical companies, and government agencies.
The campaign executed 80-90% of its operations via AI, with human intervention required only at a handful of key decision points (Anthropic estimates 4-6 per campaign).
To circumvent Claude’s built-in guardrails, the attackers used a clever technique: they jailbroke Claude by breaking the malicious workflow into innocuous “security testing” tasks and telling the model it was doing legitimate red teaming.
AI Is Weaponizing the Vulnerability Backlog
One of the most alarming consequences: AI is lowering the barrier to exploiting old vulnerabilities, enabling attackers to customize their attacks in ways that were not cost-effective before.
The recent Intruder report reveals that in 2025, attackers have increasingly focused on exploiting long-known weaknesses - vulnerabilities disclosed one, two, or even three years ago but still left unpatched in many environments.
The very same report also puts a spotlight on CVE-2025-24813, a critical remote code execution (RCE) issue in Apache Tomcat (score 9.8). If AI can automatically generate working exploits in minutes, then unpatched or misconfigured legacy systems become a ticking time bomb.
In fact, the challenge isn’t just finding new flaws - it’s that AI makes it easier than ever to weaponize existing ones. Yes, we’ve talked about it in the past.
The Math No Longer Works
Traditional remediation pipelines simply can’t keep up with AI-driven attackers:
- Human fix cycles (weeks to months) are far too slow for attackers that can exploit in minutes or hours.
- The backlog of unpatched vulnerabilities isn’t just “technical debt” - it’s an active, AI-scaled attack surface.
- Even if your team is doing well (e.g., 89% of critical vulnerabilities are remediated in 30 days), it’s not enough when AI adversaries are operating at machine speed.
How Agentic AI Is Disrupting Application Security (AppSec)
To defend in this new reality, AppSec needs a radical rethink.
- Defense must match attack speed
  - Continuous, autonomous security coverage: Deploy AI agents that monitor, triage, and respond around the clock.
  - Real-time analysis: Agents can scan for anomalous behavior, trigger investigations, and even self-heal.
- Proactive vulnerability management
  - Predictive risk: Instead of waiting for vulnerability disclosures, leverage AI to forewarn which dependencies or modules are likely to be targeted.
  - Shift-left deployments: AI fixes don’t just live in dev; they push into production rapidly.
- Near-instant automated remediation
  - Drop-in replacements: Use tools like Resolved Security’s drop-in secure replacements to apply fixes without waiting for upstream fixes. It’s THE scalable way to fix a vulnerability that hits you in several services or applications.
  - Automated PRs: AI agents can generate, test, and open remediating pull requests, complete with rollbacks and canary deployments.
- Intelligent consolidation of tools
  - Unified security agents: Instead of silos (SAST, DAST, occasional Pen Testing), use AI that reasons across code, dependencies, runtime, and threat intelligence - triaging, exploiting, and fixing all in one layer.
- Human teams evolve
  - From operators to supervisors: Security professionals will increasingly oversee AI agents, set trust boundaries, and intervene only when needed.
  - Guardrail design: Humans build the policies and constraints that guide agent behavior, rather than doing the manual work themselves.
- Economic transformation
  - Sharper cost-efficiency: Automated defense can reduce the cost of securing applications at scale.
  - Shrinking vulnerability windows: With AI-powered remediation, “weeks to fix” becomes “minutes to remediate.”
The Choice Ahead
Security teams face a fundamental decision:
- Adapt to AI-speed defense, or
- Risk falling behind AI-speed attacks.
Organizations that embrace agentic security agents will be best positioned to outpace adversaries. Those that don’t may find themselves perpetually chasing, reacting - and losing.
At Resolved Security, we believe open-source risk must be managed at AI speed. Our platform delivers:
- Secure-by-default drop-in library replacements that contain fixes, not just alerts.
- Automated remediation pipelines that integrate with your CI/CD.
- AI-powered analysis to surface risk, suggest fixes, and even deploy them with minimal disruption.
By deploying agentic AI for defense, we help organizations compress their vulnerability window - from weeks or months down to minutes.
Conclusion
Agentic AI isn’t just another tool in the cybersecurity toolbox - it fundamentally reshapes the battlefield.
The first documented AI-orchestrated espionage campaign is a wake-up call. As AI makes it easier to weaponize old vulnerabilities, security teams can no longer rely on slow, manual processes. The vulnerability window is closing - and the only question is whether you’ll close it before attackers walk through.



