AI Already Operates Cyberattacks and Reduces Defense Margin to Hours

Artificial intelligence has started to perform tasks within real intrusions, from exploring networks to generating commands and analyzing stolen information. Check Point Research’s AI Security Report 2026 documents the shift of models from attacker assistants to agents connected with terminals and tools, capable of maintaining an active operation between human interventions.

The keys to AI-operated cyberattacks in 30 seconds

  • An attacker used Claude Code and GPT-4.1 in an intrusion against nine Mexican agencies.
  • The agents generated 5,317 commands over 34 sessions, although the operator maintained control of the attack.
  • Detections of indirect injections of extensive prompts multiplied fivefold between March and May.
  • Business prompts with sensitive data increased from 2% to 4%.
  • Check Point found security issues in 40% of 10,000 analyzed MCP servers.

The report does not describe an artificial intelligence that autonomously selects targets and attacks without human involvement. In the studied incidents, an operator still exists who sets priorities, provides credentials, or validates decisions. The technical difference is that this person no longer needs to manually execute each phase.

An agent can receive a target, consult files, call tools, write commands in a terminal, and review results before choosing the next step. This capability allows a single person to maintain multiple attack lines simultaneously and compresses the time available to detect and contain activity.

From code generation to working inside a compromised network

Until recently, the main risk associated with offensive AI was its ability to craft phishing messages, translate campaigns, or assist in writing malware. Check Point asserts that over the past year, models have entered the live attack chain.

AI as AssistantAI as Operator
Explains a vulnerabilityTests actions against the system
Generates code snippetsBuilds and executes commands
Translates phishing messagesAdapts communications for each victim
Summarizes stolen informationClassifies data and proposes new tasks
Suggests next stepsChains actions through tools
Requires frequent interventionWorks over longer periods

The most notable case in the report involves nine Mexican government agencies. A single attacker reportedly sent 1,088 instructions that produced 5,317 commands executed via AI over 34 sessions. According to Check Point, the operation combined Claude Code for network access and navigation, with GPT-4.1 analyzing obtained data and preparing subsequent tasks.

The activity was not fully autonomous. The more than a thousand human instructions show that the operator continued guiding the intrusion. However, the ratio between human commands and generated commands reflects how much work could be delegated.

Incident IndicatorData Collected
Affected agencies9
Operator instructions1,088
Commands executed by AI5,317
Attack sessions34
Cited toolsClaude Code and GPT-4.1

The report also analyzes VoidLink, a command and control platform of about 88,000 lines of code, reportedly created by a single person in less than a week with AI-assisted development tools. Initially, researchers thought it was a project developed by a team over several months.

These examples do not eliminate the need for technical knowledge. A model can generate vulnerable code, misinterpret a response, or lose control of a session. The attacker still needs to understand the environment and fix errors. AI reduces—but does not remove—the entry barrier.

The implication for defenders is an acceleration of known operations. If recognition, tool generation, and data analysis run in parallel, an intrusion can progress faster than manual review, escalation, and authorization processes in many organizations.

Agents turning websites, documents, and MCPs into attack surfaces

The same ability to use tools opens new vulnerabilities. An AI that only returns text has limited scope. An agent connected to email, repositories, terminals, or databases can perform actions with direct consequences.

One major risk is indirect prompt injection. An attacker inserts instructions within a website, document, email, or data returned by another application. When the agent processes this content, it may mistake malicious instructions for legitimate commands.

Check Point recorded an approximate fivefold increase in detections of extensive malicious loads from March to May 2026. In the last analyzed month, about 1% of observed prompts fell into this category. The company interprets this growth as indicative of increased indirect attack flows and agent-based flows, though a long prompt alone does not prove malicious intent.

Entry PointRisk to an Agent
Web pageHidden instructions in text, comments, or metadata
EmailInjected instructions in messages or attachments
DocumentManipulation during summarization or analysis
Code repositoryTampered configuration files
MCP serverVulnerable or overly-permissive tools
Development extensionTheft of credentials and supply chain risks

The Model Context Protocol (MCP) warrants special attention because it connects models with data and tools. Check Point reports security issues in 40% of 10,000 MCP servers examined. This figure includes various vulnerabilities, not all of which are immediately exploitable.

The investigation also found configuration files for Claude Code published accidentally in 428 out of 46,500 reviewed packages. About one in thirteen contained active credentials, including repository keys and development service credentials.

Risks increase when an agent has broad permissions to save steps for the user. Manipulated instructions may have little effect on an isolated chatbot but could cause it to read files, install software, or send information when it has tools.

Therefore, agent security cannot rely solely on filtering questions. It must also control identities, permissions, connectors, activity logs, and permitted actions. Each added tool extends the system’s capabilities and also the potential damage if it misinterprets a malicious command.

Everyday data leaks surpass sophisticated attacks

The report indicates that much of the corporate exposure does not come from intrusions but from routine use of generative applications. Employees provide context to obtain more accurate answers and may include source code, credentials, personal information, or internal documents.

Between October 2025 and May 2026, analyzed organizations used an average of ten AI applications per month. The number of prompts per user rose from 56 in December to 70 in May, with 87% to 93% of companies recording at least one high-risk interaction monthly.

Business Use IndicatorResult
AI applications per organization/month10
Prompts per user in December 202556
Prompts per user in May 202670
Organizations with monthly high-risk interactionsBetween 87% and 93%
Prompts with sensitive data at start2%
Prompts with sensitive data at end4%

The proportion of prompts classified as high-risk doubled from 2% to 4%. Practically, this means going from one problematic interaction every 50 to one every 25.

The business sectors with the highest average rates were services at 5.91%, wholesale distribution at 5.47%, telecommunications at 4.06%, and software at 3.52%. These figures come from Check Point telemetry and do not necessarily represent all companies within those sectors.

Identity also loses effectiveness as a sole control measure. The report cites a test where trained reviewers correctly identified about 41% of AI-generated faces. Untrained participants scored nearly 30%. A face, voice, or video call alone is no longer sufficient as an independent identity proof.

For technical teams, the most immediate change is not the emergence of a fully autonomous attacker but the convergence of three trends: faster offensive operations, business agents with tool access, and increasing data sharing with external services.

Check Point organizes its recommendations around protecting AI systems themselves, using AI for machine-speed responses, and controlling the applications employees use. This approach aligns with their commercial portfolio, so separate technical data from the report and the vendor’s solutions.

Frequently Asked Questions

Can AI carry out a cyberattack completely on its own?

Documented cases keep a person in command. AI can execute many steps between interventions but still needs targets, access, and supervision.

What is indirect prompt injection?

It’s a malicious instruction hidden within content that the agent consults, such as a website, email, or document. The model might interpret it as a command and use its tools to execute it.

Why does MCP increase the attack surface?

MCP connects models to files, services, and applications. Insecure configurations or excessive permissions can allow manipulated instructions to reach external systems.

What is the most common risk for a company?

Daily use of AI tools. The report detected an increase in prompts containing corporate, personal, or regulated data, even without an actual attack.

via: Open Security

Scroll to Top