My startup is building agents for automating pentesting. We started experimenting with Llama 3.1 last year. Pentesting with agents started getting good around Sonnet 3.5 v1.

The switch from Sonnet 4 to 4.5 was a huge step change. One of our beta testers ran our agent on a production Active Directory network with ~500 IPs and it was able to privilege escalate to DA within an hour. I've seen it one-shot scripts to exploit business logic vulnerabilities. It will slurp down JS from websites and sift through for api endpoints, then run a python server to perform client side anaysis. It understands all of the common pentesting tools with minor guard rails. When it needs an email to authenticate it will use one of those 10 minute fake email websites with curl and playwright. I am conservative about my predictions but here is what we can learn from this incident and what I think is inevitably next:

Chinese attackers used Anthropic (a hostile and expensive platform) because American SOTA is still ahead of Chinese models. Open weights is about 6-9 months behind closed SOTA. So by mid 2026 hackers will have the capability to secretly host open weight models on generic cloud hardware and relay agentic attacks through botnets to any point on the internet.

There is an arms race between the blackhats and private companies to build the best hacking agents, and we are running out of things the agent CAN'T do. The major change from Claude 4 - Claude 4.5 was the ability to avoid rate limiting and WAF during web pentests, and we think that the next step for this is AV evasion. When Claude 4.7 comes out, if it is able to effectively evade anti-virus, companies are in for a rude awakening. Just my two cents.

Skipping over the cringe writing style, I really don't get the hate on Anthropic here. What would people want from them? Not disclose? Not name names? I'm confused how that would move the field forward.

At the very least, this whole incident is ironic in that a chinese threat actor used claude instead of the myriad of claude killers released in china every other week.

At another level this whole thing opens up a discussion about security, automated audits and so on. The entire industry lacks security experts. In eu we have a deficit, from bodies in SOCs to pen-testers. We definitely could use all the help we can get. If we go past the first wave of "people submit bullshit AI generated reports" (which, for anyone that has ever handled a project on h1 or equivalent, is absolutely nothing new - it's just that in the past the reports were both bullshit and badly written), then we get to the point where automated security audits become feasible. Don't value "reports", value "ctf-like" exercises, where agents "hunt" for stuff in your network. The results are easily verified.

I'll end on this idea that I haven't seen mentioned on the other thread that got popular yesterday: for all the doomerism that's out there regarding vibe coding and how insecure it is, and how humans will earn a pay check for years fixing vibe coded projects, here we have a bunch of companies with presumably human devs, that just got pwned by an AI script kiddie. Womp womp.

> How about, “which parts of these attacks could ONLY be accomplished with agentic AI?” From our little perch at BIML, it looks like the answer is a resounding none.

Lost me right out of the gate. It doesn't matter if only agentic AI could have found it. Any attack could be found by somebody else, what matters is that isn't a human sitting there hammering away for hours. You can just "point and shoot."

I don't understand how anyone could think that the step change from "requiring expensive expertise" to "motive and money to burn" is not massive in the world of security.

It would be like looking at the first fully production AI infrantry and saying "yeah, well, someone else could do that."

from the "cybersecurity implications" conclusion section at the end of the anthropic report:

> This campaign demonstrates that the barriers to performing sophisticated cyberattacks have dropped substantially—and we can predict that they’ll continue to do so.

this is the point. maybe it's not some novel new thing, but if it makes it easier for greater numbers of people to actually carry out sophisticated attacks without the discipline that comes from having worked for that knowledge, then maybe it's a real problem. i think this is true of ai (when it works!) in general though.

Article doesn't say much. Nor does the Anthropic article.

AI as a power tool for attackers does provide additional attack power. Even if it can't do anything new, it can do a lot of existing stuff and follow up on what's working. Which is often enough to get the job done. Plus, like all programs, it's fast, patient, and can be parallelized. "Agentic AI" provided with a set of hacking tools it can run is somewhat scary.

This isn't what I got from the Anthropic article.

It's the fact that somebody like NSO Group could create a Pegasys in much faster time without humans in the loop.

Write down everything your most brilliant hacker minds know - put it in some documents, feed it do the AI with the workflow you usually do and let 50 AI agents do them all at the same time.

Put the information in the documents about how you thought to come up with those exploits, how you tested them, how you explored the possibility. Tell the AI to do that too.

We're talking about speed and scale, not some dismissive "script kiddies were doing this in the 90s".

Yes, we were. But not at this scale - and this is just the early days of this sort of thing.

AI hype is real, but we ought to start also examining anti-AI-hype-hype. It's become fashionable to rage against AI as a whole with about the same amount of understanding that the MBA hype edgelords have when they push AI as a cure-all, and both are a bad look.

To balm the enraged; look, I agree with you, the hype is indeed out of control. But like, let the vultures spend all their monies. Eventually the bubble itself will go the way of NFTs and we'll all be able to buy GPUs and SSDs again. Hopefully.

That said, there's an important chunk of discourse that gets shouted down and it really shouldn't. For just a moment, table the issues that come out of "AI as an Everything Replacement" and think of the new things that come out of this tech. On-demand tutors that never tire. Actually viable replacement for search. Large heterogenous datasets can now be rapidly parsed, by an individual, for specific insights. Personal dev teams at a fraction of the cost that now make it possible for people with absolutely bugfuck ideas to actually try them without worrying about wasted time or resources - we are going to see a vibrance in the world that was not there before.

It is not an unqualified or unmitigated good. Hell, I'll even grant that it may be a net negative - but I don't know either way, and I don't think anyone else does either. Not with any significant confidence. It just feels like we've skipped the part of the discussion where discourse occurs and gone right to "Pro" and "Anti" camps with knives at throats and flushed, sweaty faces.

LLMs are already pretty good at brute force security testing. They aren’t “polite” pen testers.

I recently used an LLM to win a CTF at work (there were no rules against AI, but I bet there will be next year). I felt a little bad, at the end, when they demoed the intended hacks and, for a couple of them, it was the first time I saw the home page. If it could quickly hack it with just the clue and URL I just let it.

For any serious website it needs a lot more direction, but it will help you along nicely.

I only saw denials twice, over an entire week, and I used three different major LLM agents (Codex CLI, Claude Code CLI, and Gemini CLI).

It took time, I spent something like 20 hours guiding, but if you have the time, and some expertise, the tools are extremely workable.

What the heck is "cyber cyber"? They say that twice...

Whoa there. Asking for evidence from an AI company? That's an unreasonable standard! /s