Why the Attacker’s AI Has Already Taken the Human Out of the Loop
The defender, in 2026, has artificial intelligence with a human in the loop. The attacker, in 2026, has artificial intelligence without a human in the loop. Two parties, the same technology, two different operational doctrines. The race is asymmetric. This article reads the asymmetry through three documented data points, and proposes the strategic question it forces.
November 2025: Anthropic publishes the disruption of the first AI-orchestrated espionage campaign
In November 2025, Anthropic publicly disclosed the disruption of what the company assessed, with high confidence, to be the first reported state-sponsored cyber espionage campaign in which artificial intelligence handled the majority of tactical operations autonomously. The threat actor, designated GTG-1002, was attributed to a Chinese state-sponsored group. The campaign targeted approximately thirty global organisations, including large technology companies, financial institutions, chemical manufacturers, and government agencies. A small number of intrusions succeeded.
The technical method, as Anthropic documented it, is worth reading carefully. The group did not develop its own offensive AI. The group hijacked legitimate instances of Claude Code, Anthropic’s coding agent. The hijacking method was jailbreaking, the practice of constructing prompts that bypass the safety alignment of a model. The specific jailbreak was elegant. The attackers broke each offensive operation into small, seemingly innocent sub-tasks, each individually compliant with the model’s safety guardrails. The model, having no visibility on the cumulative intent across the chain, executed each sub-task. The chain produced reconnaissance, lateral movement, and credential exfiltration. The model had, throughout, been polite.
The autonomy ratio, as assessed by Anthropic, was eighty to ninety percent. Human operators of GTG-1002 intervened at four to six critical decision points per campaign. The remaining decisions, the ones that previously required a team of skilled offensive operators working over weeks, were taken by the model. The model worked, at the technical layer, at the speed at which a coding agent operates. The technical layer of a hostile reconnaissance campaign had collapsed from weeks to hours.
Anthropic detected the activity in mid-September 2025, mapped the operation across ten days, banned the relevant accounts, notified affected organisations, and coordinated with authorities. The public disclosure followed in November. The cybersecurity industry, on the day of the disclosure, briefly stopped using the phrase “AI agents could one day be weaponised by adversaries”. The phrase had been overtaken by a tense-correction.
May 2026: the Data Breach Investigations Report quantifies the new baseline
In May 2026, Verizon published the annual Data Breach Investigations Report (DBIR), which, in its sixteenth edition, recorded for the first time autonomous AI agents as a distinct breach category. The headline figure: one in eight breaches in 2025 involved an autonomous AI agent on the offensive side. The figure is, by the DBIR’s own methodology, a conservative count. It includes only breaches in which the involvement of an autonomous agent could be conclusively attributed in forensic analysis. The category did not exist in the 2024 edition.
The same report documented the operational consequence of the trend at the vulnerability layer. The time between the public disclosure of a CVE (the standard identifier for a software vulnerability) and the first working exploit observed in the wild has collapsed from approximately seven hundred days in 2020 to forty-four days in 2025. Twenty-eight point three percent of CVEs disclosed in 2025 were exploited within twenty-four hours of disclosure. The bottleneck that, for two decades, had been “weaponisation of disclosed vulnerabilities”, has functionally disappeared. The new bottleneck, where there is one, is “patch deployment by the defender”.
The reader who is familiar with the 2020 DBIR will remember the recurring industry exhortation that defenders should patch within thirty days. The 2026 reality is that a CVE disclosed at nine in the morning is, in twenty-eight percent of cases, being exploited by autonomous tooling by nine the following morning.
Meanwhile, in the vendor briefings
The cybersecurity industry, over the same period, has sold a parallel product narrative. The leading vendors of detection, response, and security operations have positioned, in 2025 and 2026, their AI-augmented platforms as “force multipliers for the defender”, “AI co-pilots for the SOC analyst”, and “the great equaliser between attacker and defender”.
The narrative is, in its product brochure form, accurate. The platforms do provide useful augmentation. The recommendations they generate are, in most cases, plausible. The triage capabilities they offer do reduce the SOC analyst’s queue. The narrative is also, in its operational form, an interesting concession to the regulatory and governance frameworks of the defender’s jurisdiction. Every AI-augmented defensive platform sold in 2026 includes, as a standard feature, a human-in-the-loop control. The platform recommends. The human approves. The action then executes.
The human, the vendor explains in the deck, is in the loop for governance reasons. The human ensures that the AI does not take autonomous adversarial action against legitimate users. The human satisfies the auditor that the framework is responsible. The human ensures that the certifications required by the procurement process are intact. The human, in operational practice, is also a CISO function staff member, with a queue of competing priorities, between two meetings, and a service-level agreement on the review queue that is measured in hours.
The attacker, having read the same product briefings, made a different operational choice. The attacker noted that the human-in-the-loop is an overhead that does not benefit the offensive workflow. The attacker is not subject to the auditor of the defender’s jurisdiction. The attacker has no certification requirements to maintain. The attacker has no governance framework to be aligned with. The attacker took the loop out.
The arithmetic of asymmetry
The cumulative consequence of the three observations above is an arithmetic of asymmetry that is, in 2026, increasingly difficult to ignore.
On the attacker’s side, the AI runs at thousands of vulnerability scan requests per second, in autonomous mode, with four to six human decision points per campaign. On the defender’s side, the AI runs at the speed of the SOC analyst’s review queue, which is measured in human hours. The reconnaissance phase that previously took the offensive operator weeks now takes the offensive AI hours. The detection phase that previously took the defender hours now takes the defensive AI minutes, but only after the SOC analyst has reviewed the queue, which is measured in hours. The race, in operational terms, is between an autonomous attacker and a governed defender. The defender is, by definition, slower.
This is not, in its underlying technology, an unfair race. Both sides have access to comparable foundation models. Both sides have access to comparable agentic frameworks. Both sides have access to comparable tool integrations. The race is unfair only because one of the two parties has accepted a governance framework, and the other has not. The defender’s governance framework is, in 2026, a strategic choice, not a technical constraint. It is a strategic choice that the defender’s regulator, the defender’s auditor, the defender’s insurer, and the defender’s board have collectively, and reasonably, considered worth the operational cost.
The strategic question is whether the operational cost remains acceptable when the attacker, having accepted no equivalent constraint, has reduced the human-in-the-loop to four to six decisions per campaign and let the AI handle the rest.
What the board should ask in the next governance cycle
Three questions deserve to be asked, in the next governance cycle of any organisation whose threat model now includes autonomous offensive AI.
The first question is whether the defensive AI tooling deployed by the organisation has, as a configuration option, an autonomous response mode for a defined subset of well-understood actions, where the autonomous response is faster than any human-in-the-loop equivalent. The configuration may not be acceptable for all action classes. It is increasingly likely to be acceptable, and necessary, for some.
The second question is whether the organisation’s incident response plan includes the scenario of an attacker operating in fully autonomous mode against a defender operating in human-in-the-loop mode, and whether the plan has been tested. The scenario is no longer hypothetical. It was documented in November 2025.
The third question, the strategic one, is whether the board accepts that the governance framework currently applied to defensive AI was designed in a period in which the offensive side was assumed to operate at human speed, and whether that assumption remains correct in 2026. The board’s answer to the third question determines whether the first two questions have any operational consequence.
The cybersecurity industry sold the AI-augmented defender as the great equaliser between attacker and defender. The sales literature was, in its technical claims, mostly accurate. The technology does equalise. What the sales literature did not address, in 2025 or in 2026, is that the equalisation operates only when both parties are running comparable operational doctrines. They are not. One party has accepted a governance framework. The other has not.
The great equaliser, in 2026, is therefore not the technology. The great equaliser is the choice, made implicitly by every defender that has accepted a human-in-the-loop SLA of hours against an attacker that operates without a loop at all.
The defender that keeps the human in the loop is doing the right thing for the governance framework. The defender that keeps the human in the loop is also, in May 2026, running at the speed of the manager’s calendar against an adversary running at thousands of decisions per second. Both statements are true at the same time. The strategic work for the next eighteen months is to make them stop being true at the same time.
All my “insane” books on cybersecurity and governance are here 👉 https://www.amazon.it/stores/author/B0FB47T6Q4/allbooks
Sources: Anthropic, Disrupting the first reported AI-orchestrated cyber espionage campaign; Axios, Chinese hackers used Anthropic’s Claude AI agent to automate spying; The Register, Chinese spies used Claude to break into critical orgs; TechRepublic, Anthropic: Hackers Used Claude to Automate Cyberattack; Token Security, 2026 DBIR Confirms Identity Is the Control Plane for Agentic AI; The Hacker News, 2026, The Year of AI-Assisted Attacks; Palo Alto Networks, 2026 Predictions for Autonomous AI.
