In March we asked, "Who's pentesting the agents?". Two months on, the answer is clearer. And worse than the question implied. Two attributed disclosures already on the record this year show AI transitioning from advisor to operator in offensive cyber operations. Both have named victims, named platforms, and timelines you can audit.
Disclosure 1: AWS / FortiGate, Feb 20, 2026
AWS CISO CJ Moses disclosed that between January 11 and February 18, 2026, a Russian-speaking, financially motivated threat actor compromised over 600 Fortinet FortiGate firewalls across 55+ countries in a five-week campaign. The attacker used commercial LLMs (reportedly DeepSeek and Anthropic Claude, drawn from independent reporting by Cyber and Ramen) to orchestrate credential harvesting, network reconnaissance, exploit selection, and lateral-movement planning at machine speed.
There were no zero-days. The campaign exploited exposed FortiGate management interfaces on common ports (443, 8443, 10443, 4443), weak credentials, and missing MFA. The point isn't that AI invented a new exploitation primitive. The point is that AI orchestrated a campaign at a scale and cadence that previously required a coordinated human team.
Disclosure 2: Anthropic GTG-1002, Nov 2025
Anthropic disclosed that a Chinese state-sponsored actor (designated GTG-1002) used Claude Code in mid-September 2025 to run an espionage campaign against approximately 30 large tech companies, financial institutions, chemical manufacturers, and government agencies. Anthropic's report attributes 80–90% of the operational tactical work, reconnaissance, exploitation, credential harvesting, lateral movement, data exfiltration, to the AI agent itself. Human operators were limited to target selection and strategic approval.
This is the first publicly documented case where AI did not just advise an attack. It executed the majority of it.
Why Defenses Aren't Ready
- Detection assumes human cadence. SOC playbooks calibrate alert thresholds for human attackers. AI-orchestrated reconnaissance runs in seconds and pivots in milliseconds. Your "unusual login pattern" alarm fires after the campaign is over.
- Rate limits weren't designed for this. AI orchestration can drive thousands of simultaneous, well-formed sessions from rotating infrastructure. Your "5 failed logins per minute" rule is performance art.
- Patch windows haven't shrunk. When attackers can weaponize a CVE in 10 hours (see Marimo and Langflow) and now drive AI-orchestrated global campaigns, "we patch within the SLA window" is a quaint policy.
- Identity and supply-chain risk compound. Combine AI-orchestrated attack tooling with an OAuth pivot like the Vercel breach, and you have an attacker that can identify, exploit, and pivot at speeds your IR team can't match.
What "Pentesting the Agents" Means Now
It's no longer enough to test AI agents you deploy. You also need to test your defenses against AI-driven adversaries. That means:
- Adversarial agent simulation: Red-team your environment with autonomous agents. If your detection can't catch a benign agent, it definitely won't catch a malicious one.
- Velocity-aware detection: Build alerts that look at session topology and behavioral velocity, not just per-event thresholds.
- Identity-graph hardening: Map every OAuth grant, every service-account-to-resource edge, every credential boundary. The agent's job is to traverse that graph faster than you can audit it.
- Continuous, autonomous validation: Periodic human pentests can't keep up. Defense at machine speed requires testing at machine speed.
The Xploitix Take
The "AI vs AI" framing isn't marketing. It's the operational reality of 2026. Both disclosures above are documented, attributed, and made public by the platforms involved. The defender's question has shifted: it's no longer "do I have vulnerabilities?" Now it's "can my detection and response keep up with an attacker that doesn't sleep, doesn't tire, and runs hundreds of campaigns in parallel?" If your security validation cycle is annual, you're already losing.
Sources
- Bloomberg: Hackers Used AI to Breach 600 Firewalls in Weeks, Amazon Says
- The Register: AWS says 600+ FortiGate firewalls hit in AI-augmented attack
- The Hacker News: AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries
- BleepingComputer: Amazon, AI-assisted hacker breached 600 FortiGate firewalls in 5 weeks
- OECD.AI Incidents Database: AI-Driven Cyberattacks Breach 600+ Firewalls Globally
- Anthropic: Disrupting the first reported AI-orchestrated cyber espionage campaign (GTG-1002)
- Anthropic: GTG-1002 full report (PDF)