AI Agents Are Now Running Entire Cyberattacks, Start to Finish
Two separate investigations show that criminals are handing whole attack campaigns to artificial intelligence, cutting the time it takes to ransack a company from weeks to hours.

Key points
- Security firm Sysdig documented a full criminal campaign, named JadePuffer, run end-to-end by an autonomous AI agent in 2025.
- Sysdig's JadePuffer investigation found the AI exploited CVE-2025-3248, a vulnerability in Langflow (a tool for building AI agents), disclosed roughly one year before the attack.
- Security firm Sygnia separately investigated an AI-assisted break-in to a cloud environment where attackers chained weaknesses across application services, storage, code repositories, and databases.
- University of Toronto researchers in early 2025 built a self-replicating AI worm that autonomously found and exploited weaknesses across dozens of simulated systems.
- Experts say most at-risk organisations are not missing AI defences; they are relying on human-speed security teams against machine-speed attacks.
For years, companies have been getting better at catching intruders. Security teams trained harder, bought smarter tools, and shrank the time between "someone broke in" and "we caught them." AI is now erasing that progress.
Two investigations, published within days of each other, show that criminals are using AI agents, which are software programs that can plan, decide, and act on their own, to run attacks from the very first move to the final ransom demand, with little or no human involvement.
Sygnia, a security firm, investigated a break-in to a company's cloud environment, where the cloud is just remote computer systems rented from a provider rather than owned on-site. The attackers used AI to move through the victim's systems at a pace no human security team could comfortably track. The AI assessed each new foothold, picked the next best target, and adapted its approach on the fly, whether it landed on a virtual server, a file-storage bucket, or a software-build pipeline.
Sysdig looked at a separate criminal campaign it called JadePuffer. An autonomous AI agent carried out the whole operation: stealing login credentials (usernames and passwords stored on systems), mapping out internal services, and locking in multiple access points so the criminals could stay inside even if the victim tried to kick them out. The goal in both cases was extortion: pay up, or we release your data and prove we still own your network.
How did the attackers get in?
Neither attack needed exotic, previously unknown security flaws. JadePuffer walked through a door that had been left open for a year: CVE-2025-3248, a flaw in a software tool called Langflow that, ironically, is designed to help people build AI agents. The Sygnia attackers found an AWS key, which is a digital password that unlocks a company's rented cloud resources, sitting exposed inside a web application. From there, AI automation did the rest.
This is the pattern that worries experts most. The criminals did not need genius. They needed patience and a cheap AI subscription.
"The skill floor for running a ransomware operation dropped to the cost of running an agent," Dray Agha of security firm Huntress told CSO Online. More attackers, lower costs, faster strikes.
The speed matters enormously. Historically, intruders spent weeks quietly exploring a network before striking, giving defenders time to spot them. The AI-assisted attacks documented by Sygnia compressed multiple stages of intrusion into a timeframe too short for human analysts to catch and contain.
For ordinary people whose data sits inside companies facing these threats, the immediate practical steps are familiar but genuinely useful. Watch for unexpected password-reset emails or login alerts. If a company you use announces a breach, change your password there and anywhere you reused it, and turn on two-step verification (where a service texts or emails you a second code before letting you log in) wherever it is offered.
For organisations, the defensive answers are less glamorous than AI: patch known flaws fast, rotate secrets and credentials regularly, and give staff and systems only the access they actually need. AI-powered detection tools help, but only when they are properly connected to the teams and processes that can act on their alerts.



