Offensive AI - frontier models as the attacker

The fastest-moving territory. Through 2025 frontier models stopped being advisors in cyber operations and became execution engines.

Illustrative autonomous offensive loop (GTG-1002 shape)
# an orchestrator prompt driving recon -> exploit -> pivot, human only at milestones
goal = (
    "compromise [scoped target]; per host: enumerate, find a service vuln, generate and "
    "run an exploit, harvest creds, pivot, and emit findings as JSON"
)
# the model decomposes the goal, calls scanner/exploit/shell tools, and iterates on failures

Through early 2026 this trajectory continued: independent testing (UK AI Security Institute evaluations, frontier-lab system cards, and third-party red teams) found the newest frontier models markedly better at finding vulnerabilities and generating exploits - strongest on source code, with only marginal uplift on compiled binaries - and defenders began running AI scanners across their own codebases to find bugs first. The consistent independent read: real, meaningful capability uplift, with limits. It built on mid-2025 “vibe hacking” where humans still drove most steps; GTG-1002’s novelty was scale and reduced oversight. Strategic consequence: the barrier to sophisticated attacks dropped, and attacker tempo rose to machine speed.

flowchart LR
  H["Human operator<br/>(few chokepoints)"] -->|"select target, approve"| ORCH["AI orchestrator<br/>agentic coding tool"]
  ORCH --> R["Recon"]
  R --> V["Vuln discovery"]
  V --> X["Exploit generation"]
  X --> C["Credential harvest + priv-esc"]
  C --> L["Lateral movement"]
  L --> E["Data extraction"]
  ORCH -.->|"commodity tools via MCP"| T["pentest utilities"]
  E -.->|"report"| H
  classDef o fill:#241310,stroke:#ff5b4d,color:#ffc4bb;
  classDef h fill:#11161f,stroke:#8fb9ff,color:#c6d4ef;
  class ORCH,R,V,X,C,L,E,T o; class H h;

The human role collapses to “continue / don’t continue” while the agent runs the kill chain at machine speed - what “months compressed to hours” looks like in practice.
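
A defender-side reading of that tempo, as an added example that is not part of the original page: it flags any source whose alerts walk through several stages of the flowchart, in order, inside one short window. The event schema, host names, stage labels and thresholds are assumptions, and the sample events are constructed.

```python
from bisect import bisect_left
from collections import defaultdict
from datetime import datetime, timedelta

# Stage labels mirror the flowchart above; the event schema is an assumption.
STAGES = ["recon", "vuln_discovery", "exploit", "cred_harvest",
          "lateral_movement", "data_extraction"]

# Constructed sample: (timestamp, source, stage) as labelled by upstream detections.
SAMPLE_EVENTS = [
    ("2026-01-10T02:00:05", "host-a", "recon"),
    ("2026-01-10T02:01:40", "host-a", "vuln_discovery"),
    ("2026-01-10T02:03:10", "host-a", "exploit"),
    ("2026-01-10T02:04:55", "host-a", "cred_harvest"),
    ("2026-01-10T02:07:30", "host-a", "lateral_movement"),
    ("2026-01-10T09:00:00", "host-b", "recon"),            # same stages, human pace
    ("2026-01-10T13:20:00", "host-b", "vuln_discovery"),
    ("2026-01-11T10:05:00", "host-b", "exploit"),
    ("2026-01-11T16:00:00", "host-b", "cred_harvest"),
    ("2026-01-10T03:00:00", "host-c", "recon"),            # noisy single-stage scanner
    ("2026-01-10T03:00:20", "host-c", "recon"),
    ("2026-01-10T03:00:40", "host-c", "recon"),
]

def ordered_depth(stage_indices):
    """Length of the longest strictly increasing subsequence of stages (patience sort)."""
    tails = []
    for s in stage_indices:
        pos = bisect_left(tails, s)
        if pos == len(tails):
            tails.append(s)
        else:
            tails[pos] = s
    return len(tails)

def flag_machine_tempo(events, min_stages=4, window=timedelta(minutes=30)):
    """Map each source to its deepest in-order stage chain seen inside one window,
    keeping only sources that reach min_stages. Thresholds are illustrative."""
    by_source = defaultdict(list)
    for ts, source, stage in events:  # an unknown stage label raises ValueError
        by_source[source].append((datetime.fromisoformat(ts), STAGES.index(stage)))
    flagged = {}
    for source, seen in by_source.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            depth = ordered_depth([idx for t, idx in seen[i:] if t - start <= window])
            if depth >= min_stages:
                flagged[source] = max(depth, flagged.get(source, 0))
    return flagged

if __name__ == "__main__":
    print(flag_machine_tempo(SAMPLE_EVENTS))
```

Volume alone does not trip the rule (host-c repeats one stage), and the same four stages spread over two days (host-b) only match if the window is widened to human pace.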