Introduction: The Shift to Autonomous Attacks

AI systems are moving beyond being tools wielded by human attackers. When AI stops being merely a human-wielded tool and starts running its own campaign, the attack surface fundamentally changes. Autonomous agents do not need sleep, do not lose focus, and do not hesitate between phases of an attack. They plan, retrieve, act, observe, and repeat in a decision cycle stripped of human delay. Understanding these systems is the first requirement for building effective defenses.

‍

What Are Agentic Systems?

Agentic systems use autonomous agents to achieve preset goals by perceiving their environment, algorithmically reasoning, planning, and taking actions involving connected tools. Rather than requiring human developers or hackers at each step, agents are software systems working autonomously across their operational domain. Agent systems are appearing everywhere in society, and these same techniques can be applied to conduct attacks through viral loops, trap friendly agents, and generate increasing persistence.

‍

Viral Agent Loops

Agentic loops concern those instances where autonomous agents act as operators rather than high-level assistants. The typical agentic loop follows a plan, retrieve, act, observe, and repeat cycle. This mirrors the OODA loop from military operations (observe, orient, decide, act), but with a critical difference. Algorithmic processes in agentic loops leave out the cognition and decision phases, directly reducing reaction times. While OODA loops are designed for adaptation, agentic loops are designed to reinforce preset goals.

In the offensive context, an agentic viral loop works when an agent spreads an application or service to achieve a goal. Traditional worms use self-replication to create new versions of themselves, but AI agents can launch new prompts and adjust targets as they spread. Both focus on creating resource exhaustion, but the traditional worm injects malicious binary code while agentic loops use semantic instructions to propagate through instructing language models to take malicious actions.

Recent research suggests viral agent loops act as vectors for self-propagating generative worms without exploiting traditional code-level flaws. These agentic loops happen because agents build context at runtime rather than during build cycles. This means the agentic loops attacking systems may not target underlying vulnerabilities. Instead, the loop focuses on creating vulnerabilities through logical ingestion into other agents or tools by injecting a viral tool or compromised tool across multiple agents.

‍

AI Agent Traps

Recent research has categorized and defined the traps faced by AI agents as they operate in digital environments. The attack surface includes content elements contained within web pages, tools, media, or other digital resources designed to mislead or exploit AI agents. The intention is to coerce the agent into wrongful behavior. The challenge remains that altering the environment rather than the model makes it difficult to detect vulnerabilities in the traditional sense.

‍

Trap Categories

AI agent traps fall into five primary categories:

•   Content Injection: Target perception by exploiting the gap between machine-parsed content and human rendering to hide commands.

•   Semantic Manipulation: Adjust input data to corrupt reasoning and decision-making.

•   Cognitive State: Corrupt the agent's long-term memory, knowledge, and learned behavior.

•   Behavioral Control: Deliver explicit commands to target instruction-following capability.

•   Systemic Traps: Deliver inputs designed to trigger macro-level failures with correlated agent behavior.

These traps challenge security processes by acting outside the traditional detection scope. Traditional security methods examine vulnerabilities during the build process, but agent traps are designed to subvert code after deployment. This creates a fundamental challenge: not just scanners must be built to detect flaws, but any deployed agent must recognize environmental changes and respond appropriately.

Agentic Persistence and Automated Kill Chains

The most significant threat from AI attacking systems lies in their ability to create agentic persistence and automate kill chains. Defense will involve not just opposing a team of human attackers requiring planning and rest, but an agent constantly adjusting and varying attacks to achieve their goals. Most models are not built as adversary tools but are coerced or convinced to contribute over time.
‍

The Claude Code Espionage Campaign

Anthropic reported in November 2025 on the first AI-orchestrated cyber espionage campaign. The attackers, suspected of being a Chinese state-sponsored group, used the Claude Code tool to attempt infiltration against 30 global targets. The agentic orchestration incorporated three critical features: intelligence, agency, and tools. The general model intelligence allowed following complex instructions. Granting agency allowed Claude to act as an agent, create agents, and deploy loops for autonomous actions with chained tasks. Finally, access to tools through the Model Context Protocol enabled the attack infrastructure.

The detected attack used four phases. In phase one, humans selected targets and convinced Claude to engage in the attack through jailbreaking. In phase two, Claude tested vulnerabilities with self-developed code and stole credentials. In the final phases, Claude documented the attack, creating information the hackers used to select additional targets. Critically, Claude conducted 80 to 90 percent of the campaign, with human involvement limited to target selection and initial jailbreaking.

‍

Defending Against Agentic Persistence

Several factors affect defending against agentic attacks. The first critical area involves shadow AI visibility. Much like older shadow IT considerations, enterprises employing agents must know which actions originate from agents and which are agents fulfilling a human's bidding. These policies must expand into AI usage control, where environments define limits for model operations, resources, and actions.

The Claude Code espionage case illustrates what automated kill chains look like at operational scale: humans select the target, then the agent does the rest. As models' capabilities grow and tool access expands, the human attack contribution shrinks further toward target selection and intent, with execution, reconnaissance, lateral movement, and documentation fully agent-delegated. The kill chain does not slow down between phases, and unlike human attackers who must cut and run when detected, a persistent agent can be designed to treat detection as another input and adapt accordingly.

The Shift from Detection to Behavioral Baseline

Defending against agentic persistence requires shifting the security model from event-based detection to behavioral baseline enforcement. Traditional tools catch known bad signatures, but agentic attacks operating through semantic instructions and environmental manipulation will not produce them. Defenders require continuous visibility into agent actions beyond running code: tools called, actions chained to outcomes, and whether agent behavior matches authorized parameters.

This is where runtime observability extends beyond containers and into agent orchestration. The same observability discipline for production applies to deployed AI agents. Shadow AI is not a compliance problem. It is an attack surface. Every unmonitored agent operating within your environment is a potential persistence mechanism that the adversary did not have to build themselves.

‍

The Supply Chain Defense

Agentic attacks succeed fastest where the foundation is weakest. Viral loops exploit bloated, unmonitored software stacks. Traps inject through tools and dependencies that agents trust by default. Automated kill chains move laterally through unused packages and unverified components that accumulate unchecked in production environments.

This is where software supply chain security becomes a direct antidote to AI-driven attacks, not as a compliance exercise but as an operational one. RapidFort's platform reduces the available attack surface before an agent ever reaches it. Curated near-zero CVE images eliminate the vulnerable components that privilege escalation depends on. SBOM-to-RBOM comparison removes packages present in the build but absent at runtime. Continuous daily updates ensure the baseline does not drift between the moment of authorization and the moment of attack. A hardened, minimized container gives an agentic attacker fewer doors. Fewer doors means a slower campaign, more detectable behavior, and more time for defenders to respond.

‍