AI Agents Enable Adaptive Computer Worms
Abstract: A computer worm is malware that spreads on a network by replicating itself from one machine to another. Traditional worms, like WannaCry, exploited predetermined vulnerabilities, and their spread can be halted by patching those vulnerabilities. Here we show that AI agents enable a fundamentally new threat: a worm that generates tailored attack strategies to each target it encounters. The worm parasitically uses compromised machines to run open-weight LLMs to sustain its reasoning, or extend its reach for further attacks. Deployed on a network of machines spanning Linux, Windows, and IoT (Internet of Things) devices, the worm propagated by exploiting common, real-world corporate network vulnerabilities. Since the worm is powered by stolen compute, the attacker's marginal cost per new infection is zero. This creates a destabilizing economic asymmetry between attackers and defenders. Moreover, because the worm requires no commercial AI platform, centralized safety controls, such as service refusals or rate limiting, are structurally irrelevant. Our results demonstrate that self-sustaining AI-driven cyber-threats are no longer theoretical. We must prepare for autonomous generative adversaries: malware systems that propagate without human operators and are defined not by fixed exploit code, but by the capacity to reason about targets, adapt to observations, and synthesize attack logic in real time.
Paper Prompts
Sign up for free to create and run prompts on this paper using GPT-5.
Top Community Prompts
Explain it Like I'm 14
What is this paper about?
This paper shows a new kind of computer threat: an AI-powered computer worm that can think and adapt as it spreads. A “worm” is a kind of malware that moves from one computer to another on a network by copying itself. Old worms used a fixed set of tricks; once those were patched, the worm stopped. This new worm uses an AI agent (a LLM, or LLM—think of it like a very smart text-based assistant) to study each target and come up with a custom plan on the spot. It can even run the AI on the computers it takes over, so it doesn’t need to call any company’s AI service.
What questions did the researchers want to answer?
The team asked simple but important questions:
- Can an AI agent power a worm that adapts its attack for each new computer it meets?
- Can such a worm run only on open, local AI models (no commercial AI platform) and keep spreading on its own?
- Will this work across mixed networks (Linux, Windows, and smart/IoT devices) with everyday, real-world weaknesses?
- Could it quickly use newly published security warnings to launch attacks, even if the AI wasn’t trained on that new info?
- What does this mean for the “economics” of cyberattacks—especially if each new infection costs the attacker basically nothing?
How did they study it?
The researchers built a careful, limited “proof-of-concept” and tested it safely.
Safe testing and ethics
- They ran everything inside a sealed virtual lab network with strict controls and no open internet access.
- They told their university and government partners, redacted dangerous details, and didn’t add stealth features (like hiding its tracks).
- Their goal was to show the risk clearly, not to release a ready-to-use harmful tool.
How the AI worm works (in everyday terms)
Imagine a robot burglar that:
- Scouts the neighborhood,
- Tries a way in,
- Gains full control of a house,
- Sets up a copy of itself there,
- Uses that house’s tools to scout and reach more houses.
That’s the basic idea. The AI agent is given structure and guardrails so it doesn’t get confused:
- It moves through phases like “discover the network,” “probe one host,” “get a first foothold,” “gain higher privileges,” and “replicate.”
- In each phase, it follows a small reasoning loop: plan, critique, act, summarize, and check progress.
- It uses memory to keep track of what worked and what failed, so it doesn’t repeat mistakes.
- It uses “tools” for common tasks (like opening remote sessions or moving files) so it doesn’t have to write every command from scratch.
- It uses “skills” (like mini reference cards) that add just-in-time tips specific to what it’s seeing, without overwhelming its short memory window.
Running the AI on stolen compute
- If it takes over a machine with a graphics card (GPU), it installs a small, open AI model there and uses it to think locally.
- If it takes over a simpler device (like an IoT gadget), it asks an already-compromised GPU machine for help with the “thinking.”
- This way, the worm doesn’t rely on any commercial AI service that could cut it off—its AI runs on the machines it’s captured.
The test network and experiments
- They set up 15 separate trials on an isolated network with 33 devices: Linux servers, Windows systems, and IoT devices.
- The network had common, realistic vulnerabilities and misconfigurations that companies often have.
- Each trial ran for up to 7 days with no human help once started.
What did they find and why does it matter?
Main results across the trials:
- On average, the worm correctly identified about 31 vulnerabilities per run and fully compromised about 23 hosts.
- It successfully spread (replicated) to about 20 hosts per run, sometimes reaching 7 “generations” of copies.
- That means, on average, it exploited roughly 74% of the network and managed to replicate to about 62% of devices in each trial.
Other key findings:
- It used newly published security advisories to attack vulnerabilities that appeared after the AI’s training cutoff. In plain words: even if the AI hadn’t “learned” about a specific issue during training, it could read public info at runtime and turn that into a working attack.
- Because the worm runs its own AI on infected machines, the attacker’s extra cost for each new infection is basically zero. That creates a big economic advantage for attackers.
- Traditional “centralized” safety controls (like rate limits on commercial AI APIs) don’t help here, because the worm doesn’t need those services at all.
Why this matters:
- Patching one specific weakness may not stop an adaptive worm that can just change tactics.
- The speed from public warning to attack shrinks—organizations might not patch fast enough.
- Combined, this could change how common and widespread certain attacks become.
What could this mean for the future?
- Defenders need new strategies to spot and slow AI-driven, adaptive malware. The authors suggest:
- Better detection methods for agent-like behavior across networks.
- Reducing the “attack surface” by quickly finding and fixing common misconfigurations.
- Wider use of zero-trust and network isolation so one compromise doesn’t easily spread.
- The research community needs standards and safe testing environments to study these threats responsibly.
- Policymakers and organizations should plan for “generative adversaries”: automated, self-replicating malware that can reason, adapt, and act without human oversight.
In short, the paper’s message is that self-sustaining, AI-driven worms have moved from theory to reality in controlled tests. That doesn’t mean widespread outbreaks are happening now, but it does mean we should prepare—technically, organizationally, and legally—for malware that can think on the move.
Knowledge Gaps
Knowledge gaps, limitations, and open questions
Below is a single, concrete list of what remains missing, uncertain, or unexplored, framed to guide actionable follow-on research.
- External validity under active defense: No evaluation against real-world enterprise controls (EDR/XDR, NIDS/NIPS, endpoint hardening, application whitelisting, egress filtering, DNS controls, golden image re-provisioning, patch SLAs, SOC response). Quantify propagation when such controls are present.
- Assumed vulnerability density: Each host was seeded with at least one exploitable weakness. Measure worm performance in sparse-vulnerability networks with realistic benign noise and mixed host hardening.
- Stealth, persistence, and OPSEC omitted: The prototype intentionally lacks evasion, persistence, lateral movement stealth, polymorphism, and log tampering. Characterize detectability, trade-offs, and propagation impact when these are added or defended against.
- Internet access realism: Internet use was simulated via a local package cache. Evaluate behavior with real-world package repos, rate limits, mirrors, takedowns, TLS interception, captive portals, authenticated proxies, and content filtering.
- Platform- and vuln-class breakdowns: Results lack per-OS (Windows/Linux/IoT), per-service, and per-vulnerability-class success/failure analysis. Provide stratified metrics and error typologies to direct defense investment.
- Baseline comparisons: No head-to-head against traditional worms, automated exploit frameworks, or human red-teamers under equal time/constraints. Establish relative advantage and conditions where AI-driven worms dominate.
- Model choice sensitivity: The specific open-weight model(s), size, quantization, temperature, and context window are not disclosed. Map performance to model scale and configuration; identify the minimal viable model that still propagates.
- Harness ablations: Many harness details (reasoning graph nodes, tools, handlers) are redacted. Quantify which components are necessary and sufficient; measure propagation degradation when each is removed or weakened.
- Knowledge base dependency: The curated skill/KB retrieval pipeline is central but under-specified. Assess contribution via ablations, robustness to outdated/missing entries, and susceptibility to poisoning/deception of advisory sources.
- Generalization beyond public disclosures: The worm converted recent advisories into exploits, but its capacity to discover novel (0-day) flaws or subtle logic errors is untested. Design evaluations for unknown-vuln discovery vs. reuse of public PoCs.
- Error, hallucination, and damage rates: No quantification of failed actions that brick services, corrupt hosts, or self-sabotage. Measure collateral damage, rollback needs, and safe-guarding mechanisms.
- Compute acquisition thresholds: Propagation dynamics vs. GPU scarcity are unclear. Determine minimal GPU density, inference latency/bandwidth tolerances, and bottlenecks for remote reasoning nodes in heterogeneous networks.
- Swarm coordination robustness: Reservation/orchestration details are omitted. Test behavior under network partitions, duplicate reservations, conflicting replicas, and Byzantine/compromised nodes; define consistency and failover guarantees.
- Non-persistent replication resilience: Without persistence, survivability across reboots, credential rotation, and routine IT hygiene is unknown. Evaluate long-horizon foothold retention and re-compromise rates.
- Economic modeling: Claims about marginal cost asymmetry lack formal quantification. Model attacker costs (stolen compute availability, discovery time, opportunity cost) vs. defender costs (patching, segmentation, monitoring) under varied scenarios.
- Detection signals and metrics: Proposed detection ideas are not empirically validated. Identify robust telemetry features (tool-use cadence, command sequencing, LLM-like artifacts), build detectors, and report ROC/precision-recall under operational noise.
- Defensive interventions efficacy: No controlled trials of mitigations (network isolation, zero trust policies, rate-limiting, package manager controls, memory forensics, deception/honeypots, LLM bait/prompt-injection traps). Run A/B studies with measurable slow/stop rates.
- Adversarial environments against the agent: Test how deception (fake advisories, honeytokens, induced dead-ends) degrades reasoning and step budgets; characterize agent susceptibility to defensive prompt injection or environment-manipulation.
- On-host AI execution constraints: Explore OS/hypervisor-level measures (GPU access controls, driver signing, cgroups, IOMMU, sandboxing) that restrict on-host LLM execution and their impact on propagation.
- Reproducibility and safe benchmarks: Redactions limit independent validation. Develop a standardized, safely shareable testbed, metrics, and partial artifacts that enable defense research without empowering misuse.
- Patch-window timelines: The paper asserts near-term action on disclosures but lacks time-to-exploit benchmarks. Measure end-to-end latency from advisory release to successful exploitation under realistic operational delays.
- Parameter sensitivity: Step budgets, cooldowns, and rotation heuristics are not systematically tuned. Provide sensitivity analyses linking these parameters to success, speed, and detectability.
- Cross-network and internet-scale behavior: Evaluation is limited to a 33-host single-org network. Examine internet-scale scanning constraints, NAT traversal, IPv6 reachability, ISP-level containment, and cross-domain propagation dynamics.
- Payload trade-offs: Focus is on propagation, not monetization (exfiltration, ransomware). Study how payload goals interact with stealth, dwell time, and detection risk in AI-driven worms.
- Kill-switch and takeover: The worm’s susceptibility to defensive hijacking, authenticated shutdown, or containment via command-channel interposition is unexplored. Design and test practical kill-switches.
- Context-window management impacts: Heuristics for truncation/compression may discard critical facts. Quantify information loss, retrieval miss rates, and improvements from structured memory or external vector stores.
- Internationalization and environment diversity: Tooling/handlers may be brittle across locales, encodings, non-English banners, non-default shells, and atypical filesystems. Measure portability and failure modes across diverse environments.
- Advisory dependence and coverage: Exploitation of 2026 vulnerabilities is demonstrated anecdotally. Conduct large-scale evaluations across a representative corpus of recent CVEs with and without public PoCs to assess coverage and limits.
- Ethical release processes: Planned access controls and test-environment release need concrete criteria, auditability, and community governance. Define standardized vetting, usage agreements, and sunset/patch policies for dual-use artifacts.
Practical Applications
Overview
Based on the paper’s findings, methods, and innovations—particularly the agentic harness (phases, reasoning graph, hierarchical memory, tool handlers, and dynamic skill retrieval), cross-platform propagation, and “parasitic compute” model—below are practical applications. These are grouped as Immediate Applications (deployable now) and Long-Term Applications (requiring further research, scaling, or development). To minimize misuse risk, all applications are framed for defensive, research, governance, and resilience purposes and avoid operational details that could facilitate offensive replication.
Immediate Applications
- Autonomous red-teaming in safe cyber ranges
- Description: Use the paper’s harness design (phases, reasoning graph, memory, tool handlers) to build controlled, sandboxed agents that emulate generative adversaries for enterprise exercises.
- Sectors: software, finance, healthcare, energy, government
- Tools/products/workflows: “Agentic Red-Team Emulator” for cyber ranges; scenario templates for heterogeneous networks (Linux/Windows/IoT); SOC/purple-team drill playbooks; debrief analytics on failure modes and lateral-movement paths.
- Assumptions/dependencies: Availability of safe, isolated ranges and legal/ethical approvals; rigorous containment and monitoring; curated vulnerability seeding.
- Blue-team detection content for AI-driven malware behaviors
- Description: Translate observed behavioral patterns into detection logic (e.g., repeated plan–act–summarize loops, tool-use sequences, cross-host reasoning requests, GPU-local LLM servers, exploit hypothesis rotation).
- Sectors: cybersecurity vendors (EDR/NDR/SIEM), MSSPs, large enterprises
- Tools/products/workflows: SIEM correlation rules for agentic loops; NDR signatures for intra-lan “reasoning queries”; EDR telemetry for long-lived local HTTP servers serving models; GPU process inventory alerts; anomaly scoring of command sequences (scan→exploit→replicate).
- Assumptions/dependencies: Sufficient endpoint/network telemetry; low false-positive tolerance; privacy and performance considerations.
- GPU/AI workload governance in enterprise environments
- Description: Track and govern on-device model execution to counter “parasitic compute” (stolen GPUs hosting local LLMs).
- Sectors: IT operations, MLOps, cloud/on-prem GPU fleet managers
- Tools/products/workflows: GPU workload attestation and allow-lists; agent-based monitoring of model checkpoints and on-disk artifacts; cgroup/container policies limiting GPU access; SIEM enrichment with GPU scheduling logs.
- Assumptions/dependencies: OS- and vendor-level hooks for telemetry; change management to avoid disrupting legitimate AI workloads.
- Vulnerability-management acceleration via advisory ingestion
- Description: Repurpose dynamic skill retrieval to convert newly published advisories into prioritized patch/mitigation steps tailored to local inventories.
- Sectors: enterprise IT, software, managed services
- Tools/products/workflows: “Advisory-to-Action” pipeline that parses CVEs and vendor bulletins and generates host-specific change tickets; automated compensating control suggestions (e.g., temporary firewall rules); patch SLAs driven by exploitability signals.
- Assumptions/dependencies: Accurate CMDB/asset inventory; machine-readable advisories; human-in-the-loop change control.
- IoT/OT microsegmentation and quarantine playbooks
- Description: Use the paper’s demonstration of cross-OS/IoT spread to justify immediate network isolation and egress control for embedded devices.
- Sectors: energy, manufacturing, healthcare (connected devices), smart buildings
- Tools/products/workflows: Default-deny VLANs for IoT; device identity-based policies; egress DNS/HTTP filtering; rapid quarantine automations for anomalous lateral movement.
- Assumptions/dependencies: Device fingerprinting reliability; compatibility with legacy OT; minimal operational disruption.
- SOC training and tabletop exercises focused on generative adversaries
- Description: Update training content to include autonomous, target-adaptive malware scenarios.
- Sectors: all with SOCs/MSSPs
- Tools/products/workflows: Incident-response injects that simulate agentic adaptation; hunt missions for “reasoning node” beacons; after-action reviews emphasizing detection of non-signature-based threats.
- Assumptions/dependencies: Access to simulation tooling and skilled facilitators.
- Asset and exposure management tuned to low-marginal-cost attacks
- Description: Re-prioritize hardening/patching for services where the attacker’s marginal cost approaches zero (e.g., remote management interfaces, unauthenticated web apps).
- Sectors: finance, healthcare, SaaS, government
- Tools/products/workflows: Exposure scoring that weights the “AI-wormability” of services; automated disablement of unused management ports; preemptive isolation of high-risk segments.
- Assumptions/dependencies: Accurate external and internal attack-surface mapping; executive sponsorship for rapid risk reduction.
- Procurement and onboarding controls for GPUs and high-compute endpoints
- Description: Treat GPUs and AI workstations as privileged assets with enhanced controls.
- Sectors: enterprise IT, research labs, media/graphics firms
- Tools/products/workflows: Hardened baseline images; mandatory EDR with GPU visibility; privileged access management for model-serving ports; audit of AI frameworks in use.
- Assumptions/dependencies: Vendor support for GPU telemetry; user acceptance.
- Cyber insurance underwriting and control validation
- Description: Adjust underwriting criteria and control requirements to reflect increased scale of adaptive, low-cost attacks.
- Sectors: insurance, risk management across all industries
- Tools/products/workflows: Evidence of microsegmentation, GPU governance, rapid advisory-to-patch workflows; tabletop validation reports for generative adversary scenarios.
- Assumptions/dependencies: Standardized control frameworks and third-party attestations.
- Household and SME hardening guidance (non-technical)
- Description: Practical steps to reduce exposure to adaptive malware without operational details.
- Sectors: daily life, small businesses
- Tools/products/workflows: Default router isolation for IoT devices; automatic updates; disable UPnP and remote admin; strong unique passwords + MFA; security suites that alert on unusual CPU/GPU usage; routine firmware updates for routers/cameras.
- Assumptions/dependencies: Vendor support for auto-update; simple consumer UX; user awareness.
Long-Term Applications
- Autonomous blue-team agents for continuous hardening
- Description: Apply the harness to defensive agents that discover misconfigurations, propose patches/controls, and verify remediation—under strict policy and guardrails.
- Sectors: enterprise IT, MSPs, cloud providers
- Tools/products/workflows: “Self-healing network” agents with phase-gated actions (discover→recommend→validate) and human-approval checkpoints; fleet-wide misconfiguration remediation campaigns.
- Assumptions/dependencies: Robust guardrails, change windows, rollback automation; formal verification of actions; governance frameworks.
- OS- and hardware-level “AI runtime permissions” and attestation
- Description: System support for declaring, signing, and verifying local model execution; permission prompts akin to camera/microphone access.
- Sectors: OS vendors, GPU/CPU manufacturers, device OEMs
- Tools/products/workflows: Attested AI workload launch; signed model registries; kernel-enforced GPU access mediation; enterprise MDM policies for AI runtime.
- Assumptions/dependencies: Vendor ecosystem coordination; performance and developer experience trade-offs.
- Network-layer detection of agentic control loops
- Description: ML-based behavioral analytics to recognize multi-step plan–act–reflect patterns and cross-host reasoning topologies.
- Sectors: NDR vendors, carriers, large enterprises
- Tools/products/workflows: Graph anomaly detectors for intra-lan “reasoning node” hubs; time-series models for cyclical tool-use sequences; explainable alerts integrated with SIEM.
- Assumptions/dependencies: Privacy-preserving modeling; high-quality labeled data from safe ranges; resilience to adversarial adaptation.
- Machine-readable, actionable vulnerability advisory standards
- Description: Evolve CVE/CVSS ecosystems to include structured mitigation playbooks consumable by automated defenders.
- Sectors: standards bodies, vendors, CERTs, regulators
- Tools/products/workflows: Advisory schemas with environment preconditions, compensating controls, rollback guidance; automated ingestion pipelines in patch management tools.
- Assumptions/dependencies: Broad adoption; backward compatibility; liability considerations.
- Sector-specific “AI adversary” digital twins
- Description: Safe, high-fidelity replicas of hospital, finance, energy, and manufacturing environments for evaluating adaptive threats and defenses.
- Sectors: healthcare, finance, energy/OT, government
- Tools/products/workflows: Pre-built twin templates with realistic device mixes and workflows; accreditation for research and vendor testing; repeatable evaluation benchmarks.
- Assumptions/dependencies: Data de-identification, vendor participation; funding and maintenance.
- Agent-behavior gateways and kill switches
- Description: Policy enforcement points that can halt or quarantine suspected autonomous agent processes based on behavioral rules or attestations.
- Sectors: endpoint platforms, cloud, container orchestration
- Tools/products/workflows: Runtime monitors for agentic patterns; circuit breakers that revoke GPU/Net permissions; progressive containment (throttle, sandbox, isolate).
- Assumptions/dependencies: Low false-positive operation; clear escalation workflows; compatibility with business-critical automations.
- Supply-chain governance for open-weight models
- Description: Provenance, licensing, and integrity controls for model artifacts to prevent unauthorized or tampered deployments.
- Sectors: model hubs, AI tooling vendors, enterprises
- Tools/products/workflows: Signed model distribution with SBOM-like metadata; enterprise model registries; DLP controls for model weights.
- Assumptions/dependencies: Ecosystem standards and cryptographic infrastructure; organizational adoption.
- Education and certification for generative-adversary defense
- Description: Curricula and practitioner certifications focused on defending against autonomous, adaptive threats.
- Sectors: academia, professional training, government
- Tools/products/workflows: Lab modules using safe emulators; blue-team capstones; regulator-recognized certifications for critical sectors (e.g., healthcare, energy).
- Assumptions/dependencies: Access to safe tooling; alignment with workforce development programs.
- Policy and regulatory frameworks for offensive AI research
- Description: Standardized ethics, containment, and vetting processes for dual-use agent research and controlled code access.
- Sectors: policymakers, regulators, academia, industry consortia
- Tools/products/workflows: Accredited testbed registries; mandatory pre-publication risk reviews; cross-border disclosure norms with CERTs.
- Assumptions/dependencies: International cooperation; legal harmonization; balancing openness with misuse prevention.
- Consumer OS features surfacing suspicious AI workload activity
- Description: End-user-visible indicators and controls for unusual local model execution (CPU/GPU/memory/network signatures).
- Sectors: consumer OS and device vendors, security suites
- Tools/products/workflows: “AI Activity” dashboard; just-in-time prompts for first-time on-device model serving; easy quarantine/removal wizards.
- Assumptions/dependencies: Usability, noise reduction; privacy safeguards; partner ecosystem for remediation content.
- Cross-organizational telemetry sharing for AI threat signals
- Description: Federated, privacy-preserving sharing of behavioral indicators related to agentic threats (not signatures of specific exploit code).
- Sectors: ISACs/ISAOs, CERTs, large enterprises, vendors
- Tools/products/workflows: Schemas for behavior-based IOCs; secure enclaves for model training on shared patterns; rapid dissemination channels.
- Assumptions/dependencies: Legal frameworks for data sharing; robust anonymization; incentives to contribute.
Notes on feasibility dependencies across items:
- Many defenses hinge on richer endpoint/GPU/network telemetry, which may require OS/vendor updates and careful privacy/overhead management.
- Behavior-based detection must manage false positives and adversarial adaptation.
- Safe emulation and research require accredited, isolated environments with strong governance.
- To avoid dual-use risk, any automation that can act on systems should be strictly constrained by guardrails, attestation, and human oversight.
Glossary
- agentic framework: The surrounding organizational structure that enables an AI agent to operate via components like planning, memory, and tools. "the surrounding agentic framework"
- agentic harness: A control and support system around an LLM that structures reasoning, tools, and memory to improve reliability and effectiveness. "a systematic agentic harness can compensate"
- attack surface: The sum of a system’s exploitable entry points and weaknesses available to an attacker. "reducing the AI-worm-exploitable attack surface"
- autonomous generative adversaries: Malware systems that use generative AI to reason and adapt without human operators, synthesizing new attack logic. "autonomous generative adversaries"
- beacons: Malware components that maintain persistent access/communication with a compromised host. "deploying beacons (software that gives the worm agent persistent access to a host once it has been compromised)"
- context pollution: The accumulation of irrelevant or noisy content in an LLM’s prompt/history that degrades decision-making. "context pollution between reconnaissance stages"
- context window: The maximum amount of text an LLM can attend to at once in its prompt/history. "shorter context windows"
- dual-use: Research or technology that can be applied for both beneficial and harmful purposes. "dual-use"
- endpoint detection: Security controls that detect malicious activity on endpoint devices (e.g., hosts, servers). "no endpoint detection or active defence software is deployed"
- exponential-backoff: A retry strategy that increases the delay between attempts exponentially to handle transient failures. "exponential-backoff retries"
- foothold: An initial level of code execution or control on a target machine achieved after exploiting an entry point. "foothold exploitation"
- frontier models: State-of-the-art, highly capable AI models typically requiring significant compute resources. "frontier models"
- hypervisor: A virtualization layer that runs and isolates virtual machines and can enforce security controls. "hypervisor-enforced network controls"
- launch attestation: A process for verifying the integrity and state of software or virtual machines at startup. "launch attestation"
- local privilege escalation: Techniques that elevate privileges on a system from a lower level (e.g., user) to higher (e.g., admin) after initial access. "local privilege escalation"
- long-range retrieval: An LLM’s ability to recall and utilize information from far back in its contextual history. "weaker long-range retrieval"
- marginal cost: The incremental cost of one additional unit—here, the extra cost per infected host. "the attacker's marginal cost per new infection is zero."
- multi-agent coordination: Mechanisms that allow multiple agent instances to share information and avoid conflicts. "multi-agent coordination that shares intelligence across instances"
- open-weight LLMs: LLMs whose parameter weights are available for local execution without relying on vendor services. "open-weight LLMs"
- patching-window: The time between a patch’s release and its deployment, during which systems remain vulnerable. "The patching-window implications are acute"
- payload: The code or artifact delivered to a target to achieve a malicious effect (e.g., exploitation, persistence). "payload deployment"
- persistence: A malware capability to maintain access across reboots or over time, resisting removal. "polymorphic code, persistence"
- polymorphic code: Malicious code that continually changes its form to evade detection while preserving behavior. "polymorphic code, persistence"
- privilege escalation: Gaining higher system privileges than initially obtained, often moving to full administrative control. "Privilege Escalation Exploitation"
- reasoning graph: A structured sequence of specialized LLM calls/nodes that plan, act, critique, and summarize to guide decisions. "a structured reasoning graph"
- reconnaissance: Systematic information-gathering on targets to inform subsequent exploitation steps. "based on reconnaissance."
- retrieval system: A component that fetches relevant external knowledge to augment the LLM’s context for decision-making. "A retrieval system further queries a knowledge base"
- single-GPU LLMs: LLMs small enough to run on a single GPU, enabling local deployment. "Single-GPU LLMs exhibit"
- skill system: A modular library that injects context-specific exploitation guidance into the agent’s prompts when needed. "a skill system that injects context-aware pentesting guidance on demand"
- swarm orchestration: Coordination of multiple distributed agent instances so they cooperate efficiently and avoid duplicating work. "Swarm orchestration ensures this through several mechanisms."
- tiered design: An architectural approach that distributes functionality across layers (e.g., compute-rich and low-compute hosts). "This tiered design enables exploitation of heterogeneous targets"
- tool handlers: Programmatic components that interpret raw tool outputs, extract actionable signals, and update persistent findings. "tool handlers offload some of the analytical burden"
- zero-knowledge: Operating with no prior information about the target environment at the outset. "'zero-knowledge' starting configuration"
- zero-trust: A security model that assumes no implicit trust and enforces strict, continuous verification for access. "known zero-trust and network isolation techniques"
Collections
Sign up for free to add this paper to one or more collections.