- The paper introduces an open and reproducible benchmark that evaluates autonomous cyberattack capabilities of state-of-the-art AI models.
- It systematically assesses both web exploitation and post-exploitation phases with detailed real-world vulnerabilities and multi-host dynamics, reporting metrics like Pass@1 and Pass@3.
- The experimental results reveal that while advanced AI agents can execute multi-stage operations, they still struggle with reliable end-to-end compromises due to instability and complex environmental challenges.
AgentCyberRange: A Comprehensive Benchmark for Evaluating Autonomous Cyberattack Capabilities of Frontier AI Systems
Motivation and Background
The increasing offensive capabilities demonstrated by frontier AI models necessitate robust, reproducible, and realistic evaluation of their potential for autonomous cyber operations. While prior benchmarks have measured isolated skills such as CTF solving, vulnerability reproduction, and exploit generation, these tasks abstract away the operational complexity and workflow structure inherent in real multi-stage cyber attacks. The lack of open, scalable, multi-host infrastructure limits the community's ability to observe, quantify, and anticipate emergent offensive behaviors in AI systems under end-to-end adversarial conditions.
AgentCyberRange addresses this critical gap by introducing the first open benchmark suite and execution pipeline designed for evaluating autonomous cyberattack capabilities of state-of-the-art AI agents in realistic web and multi-host enterprise environments. The benchmark models the operational workflow of real-world pentesting, spanning discovery, initial foothold, escalation, lateral movement, and defense evasion. It enables systematic, fine-grained measurement of AI systems' capacity to detect and exploit diverse vulnerabilities and to progress through complex internal attack paths.
Benchmark Structure and Design
AgentCyberRange comprises two core tracks, each designed with operational fidelity and diversity:
Web Exploitation (WebExploitBench):
This track includes 15 real-world web applications covering 110 vulnerabilities (18 zero-day, 56 one-day, 36 synthetic). Vulnerability classes span SQLi, SSRF, XSS, broken access control, RCE, and more. The agent must discover endpoints in a black-box manner and demonstrate valid exploitation—mere generation of PoCs is insufficient. The tasks are constructed to require extensive exploration and to prevent overfitting to public exploit patterns.
Post-Exploitation (PostExploitBench):
Eight enterprise-like, Dockerized cyber ranges totaling 156 internal hosts evaluate agents’ capacity for lateral movement, privilege escalation, credential use/discovery, tunneling, defense evasion, persistence, and multi-host chained exploitation. Each range includes realistic topology with DMZs, segmented internal networks, layered defenses, honeypots, and decoys, intentionally reflecting the complexity and nondeterminism observed in real enterprise intrusions.
The benchmark stratifies task difficulty across three levels by manipulating the granularity of environment and vulnerability hints, facilitating probe of both open-ended exploration and exploit synthesis in highly informed regimes.
Figure 1: The archetypal cyberattack workflow captured by AgentCyberRange, spanning reconnaissance, web exploitation, post exploitation, and reporting, with concrete examples of endpoint discovery, exploitation, lateral movement, and privilege escalation.
Evaluation Pipeline and Methodology
AgentCyberRange introduces CAGE, a modular execution pipeline supporting heterogeneous agents and scalable, isolated testbed instantiation. Key architectural elements include:
Experimental Results
Six representative state-of-the-art coding and pentest agents were evaluated under matched prompts and budgets. In aggregate:
GPT-5.5 with Codex achieved 19.1% Pass@1, 16.1% Pass@3 (Avg.), and 28.2% Pass@3 (Max) under the most challenging, hintless setting (Level-0). Performance increased to 33.0% Pass@3 (Avg.) when detailed vulnerability hints were supplied (Level-2).
GPT-5.5 reached 31.7% Pass@1/Avg. and 43.9% Pass@3 (Max) under Level-0, rising to 46.3% under Level-2. Substantial run-to-run variance and sensitivity to environmental complexity was observed for all agents.

Figure 3: Overall success rates (Pass@3, average and max) for all systems across web exploitation and post-exploitation tasks, showing distinct performance separation but broad margins for improvement; GPT-5.5 with Codex leads, particularly under increased hint granularity.
Behavioral Analysis and Bottlenecks
- Exploration vs. Exploitation: Agents primarily used general-purpose tools (curl, python3) for probing; only the most capable (GPT-5.5) consistently employed specialized endpoint-discovery utilities (e.g., ffuf), supporting improved coverage.
- Multi-Step Reasoning: Agents showed the ability to perform chained actions—compromising a perimeter service, extracting credentials, pivoting internally—but often failed to fully synthesize complex multi-stage chains, especially under defensive perturbations.
- Variance and Failure Modes: High run-to-run variance reflected non-deterministic exploration. Failure to reach deep or obfuscated endpoints and non-systematic post-compromise knowledge extraction (e.g., not retrieving downstream credentials) were the predominant barriers.
- Out-of-Benchmark Discoveries: Agents occasionally identified previously unknown vulnerabilities ("zero-days"), confirming that the benchmark tasks provide unconstrained scope for emergent attack behaviors from frontier models.
Figure 4: Behavioral breakdown of web exploitation actions for major agents; GPT-5.5 uniquely leverages advanced endpoint-discovery tooling, correlating with higher unique vulnerability discovery rates.
Figure 5: Mapping of post-exploitation actions into MITRE ATT&CK tactics; most effort is expended on reconnaissance and exploitation, but advanced agents execute credential and anti-virus evasion steps.
Difficulty Stratification
In web exploitation, endpoint discovery emerges as the dominant bottleneck; explicit URL hints increase Pass@3 by over 20 percentage points. In post-exploitation, detailed vulnerability hints (Level-2) give the largest performance jump, evidencing substantial search space reduction.
Figure 6: Success rates as a function of difficulty level (hint granularity), emphasizing the criticality of attack-surface discovery and multi-host reasoning in agent performance.
Case Study: Multi-Stage Internal Compromise
GPT-5.5 demonstrated the ability to compromise segmented networks by chaining privilege escalation, credential recovery, tunneling, and escalation across multiple services and hosts.
Figure 7: Example trajectory of a successful multi-stage post-exploitation attack by GPT-5.5, combining exploitation, lateral movement, credential reuse, and defense evasion, but failing to achieve full environment compromise.
Implications and Limitations
The results indicate that current frontier AI systems can autonomously execute realistic cyber operations beyond trivial vulnerability exploitation—progressing through discovery, exploitation, lateral network traversal, privilege escalation, and (occasionally) defense evasion. However, reliable end-to-end compromise remains elusive: agents miss hidden surfaces, demonstrate instability across runs, and lack disciplined, stealth-oriented tradecraft as observed in expert penetration testers.
These findings imply:
- Evaluation of offensive AI capability must include complex workflow benchmarks; single-bug or flag-based scoring substantially underestimates the operational potential and limitations of current models.
- Defense planning and policy must begin accounting for AI-accelerated adversaries capable of traversing web-to-internal boundaries and adapting dynamically to observed defenses.
- Open benchmarks with high environmental fidelity are essential for meaningful capability tracking, safety evaluation, and responsible model release governance.
Notably, AgentCyberRange does not address all potential cyberattack modalities (e.g., cloud abuse, social engineering, supply chain), nor does it measure defender-aware or truly adaptive adversarial learning under blue-team pressure. Evaluated results are bounded by toolkits, prompts, and execution budgets.
Conclusion
AgentCyberRange establishes a comprehensive, open, and reproducible infrastructure for benchmarking the autonomous cyberattack capabilities of frontier AI models. By capturing both web exploitation and post-exploitation stages in realistic, modular cyber ranges, the benchmark makes it possible to systematically evaluate, compare, and audit the progression of offensive AI capabilities. Experimental results highlight both tangible risk—realistic exploitation, multi-host compromise, adaptive payload mutation—and significant unsolved challenges—instability, incomplete attack chaining, and suboptimal exploration.
Figure 8: Example topology and attack chain for a post-exploitation task, illustrating the multi-host, multi-segment structure that agents must navigate.
AgentCyberRange enables continuous, fine-grained tracking of emergent AI-enabled threats and provides a critical foundation for proactive defense, policy analysis, and future research. As AI-driven offensive capabilities mature, benchmarks of this sophistication will remain essential for responsible development, adoption, and red-teaming of advanced AI systems.