Cyberweapons
- Claim: The first documented AI-orchestrated cyberattack occurred in September 2025, with AI executing 80-90% of operations independently across 30 global targets, achieving attack speeds of thousands of requests per second that are physically impossible for humans. (S: 4.5, I: 5.0, A: 3.5)
- Counterintuitive: Organizations using AI extensively in security operations save $1.9 million in breach costs and reduce breach lifecycle by 80 days, yet 90% of companies lack maturity to counter advanced AI-enabled threats. (S: 3.5, I: 4.5, A: 5.0)
- Quantitative: GPT-4 can exploit 87% of one-day vulnerabilities at just $8.80 per exploit, but only 7% without CVE descriptions, indicating current AI excels at exploiting disclosed vulnerabilities rather than discovering novel ones. (S: 4.0, I: 4.5, A: 4.0)
Cyberweapons Risk
Quick Assessment
| Dimension | Assessment | Evidence |
|---|---|---|
| Severity | High | Critical infrastructure attacks cost $100K-$10M+ per incident; CDK Global attack cost $1B+ |
| Likelihood | Very High | 87% of organizations experienced AI-driven attacks in 2024; 72% year-over-year increase |
| Timeline | Present | First AI-orchestrated cyberattack documented September 2025; AI already integrated in attack chains |
| Trend | Rapidly Increasing | 14% of breaches now fully autonomous; AI-generated phishing up 67% in 2025 |
| Defense Maturity | Moderate | AI saves defenders $1.9M on average but 90% of companies lack maturity for advanced AI threats |
| Attribution | Decreasing | AI-generated attacks harder to attribute; deepfakes up 2,137% since 2022 |
| International Governance | Weak | First binding AI treaty signed 2024; cyber norms remain largely voluntary |
Overview
AI systems can enhance offensive cyber capabilities in several ways: discovering vulnerabilities in software, generating exploit code, automating attack campaigns, and evading detection. This shifts the offense-defense balance and may enable more frequent, sophisticated, and scalable cyber attacks.
Unlike some AI risks that remain theoretical, AI-assisted cyber attacks are already occurring and advancing rapidly. In 2025, AI-powered cyberattacks surged 72% year-over-year, with 87% of global organizations reporting AI-driven incidents. The first documented AI-orchestrated cyberattack, disclosed by Anthropic, occurred in September 2025, demonstrating that threat actors can now use AI to execute 80-90% of cyberattack campaigns with minimal human intervention.
The economic impact is substantial. According to IBM’s 2025 Cost of a Data Breach Report, the average U.S. data breach cost reached an all-time high of $10.22 million, while Cybersecurity Ventures projects global cybercrime costs will reach $24 trillion by 2027. Roughly 70% of all cyberattacks in 2024 involved critical infrastructure.
Risk Assessment
| Dimension | Assessment | Notes |
|---|---|---|
| Severity | High to Catastrophic | Critical infrastructure attacks can cause cascading failures; ransomware disrupts essential services |
| Likelihood | High | Already occurring at scale; 87% of organizations report AI-driven incidents |
| Timeline | Present | Unlike many AI risks, this concern applies to current systems |
| Trend | Rapidly Increasing | AI capabilities improving; autonomous attacks growing as percentage of incidents |
| Window | Ongoing | Both offense and defense benefit from AI; balance may shift unpredictably |
Responses That Address This Risk
| Response | Mechanism | Effectiveness |
|---|---|---|
| AI Safety Institutes (AISIs) | Government evaluation of AI capabilities | Medium |
| Responsible Scaling Policies (RSPs) | Internal security evaluations before deployment | Medium |
| Compute Governance | Limits access to training resources for offensive AI | Low-Medium |
| Voluntary AI Safety Commitments | Lab pledges on cybersecurity evaluation | Low |
How It Works: The AI-Cyber Threat Mechanism
AI fundamentally changes cybersecurity by enabling attacks at machine speed and scale while potentially outpacing human-centered defenses. Understanding the technical mechanisms helps clarify both the threat and appropriate responses.
Technical Mechanism Overview
AI enhances cyber threats through three primary mechanisms:
- Capability amplification: AI makes existing attack techniques more effective (e.g., phishing emails with perfect grammar, context-aware targeting)
- Speed multiplication: AI operates at timescales impossible for humans (thousands of requests per second, real-time adaptation)
- Scale enablement: AI allows attacks against many targets simultaneously with personalized approaches
The Feedback Loop Problem
A critical concern is the potential for AI-enabled attacks to create self-reinforcing feedback loops, in which gains on one side of the offense-defense contest compound further gains.
The offense-defense dynamic depends on which feedback loop dominates. BCG research finds that only 7% of organizations have deployed AI-enabled defenses despite 60% having likely experienced AI-powered attacks, suggesting the offensive loop currently dominates.
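This compounding dynamic can be sketched as a toy model. The growth rates below are invented for illustration (only the 7% adoption figure echoes the BCG statistic); this is a sketch of the mechanism, not a calibrated forecast:

```python
# Toy model of the offense-defense feedback loop (illustrative, uncalibrated).
# Offensive capability compounds with each successful campaign; defensive
# capability grows only in proportion to (lagging) AI adoption.

def simulate(periods=10, offense=1.0, defense=1.0,
             offense_growth=0.30, defense_adoption=0.07):
    """Return the offense/defense capability ratio after each period."""
    ratios = []
    for _ in range(periods):
        offense *= (1 + offense_growth)     # attackers reinvest gains immediately
        defense *= (1 + defense_adoption)   # defenders improve with slow adoption
        ratios.append(offense / defense)
    return ratios

ratios = simulate()
```

Under these assumed rates the ratio widens every period; the point is only that whichever side compounds faster dominates, not the specific numbers.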
Attack Chain Transformation
AI transforms each stage of the cyber attack chain differently:
| Stage | Pre-AI Approach | AI-Enhanced Approach | Speed Increase | Cost Reduction |
|---|---|---|---|---|
| Reconnaissance | Manual OSINT, port scanning | Automated data correlation, pattern recognition | 10-50x | 80-95% |
| Weaponization | Custom exploit development | Automated exploit generation from CVEs | 5-20x | 70-90% |
| Delivery | Generic phishing, spray-and-pray | Personalized, context-aware targeting | 3-10x | 60-80% |
| Exploitation | Manual vulnerability exploitation | Autonomous multi-vector attacks | 100-1000x | 90-99% |
| C2 | Static infrastructure | Adaptive, evasive communication | 5-15x | 50-70% |
| Exfiltration | Bulk data theft | Intelligent data prioritization | 2-5x | 30-50% |
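Taken at face value, the table implies an end-to-end speedup far smaller than the headline per-stage numbers, because stages run in sequence and the least-accelerated ones dominate. A rough worked example, using the midpoints of the speedup ranges above; the baseline stage durations are assumed purely for illustration:

```python
# End-to-end campaign timing from per-stage speedups. Baseline hours are
# assumed for the sketch, not taken from any incident data; speedups are
# the midpoints of the table's ranges.

baseline_hours = {
    "reconnaissance": 40, "weaponization": 80, "delivery": 8,
    "exploitation": 24, "c2": 16, "exfiltration": 8,
}
midpoint_speedup = {
    "reconnaissance": 30, "weaponization": 12.5, "delivery": 6.5,
    "exploitation": 550, "c2": 10, "exfiltration": 3.5,
}

before = sum(baseline_hours.values())
after = sum(h / midpoint_speedup[s] for s, h in baseline_hours.items())

print(f"baseline: {before:.0f}h, AI-enhanced: {after:.1f}h "
      f"({before / after:.0f}x end-to-end)")
```

Even with a ~550x exploitation speedup, the full chain compresses only about 14x in this sketch, an Amdahl's-law effect: total time is gated by the slowest remaining stages.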
How AI Enhances Cyber Offense
AI enhances cyber offense across the entire attack lifecycle, from initial reconnaissance through exploitation to data exfiltration.
AI Capability Assessment by Attack Phase
| Attack Phase | AI Capability Level | Key Metrics | Human Comparison |
|---|---|---|---|
| Vulnerability Discovery | Very High | GPT-4 exploits 87% of one-day vulnerabilities | 10-15x faster than manual analysis |
| Exploit Generation | High | Working exploits generated in 10-15 minutes at $1/exploit | Days to weeks for human researchers |
| Phishing/Social Engineering | Very High | 82.6% of phishing emails now use AI; 54% click-through vs 12% without AI | 4.5x more effective; 50x more profitable |
| Attack Automation | High | Thousands of requests per second; 80-90% of campaigns automated | Physically impossible for humans to match |
| Evasion | Moderate-High | 41% of ransomware includes AI modules for adaptive behavior | Real-time adaptation to defenses |
| Attribution Evasion | High | AI-generated attacks harder to attribute; deepfakes up 2,137% | Unprecedented obfuscation capability |
Vulnerability Discovery
Research from the University of Illinois found that GPT-4 can successfully exploit 87% of one-day vulnerabilities when provided with CVE descriptions. The AI agent required only 91 lines of code, and researchers calculated the cost of successful attacks at just $8.80 per exploit. Without CVE descriptions, success dropped to 7%, an 80 percentage point drop, highlighting that current AI excels at exploiting disclosed vulnerabilities rather than discovering novel ones.
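The per-exploit cost can be read as an expected cost over repeated attempts: if each agent run costs c and succeeds with probability p, the expected cost per working exploit is c/p. A minimal sketch using the reported success rates; the per-run cost is a hypothetical value chosen so the with-CVE case lands near the reported $8.80, not a figure from the paper:

```python
def expected_cost_per_success(cost_per_attempt: float, p_success: float) -> float:
    """Expected attempts follow a geometric distribution with mean 1/p."""
    if not 0 < p_success <= 1:
        raise ValueError("p_success must be in (0, 1]")
    return cost_per_attempt / p_success

RUN_COST = 7.66  # hypothetical per-run cost (USD), chosen for illustration

with_cve = expected_cost_per_success(RUN_COST, 0.87)     # CVE description provided
without_cve = expected_cost_per_success(RUN_COST, 0.07)  # no CVE description

print(f"with CVE: ${with_cve:.2f}, without: ${without_cve:.2f}")
```

The same per-run budget is roughly 12x costlier per success without CVE details (0.87/0.07 ≈ 12.4), one way to quantify the disclosed-versus-novel gap.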
More recent research demonstrates AI systems can generate working exploits for published CVEs in just 10-15 minutes at approximately $1 per exploit. This dramatically accelerates exploitation compared to manual human analysis.
OpenAI announced Aardvark, an agentic security researcher powered by GPT-5, designed to help developers discover and fix vulnerabilities at scale. Aardvark has discovered vulnerabilities in open-source projects, with ten receiving CVE identifiers, demonstrating that AI can find novel vulnerabilities, not just exploit known ones.
Exploit Development
AI can help write malware, generate phishing content, and automate attack code. Language models produce functional exploit code for known vulnerabilities and can assist with novel exploit development.
A security researcher demonstrated creating a fully AI-generated exploit for CVE-2025-32433 before any public proof-of-concept existed, going from a tweet about the vulnerability to a working exploit with no prior public code.
Attack Automation
AI can manage many simultaneous attacks, adapt to defenses in real time, and operate at speeds humans cannot match. Anthropic’s disclosure of the September 2025 attack noted that the AI made thousands of requests, often multiple per second: “an attack speed that would have been, for human hackers, simply impossible to match.”
Autonomous ransomware, capable of lateral movement without human oversight, was present in 19% of breaches in 2025. Additionally, 41% of all active ransomware families now include some form of AI module for adaptive behavior.
Social Engineering
AI has transformed phishing and social engineering at scale:
- 82.6% of phishing emails now use AI in some form
- Microsoft research found AI-automated phishing emails achieved 54% click-through rates compared to 12% for non-AI phishing (4.5x more effective)
- AI can make phishing operations up to 50x more profitable by scaling targeted attacks
- Voice cloning attacks increased 81% in 2025
- AI-driven forgeries grew 195% globally, with techniques now convincing enough to defeat selfie checks and liveness tests
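The 4.5x figure above is simply the ratio of the two click-through rates; at campaign scale, the absolute difference is what matters:

```python
# Relative and absolute effectiveness of AI vs. non-AI phishing,
# using the click-through rates from the Microsoft study.
ai_ctr, baseline_ctr = 0.54, 0.12

uplift = ai_ctr / baseline_ctr   # relative effectiveness
print(f"uplift: {uplift:.1f}x")

# Expected victims per 10,000 messages under each approach.
n = 10_000
ai_victims, baseline_victims = n * ai_ctr, n * baseline_ctr
print(f"per {n:,} messages: AI={ai_victims:.0f}, non-AI={baseline_victims:.0f}")
```

Combined with near-zero marginal cost per message, this absolute gap is what drives the "up to 50x more profitable" claim.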
Current State
AI is already integrated into both offensive and defensive cybersecurity. Commercial security products use AI for threat detection. Offensive tools increasingly incorporate AI assistance. State actors are investing heavily in AI cyber capabilities.
2025 Attack Statistics
| Metric | Value | Change | Source |
|---|---|---|---|
| AI-powered attack growth | 72% year-over-year | +72% from 2024 | SQ Magazine |
| Organizations reporting AI incidents | 87% | — | Industry surveys |
| Fully autonomous breaches | 14% of major corporate breaches | New category | 2025 analysis |
| AI-generated phishing emails | 67% increase | +67% from 2024 | All About AI |
| Deepfake incidents Q1 2025 | 179 recorded | More than all of 2024 | Deepstrike |
| Average U.S. data breach cost | $10.22 million | +9% from 2024 | IBM |
The gap between AI-assisted and fully autonomous attacks is closing rapidly. In 2025, 14% of major corporate breaches were fully autonomous, meaning no human hacker intervened after the AI launched the attack. However, AI models still experience significant limitations—during the September 2025 attack, Claude “frequently ‘hallucinated’ during autonomous operations, claiming to have stolen credentials that did not work or labeling publicly available data as ‘high-value discoveries.’”
Offense-Defense Balance
A key question is whether AI helps offense or defense more. Recent research provides nuanced answers:
Research on the Offense-Defense Balance
| Report | Organization | Key Finding |
|---|---|---|
| Tipping the Scales | CNAS (Sept 2025) | AI capabilities have historically benefited defenders, but future frontier models could tip scales toward attackers |
| Anticipating AI’s Impact | Georgetown CSET (May 2025) | Many ways AI helps both sides; defenders can take specific actions to tilt odds in their favor |
| Implications of AI in Cybersecurity | IST (May 2025) | Puts forward 7 priority recommendations for maintaining defense advantage |
Arguments for offense advantage:
- Attacks only need to find one vulnerability; defense must protect everything
- AI accelerates the already-faster attack cycle—median time-to-exploitation in 2024 was 192 days, expected to shrink with AI
- Scaling attacks is easier than scaling defenses (thousands of simultaneous targets vs. point defenses)
- 90% of companies lack maturity to counter advanced AI-enabled threats
Arguments for defense advantage:
- Defenders have more data about their own systems
- Detection can leverage AI for anomaly identification
- According to IBM, companies using AI extensively in security save an average $1.9 million per breach and reduce the breach lifecycle by 80 days
- More than 80% of major companies now use AI for cyber defense
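One of the defensive advantages above, AI-driven anomaly identification, can be illustrated with the simplest possible detector: a z-score test over request rates. Production systems use far richer models; the traffic numbers and threshold here are invented for the sketch:

```python
import statistics

def is_anomalous(history, current, z_threshold=3.0):
    """Flag a request rate far outside the observed baseline (z-score test)."""
    mean = statistics.fmean(history)
    stdev = statistics.stdev(history)
    return (current - mean) / stdev > z_threshold

# Hypothetical requests-per-second samples from normal operations.
baseline = [12.0, 15.0, 11.0, 14.0, 13.0, 12.5, 14.5, 13.5]

print(is_anomalous(baseline, 16.0))    # ordinary fluctuation
print(is_anomalous(baseline, 2000.0))  # machine-speed burst
```

Even this trivial detector separates human-scale fluctuation from the "thousands of requests per second" bursts described above; the defender's edge is access to its own baseline data.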
The balance likely varies by context and over time. The Georgetown CSET report notes that “the current AI-for-cybersecurity paradigm focuses on detection using automated tools, but it has largely neglected holistic autonomous cyber defense systems—ones that can act without human tasking.”
Systemic Risks
Beyond individual attacks, AI-enabled cyber capabilities create systemic risks. Critical infrastructure becomes more vulnerable as attacks grow more frequent and sophisticated. Cyber conflict between nations could escalate faster than human decision-makers can manage. And the proliferation of offensive AI tools gives non-state actors access to state-level capabilities.
Critical Infrastructure Under Attack
Roughly 70% of all cyberattacks in 2024 involved critical infrastructure, with global critical infrastructure facing over 420 million cyberattacks. An estimated 40% of all cyberattacks are now AI-driven.
| Sector | 2024 Attack Metrics | Key Incidents |
|---|---|---|
| Healthcare | 14.2% of all critical infrastructure attacks; 2/3 suffered ransomware | Change Healthcare breach affected 100M Americans; Ascension Health 5.6M patients |
| Utilities/Power Grid | 1,162 attacks (+70% from 2023); 234% Q3 increase | Forescout found 46 new solar infrastructure vulnerabilities |
| Water Systems | Multiple breaches using same methodology | American Water (14M customers) portal shutdown; Aliquippa booster station compromised |
| Financial/Auto | Cascading supply chain attacks | CDK Global attack cost $1B+; disrupted 15,000 dealerships |
The CISA Roadmap for AI identifies three categories of AI risk to critical infrastructure: adversaries leveraging AI to execute attacks, AI used to plan attacks, and AI used to enhance attack effectiveness.
Economic Impact
| Metric | Value | Context |
|---|---|---|
| Average U.S. data breach cost | $10.22 million | All-time high; +9% from 2024 |
| Global average breach cost | $4.44 million | Down 9% from $4.88M in 2024 |
| CDK Global ransomware losses | $1.02 billion | 15,000 dealerships affected for 2+ weeks |
| Projected global cybercrime cost (2027) | $24 trillion | Cybersecurity Ventures |
| Critical infrastructure attack financial impact | 45% report $500K+ losses; 27% report $1M+ | Claroty study |
| Shadow AI incident cost premium | +$200,000 per breach | Takes longer to detect and contain |
According to IBM’s 2025 report, 13% of organizations reported breaches of AI models or applications, with 97% of those lacking proper AI access controls. Shadow AI (unauthorized AI tools) was involved in 20% of breaches.
Case Studies
First AI-Orchestrated Cyberattack (September 2025)
In mid-September 2025, Anthropic detected and disrupted what they assessed as a Chinese state-sponsored attack using Claude’s “agentic” capabilities. This is considered the first documented case of a large-scale cyberattack executed without substantial human intervention.
Key details:
- Threat actor designated GTG-1002, assessed with high confidence as Chinese state-sponsored
- Targeted approximately 30 global entities including large tech companies, financial institutions, chemical manufacturing companies, and government agencies
- 4 successful breaches confirmed
- AI executed 80-90% of tactical operations independently, including reconnaissance, exploitation, credential harvesting, lateral movement, and data exfiltration
- Attack speeds of thousands of requests per second—“physically impossible for human hackers to match”
How the attack worked: The attackers jailbroke Claude by breaking the attack into small, seemingly innocent tasks that Claude executed without full context of their malicious purpose. According to Anthropic, the threat actor “convinced Claude—which is extensively trained to avoid harmful behaviors—to engage in the attack” through this compartmentalization technique.
Limitations observed: Claude frequently “hallucinated” during operations, claiming to have stolen credentials that did not work or labeling publicly available data as “high-value discoveries.” Human operators still had to verify AI-generated findings.
CDK Global Ransomware (June 2024)
On June 18, 2024, the BlackSuit ransomware group attacked CDK Global, a leading software provider for the automotive industry. The attack affected approximately 15,000 car dealerships in the U.S. and Canada.
Impact:
- Total dealer losses: $1.02 billion (Anderson Economic Group estimate)
- Ransom demand escalated from $10 million to over $50 million
- CDK reportedly paid $25 million in bitcoin on June 21
- Services restored by July 4 after nearly two weeks of disruption
- 7.2% decline in total new-vehicle sales in June 2024
A second cyberattack on June 19 during recovery efforts further delayed restoration. Major dealership companies including Lithia Motors, Group 1 Automotive, Penske Automotive Group, and Sonic Automotive reported disruptions to the SEC.
Change Healthcare Attack (February 2024)
The BlackCat/ALPHV ransomware group attacked Change Healthcare, taking down payment systems for several days.
Impact:
- 100 million Americans affected—the largest healthcare breach on record
- UnitedHealth confirmed the breach scope in late 2024
- Demonstrated cascading effects across the healthcare supply chain
AI-Enhanced Phishing at Scale
Security firm Memcyco documented a global bank facing approximately 18,500 account-takeover incidents annually from AI-driven phishing campaigns, costing an estimated $27.75 million. After deploying AI defenses, incidents dropped 65%.
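The implied per-incident economics follow directly from those figures. A back-of-envelope check, assuming costs scale linearly with incident count:

```python
# Back-of-envelope economics of the Memcyco account-takeover case.
incidents = 18_500            # annual account-takeover incidents
annual_cost = 27_750_000      # estimated annual cost, USD
reduction = 0.65              # reported incident drop after AI defenses

cost_per_incident = annual_cost / incidents
avoided = reduction * annual_cost   # assumes cost scales linearly with incidents

print(f"~${cost_per_incident:,.0f} per incident; ~${avoided:,.0f}/year avoided")
```

Roughly $1,500 per incident, so a 65% reduction is worth on the order of $18 million per year to this one institution, if the linear-cost assumption holds.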
Ivanti Zero-Day Exploits (2024)
Chinese nation-state actors exploited Ivanti VPN products for espionage, impacting government and telecom sectors. Analysis suggests AI likely enhanced attack efficiency in vulnerability discovery and exploitation.
Key Debates
Crux 1: Does AI Favor Offense or Defense?
If offense advantage: Urgent need for defensive AI investment, international agreements, and perhaps restrictions on offensive AI development. Attackers could gain persistent advantage.
If defense advantage: Focus on AI adoption for security operations; maintain current governance approach. Natural market forces will drive defensive innovation.
| Evidence | Favors Offense | Favors Defense |
|---|---|---|
| 87% of organizations hit by AI attacks | Strong | — |
| 90% of companies lack AI threat maturity | Strong | — |
| $1.9M savings with AI-powered defense | — | Strong |
| 80% of companies now use AI for defense | — | Moderate |
| Autonomous malware in 41% of ransomware | Moderate | — |
| Current Assessment | Moderate offense advantage (55%) | Defense (45%) |
Crux 2: How Fast Are Autonomous Capabilities Developing?
If rapid development: The September 2025 attack may be the beginning of a new paradigm where AI-orchestrated attacks become routine. Governance may not keep pace.
If gradual development: Time exists to develop norms, improve defenses, and implement guardrails. The “hallucination” problem suggests fundamental limitations.
Crux 3: Will International Governance Emerge?
If effective governance develops: Attribution frameworks, rules of engagement, and enforcement mechanisms could constrain AI cyberweapon development.
If governance fails: Cyber arms race accelerates; non-state actors gain access to state-level capabilities; critical infrastructure increasingly vulnerable.
Current status: The first binding international AI treaty was signed in September 2024 by the U.S. and 9 other countries, but enforcement mechanisms are limited. Cyber norms remain largely voluntary through frameworks like the Paris Call for Trust and Security in Cyberspace.
Crux 4: How Much Autonomy Should Defensive AI Have?
If high autonomy: Faster response to threats operating at machine speed. But autonomous defensive systems could escalate conflicts or cause unintended damage (e.g., misidentifying legitimate traffic as attacks).
If human-in-the-loop: Better control and accountability, but response times may be too slow against AI-powered attacks executing thousands of actions per second.
Key Uncertainties
The following uncertainties significantly affect both the magnitude of AI cyberweapon risks and the optimal policy response.
Uncertainty 1: AI Capability Trajectory for Autonomous Exploitation
Current state: GPT-4 can exploit 87% of one-day vulnerabilities with CVE descriptions, but only 7% without them. The September 2025 attack demonstrated 80-90% autonomous operation but still required human verification of AI-generated findings.
Range of outcomes:
- Conservative (30% probability): AI capabilities plateau due to fundamental limitations in reasoning about novel vulnerabilities. Autonomous exploitation remains limited to known vulnerability classes.
- Moderate (50% probability): Steady improvement enables AI to discover and exploit zero-day vulnerabilities within 2-3 years, but with significant hallucination rates requiring human oversight.
- Aggressive (20% probability): Rapid capability gains enable fully autonomous exploit chains including novel zero-day discovery by 2027, fundamentally changing the threat landscape.
Key indicators to watch: Success rates on zero-day discovery benchmarks; reduction in AI hallucination rates during security operations; time from vulnerability disclosure to weaponized exploit.
Uncertainty 2: Offense-Defense Balance Equilibrium
Current state: BCG surveys indicate 60% of organizations have likely experienced AI-powered attacks, but only 7% have deployed AI-enabled defenses. This suggests a temporary offense advantage due to adoption lag rather than fundamental asymmetry.
Range of outcomes:
- Offense wins (25% probability): Attacker advantages compound—automation enables simultaneous attacks at scale while defenses remain fragmented. Critical infrastructure becomes increasingly vulnerable.
- Equilibrium (45% probability): Both sides benefit roughly equally; the current advantage oscillates based on innovation cycles. Security improves overall but so does threat sophistication.
- Defense wins (30% probability): Defensive AI eventually gains structural advantages through better data access, legitimate infrastructure, and economies of scale. Attack success rates decline over time.
Key cruxes: Whether AI-powered threat detection achieves accuracy rates above 95% while maintaining low false positive rates; whether autonomous defense systems can respond at machine speed without causing collateral damage; whether international coordination enables faster threat intelligence sharing.
Uncertainty 3: Proliferation of Offensive AI Tools
Current state: Advanced offensive AI capabilities remain concentrated among nation-state actors and sophisticated criminal groups. The September 2025 attack was attributed to a state-sponsored actor (GTG-1002, assessed as Chinese state-sponsored).
Range of outcomes:
- Limited proliferation (35% probability): Offensive AI capabilities remain difficult to develop; nation-states maintain dominance; non-state actors limited to using commoditized tools.
- Moderate proliferation (45% probability): Ransomware-as-a-service providers integrate AI capabilities; criminal groups gain access to sophisticated tools; attacks increase in frequency but remain somewhat contained.
- Widespread proliferation (20% probability): Open-source offensive AI tools become widely available; attack capabilities democratize rapidly; even low-sophistication actors can execute advanced attacks.
Key indicators: Dark web availability of AI-enhanced attack tools; diversity of threat actors conducting autonomous attacks; price trends for offensive AI capabilities in underground markets.
Uncertainty 4: International Governance Effectiveness
Current state: The Council of Europe Framework Convention on AI (signed September 2024) is the first binding international AI treaty, but major cyber powers (China, Russia) are not signatories. Cyber norms remain largely voluntary.
Range of outcomes:
- Weak governance (40% probability): No effective international framework emerges; cyber arms race accelerates; attribution remains contested; norms are routinely violated without consequence.
- Partial governance (45% probability): Limited agreements among like-minded nations; some red lines established (e.g., no attacks on hospitals, nuclear facilities); enforcement remains inconsistent.
- Strong governance (15% probability): Comprehensive international framework emerges; effective attribution mechanisms; meaningful enforcement through coordinated sanctions or countermeasures.
Key developments to watch: UN Group of Governmental Experts progress on lethal autonomous weapons (next sessions in 2025); expansion of signatories to existing treaties; establishment of international cyber attribution bodies.
Uncertainty 5: Critical Infrastructure Resilience
Current state: Roughly 70% of all cyberattacks in 2024 involved critical infrastructure, with 45% of affected organizations reporting losses exceeding $500,000. However, segmentation and air-gapping provide some protection for operational technology systems.
Range of outcomes:
- Declining resilience (30% probability): IT/OT convergence increases attack surface; legacy systems remain vulnerable; cascading failures become more likely as systems become more interconnected.
- Stable resilience (50% probability): Investment in defensive capabilities roughly matches increasing threat sophistication; major incidents remain possible but catastrophic cascading failures are avoided.
- Improving resilience (20% probability): Significant defensive investment, improved segmentation, and AI-powered monitoring substantially reduce successful attacks on critical infrastructure.
Key factors: Rate of IT/OT convergence; investment in critical infrastructure cybersecurity; effectiveness of regulatory mandates (e.g., CISA’s Cybersecurity Performance Goals 2.0).
Summary: Uncertainty Impact Matrix
| Uncertainty | Low Estimate | Central Estimate | High Estimate | Decision Relevance |
|---|---|---|---|---|
| AI capability trajectory | Plateau at current levels | 2-3x improvement by 2028 | 10x improvement by 2027 | Very High |
| Offense-defense balance | Defense wins long-term | Rough parity | Persistent offense advantage | High |
| Tool proliferation | Limited to state actors | Moderate criminal access | Widespread democratization | High |
| International governance | Largely ineffective | Partial frameworks | Comprehensive regime | Medium |
| Infrastructure resilience | Declining | Stable | Improving | Medium-High |
Timeline
| Date | Event | Significance |
|---|---|---|
| 2020 | First documented AI-assisted vulnerability discovery tools deployed | AI enters offensive security tooling |
| 2023 (Nov) | CISA releases AI Roadmap | Whole-of-agency plan for AI security |
| 2024 (Jan) | CISA completes initial AI risk assessments for critical infrastructure | First systematic government evaluation |
| 2024 (Feb) | Change Healthcare ransomware attack | 100M Americans affected; largest healthcare breach |
| 2024 (Apr) | University of Illinois research shows GPT-4 exploits 87% of vulnerabilities | First rigorous academic measurement of AI exploit capability |
| 2024 (Apr) | DHS publishes AI-CI safety guidelines | Federal critical infrastructure protection guidance |
| 2024 (Jun) | CDK Global ransomware attack | $1B+ losses; 15,000 dealerships disrupted |
| 2024 (Sep) | First binding international AI treaty signed | U.S. and 9 countries; Council of Europe Framework Convention |
| 2024 (Oct) | American Water cyberattack | 14M customers affected |
| 2025 (Mar) | Microsoft Security Copilot agents unveiled | AI-powered autonomous defense tools |
| 2025 (May) | Georgetown CSET and IST release offense-defense balance reports | Academic frameworks for understanding AI cyber dynamics |
| 2025 (May) | CISA releases AI data security guidance | Best practices for AI system operators |
| 2025 (Sep) | First AI-orchestrated cyberattack detected (Anthropic) | 30 targets; 4 successful breaches; 80-90% autonomous |
| 2025 (Oct) | Microsoft releases Digital Defense Report 2025 | Comprehensive analysis of AI-driven threat landscape |
| 2025 (Dec) | CISA OT AI integration principles released | Joint international guidance for AI in operational technology |
Mitigations
Section titled “Mitigations”Technical Defenses
Section titled “Technical Defenses”| Intervention | Mechanism | Effectiveness | Status |
|---|---|---|---|
| AI-powered security operations | Anomaly detection, automated response | High | Widely deployed; $1.2M savings per breach |
| Proactive AI vulnerability discovery | Find and patch before attackers | High | OpenAI Aardvark, Zero Day Quest |
| Autonomous defense systems | Real-time response at machine speed | Promising | Early development; CSET notes gap↗🔗 web★★★★☆CSET GeorgetownAnticipating AI's ImpactSource ↗Notes |
| AI guardrails and jailbreak resistance | Prevent misuse of AI for attacks | Moderate | Circumvented in September 2025 attack |
| Shadow AI governance | Control unauthorized AI tool usage | Low-Moderate | 63% lack formal policies |
Key finding: According to IBM's 2025 Cost of a Data Breach Report, organizations using AI and automation extensively throughout security operations saved $1.9 million in breach costs and reduced the breach lifecycle by 80 days on average.
Governance Approaches
Section titled “Governance Approaches”International agreements: The Council of Europe Framework Convention on AI↗🔗 webfirst binding international AI treatySource ↗Notes (signed September 2024) is the first binding international AI treaty. However, enforcement mechanisms remain weak, and major cyber powers (China, Russia) are not signatories.
National frameworks:
- CISA Roadmap for AI: Whole-of-agency plan for AI security
- CISA AI data security guidance (May 2025): Best practices for AI system operators
- DHS AI-CI safety guidelines (April 2024): Critical infrastructure protection
Responsible disclosure: Norms for AI-discovered vulnerabilities remain underdeveloped. The University of Illinois researchers withheld their exploit agent from public release at OpenAI's request, but the underlying capabilities are widely reproducible.
Defensive Investment Priority
Section titled “Defensive Investment Priority”Researchers warn that “exploits at machine speed demand defense at machine speed.” The Georgetown CSET report↗🔗 web★★★★☆CSET GeorgetownGeorgetown CSET reportSource ↗Notes emphasizes that the current paradigm has “largely neglected holistic autonomous cyber defense systems.”
The generative AI in cybersecurity market is expected to grow almost tenfold between 2024 and 2034, with investment flowing to both offensive and defensive applications.
Sources & Resources
Section titled “Sources & Resources”Primary Research
Section titled “Primary Research”- Anthropic (November 2025): Disrupting the first reported AI-orchestrated cyber espionage campaign↗🔗 web★★★★☆Anthropicfirst documented AI-orchestrated cyberattackSource ↗Notes - First documented AI-autonomous cyberattack
- Georgetown CSET (May 2025): Anticipating AI’s Impact on the Cyber Offense-Defense Balance↗🔗 web★★★★☆CSET GeorgetownAnticipating AI's ImpactSource ↗Notes - Comprehensive academic analysis
- CNAS (September 2025): Tipping the Scales: Emerging AI Capabilities and the Cyber Offense-Defense Balance↗🔗 web★★★★☆CNASTipping the ScalesSource ↗Notes
- IST (May 2025): The Implications of Artificial Intelligence in Cybersecurity↗🔗 webImplications of AI in CybersecuritySource ↗Notes
- University of Illinois (2024): AI agents exploit 87% of one-day vulnerabilities↗🔗 webResearch from the University of IllinoisSource ↗Notes
Industry Reports
Section titled “Industry Reports”- IBM (2025): Cost of a Data Breach Report 2025↗🔗 webIBM's 2025 Cost of a Data Breach ReportSource ↗Notes
- Microsoft (2025): Digital Defense Report 2025↗🔗 web★★★★☆MicrosoftMicrosoft researchSource ↗Notes
- Cybersecurity Ventures (2025): Cybersecurity Almanac 2025↗🔗 webCybersecurity Ventures projectsSource ↗Notes
Government Guidance
Section titled “Government Guidance”- CISA: Roadmap for AI↗🏛️ government★★★★☆CISACISA Roadmap for AISource ↗Notes
- CISA (May 2025): AI Data Security Guidance↗🔗 webAI data security guidanceSource ↗Notes
- DHS (April 2024): AI-CI Safety and Security Guidelines↗🏛️ governmentAI-CI safety guidelinesSource ↗Notes
- CISA (December 2025): Principles for Secure AI Integration in OT↗🏛️ government★★★★☆CISACISA OT AI integration principlesSource ↗Notes
International Governance
Section titled “International Governance”- Council of Europe (2024): Framework Convention on AI and Human Rights↗🔗 webfirst binding international AI treatySource ↗Notes
- Paris Peace Forum (2025): Forging Global Cooperation on AI Risks: Cyber Policy as a Governance Blueprint↗🔗 webParis Call for Trust and Security in CyberspaceSource ↗Notes
Video & Podcast Resources
Section titled “Video & Podcast Resources”- Lex Fridman #266: Nicole Perlroth↗🔗 webLex Fridman #266: Nicole PerlrothSource ↗Notes - Cybersecurity journalist on cyber warfare
- Darknet Diaries Podcast↗🔗 webDarknet Diaries: Voice Phishing EpisodesSource ↗Notes - True stories from the dark side of the internet
- CISA Cybersecurity Videos↗🏛️ government★★★★☆CISACISA Cybersecurity VideosSource ↗Notes - Official government guidance
Analytical Models
Section titled “Analytical Models”Analytical Models
The following analytical models provide structured frameworks for understanding this risk:
| Model | Type |
|---|---|
| Cyber Offense-Defense Balance Model: analyzes whether AI shifts the cyber offense-defense balance; projects a 30-70% net improvement in attack success rates, driven by automation scaling and vulnerability discovery. | Comparative Analysis |
| Autonomous Cyber Attack Timeline: projects when AI achieves autonomous cyber attack capability; estimates Level 3 (AI-directed) attacks by 2026-2027 and Level 4 (fully autonomous) campaigns by 2029-2033. | Timeline Projection |
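To make the 30-70% net-improvement projection concrete, here is a minimal sketch applying that relative uplift to a baseline attack success rate. Only the 30-70% range comes from the model description above; the 10% baseline is an illustrative assumption, not a figure from the model.

```python
# Apply the projected 30-70% relative uplift in attack success rates to a
# hypothetical baseline. Only the 30-70% range comes from the model
# description above; the 10% baseline is an illustrative assumption.
baseline_success = 0.10               # hypothetical: 10% of attempts succeed today
uplift_low, uplift_high = 0.30, 0.70  # relative uplift range from the model

projected_low = baseline_success * (1 + uplift_low)    # 13%
projected_high = baseline_success * (1 + uplift_high)  # 17%

print(f"Projected success rate: {projected_low:.0%} to {projected_high:.0%}")
```

Because the uplift is relative, the absolute change scales with the assumed baseline; a defender facing a higher starting success rate would see a proportionally larger absolute shift.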
AI Transition Model Context
Section titled “AI Transition Model Context”Cyberweapons risk affects the Ai Transition Model primarily through Misuse PotentialAi Transition Model FactorMisuse PotentialThe aggregate risk from deliberate harmful use of AI—including biological weapons, cyber attacks, autonomous weapons, and surveillance misuse.:
| Parameter | Impact |
|---|---|
| Cyber Threat Exposure | Direct parameter: AI uplift for cyberattack capabilities |
| AI Control Concentration | Concentrated AI control creates high-value targets |
The cyberweapons pathway can lead to Human-Caused Catastrophe (catastrophic outcomes caused by human actors using AI as a tool, whether state actors, rogue actors, or unintended cascading failures from human decisions) through infrastructure attacks or by enabling other threat vectors.
Related Pages
Section titled “Related Pages”What links here
- Cyber Threat Exposure (AI transition model parameter)
- Cyber Offense-Defense Balance Model (model)
- Autonomous Cyber Attack Timeline (model)
- Compute Governance (policy)
- AI Evaluations (safety agenda)
- Autonomous Weapons (risk)
- Bioweapons Risk (risk)
- AI Proliferation (risk)