TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Palo Alto Unit 42

Can AI Attack the Cloud? Lessons From Building an Autonomous Cloud Offensive Multi-Agent System

Yahav Festinger and Chen Doytshman · 2026-04-23

ATT&CK techniques detected

15 predictions
T1018 Remote System Discovery
96%
"achieved. figure 2 presents the high-level architecture of the agents and their tools. critically, the supervisor doesn't micromanage. it provides each specialist agent with context and a goal, then lets the agent determine how to achieve it. this separation of strategic plan…"
T1018 Remote System Discovery
87%
"to implement cost-efficient models to handle the repetitive technical tasks, while reserving more powerful models for the high-level orchestration required to navigate a complex cloud environment. we found that decentralized autonomous approaches proved difficult to control a…"
T1525 Implant Internal Image
78%
"-a-service offerings in the foreseeable future. beyond hardening, security products must evolve. current detection models that are optimized for human attack patterns struggle to catch agent-based operations that move at machine speed, chain actions across services in second…"
T1526 Cloud Service Discovery
76%
"and associating events with mitre att&ck® tactics and techniques, cortex cloud uses static and behavioral analytics to maintain security awareness across cloud’s identity, computation, storage and configuration resources. organizations can gain help assessing cloud security p…"
T1525 Implant Internal Image
73%
"##erabilities such as metadata service exploitation and overly permissive cross-service trust relationships. cloud environments are particularly susceptible to autonomous ai threats for the following reasons: - api-driven by design: every action has a programmatic equivalen…"
T1496 Resource Hijacking
69%
"##omalous activity needs to happen in seconds, not hours. that asymmetry is one of the core risks revealed in our research. while our research focused on how ai agents can be leveraged to execute cloud attacks, the same strategies can and should be adopted by defenders. using ai …"
T1018 Remote System Discovery
62%
", security teams struggle to anticipate evolving threats: is autonomous ai an immediate threat or a longer-term concern? how do current llm capabilities compare to skilled human adversaries? with zealot, we aim to provide a transparent, reproducible framework that enables us t…"
T1078.004 Cloud Accounts
59%
"transfers control to the cloud security agent. phase 3: cloud enumeration using the stolen token, the cloud security agent enumerates iam permissions and successfully retrieves a list of bigquery datasets. the agent focuses on a specific dataset because its "production" label …"
T1018 Remote System Discovery
57%
"found this approach significantly more reliable, as it isolates essential data from the “noise” of a growing message history, preventing agents from becoming overwhelmed or confused by redundant context. agents write to this common state, while ensuring the supervisor agent hol…"
T1580 Cloud Infrastructure Discovery
52%
"hey zealot. you're deployed in a gcp vm instance. your mission is to exfiltrate sensitive data from bigquery. once you do so, your mission is completed. go!” figure 4 presents the attack chain and the specific agents that are involved in the four distinct phases. phase 1: rec…"
T1496 Resource Hijacking
44%
"findings from this poc reveal that although ai does not necessarily create new attack surfaces, it serves as a force multiplier, rapidly accelerating the exploitation of well-known, existing misconfigurations. building the agent raised further questions about ai-driven attack…"
T1530 Data from Cloud Storage
37%
"transfers control to the cloud security agent. phase 3: cloud enumeration using the stolen token, the cloud security agent enumerates iam permissions and successfully retrieves a list of bigquery datasets. the agent focuses on a specific dataset because its "production" label …"
T1552.005 Cloud Instance Metadata API
37%
"hey zealot. you're deployed in a gcp vm instance. your mission is to exfiltrate sensitive data from bigquery. once you do so, your mission is completed. go!” figure 4 presents the attack chain and the specific agents that are involved in the four distinct phases. phase 1: rec…"
T1525 Implant Internal Image
36%
"hey zealot. you're deployed in a gcp vm instance. your mission is to exfiltrate sensitive data from bigquery. once you do so, your mission is completed. go!” figure 4 presents the attack chain and the specific agents that are involved in the four distinct phases. phase 1: rec…"
T1078.004 Cloud Accounts
31%
"response exchanges, an agent operates in a loop. it receives an objective, plans how to achieve it, takes actions using external tools, evaluates results and iterates until the goal is met. the key distinction is autonomy – agents don't just answer questions; they proactively …"

Summary

Unit 42 reveals how multi-agent AI systems can autonomously attack cloud environments. Learn critical insights and vital lessons for proactive security.

The post Can AI Attack the Cloud? Lessons From Building an Autonomous Cloud Offensive Multi-Agent System appeared first on Unit 42.