The First Agentic Cyberattack Is Here. It’s A Liar. That's An Opportunity.


A flock of birds shifting in formation against a stormy sky, symbolizing coordinated autonomous agents.

Anthropic’s November 13 report just confirmed our primary fear. An alleged Chinese state-sponsored group they call GTG-1002 successfully automated a complex cyber espionage campaign using AI agents.

This is the new baseline.

Forget the theory. The first large-scale “agentic” AI attack campaign has happened. A single human operator tasked instances of “Claude Code” to operate as autonomous agents. They conducted reconnaissance, vulnerability discovery, exploitation, and data exfiltration across 30 different targets, including tech companies and government agencies. The AI performed 80-90% of all tactical work independently.

This is an inflection point.

The barrier to entry for sophisticated attacks has collapsed. What once required an entire team of skilled, expensive on-net operators and analysts can now be executed by one person managing a swarm of AI agents. The AI autonomously discovered vulnerabilities and exploited them in live operations. It parsed large volumes of stolen data to identify intelligence value on its own. This is the efficiency nightmare we all predicted.

But the report buried the real story. The one that matters more than the attack itself.

In the analysis, Anthropic notes a critical, unexpected flaw: the AI “frequently overstated findings and occasionally fabricated data”. It hallucinated. The AI confidently claimed it had obtained credentials that didn’t work. It flagged publicly available information as “critical discoveries”. The human operators couldn’t trust their own weapon. They were forced to manually validate every claimed result, creating significant operational friction.

This hallucination problem is a manageable inconvenience for an attacker. They just have to double-check their work.

For us, the defenders, this flaw could be a catastrophic, show-stopping failure… if we only think defensively.

A defensive AI that “lies” is worse than having no AI at all. It will confidently send your human response teams on ghost hunts while the real intrusion proceeds untouched. It will block legitimate, mission-critical traffic based on a fabricated threat.

And we need this AI to work. We know its potential. Google’s “Big Sleep” project proved last year that AI can find zero-days, offering what they called an “asymmetric advantage for defenders.” They were right.

This reveals the true conflict. The old security model is obsolete. The only viable defense against an automated attack (like GTG-1002) is an automated defense (like “Big Sleep”). But the GTG-1002 report proves that both of these systems are built on an unreliable, hallucinating foundation.

This changes our strategy.

If the attacking AI wants to find things so badly that it makes them up, we should help it.

This is the new active defense. We litter our networks with digital breadcrumbs that lead nowhere. We seed fake, but plausible, credentials in config files. We create decoy databases that contain nothing but garbage data. We build a digital hall of mirrors designed to trap an autonomous agent in a validation loop.

The GTG-1002 human operators were already forced to manually validate every finding, creating “operational friction”. Our goal must be to maximize that friction. Every hour the attacker spends verifying a hallucination is an hour we’ve won.

And the moment that decoy database is touched, the AI has announced itself.
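A minimal sketch of that tripwire, added here as an illustration and not taken from the Anthropic report or any product: it mints decoy service accounts, records where each was planted, and flags any source that tries one. The log format, account naming, file paths and addresses are all constructed assumptions.

```python
import re
import secrets
from collections import defaultdict

def mint_decoy(registry, planted_in, role="backup"):
    """Create a plausible service account that no real system uses (hypothetical naming)."""
    user = f"svc-{role}-{secrets.token_hex(3)}"
    registry[user] = planted_in              # remember which lure this name lives in
    return user, secrets.token_urlsafe(18)   # random password, valid nowhere

# Assumed log format, constructed for this example:
#   <timestamp> auth user=<name> src=<ip> result=<ok|fail>
LINE = re.compile(r"^(\S+) auth user=(\S+) src=(\S+) result=(\w+)$")

def detect(log_lines, registry):
    """Return one alert per source address that tried any decoy credential."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LINE.match(line.strip())
        if not m:
            continue                         # skip lines we cannot parse
        ts, user, src, _result = m.groups()
        if user in registry:                 # no legitimate process knows this name
            hits[src].append((ts, user, registry[user]))
    return [
        {"src": src, "first_seen": ev[0][0], "attempts": len(ev),
         "leaked_from": sorted({loc for _, _, loc in ev})}
        for src, ev in sorted(hits.items())
    ]

def demo():
    registry = {}
    u1, _ = mint_decoy(registry, "/srv/app/config.yaml", role="backup")
    u2, _ = mint_decoy(registry, "decoy_db.users", role="report")
    log = [  # constructed sample lines
        "2025-01-01T10:00:00Z auth user=alice src=10.0.0.5 result=ok",
        f"2025-01-01T10:02:11Z auth user={u1} src=10.0.0.77 result=fail",
        f"2025-01-01T10:02:40Z auth user={u1} src=10.0.0.77 result=fail",
        f"2025-01-01T10:03:05Z auth user={u2} src=10.0.0.77 result=fail",
    ]
    return detect(log, registry)

if __name__ == "__main__":
    print(demo())
```

The `attempts` count is a rough measure of the friction described above, and `leaked_from` tells responders which planted files or tables the intruder has already read.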

The GTG-1002 report proves the old race of offense vs. defense is over. The new critical race is about reliability. But until we solve reliability, the smartest move is to weaponize its absence.

Don’t just wait for the AI to lie. Make it lie.