The rise of AI attackers
Autonomous AI systems are now executing cyberattacks at machine speed. In September 2025, Anthropic documented the first reported AI-orchestrated cyber espionage campaign, where an AI agent made thousands of requests per second. Security researchers demonstrated that an AI agent could complete a full ransomware kill chain in 25 minutes. The question facing detection teams is whether current systems can recognize these attacks.
Agentic AI attackers operate with contextual understanding and adaptive decision-making, chaining actions across systems without human guidance. This creates a detection problem that signature-based tools and threshold-based anomaly systems were never designed to solve.
What makes agentic attacks different
Traditional attacks follow predictable workflows. Human operators scan ports, identify vulnerabilities, exploit weaknesses, establish persistence, and move laterally. Each step creates distinct signatures that detection tools recognize through pattern matching.
Agentic AI attacks dismantle this predictability. According to Malwarebytes, agentic models reason, plan, and act autonomously, making attacks more scalable and efficient. These systems break operations into small, seemingly innocuous tasks that individually appear benign while pursuing malicious objectives.
The September 2025 Anthropic attack illustrates this. Attackers jailbroke Claude Code by decomposing malicious tasks into fragments that bypassed safety guardrails. The AI executed reconnaissance, produced exploit code, and scanned stolen data more efficiently than human operators. Individual actions matched normal administrative behavior. Malicious intent emerged only when viewing the behavioral timeline as a whole.
Flow behavior reveals the intent individual events hide
Network flow data captures the structural logic of communication and how these patterns evolve over time. A single flow shows port usage and transfer volume. Establishing a behavioral timeline reveals whether the communication pattern is malicious or operational.
Consider how an agentic attacker might conduct reconnaissance. The agent queries DNS records, probes service endpoints, and maps internal network topology. Each query uses legitimate protocols. Each connection respects rate limits. Each individual flow event appears completely normal when examined in isolation.
Traditional detection systems evaluate these events independently. A DNS query for an internal hostname passes firewall rules. An HTTPS connection to a known service matches expected traffic. None violate established signatures. Pattern-based rules never fire because no single event is anomalous.
Analyzing the flow records from a behavioral standpoint tells a different story. The timing between queries, the systematic enumeration pattern, and the progression of service discovery together reveal reconnaissance behavior. This is not about seeing flows connect across a broader attack chain. This is about recognizing that the behavioral timeline itself, viewed as a single unit, exhibits attacker intent rather than operational intent.
DeepTempo's foundation model learns what normal operational behavior looks like and what attacker flows look like at the behavioral level. The model does not rely on signatures or deviation thresholds. It learns that certain timeline structures, independent of the specific IPs, ports, or protocols involved, correspond to malicious intent. A reconnaissance behavior has a structure that differs from a backup behavior or a heartbeat behavior, even when all individual flows appear routine.
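The contrast described above, as an added example (not DeepTempo's model or code): constructed flow timelines for a reconnaissance sweep, a heartbeat and a backup all pass an assumed per-event rule, while a few hand-written timeline features separate them. The addresses, policy values and thresholds are assumptions chosen for illustration.

```python
import ipaddress
from statistics import mean, pstdev

ALLOWED_PORTS = {53, 443, 8443}   # assumed per-event policy
MAX_BYTES = 1_000_000             # assumed per-flow size cap

# Constructed timelines, one source host each: (time_s, dst_ip, dst_port, bytes_out)
RECON = [(i * 7.0 + (i % 3) * 0.4, f"10.0.5.{i + 1}", 443, 600) for i in range(24)]
HEARTBEAT = [(i * 60.0, "10.0.9.10", 8443, 300) for i in range(24)]
BACKUP = [(i * 2.0, "10.0.9.20", 443, 900_000) for i in range(24)]

def event_rule_fires(flow):
    """Per-event check: looks at one flow with no memory of the others."""
    _, _, port, nbytes = flow
    return port not in ALLOWED_PORTS or nbytes > MAX_BYTES

def timeline_features(flows):
    """Features that only exist once the flows are viewed as one ordered unit."""
    flows = sorted(flows)
    addrs = [int(ipaddress.ip_address(f[1])) for f in flows]
    gaps = [b[0] - a[0] for a, b in zip(flows, flows[1:])]
    steps = [b - a for a, b in zip(addrs, addrs[1:])]
    return {
        "fan_out": len({(f[1], f[2]) for f in flows}) / len(flows),   # share of distinct peers
        "sweep": sum(s == 1 for s in steps) / max(len(steps), 1),     # next address = previous + 1
        "gap_cv": pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) else 0.0,
        "mean_bytes": mean(f[3] for f in flows),
    }

def describe(flows):
    """Name the structure of a timeline; thresholds are illustrative only."""
    f = timeline_features(flows)
    if f["fan_out"] >= 0.8 and f["sweep"] >= 0.8:
        return "systematic-enumeration"
    if f["fan_out"] <= 0.1 and f["mean_bytes"] >= 100_000:
        return "bulk-single-peer"
    if f["fan_out"] <= 0.1 and f["gap_cv"] < 0.1:
        return "periodic-single-peer"
    return "unclassified"

if __name__ == "__main__":
    for name, tl in [("recon", RECON), ("heartbeat", HEARTBEAT), ("backup", BACKUP)]:
        fired = sum(event_rule_fires(x) for x in tl)
        print(f"{name:9} per-event alerts={fired:2}  timeline={describe(tl)}")
```

Fixed features like these are easy for an adaptive sender to step around (for example by shuffling the order of destinations), which is the limitation of hand-written rules that the article's learned-representation argument is aimed at.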
Why anomaly detection fails against AI agents
Gartner research indicates that 59% of organizations surveyed in late 2024 were implementing agentic AI in their security operations. However, most detection systems rely on anomaly detection: learning baseline behavior and flagging deviations. The World Economic Forum notes that agentic AI creates proliferating non-human identities, requiring detection systems to recognize coordinated activity across multiple autonomous entities.
This approach faces fundamental challenges when attackers can adapt. Research on adversarial machine learning demonstrates that attackers use reinforcement learning to modify malware and network traffic in ways that evade ML-based detectors. These systems learn through trial and error which modifications avoid triggering alerts, discovering effective evasion tactics by observing detector responses without needing detailed knowledge of detection logic. Academic research confirms that network evasion attacks succeed by "mimicking normal user behavior" and "modifying network traffic to appear legitimate while still conducting malicious activities."
The challenge intensifies with agentic systems that can query detection environments repeatedly, observe results, and adjust their behavior accordingly. The attacker evades detection not by hiding, but by appearing normal through learned adaptation.
Research in Scientific Reports demonstrates flow-based detection can identify malicious traffic even at 1 in 1,000 packet sampling. However, effectiveness depends on understanding intent rather than measuring deviation. Models based solely on anomaly detection struggle when attacks deliberately operate within learned baseline parameters.
Intent-based detection addresses this limitation through a two-stage architecture. In the first stage, the LogLM, DeepTempo's foundation model, learns behavioral representations by encoding flow timelines into a high-dimensional embedding space where similar workflows cluster together. At this stage, it has learned generalized behaviors of interaction between entities. It does not label timelines as malicious or assign attack types. That interpretation happens in the second stage, where classifier heads analyze the behavioral embeddings to determine what each behavior attempts to accomplish. The binary classifier distinguishes benign operational intent (backups, heartbeats, service calls) from attacker intent. Multi-label classifiers then map malicious behaviors to specific tactics: reconnaissance, lateral movement, exfiltration, command and control. This separation between behavior learning and intent assignment enables the system to recognize attack patterns even when individual flows appear routine.
MITRE: Command and Control, Reconnaissance, Lateral Movement
Agentic AI attacks involve multiple tactics, but DeepTempo does not detect them by reconstructing attack chain progression. The Anthropic incident report notes that the AI agent moved through targeting, reconnaissance, exploitation, and data extraction phases, but detection does not depend on seeing this full sequence.
DeepTempo's classifier layer maps individual malicious behavioral timelines to MITRE ATT&CK tactics by interpreting behavioral embeddings from the foundation model. A single timeline showing systematic port enumeration maps to reconnaissance. A different timeline with privilege escalation attempts maps to lateral movement. Periodic small-volume transfers map to command and control. Each timeline is evaluated independently.
The approach identifies discrete behavioral fragments that are malicious, not operational. Each behavior exhibits either attacker intent or benign intent. The classifier does not need to see how timelines connect to identify individual malicious behavior. Detection happens because the timeline structure itself reveals what it attempts to accomplish, even when the broader attack context remains invisible.
Detection performance under realistic conditions
MIT Technology Review reports that AI agents capable of executing complex attacks are transitioning from proof-of-concept to operational reality. Traditional ML approaches face documented challenges: they require high-quality labeled datasets, struggle with class imbalance, and often fail when deployed across different network contexts.
DeepTempo's foundation model architecture addresses these limitations by learning behavioral representations from unlabeled flow data. This enables zero-shot detection where the model recognizes malicious intent in new attack variants because it learned fundamental attacker behavior structures, not specific signatures.
Production deployments in a telecom network processing 70 million devices surfaced lateral movement timelines that traditional tools missed. Detection came from behavior structure and timing patterns revealing systematic reconnaissance, with sub-10 second latency and false positive rates under 2%.
How to prepare your defenses against Agentic AI
The Anthropic report concludes that barriers to sophisticated cyberattacks have dropped substantially and will continue dropping. Detection systems must adapt by learning to recognize malicious sequence structures, not just flag deviations or match signatures.
Agentic AI attackers will not announce themselves through obvious signatures or dramatic anomalies. Organizations relying on signature matching and threshold-based anomaly detection will face increasingly sophisticated threats their systems cannot see.
Intent-based detection provides measurable improvements over pattern-matching and anomaly detection when facing adaptive attackers. The key is operating at the correct abstraction level: evaluating behavioral timelines rather than events, learning what malicious timeline structures look like rather than measuring deviation from baseline.
And this is where DeepTempo can help. Get in touch with us for a free threat assessment that can reveal what your detection systems are missing today, earlier in the attack than your existing tools.