CVE-2025-7775, a critical remote code execution flaw in Citrix NetScaler, marked a sharp shift in how attacks unfold. Historically, exploiting such vulnerabilities required skilled operators spending days or weeks understanding memory operations, authentication bypasses, and architecture peculiarities, and organizations had a patching window measured in weeks before widespread exploitation. Within 12 hours of the August 2025 disclosure, attackers claimed successful exploitation using Hexstrike-AI, an LLM-powered offensive security framework. The window between disclosure and mass exploitation collapsed from weeks to minutes.
This represents a fundamental shift in threat velocity. Hexstrike-AI integrates with over 150 security tools through Model Context Protocol, allowing AI agents (Claude, GPT, Copilot) to autonomously run reconnaissance, craft exploits, deliver payloads, and maintain persistence without human micromanagement. The framework translates high-level commands like "exploit NetScaler" into sequenced technical workflows. Failed attempts automatically retry with variations until successful. The time-to-exploit for CVE-2025-7775 compressed from weeks to under 10 minutes. Organizations face attacks before patches deploy.
What LLMs enable in offensive operations
LLMs transform vulnerability exploitation by handling the cognitive tasks that previously required expert operators. Given a CVE description, these systems generate working exploit code, adapt it to target environments, troubleshoot failures, and iterate until successful. The technical barrier that protected organizations (the specialized knowledge required to weaponize vulnerabilities) effectively disappears.
The automation operates at multiple stages. During reconnaissance, LLM agents systematically enumerate targets, test attack surfaces, identify software versions, and map network topology. The systems don't just scan; they interpret what they find and make tactical decisions about next steps. During exploitation, they generate payloads tailored to specific environments, adjust parameters based on failure messages, and maintain persistence through multiple fallback mechanisms. Hexstrike-AI includes retry loops and failure recovery that keep operations running without human intervention.
The framework approach matters because it provides adversarial capability at scale. A single operator can now orchestrate attacks against thousands of targets simultaneously. Dark web posts documented attackers using Hexstrike-AI to scan for vulnerable NetScaler instances, generate tailored exploits, drop webshells, and offer compromised systems for sale within hours of CVE disclosure. The parallelization means that patch deployment races against automated exploitation campaigns operating 24/7 across global infrastructure.
How exploitation behavioral timelines remain visible
The critical point is that LLM automation changes attack velocity but not attack structure. The network flows reveal the same reconnaissance, exploitation, and post-exploitation patterns regardless of whether a human operator or AI agent orchestrates them. Automated attacks still generate distinctive behavioral timelines at the network level that indicate malicious intent.
Consider the complete Hexstrike-AI exploitation chain against vulnerable NetScaler instances. Reconnaissance produces systematic connection attempts across IP ranges, service enumeration following predictable patterns, and version detection queries to multiple endpoints; the behavioral timeline shows structured discovery activity, not random traffic. Exploitation generates targeted connections to vulnerable services, request patterns characteristic of memory corruption attempts, and payload delivery flows with unusual timing and volume. Post-exploitation creates command and control communications (even if encrypted), lateral movement attempts to adjacent systems, and data staging and exfiltration patterns.
Network flow data captures these behavioral timelines regardless of automation. The LLM orchestrates actions faster, but each action creates network flows between endpoints. Those flows, when analyzed as behavioral timeline structures, reveal reconnaissance patterns (systematic enumeration), exploitation patterns (targeted attacks against specific services), lateral movement patterns (privilege escalation across systems), and exfiltration patterns (bulk data transfers to external destinations). The automation compresses the timeline but cannot eliminate the structural patterns that indicate malicious intent.
Why speed defeats traditional detection methods
Traditional detection methods operate on different time assumptions. Signature-based systems require analysts to reverse engineer attacks, extract indicators, and distribute signatures. This process takes days or weeks. By the time signatures exist, automated exploitation campaigns have already compromised thousands of systems. Rule-based systems require security teams to understand new attack patterns and encode detection logic. Anomaly detection requires baseline establishment and depends on attacks deviating from normal behavior.
LLM-automated attacks specifically bypass these methods by operating within normal parameters. The reconnaissance uses legitimate scanning tools (Nmap, Masscan) at rates indistinguishable from security research. The exploitation attempts use standard protocols and services. The lateral movement leverages authorized tools (RDP, SSH, PowerShell). Individual flows appear normal. Signatures don't exist yet. Rules don't trigger because thresholds aren't violated. Anomalies don't fire because the behavior mimics legitimate security testing.
The velocity problem compounds detection challenges. Organizations using AI automation reduced attack response times from three weeks to 19 minutes, a 99.9% improvement. But attackers using the same automation compress exploitation from weeks to 10 minutes. The asymmetry means defenders must detect and respond within the initial exploitation window or face compromised systems before patches deploy. Traditional detection methods built for slower attack timelines cannot adapt to this compressed velocity.
Why patching windows effectively disappeared
Nearly 8,000 NetScaler endpoints remained vulnerable to CVE-2025-7775 as of September 2025, down from 28,000 the previous week. Organizations patched aggressively but still faced widespread exploitation. The fundamental problem is that patching requires coordination (testing, deployment windows, change management) while exploitation requires only automation. Attackers scan continuously, exploit immediately upon CVE disclosure, and compromise systems faster than patch processes complete.
Research documents that LLM-powered tools can generate exploit code from vulnerability descriptions in under 15 minutes. For web-based vulnerabilities, this automation produces working exploits ready for deployment. Combined with frameworks like Hexstrike-AI that handle reconnaissance and payload delivery, the complete attack chain from CVE publication to system compromise operates in minutes. Organizations cannot patch thousands of systems in minutes. The traditional security model (patch vulnerabilities before exploitation) breaks down when exploitation happens faster than patching.
Detection becomes the primary defense layer. Organizations must assume vulnerable systems exist in their environment at any given time and focus on detecting exploitation attempts through behavioral timeline analysis. This shifts the security model from preventing exploitation (impossible when patching windows disappear) to detecting and responding to exploitation behavioral timelines as they occur. Network flow analysis provides this capability because reconnaissance and exploitation create distinctive patterns regardless of automation speed.
What detection requires against automated exploitation
The solution is analyzing behavioral timeline structures that remain visible regardless of automation. When network flows exhibit systematic reconnaissance patterns (connections to multiple services testing for specific vulnerabilities, version detection across IP ranges, enumeration following CVE-specific sequences), that structure indicates exploitation attempts. When flows show targeted exploitation patterns (connections to vulnerable services with characteristics matching known attack vectors, payload delivery timing and volume consistent with exploitation, retry patterns indicating automated failure handling), that structure reveals active attacks. When post-exploitation flows appear (command and control establishment, lateral movement to adjacent systems, privilege escalation sequences), that structure confirms compromise.
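The three passages above (network flows preserving phase structure, individual flows that each pass threshold checks, and the reconnaissance, exploitation and post-exploitation criteria just listed) can be made concrete with a small flow analyzer. The following is an added example written for this page; it is not DeepTempo's code and not part of the product described here. It runs over a constructed set of flow records (addresses from the RFC 5737 documentation ranges and 10.0.0.0/8, the 10-hosts-in-120-seconds sweep threshold, and the cadence test of 80% of gaps within 20% of the median are all assumptions), shows that a per-flow threshold rule flags nothing, and then recovers the phase sequence from the timeline: a sweep across many hosts, a metronomic retry loop against one service, and a regular outbound beacon from the host that was hit.

```python
# Added example (not DeepTempo's code): phase detection over constructed flow
# records. Thresholds, field names and sample addresses are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since epoch
    src: str
    dst: str
    dport: int
    bytes_out: int   # client -> server
    bytes_in: int    # server -> client


def constructed_flows():
    """Constructed sample, not real telemetry: an external host sweeps 20
    internal hosts on 443, sends oversized requests to one of them on a fixed
    retry cadence, and that host then beacons out every 60 seconds. An admin
    workstation using the same service at human intervals is benign noise."""
    t0 = 1_700_000_000.0
    attacker, victim, c2 = "203.0.113.7", "10.0.0.5", "198.51.100.9"
    flows = [Flow(t0 + i, attacker, f"10.0.0.{i}", 443, 517, 1420)
             for i in range(1, 21)]                                # recon sweep
    flows += [Flow(t0 + 60 + 2 * k, attacker, victim, 443, 48_000, 300)
              for k in range(6)]                                   # retry loop
    flows += [Flow(t0 + 300 + 60 * k, victim, c2, 443, 900, 1200)
              for k in range(5)]                                   # beacon
    flows += [Flow(t0 + 500 + dt, "10.0.0.50", victim, 443, 600, 9000)
              for dt in (0, 37, 41, 130, 145)]                     # benign admin
    return flows


def is_internal(ip):
    return ip.startswith("10.")        # assumption: 10.x is the internal plan


def single_flow_suspicious(f, max_bytes=1_000_000):
    """Per-flow threshold rule: odd port or oversized transfer.
    Every flow in the sample passes it, which is the page's point."""
    return f.dport not in {22, 80, 443, 3389} or max(f.bytes_out, f.bytes_in) > max_bytes


def detect_recon(flows, min_hosts=10, window=120):
    """Reconnaissance: one source reaching many distinct hosts within `window`
    seconds (sliding window). Returns {src: peak distinct-host count}."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    hits = {}
    for src, fs in by_src.items():
        fs.sort(key=lambda f: f.ts)
        i = 0
        for j in range(len(fs)):
            while fs[j].ts - fs[i].ts > window:
                i += 1
            n = len({f.dst for f in fs[i:j + 1]})
            if n >= min_hosts:
                hits[src] = max(hits.get(src, 0), n)
    return hits


def regular_sequences(flows, min_attempts=4, tolerance=0.2, min_fraction=0.8):
    """Repeated (src, dst, dport) connections at a near-constant interval:
    most inter-arrival gaps lie within `tolerance` of the median gap. Human
    sessions are bursty; retry loops and beacons are metronomic. The median
    keeps one earlier probe of the same host from masking the cadence.
    Returns {key: (start_ts_of_regular_run, interval)}."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dst, f.dport)].append(f.ts)
    found = {}
    for key, ts in by_key.items():
        ts.sort()
        if len(ts) < min_attempts:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        med = median(gaps)
        regular = [i for i, g in enumerate(gaps) if med > 0 and abs(g - med) <= tolerance * med]
        if len(regular) / len(gaps) >= min_fraction:
            found[key] = (ts[regular[0]], med)
    return found


def build_timeline(flows):
    """Order detected phases by first appearance: [(phase, actor, detail)]."""
    events = []
    for src, n in detect_recon(flows).items():
        first = min(f.ts for f in flows if f.src == src)
        events.append((first, "reconnaissance", src, f"{n} distinct hosts"))
    for (src, dst, dport), (start, gap) in regular_sequences(flows).items():
        if not is_internal(src) and is_internal(dst):
            events.append((start, "exploitation", src, f"{dst}:{dport} every {gap:.0f}s"))
        elif is_internal(src) and not is_internal(dst):
            events.append((start, "post_exploitation", src, f"beacon {dst}:{dport} every {gap:.0f}s"))
    return [(phase, actor, detail) for _, phase, actor, detail in sorted(events)]


if __name__ == "__main__":
    flows = constructed_flows()
    print("flows flagged individually:", sum(map(single_flow_suspicious, flows)))
    for phase, actor, detail in build_timeline(flows):
        print(f"{phase:17} {actor:14} {detail}")
```

Run as a script it reports zero individually flagged flows and then the three phases in order. In production the thresholds would be tuned against a baseline, the direction test would come from the organization's own address plan rather than a 10.x prefix, and the recon window would be wider for slow, distributed sweeps; the structural test (many hosts, then a metronomic series against one of them, then regular outbound traffic from that host) is what survives regardless of tooling.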
DeepTempo analyzes network flow data to identify these behavioral timeline structures. The foundation model learns what reconnaissance behavioral timelines structurally look like (systematic enumeration patterns), what exploitation behavioral timelines look like (targeted attack sequences), what lateral movement behavioral timelines look like (privilege escalation progressions), and what normal operational activity looks like (legitimate security testing, patch validation, system administration). Classifiers interpret these patterns to determine what each behavioral timeline attempts to accomplish.
This approach addresses the velocity problem because detection doesn't depend on prior knowledge of specific vulnerabilities or attack tools. Automated exploitation campaigns using Hexstrike-AI or similar frameworks still generate reconnaissance behavioral timelines before exploitation, exploitation behavioral timelines during active attacks, and post-exploitation behavioral timelines during lateral movement. The structural patterns exist regardless of how fast the automation operates or what specific CVE gets exploited. Detection operates at the behavioral timeline level where automation cannot hide intent through speed or tool selection.
The broader implication is that as LLMs automate more of the attack chain, the network behavioral timelines become the only reliable detection layer. Signatures will always lag exploitation. Rules will always miss attacks operating within thresholds. Anomaly detection will always struggle with attacks mimicking normal behavior. But systematic reconnaissance creates distinctive flow patterns. Targeted exploitation generates characteristic connection sequences. Lateral movement produces recognizable behavioral timelines. These structures remain visible at the network level regardless of whether a skilled human operator or an AI agent orchestrates the attack.
Closing note
LLM automation compressed exploitation timelines from weeks to minutes. Hexstrike-AI demonstrated that CVE disclosure to widespread exploitation now operates at machine speed, not human speed. Organizations face attacks before patches deploy. Traditional detection methods built for slower timelines cannot adapt to this velocity. Signature-based systems lag exploitation by days. Rule-based systems miss attacks operating within thresholds. Anomaly detection struggles with attacks mimicking normal behavior.
The critical insight is that automation changes attack velocity but not attack structure. Reconnaissance still creates systematic enumeration patterns. Exploitation still generates targeted attack sequences. Lateral movement still produces privilege escalation behavioral timelines. These structures remain visible in network flow data regardless of whether humans or AI agents orchestrate attacks. Behavioral timeline analysis detects malicious intent based on structural patterns that exist independent of automation speed or tool selection. As LLMs automate more of the attack chain, network flow analysis becomes the only reliable detection layer operating at speeds matching automated exploitation.
MITRE ATT&CK tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Lateral Movement
Related reading:
- Living off the land: Why your network sees attacks as normal traffic
- Attackers don't use indicators and detection shouldn't either
- From packets to patterns: How foundation models detect network threats
Get in touch to run a 30 day risk-free assessment in your environment. DeepTempo will analyze your existing data to identify threats that are active. Catch threats that your existing NDRs and SIEMs might be missing!