A disclosure from AI giant Anthropic in November 2025 confirmed that AI autonomously executed between 80% and 90% of a particular state-sponsored espionage campaign, effectively shifting the debate from hypothetical to a documented reality. Unit 42, the cybersecurity research and intelligence team at Palo Alto Networks, identified what they refer to as a “reality gap” between popular discourse about AI offensive capabilities and empirical evidence of those capabilities in live cloud environments.
In response to the information revealed by Anthropic and the resulting questions, Unit 42 created a multi-agent penetration testing proof of concept (PoC) built to test the offensive capabilities of autonomous AI in cloud environments. The Zealot PoC is designed to close the reality gap and ground the conversation in empirical demonstration of what AI agents actually do, rather than speculation about what they could do.
Anatomy of Zealot: How a Multi-Agent System Thinks Like a Red Team
Zealot contains a supervisor-agent architecture that delegates tasks to three separate specialist agents: infrastructure reconnaissance, web application exploitation, and cloud security operations. This architecture mirrors how experienced human red teams divide and assign labor to address a wide range of security issues.
The supervisor agent dynamically re-prioritizes tasks based on real-time findings, rather than simply following a rigid playbook. For example, when a peered Virtual Private Cloud (VPC) revealed an unexpected vulnerable application, the system looped back and pivoted accordingly. Context isolation is a deliberate design choice, where specialist agents receive only the instructions relevant to their task, preventing distraction, while the supervisor maintains the complete operational picture through a shared AttackState object.
The Attack Chain: Four Phases, One Objective
Unit 42 tested Zealot’s capabilities by running the tool against a Google Cloud Platform virtual machine (GCP VM) instance with certain vulnerabilities intentionally preconfigured. Given a single directive to exfiltrate sensitive data from BigQuery, Zealot autonomously completed reconnaissance, identified a server-side request forgery (SSRF) vulnerability in a peered VPC, and extracted a service account access token from the GCP Instance Metadata Service.
When the attempt to access the target dataset returned an “Access Denied” error, the Cloud Security Agent improvised by exporting the BigQuery table to a new storage bucket. It then achieved privilege escalation by granting itself the objectAdmin role to complete exfiltration. In another instance, separate from this attack, the system was seen autonomously injecting private SSH keys to obtain persistence after VM compromise. This initiative was not commanded, signaling emergent decision-making beyond scripted execution.
Experts note that Zealot’s PoC is significant, but warn against interpreting its findings erroneously. “What Zealot demonstrates is not autonomous ‘AI hacking’ in the wild—it demonstrates that AI can orchestrate known techniques against a pre-weakened environment when given a clear objective and sufficient tooling,” according to Heath Renfrow, Co-Founder and Chief Information Security Officer at Fenix24, a Chattanooga, Tennessee-based cyber disaster recovery firm. “That’s an important distinction.”
The Misconfiguration Multiplier
Cloud environments are structurally vulnerable to autonomous AI due to a number of architectural and design factors. Cloud infrastructure is API-driven by design, providing the structured, programmatic interface that LLM agents navigate most effectively. Every human action has a machine-executable equivalent, which enables agentic AI tools to carry out significant activity within cloud environments. Zealot does not exploit any novel vulnerabilities. Rather, its power lies in chaining together well-documented misconfigurations—like exposed metadata services, overly permissive IAM roles, and cross-service trust relationships—at speeds unmatched by any human attacker.
The recently published 2026 Cloud-Native Security and Usage Report from Sysdig found a 25x year-over-year growth in AI-specific packages, signaling a shift in AI usage from experimentation to production-grade systems with deeper integration. However, AI adoption is simultaneously expanding the attack surface even as defenders race to secure it: only 1.5% of AI assets are publicly exposed, which suggests intentional posture, but the underlying misconfiguration debt remains.
The Defender's Dilemma: Matching Machine Speed with Machine Speed
The Zealot PoC is a significant demonstration of the functional maturity of AI-driven attacks targeting cloud environments. The window between initial access and data loss is shrinking, and traditional, manual detection and response processes are structurally incapable of keeping pace with AI-driven attack chains that move across services in mere seconds. “Today’s attackers, empowered by AI, can probe for weaknesses and execute complex attacks with unprecedented speed,” says Seema Ganoje, Director of Software Engineering at Black Duck, a Burlington, Massachusetts-based provider of application security solutions. “Defending against them requires more than just a single line of defense—it demands a layered, adaptive approach.”
Over 70% of security teams now use behavior-based detections, and 140% more organizations year over year are automatically terminating suspicious processes at detection, indicating a major shift toward machine-speed defensive response. Breaking any single link in the misconfiguration chain can stall an autonomous attacker's entire operation. This means that now more than ever, proactive IAM audits, metadata service access restrictions, and least-privilege enforcement are not hygiene tasks, but the primary countermeasure against AI-driven attack automation.
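The chain described above (denied dataset read, fresh bucket, self-granted objectAdmin, export) is exactly the kind of link sequence a behavior-based detection can break. The following is an added example, not Unit 42 or Zealot code: a small detector run over constructed, simplified audit events whose field names are assumptions rather than any cloud provider's real log schema.

```python
"""Flag the misconfiguration chain described above in simplified audit events.
Added example, not Unit 42 or Zealot code. The flat event dicts below are a
constructed stand-in for cloud audit log records; every field name is an
assumption, while roles/storage.objectAdmin is the real GCP role the text names."""
from datetime import datetime, timedelta

OBJECT_ADMIN = "roles/storage.objectAdmin"

# Constructed sample: denied read, fresh bucket, self-grant, then export.
SAMPLE_EVENTS = [
    {"ts": "2025-11-20T10:00:00", "principal": "svc-app@proj.iam",
     "method": "bigquery.jobs.query", "resource": "dataset/finance",
     "status": "PERMISSION_DENIED"},
    {"ts": "2025-11-20T10:00:20", "principal": "svc-app@proj.iam",
     "method": "storage.buckets.create", "resource": "bucket/tmp-export-1"},
    {"ts": "2025-11-20T10:00:45", "principal": "svc-app@proj.iam",
     "method": "storage.setIamPolicy", "resource": "bucket/tmp-export-1",
     "member": "svc-app@proj.iam", "granted_role": OBJECT_ADMIN},
    {"ts": "2025-11-20T10:01:10", "principal": "svc-app@proj.iam",
     "method": "bigquery.jobs.extract", "resource": "dataset/finance",
     "destination": "bucket/tmp-export-1"},
]

def detect_exfil_chain(events, window=timedelta(minutes=10)):
    """Return (rule, principal, resource) alerts for each suspicious link:
    a self-granted objectAdmin, an export into a bucket the same principal
    created within `window`, and an export following a recent denial."""
    alerts = []
    created = {}   # bucket -> (principal, creation time)
    denied = {}    # (principal, resource) -> time of last denial
    for e in events:  # events are assumed to be in chronological order
        t = datetime.fromisoformat(e["ts"])
        who, method = e["principal"], e["method"]
        if e.get("status") == "PERMISSION_DENIED":
            denied[(who, e["resource"])] = t
        elif method == "storage.buckets.create":
            created[e["resource"]] = (who, t)
        elif method == "storage.setIamPolicy" and e.get("member") == who \
                and e.get("granted_role") == OBJECT_ADMIN:
            alerts.append(("self-grant-objectAdmin", who, e["resource"]))
        elif method == "bigquery.jobs.extract":
            dest = e.get("destination")
            owner, when = created.get(dest, (None, None))
            if owner == who and t - when <= window:
                alerts.append(("export-to-fresh-bucket", who, dest))
            last = denied.get((who, e["resource"]))
            if last is not None and t - last <= window:
                alerts.append(("export-after-denial", who, e["resource"]))
    return alerts
```

Each rule fires on one link of the chain independently, so an alert on the self-grant alone is enough to interrupt the operation before the export completes.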
The Misconfiguration Debt Is Now a Strategic Liability
Zealot shows that the expertise barrier separating sophisticated cloud attacks from opportunistic ones is collapsing, as operations that once required specialized red team knowledge can now be orchestrated by an AI agent following documented patterns. As offensive AI capabilities improve at planning and adaptation, and defensive AI scales threat hunting and response, the organizations best positioned to survive are those that eliminate exploitable misconfigurations before autonomous attackers arrive.
The disclosure from Anthropic demonstrated that state actors are already operational, and Unit 42’s efforts provide an assessment that these capabilities will continue to migrate into malware-as-a-service offerings in the near term. This makes the current window for proactive hardening narrower than most security teams recognize, demanding action now.