July 15, 2026 4m read

The Agentic Attacker: One Objective, One Prompt, Forty Minutes, Domain Admin – Game Over

Matan Mittelman
Oz Soprin
Ofek Vardi
Dr. Guy Waizel
Matan Mittelman , Oz Soprin , Ofek Vardi , Dr. Guy Waizel

Table of Contents

Wondering where to begin your SASE journey?

We've got you covered!
Listen to post:
πŸ”Š This audio player requires that "Preferences" cookies be accepted

Executive Summary 

In a controlled enterprise lab, we tested how far an agentic attack stack could go by harnessing a frontier model with an agent platform, MCP-enabled tooling, operational context, and enough autonomy to execute a complete attack path.

Key Findings

  • We demonstrated a complete end-to-end attack chain, from external access to Domain Administrator privileges, using an agentic attack stack in a controlled Active Directory environment. A condensed video demonstration of the successful execution is included as part of this research.
  • The fastest successful full domain admin compromise achieved its objective in 40 minutes and was initiated from a single high-level prompt, with the agent handling most planning and execution autonomously.
  • The agent performed actions across the entire attack lifecycle, including reconnaissance, exploitation, internal discovery, privilege escalation, lateral movement, and exfiltration activities.
  • Successful executions used OpenAI’s GPT-5.5, demonstrating that effective end-to-end attack workflows could be achieved with a publicly available frontier model when paired with the right tooling, context, and orchestration.
  • The strongest outcomes came from frontier-model reasoning, agent platforms, MCP-enabled tooling, and structured operational guidance, suggesting that the primary impact is the acceleration and automation of known attack workflows, not necessarily novel exploit discovery.

The Experiment

For years, discussions around offensive AI have focused on whether models can discover vulnerabilities, write malware, or generate exploits. Our research suggests a different and potentially more significant shift is already underway.

In a controlled Active Directory lab environment, we evaluated how frontier models behave when combined with agent platforms, MCP-enabled tooling, and operational guidance. The objective was straightforward: determine how effectively an agentic attack stack could execute a complete attack chain against an enterprise environment.

The experiments quickly revealed that success was determined less by the model itself and more by how effectively it was harnessed within the surrounding attack stack.

While both GPT-5.5 and GPT-5.5-Cyber were evaluated during the research, the later scenarios focused on GPT-5.5 to better reflect the publicly available frontier models accessible to most attackers at the time of the study.

Using OpenAI’s GPT-5.5, offensive tooling, and structured operational guidance, we successfully demonstrated a complete end-to-end attack chain from external access to Domain Administrator privileges. The fastest successful execution achieved its objective in 40 minutes.

Watch the video:

What Actually Mattered

Across six attack scenarios, a consistent pattern emerged.

The strongest outcomes were not explained by the model alone. Instead, success depended on the interaction between:

  • Frontier-model reasoning
  • Agent platforms
  • MCP-enabled tooling
  • Operational context
  • Human-defined objectives

Small improvements in direction, context, tooling, and orchestration dramatically improved outcomes. In contrast, autonomous execution without reliable tooling proved significantly less effective.

One of the clearest lessons was that the stack mattered more than the model.

The progression from failed executions to successful compromise was driven primarily by:

  • Better guidance
  • Better context
  • Better tooling
  • Better orchestration

Rather than by changing the model itself.

Beyond Automation

Several executions demonstrated adaptive behavior when expected attack paths failed or environmental conditions changed.

Examples included generating custom vulnerability probes, modifying collection workflows, and designing alternative communication paths. In one execution, the agent developed an SMB-based tunneling approach to support data movement through an existing foothold.

The significance is not the specific technique itself. Rather, it highlights a broader trend: the agent was reasoning about objectives and constraints, then selecting and implementing alternative paths toward its goal.

This behavior more closely resembles operational problem solving than simple command execution.

The Real Story

The Agentic Attacker | Read the full report

The most important finding from this research is not that AI can perform offensive security tasks. That is already widely understood.

The more important observation is that offensive capability increasingly emerges from an attack stack rather than from a model alone.

The model provided the reasoning layer. The agent platform provided orchestration. MCP-enabled tooling provided operational capabilities. Context and guidance improved planning and execution. Together, these components formed what we refer to as the Agentic Attacker.

The most significant impact of agentic attackers may therefore not be the discovery of entirely new attack techniques. It may be the ability to dramatically accelerate, automate, and scale the execution of existing attack workflows.

That shift is already beginning to appear in controlled environments. The question now is how quickly these attack stacks continue to improve.

Read the full research paper for the complete methodology, attack scenarios, results, and findings.

Related Topics

Wondering where to begin your SASE journey?

We've got you covered!
Matan Mittelman

Matan Mittelman

Matan Mittelman is a Threat Prevention Team Leader at Cato Networks and member of Cato CTRL. He's responsible for analyzing, researching, and developing protections against emerging threats and CVEs. Matan brings nearly 10 years of experience leading cybersecurity teams. Matan holds a Master's degree in Clinical Neuropsychology from The Hebrew University of Jerusalem and a Bachelor's degree in Psychology from Ben-Gurion University of the Negev.

Read More
Oz Soprin

Oz Soprin

Oz Soprin is a security researcher at Cato Networks and member of Cato CTRL. Prior to Cato, Oz worked at Microsoft and Palo Alto Networks, where he specialized in Identity and User Behavior Analytics (UEBA) and developed detection logic across diverse data sources. Oz's expertise spans over 8 years, including military intelligence analysis and enterprise security research, showcasing his dedication to innovative threat detection in enterprise environments. Oz holds a Master of Business Administration (MBA) from Tel Aviv University and a Bachelor of Science (B.S.) in Computer Science from The College of Management Academic Studies.

Read More
Ofek Vardi

Ofek Vardi

Ofek Vardi is a Security Engineer at Cato Networks and member of Cato CTRL. With a strong research-oriented approach, he focuses on analyzing and simulating attack scenarios and emerging threats, developing tailored protections for customers. Prior to joining Cato in 2022, Ofek worked as a NOC Engineer at Cybereason, while independently advancing his cybersecurity expertise through self-directed learning and practical labs.

Read More
Dr. Guy Waizel

Dr. Guy Waizel

Tech Evangelist

Dr. Guy Waizel is a Tech Evangelist at Cato Networks and a member of Cato CTRL. As part of his role, Guy collaborates closely with Cato's researchers, developers, and tech teams to bridge and evangelize tech by researching, writing, presenting, and sharing key insights, innovations, and solutions with the broader tech and cybersecurity community. Prior to joining Cato in 2025, Guy led and evangelized security efforts at Commvault, advising CISOs and CIOs on the company’s entire security portfolio. Guy also worked at TrapX Security (acquired by Commvault) in various hands-on and leadership roles, including support, incident response, forensic investigations, and product development. Guy has more than 25 years of experience spanning across cybersecurity, IT, and AI, and has held key roles at tech startups acquired by Philips, Stanley Healthcare, and Verint. Guy holds a PhD with magna cum laude honors from Alexandru Ioan Cuza University, his research thesis focused on the intersection of marketing strategies, cloud adoption, cybersecurity, and AI; an MBA from Netanya Academic College; a B.Sc. in technology management from Holon Institute of Technology; and multiple cybersecurity certifications.

Read More