The Agentic Attacker: One Objective, One Prompt, Forty Minutes, Domain Admin – Game Over
|
Listen to post:
π This audio player requires that "Preferences" cookies be accepted
|
Executive Summary
In a controlled enterprise lab, we tested how far an agentic attack stack could go by harnessing a frontier model with an agent platform, MCP-enabled tooling, operational context, and enough autonomy to execute a complete attack path.
Key Findings
- We demonstrated a complete end-to-end attack chain, from external access to Domain Administrator privileges, using an agentic attack stack in a controlled Active Directory environment. A condensed video demonstration of the successful execution is included as part of this research.
- The fastest successful full domain admin compromise achieved its objective in 40 minutes and was initiated from a single high-level prompt, with the agent handling most planning and execution autonomously.
- The agent performed actions across the entire attack lifecycle, including reconnaissance, exploitation, internal discovery, privilege escalation, lateral movement, and exfiltration activities.
- Successful executions used OpenAIβs GPT-5.5, demonstrating that effective end-to-end attack workflows could be achieved with a publicly available frontier model when paired with the right tooling, context, and orchestration.
- The strongest outcomes came from frontier-model reasoning, agent platforms, MCP-enabled tooling, and structured operational guidance, suggesting that the primary impact is the acceleration and automation of known attack workflows, not necessarily novel exploit discovery.
The Experiment
For years, discussions around offensive AI have focused on whether models can discover vulnerabilities, write malware, or generate exploits. Our research suggests a different and potentially more significant shift is already underway.
In a controlled Active Directory lab environment, we evaluated how frontier models behave when combined with agent platforms, MCP-enabled tooling, and operational guidance. The objective was straightforward: determine how effectively an agentic attack stack could execute a complete attack chain against an enterprise environment.
The experiments quickly revealed that success was determined less by the model itself and more by how effectively it was harnessed within the surrounding attack stack.
While both GPT-5.5 and GPT-5.5-Cyber were evaluated during the research, the later scenarios focused on GPT-5.5 to better reflect the publicly available frontier models accessible to most attackers at the time of the study.
Using OpenAIβs GPT-5.5, offensive tooling, and structured operational guidance, we successfully demonstrated a complete end-to-end attack chain from external access to Domain Administrator privileges. The fastest successful execution achieved its objective in 40 minutes.
Watch the video:
What Actually Mattered
Across six attack scenarios, a consistent pattern emerged.
The strongest outcomes were not explained by the model alone. Instead, success depended on the interaction between:
- Frontier-model reasoning
- Agent platforms
- MCP-enabled tooling
- Operational context
- Human-defined objectives
Small improvements in direction, context, tooling, and orchestration dramatically improved outcomes. In contrast, autonomous execution without reliable tooling proved significantly less effective.
One of the clearest lessons was that the stack mattered more than the model.
The progression from failed executions to successful compromise was driven primarily by:
- Better guidance
- Better context
- Better tooling
- Better orchestration
Rather than by changing the model itself.
Beyond Automation
Several executions demonstrated adaptive behavior when expected attack paths failed or environmental conditions changed.
Examples included generating custom vulnerability probes, modifying collection workflows, and designing alternative communication paths. In one execution, the agent developed an SMB-based tunneling approach to support data movement through an existing foothold.
The significance is not the specific technique itself. Rather, it highlights a broader trend: the agent was reasoning about objectives and constraints, then selecting and implementing alternative paths toward its goal.
This behavior more closely resembles operational problem solving than simple command execution.
The Real Story
The Agentic Attacker | Read the full reportThe most important finding from this research is not that AI can perform offensive security tasks. That is already widely understood.
The more important observation is that offensive capability increasingly emerges from an attack stack rather than from a model alone.
The model provided the reasoning layer. The agent platform provided orchestration. MCP-enabled tooling provided operational capabilities. Context and guidance improved planning and execution. Together, these components formed what we refer to as the Agentic Attacker.
The most significant impact of agentic attackers may therefore not be the discovery of entirely new attack techniques. It may be the ability to dramatically accelerate, automate, and scale the execution of existing attack workflows.
That shift is already beginning to appear in controlled environments. The question now is how quickly these attack stacks continue to improve.
Read the full research paper for the complete methodology, attack scenarios, results, and findings.