When AI Runs the Operations: Autonomous Agents and the Future of Cyber Competition

On March 6, the White House released President Donald Trump’s Cyber Strategy for America. Among its commitments, the strategy pledges to “rapidly adopt and promote agentic AI in ways that securely scale network defense and disruption.” That sentence signals how far U.S. cyber policy has shifted—from AI as a cybersecurity tool to autonomous agents as instruments of both defense and offensive disruption.

The United States is not alone in recognizing the potential of agentic cyber capabilities. In November 2025, Anthropic assessed that a Chinese state-sponsored group had jailbroken Claude Code to launch cyber operations against roughly thirty global targets. Even though they risked exposure, Chinese actors used Anthropic’s software coding agent with custom scaffolding to automate eighty to ninety percent of the operation, marking the first known incident of a large-scale cyber campaign planned and executed primarily by an AI system rather than human operators.

As agentic capabilities advance, nation-states and other threat actors have powerful incentives to push towards what we, in a new report from the Institute for AI Policy and Strategy, term “highly autonomous cyber-capable agents” (HACCAs), or systems that independently conduct end-to-end cyber campaigns at the level of the most sophisticated criminal groups and nation-state hackers. Policymakers face three questions: how to assess a capability still taking shape, how to defend against it, and how to ensure their own use does not create new risks.

The Cybersecurity Capability Shift

There is a meaningful difference between AI systems that primarily assist a human operator and those that plan and execute operations from start to finish. We conceive of HACCAs as systems capable of conducting, at minimum, cyber operations that currently require roughly tens of experienced hackers working over several months, with operational budgets of at least a million dollars. This is the threshold where cyber operations transition from opportunistic attacks to sustained campaigns with strategic impacts, operations like the 2015 Office of Personnel Management data breach, in which Chinese intelligence spent months inside federal networks exfiltrating the security clearance files of millions of government employees and contractors.

Until recently, this threshold seemed distant. Most AI systems have been largely assistive, capable of helping human operators with discrete tasks but less reliable on complex, longer time-horizon activities. But Irregular, a leading AI security research firm, documented what it called a “capability shift” late last year. Frontier models scored near-zero on expert-level offensive security challenges until mid-2025, but reached a 60 percent success rate by late fall. In February 2026, OpenAI CEO Sam Altman confirmed that 5.3-Codex was the first of its systems to formally hit the “High” cybersecurity threshold in OpenAI’s Preparedness Framework—meaning OpenAI determined 5.3-Codex could develop working zero-day remote exploits against well-defended systems, or meaningfully assist with complex, stealthy intrusion operations. If current trends are extrapolated (and such projections carry obvious limitations), HACCA-level systems could be technically feasible even before the end of the decade.

Fully autonomous cyber operations would be extraordinarily valuable to states and other actors. Cyber is already an indispensable tool for intelligence gathering and acquiring illicit finances, and is an increasingly important adjunct to kinetic operations, as Operation Epic Fury in Iran and Operation Absolute Resolve in Venezuela have made evident. One way to read the Anthropic-disclosed campaign is as a state tinkering with autonomous capabilities piecemeal. But the components being tested today are the building blocks of tomorrow’s HACCAs, and the incentives to experiment further will be difficult to resist.

What HACCAs Could Do

Cyberspace traditionally has been a domain of continuous, low-intensity competition between states, with operations typically calibrated to stay below the threshold of serious escalation. Most clearly, HACCAs could accelerate operational tempo, deepening an asymmetry that already favors attackers. Vulnerability discovery and exploitation have historically outpaced the patching and remediation on which defenders rely. HACCAs could also intensify this competition along additional dimensions by, for example, driving down the time scale or labor cost of launching an attack and making sophisticated operations (including those with destructive goals) more achievable.

Critically, HACCAs will enable cyber operations to scale at a speed humans cannot match. Today’s cyber operations are often constrained by the number of skilled operators available to plan, execute and adapt a campaign in real time. Jon Bateman of the Carnegie Endowment for International Peace has documented this in his analysis of Russian cyber operations in Ukraine. Within weeks of the invasion, Russian cyber activity declined sharply in sophistication as initial technical resources were exhausted and operators resorted to cruder, more opportunistic methods. HACCAs would relax that constraint considerably. A single deployment might perform the equivalent work of an entire organization, with many instances running in parallel. An attacker could set a HACCA loose against an entire sector—financial institutions, energy providers, defense contractors—and let it work through targets in parallel, unsupervised.

Beyond scale, HACCAs would introduce novel tactical possibilities that current operations cannot easily replicate. By continuously modifying their behavior and command-and-control structures, they could prove significantly harder to detect and disrupt than conventional intrusion tools. Further, they could deploy “agentic implants”—small AI models or scaffolding installed on compromised systems that make tactical decisions locally without requiring external guidance. As reported by Google’s Threat Intelligence Group, early versions of such AI-powered malware have already been seen in the wild. This could make intelligence gathering far easier for states. Rather than risk exposure by indiscriminately exfiltrating many large files, agentic implants could act as “forward-deployed analysts” filtering and processing data locally, and transmitting only the most valuable intelligence.

It is not yet clear precisely how HACCAs will shift the offense-defense balance in cyberspace. But defenders cannot assume the adjustment will be automatic. As inference costs fall and HACCA components like models and scaffolding become more widely available, these capabilities will be accessible to a growing number of actors. A mid-tier cybercriminal group might eventually acquire network exploitation skills that today would be reserved for the NSA’s elite Tailored Access Operations unit. Key institutions such as regional utilities, healthcare providers, and open-source software maintainers already struggle to keep pace with current best practices in defense, and could find themselves disproportionately vulnerable.

Strategic Surprises

The risks described above assume HACCAs behave roughly as intended: deployed deliberately by states, with recognizable objectives and meaningful control over their conduct. These assumptions may not hold. Policymakers should be prepared for low-probability, high-impact outcomes that could have significant implications for strategic stability.

Perhaps the most consequential risk is inadvertent nuclear escalation. Decades of offensive cyber operations between rival states have rarely produced serious escalation—in part because operations have been carefully calibrated, with human operators in charge and states retaining the ability to pause, redirect, or abort. HACCAs are not likely to change this calculus, but they will still enable more frequent and impactful attacks on military systems, while having failure modes that are less well understood than those of conventional cyber tools. An operation that spreads beyond its intended scope, or that is misinterpreted as targeting nuclear command-and-control infrastructure, could trigger a crisis between nuclear-armed states before anyone has had the opportunity to clarify intent. The faster operational tempo that gives HACCAs an advantage may also make inadvertent escalation more difficult to contain.

Another acute risk is that operators lose control of HACCAs once deployed—because design flaws lead to system drift from intended objectives, because adversaries find ways to subvert them, or because interactions between multiple agents produce effects that no one anticipates. A particularly capable HACCA may be able to coordinate instances, acquire key operational resources like compute, and resist shutdown attempts. In some ways, this possibility follows directly from the properties that make HACCAs effective cyber tools. Systems built to defeat adversary defenses and sustain operations in complex, adversarial environments would be most likely to have the capabilities to resist being switched off. There is the risk that a HACCA could become a threat actor in its own right, one that no one intended to create and that existing defenses were not designed to contain.

Policy Recommendations

The risks described above are serious, but not inevitable. Policymakers, industry, and other defenders have an opportunity to avoid the worst possible outcomes. Three priorities deserve attention now: developing a clearer understanding of the effects HACCAs could have, defending against adversarial deployment of these systems, and ensuring that a state’s own deployment will not introduce risks as serious as the ones they are designed to counter.

The first and most crucial step is understanding the threat that HACCAs might pose—who might gain access to them, what they can target, and when. Understanding the trajectory of HACCA capabilities and proliferation could help defenders greatly in deciding how to spend their time and money. Should they invest more in transformative efforts like refactoring codebases into memory-safe code at scale, or more in equipping vulnerable organizations with ready-to-adopt solutions? All of these will be valuable, but given that resources are limited, threat assessment should inform the relative weight between them—and the urgency of spending.

Policymakers should invest further in capability evaluations, as the Center for AI Standards and Innovation, companies, and academics are already doing—focusing even more tightly on the performance of AI systems in realistic multi-stage attack scenarios, not just idealized capture-the-flag tests. Because optimizing against evaluations risks accelerating the very capabilities they track, these evaluation procedures should be kept private or restricted to cleared stakeholders. Policymakers should also monitor proliferation dynamics to model how quickly these capabilities will reach different threat actors. One concrete step here could be designating HACCAs and adversarial use of agentic AI as a collection priority in the U.S. National Intelligence Priorities Framework.

Second, defenders must invest in capabilities and infrastructure to counter autonomous cyber operations. If offensive capabilities are indeed going to advance rapidly, then defensive R&D becomes crucial. This must be a layered approach, including delaying proliferation to malicious actors, decreasing the attack surface, detecting hostile activity, and disrupting active operations. There are already promising tools emerging, such as tools for automated vulnerability discovery and red teaming. But policymakers must grapple with a harder question. How can they design for the right defenders? Many of the most vulnerable defenders—lifeline infrastructure, open-source maintainers—are under-resourced and struggle to keep up with best practices, let alone adopt new technologies. Piling the wrong tools on top of them will do them no favors, as shown by how the open-source tool cURL had to end its bug bounty program after being inundated with low-quality AI-generated reports.

Supporting the creation of tools for under-resourced defenders is precisely where policymakers and philanthropists can have their biggest impact, because the market is least likely to solve this problem itself. To cover the whole vulnerability lifecycle, for example, research and development is needed for tools in asset inventory and patch prioritization. Here, policymakers should consider not just defenders who have traditionally been under-resourced, but also those who might be newly exposed in a rapidly automating world—financial and cloud compute providers that HACCAs might target for resources, or cyber-physical interfaces like household robots and cloud laboratories. Both new AI tools and tried-and-tested methods will be needed to harden such high-value targets.

Lastly, states should begin establishing guardrails for the development and deployment of autonomous cyber agents, before the first serious deployment forces the issue. A blanket prohibition on HACCAs is unlikely to succeed given the strength of the strategic incentives in question; attempts at “cyber arms control” have historically found little traction, and a binding international agreement on lethal autonomous weapons has yet to emerge. But guardrails short of prohibition can still meaningfully reduce risk.

Responsible deployment requires both technical and policy measures. To prevent loss of control over HACCAs, defense and intelligence agencies will want to invest in technical safeguards like agent integrity monitoring and fail-safe mechanisms. But relying purely on technical measures is fraught: HACCAs, after all, are designed explicitly to subvert such safeguards, and other states may take a keen interest in sabotaging them. As such, policy and legal safeguards would also be crucial. Given the escalation risks that HACCAs pose, states should commit internationally not to deploy them against nuclear command, control, and communications systems, and should also affirm that existing norms prohibiting attacks on critical infrastructure and civilian targets apply equally to autonomous cyber agents. In the U.S., high-risk offensive operations using HACCA-level systems should require executive-level authorization with documented risk assessments, much as covert action frameworks already require for other sensitive operations.

The operations that have already occurred, a state-sponsored espionage campaign run mostly by AI agents and a military cyber operation that helped set conditions for kinetic strikes, are just early experiments. The states deploying these systems are still learning what they can do. Policymakers, industry, and civil society have a narrowing window to shape what comes next—before capabilities increase further, incentives harden, and decisions get made by default rather than by design.

Published courtesy of Just Security.

©2026 Global Cyber Security Report. Use Our Intel. All Rights Reserved. Washington, D.C.