The Kill Chain Is Obsolete When Your AI Agent Is the Threat
The Kill Chain Is Obsolete When Your AI Agent Is the Threat
In September 2025, Anthropic disclosed that a state-sponsored threat actor used an AI coding agent to execute an autonomous cyber espionage campaign against 30 global targets. The AI handled 80-90% of tactical operations on its own, performing reconnaissance, writing exploit code, and attempting lateral movement at machine speed. This incident is worrying, but there’s a scenario that should concern security teams even more: an attacker who doesn’t need to run through the kill chain at all, because they’ve compromised an AI agent that already lives inside your environment. One that already has the access, the permissions, and a legitimate reason to move across your systems every day.
The traditional cyber kill chain assumes attackers have to earn every inch of access. It’s a model developed by Lockheed Martin in 2011 to describe how adversaries move from initial compromise to their ultimate objective, and it’s shaped how security teams think about detection ever since. A typical intrusion moves through distinct stages:
- Initial access
- Persistence without triggering alerts
- Reconnaissance to understand the environment
- Lateral movement to reach valuable data
- Privilege escalation when access isn’t sufficient
- Exfiltration while avoiding DLP controls
Each stage creates detection opportunities: endpoint security might catch the initial payload, network monitoring might spot unusual lateral movement, identity systems might flag a privilege escalation, and SIEM correlations might tie together anomalous behaviors across systems. The problem here, though, is that AI agents don’t really follow this playbook.
AI agents operate fundamentally differently from human users. If compromised, an attacker bypasses the entire kill chain - the agent itself becomes the kill chain. An AI agent’s activity history is a perfect map of what data exists and where it resides. It was granted broad permissions at deployment, often admin-level access across multiple applications, and it already moves data between systems as part of its job. An attacker who compromises that agent inherits all of it instantly. They get the map, the access, the permissions, and a legitimate reason to move data around. Every stage of the kill chain that security teams have spent years learning to detect? The agent skips all of them by default.
The OpenClaw crisis showed what this looks like in practice: Roughly 12% of skills in its public marketplace were malicious. A critical RCE vulnerability allowed one-click compromise. Over 21,000 instances were publicly exposed. The scarier part was what a compromised agent could access once it was connected to Slack and Google Workspace: messages, files, emails, and documents, with persistent memory across sessions. The main problem is that security tools are designed to detect abnormal behavior. When an attacker rides an AI agent’s existing workflow, everything looks normal. The agent is accessing the systems it always accesses, moving the data it always moves, operating at the times it always operates. This is the detection gap security teams are facing.
The traditional kill chain assumed that attackers had to fight for every inch of access. AI agents upend that assumption entirely. One compromised agent can give an attacker legitimate access, a perfect map of the environment, broad permissions, and built-in cover for data movement, without a single step that looks like an intrusion. Security teams that are still focused exclusively on detecting human attacker behavior are going to miss this. The attackers will be riding your AI agents’ existing workflows, invisible in the noise of normal operations. Sooner or later, an AI agent in your environment will be targeted.