
A Practical Defense Against AI-led Attacks




The era of AI-driven cyberattacks is here, demonstrated by the recent abuse of an agentic AI tool in a broad espionage campaign. Defense requires a new approach centered on preemptive exposure management: reinforcing the security fundamentals, defining and defending the new AI attack surface, and responding to attacks with defensive AI of our own.

Key takeaways:

  1. The recent cyber espionage campaign that abused Anthropic’s Claude Code to automate nearly 90% of the attack chain confirms that agentic AI threats have graduated from hypothetical scenarios to operational realities.
     
  2. Because AI agents can weaponize vulnerabilities almost instantly, organizations must abandon standard CVSS-based remediation in favor of exposure prioritization that focuses on blocking viable attack paths to critical assets.
     
  3. Security teams must move beyond reactive patching to a preemptive exposure management strategy that enforces non-negotiable fundamentals like phishing-resistant MFA and strict least privilege to limit AI traversal.
     
  4. Defenders must gain visibility into the dual nature of the AI landscape by controlling internal "shadow AI" data leaks and hardening external infrastructure against automated AI reconnaissance.

A new threshold has been crossed

The theoretical discussion around AI-driven cyberattacks — involving automated agents, AI-generated exploits, and virtually undetectable phishing — is now a reality. As AI models continually improve, they are increasingly capable of augmenting attacks, enabling attackers to execute them with a much higher level of sophistication and speed.

The most recent example of this concerning trend is Anthropic’s disclosure that its Claude Code agentic AI tool was abused by nation-state attackers to launch a broad cyber espionage campaign against about 30 organizations, several of which were breached before Anthropic cancelled the attackers’ Claude Code accounts.

After jailbreaking Claude Code, the attackers used it to automate between 80% and 90% of the cyber espionage campaign, according to Anthropic. Specifically, the attackers got Claude Code to perform tasks including:

  • Performing reconnaissance on target systems
  • Writing its own exploit code for known vulnerabilities it discovered
  • Harvesting credentials to move laterally and escalating privileges
  • Exfiltrating data and documenting the attack for its human operators

Anthropic also noted that Claude Code overstated findings and hallucinated during autonomous operations, a turn of events that ironically helped security efforts by acting as an obstacle for the attackers.

Still, as models mature, agentic AI-led attacks will become both more likely and more capable.

Let’s be clear: The Nov. 13 disclosure by Anthropic marks the start of a new era from which there is no turning back. At the same time, it shines a light on issues that have challenged security teams for years. The urgency for preemptive exposure management has never been higher.

— Robert Huber, Tenable CSO, "Agentic AI Security: Keep Your Cyber Hygiene Failures from Becoming a Global Breach"

When we think about defense against an adversary like this, the old rules still apply, but they are no longer sufficient. We need a new playbook, one rooted in a preemptive exposure management strategy.

In this blog, we’ll break down the process of successfully defending against an AI attack into three core phases: reinforcing non-negotiable fundamentals, defining and defending the new AI attack surface, and, ultimately, fighting AI with AI.

Phase 1: From fundamentals to proactive exposure management

The jailbroken Claude Code AI agent didn’t perform magic for the attackers; it didn't, for example, invent zero-days from scratch. Rather, it exploited the same gaps security teams have been trying to close for decades: weak credentials, unpatched systems, and overly permissive access. The difference is that the AI automates and accelerates the exploitation of those gaps.

Security fundamentals must evolve. They are no longer a reactive checklist; they must become a unified, proactive, and predictive program.

1. Multi-factor authentication (MFA) is not optional

According to Anthropic, the AI agent harvested credentials at scale. That’s why MFA must be everywhere, on every account, for every login.

But it has to go further. Organizations can no longer be satisfied with spoof-able or fatigue-able methods like SMS or push notifications. An AI-driven attack can and will leverage social engineering to trick a user into clicking the link or taking the action that triggers the initial compromise.

This is why we, as an industry, must push for the strongest forms of MFA, particularly phishing-resistant authenticators like FIDO2-compliant keys (e.g., YubiKey) or high-assurance biometrics. These methods verify the user and the origin of the login request, making it exponentially harder for a credential-harvesting AI to succeed, even if it has the password. We cannot leave any margin for spoofing.
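To make the "verifies the origin of the login request" point concrete, here is an added example (not code from the original post or from Tenable) of the checks a relying party performs on a WebAuthn/FIDO2 assertion. The RP ID, the allowed origin, and the helper functions that mimic what a browser and authenticator emit are all assumptions constructed for the example. The key property: the browser writes the origin it is actually connected to into clientDataJSON, and the authenticator signs a hash of that structure, so a signature obtained through a look-alike phishing domain does not verify for the real site.

```python
import base64
import hashlib
import json
import secrets

# Assumed relying-party configuration for this example.
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}
FLAG_USER_PRESENT = 0x01


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def verify_client_data(client_data_json: bytes, expected_challenge: bytes):
    """Validate the clientDataJSON half of a WebAuthn assertion.

    The browser fills in the origin it is really talking to, and the
    authenticator signs SHA-256(clientDataJSON), so an assertion produced on a
    look-alike domain fails here even if the user typed a correct password.
    """
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if data.get("type") != "webauthn.get":
        return False, f"unexpected type {data.get('type')!r}"
    try:
        challenge = b64url_decode(data.get("challenge", ""))
    except (ValueError, TypeError):
        return False, "challenge is not base64url"
    if not secrets.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch (replayed or stale assertion)"
    origin = data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not an allowed origin"
    return True, "ok"


def verify_authenticator_data(auth_data: bytes, rp_id: str = RP_ID):
    """Validate the authenticatorData half: rpIdHash binds the credential to this RP."""
    if len(auth_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        return False, "authenticatorData too short"
    rp_hash, flags = auth_data[:32], auth_data[32]
    if not secrets.compare_digest(rp_hash, hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash does not match this relying party"
    if not flags & FLAG_USER_PRESENT:
        return False, "user presence flag not set"
    return True, "ok"


def signed_payload(auth_data: bytes, client_data_json: bytes) -> bytes:
    """The bytes the authenticator signs; check the credential's signature over this."""
    return auth_data + hashlib.sha256(client_data_json).digest()


# Constructed helpers that mimic a browser/authenticator (not a real authenticator).
def make_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
        "crossOrigin": False,
    }).encode()


def make_authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([FLAG_USER_PRESENT]) + counter.to_bytes(4, "big"))


def demo():
    challenge = secrets.token_bytes(32)
    return {
        "legit": verify_client_data(make_client_data("https://login.example.com", challenge), challenge),
        "phish": verify_client_data(make_client_data("https://login-example.com", challenge), challenge),
        "replay": verify_client_data(make_client_data("https://login.example.com", secrets.token_bytes(32)), challenge),
        "wrong_rp": verify_authenticator_data(make_authenticator_data("attacker.example")),
        "good_rp": verify_authenticator_data(make_authenticator_data(RP_ID)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9} -> {result}")
```

The origin and rpIdHash checks are what make the factor phishing-resistant; a one-time code typed into a proxy page has no equivalent binding, which is why SMS and push approval remain vulnerable to AI-generated lures.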

2. The principle of least privilege

This is how the attacks unfolded, according to Anthropic: The AI agent traversed the network across multiple systems, mirroring the actions of a human intruder in its search for high-value data. The key disparity lies in efficiency: a human generates discernible activity and requires considerable time. In contrast, an AI can investigate thousands of potential vectors in seconds.

This is where the principle of least privilege becomes a primary containment strategy. But you can't enforce it if you can't see the pathways. This is a core tenet of exposure management. Platforms like Tenable One provide attack path analysis, which shows you exactly how an attacker (or an AI agent) could chain together seemingly low-risk permissions and assets to reach a crown jewel asset.

By visualizing these toxic combinations, you can:

  • Prioritize least privilege: Instead of guessing, you can remove the specific permissions that create the most dangerous attack paths.
  • Implement just-in-time (JIT) access: No one should "own" admin privileges. They should be requested, with justification, for a limited time, and then automatically revoked.
  • Contain the breach: If an AI attacker compromises an account, the game should be over before it begins. Focus on remediating “choke points” — single exposures or vulnerable assets that, when fixed, can break dozens of viable attack paths. This leaves a compromised account with no viable path to critical systems.

3. Aggressive patching is not enough

The AI wrote its own exploit code for known vulnerabilities. This means that the window between a CVE's disclosure and its weaponization has shrunk from weeks or days to, potentially, seconds.

A high-volume, speed-focused approach to remediating vulnerabilities based on scores from the Common Vulnerability Scoring System (CVSS) is a losing strategy. Your team can't read a CVE bulletin, research it, test a patch, and schedule a deployment window before an AI has already scanned your entire public-facing infrastructure, found the vulnerability, and written the code to exploit it. Plus, this approach tells you nothing about the actual risk to your business.

This is the base argument for a true exposure management platform. We, as an industry, must win this race by being smarter, not just faster. You can’t remediate vulnerabilities in a vacuum, clueless about all the other exposures in your hybrid environment.

You need to:

  • See your whole exposure landscape: You can't patch what you can't see. An AI agent is scanning your entire attack surface — IT, cloud, operational technology (OT), web apps, and identity systems. You need a single, unified platform that sees it all.
  • Prioritize what matters: Stop chasing every critical vulnerability. We must use predictive prioritization to determine the small subset that are actually being exploited or are likely to be exploited in the near future.
  • Focus on attack paths: An AI agent is looking for the easiest way in. By combining predictive vulnerability data with attack path analysis, you can focus your resources on fixing the one vulnerability on the one asset that gives the AI a direct path to your domain controller or customer database.
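The attack path analysis described under the principle of least privilege above and the "focus on attack paths" point here are two views of the same computation, so one added example (not code from the original post or from Tenable One) serves both. The assets, edges, exposure names and CVSS values below are constructed for the example, not real systems or CVEs. Each edge is the single exposure an intruder needs to move from one node to the next; the code enumerates every simple path from a phished workstation to the crown jewels, counts how many paths each exposure sits on, and ranks remediation by paths broken rather than by CVSS.

```python
from collections import defaultdict

# Constructed environment (hypothetical assets and exposure names, not real CVEs):
# each edge is the single exposure an intruder needs to move from src to dst.
EDGES = [
    ("Workstation", "FileServer", "perm-shared-local-admin"),
    ("Workstation", "WebServer",  "vuln-web-rce"),
    ("Workstation", "Printer",    "vuln-printer-rce"),
    ("FileServer",  "AdminSvc",   "perm-creds-in-share"),
    ("WebServer",   "AdminSvc",   "perm-web-runs-as-admsvc"),
    ("AdminSvc",    "DC01",       "perm-admsvc-domain-admin"),
    ("DC01",        "CustomerDB", "perm-da-owns-db"),
    ("JumpHost",    "DC01",       "vuln-jumphost-rce"),
]
# CVSS for the software flaws; permission/configuration exposures carry no CVSS at all.
EXPOSURES = {
    "vuln-printer-rce":         {"cvss": 9.8, "exploited": False},
    "vuln-jumphost-rce":        {"cvss": 9.8, "exploited": False},
    "vuln-web-rce":             {"cvss": 7.5, "exploited": True},
    "perm-shared-local-admin":  {"cvss": 0.0, "exploited": False},
    "perm-creds-in-share":      {"cvss": 0.0, "exploited": False},
    "perm-web-runs-as-admsvc":  {"cvss": 0.0, "exploited": False},
    "perm-admsvc-domain-admin": {"cvss": 0.0, "exploited": False},
    "perm-da-owns-db":          {"cvss": 0.0, "exploited": False},
}
FOOTHOLD = "Workstation"
CROWN_JEWELS = {"DC01", "CustomerDB"}


def build_graph(edges):
    graph = defaultdict(list)
    for src, dst, exposure in edges:
        graph[src].append((dst, exposure))
    return graph


def attack_paths(graph, start, targets):
    """All simple paths from start to any target, each as the list of exposures used."""
    paths = []

    def dfs(node, visited, used):
        if node in targets:
            paths.append(list(used))  # keep exploring: a DC may lead on to more jewels
        for nxt, exposure in graph.get(node, []):
            if nxt in visited:
                continue
            visited.add(nxt)
            used.append(exposure)
            dfs(nxt, visited, used)
            used.pop()
            visited.discard(nxt)

    dfs(start, {start}, [])
    return paths


def paths_broken(paths):
    """How many attack paths disappear if a given exposure is fixed."""
    counts = defaultdict(int)
    for path in paths:
        for exposure in set(path):
            counts[exposure] += 1
    return counts


def prioritize(exposures, paths):
    """Exposure-based order: paths broken first, then known exploitation, then CVSS."""
    broken = paths_broken(paths)
    return sorted(exposures, key=lambda e: (-broken.get(e, 0),
                                            -exposures[e]["exploited"],
                                            -exposures[e]["cvss"]))


def cvss_order(exposures):
    """The ordering a score-only remediation queue would produce."""
    return sorted(exposures, key=lambda e: -exposures[e]["cvss"])


def paths_after_fix(edges, fixed, start=FOOTHOLD, targets=CROWN_JEWELS):
    """Re-run the analysis with one exposure remediated (its edge removed)."""
    return attack_paths(build_graph([e for e in edges if e[2] != fixed]), start, targets)


if __name__ == "__main__":
    found = attack_paths(build_graph(EDGES), FOOTHOLD, CROWN_JEWELS)
    print(f"{len(found)} attack paths to crown jewels")
    print("CVSS order:    ", cvss_order(EXPOSURES))
    print("Exposure order:", prioritize(EXPOSURES, found))
    for fix in ("vuln-printer-rce", "perm-admsvc-domain-admin"):
        print(f"fix {fix}: {len(paths_after_fix(EDGES, fix))} paths remain")
```

In this environment the two 9.8-scored vulnerabilities sit on no viable path at all (a dead-end printer and an unreachable jump host), while an over-privileged service account with no CVSS score is the choke point on every path to both crown jewels. Fixing it alone leaves zero paths; patching the printer leaves all of them.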

4. The human firewall

Phishing emails are approaching perfection. The spelling mistakes and grammar errors are all gone. AI can generate flawless, context-aware, and highly persuasive emails in any language.

If you want to create a solid human firewall, security awareness training can no longer simply be a 30-minute annual video about not clicking on strange links. The new training needs to focus on psychological manipulation and process verification.

You must train employees to be suspicious of the request, not the presentation. Employees must be trained to detect elements such as:

  • Urgency ("I need this done now")
  • Secrecy ("Don't tell anyone...")
  • Authority ("This is the CEO...")
  • Unusual actions ("Process an urgent wire transfer to this new vendor...").

The only defense here is to change your security awareness culture, reinforced by effective organizational tools. Empower every employee to pause and manually verify a suspicious request before acting on it. This forced attention and time delay interrupts the reflexive click. Pick up the phone. Send a message on a separate platform. Tools should be deployed to enforce this delay and add visual cues, marking up links to prompt caution. We must build a culture where “I’m just calling to verify this request” is met with “Thank you, I appreciate you checking.”

Phase 2: Owning the new AI attack surface

AI isn't just a tool for the attacker; it is the attacker. And it creates a brand-new, two-way attack surface security teams now own.

1. Outgoing: Employees using AI

This is the one most leaders think of first. What happens when our employees, with good intentions, paste proprietary source code, customer contracts, or strategic plans into a public AI model? That data is now out of our control.

This is a massive, unchecked vector for data exfiltration and intellectual property loss. You can't just block AI tools — the productivity benefits are too great. Tenable AI Exposure and Tenable AI Aware, which are part of the Tenable One Exposure Management Platform, are designed to address this exact use case.

Tenable AI Exposure helps security teams see, secure and manage AI usage across the organization. It provides visibility into:

  • AI platforms and agents coupled with user intent, prompts and responses
  • Malicious activity such as prompt injections and jailbreak attempts
  • Potential data exposure from misconfigurations and unsafe connections

Meanwhile, Tenable AI Aware provides visibility and control over the shadow AI in an organization. It allows you to:

  • Surface the unauthorized use of AI.
  • Detect AI vulnerabilities.
  • Illuminate AI development.

2. Incoming: Malicious AI against you

What happens when a malicious AI agent starts attacking your public-facing infrastructure?

An AI agent's first step is always reconnaissance. It's looking for an easy way in. This is where a comprehensive attack surface management (ASM) program becomes non-negotiable. You cannot defend an attack surface you can't see.

By having an "attacker's-eye view" of your own organization, you can proactively find and remediate the exposures — open ports, vulnerable software, misconfigured cloud services — before the malicious AI agent ever gets a chance to find them.

Phase 3: Fighting AI with AI

This is the core of the new defense, and it's the most important shift.

A team of cybersecurity professionals, no matter how brilliant, cannot manually review logs to stop an attack that makes thousands of requests per second. You cannot out-read, out-click, or out-think an AI tool. You can only fight an AI tool with a better AI tool.

1. AI-powered threat detection

We, as an industry, must use AI to defend ourselves. This is the same philosophy Tenable is applying to vulnerability management — using AI to predict which vulnerabilities are most likely to be exploited. Behavioral baselining has become key. Security teams need to build a baseline of normal behavior for every user and device, and then alert on deviation.

2. Real-time anomaly detection

An AI defender can see context that a human analyst will miss. For example: An account logs in to GitHub from a new country at 3 a.m., clones three repos it has never touched, and tries to access an API endpoint. Any one of those events might be benign. But an AI-powered SIEM can see the entire chain, recognize it as a high-probability anomaly sequence (impossible travel followed by unusual data access), and instantly lock the account.
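The chain above can be expressed as ordinary detection logic before any model is involved: build a per-user baseline from history, score each new event against it, and correlate the deviations inside a short window. Here is an added example (not code from the original post or from any SIEM product) that does exactly that over constructed audit events; the users, repositories, countries, the 30-minute window and the 12-hour impossible-travel threshold are all assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, user, action, **fields):
    return json.dumps({"ts": ts, "user": user, "action": action, **fields})


# Constructed history: 20 days of routine activity for two users (not real logs).
HISTORY_LINES = []
for day in range(1, 21):
    d = f"2025-11-{day:02d}"
    HISTORY_LINES += [
        _ev(f"{d}T08:55:00", "alice", "login", country="US"),
        _ev(f"{d}T10:12:00", "alice", "clone", repo="billing-api"),
        _ev(f"{d}T14:30:00", "alice", "api", endpoint="/v1/invoices"),
        _ev(f"{d}T17:05:00", "alice", "login", country="US"),
        _ev(f"{d}T09:10:00", "bob", "login", country="DE"),
        _ev(f"{d}T11:00:00", "bob", "clone", repo="web-frontend"),
    ]

# Constructed events under investigation: the 3 a.m. chain for alice, one
# lone off-hours login for bob.
SUSPECT_LINES = [
    _ev("2025-11-21T03:02:00", "alice", "login", country="RO"),
    _ev("2025-11-21T03:04:00", "alice", "clone", repo="infra-secrets"),
    _ev("2025-11-21T03:05:00", "alice", "clone", repo="payroll-export"),
    _ev("2025-11-21T03:06:00", "alice", "clone", repo="customer-pii"),
    _ev("2025-11-21T03:09:00", "alice", "api", endpoint="/admin/export"),
    _ev("2025-11-21T22:40:00", "bob", "login", country="DE"),
]

LOGIN_SIGNALS = {"new-country", "impossible-travel"}


def parse(lines):
    events = [json.loads(line) for line in lines]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events):
    """Per-user profile of normal hours, countries, repos, endpoints and last login."""
    base = defaultdict(lambda: {"countries": set(), "hours": set(), "repos": set(),
                                "endpoints": set(), "last_login": None})
    for e in events:  # events are chronological, so last_login ends up newest
        b = base[e["user"]]
        b["hours"].add(e["ts"].hour)
        if e["action"] == "login":
            b["countries"].add(e["country"])
            b["last_login"] = (e["ts"], e["country"])
        elif e["action"] == "clone":
            b["repos"].add(e["repo"])
        elif e["action"] == "api":
            b["endpoints"].add(e["endpoint"])
    return base


def score_event(e, b):
    """Return the list of ways this event deviates from the user's baseline."""
    reasons = []
    if e["ts"].hour not in b["hours"]:
        reasons.append("off-hours")
    if e["action"] == "login":
        if e["country"] not in b["countries"]:
            reasons.append("new-country")
        last = b["last_login"]
        if last and last[1] != e["country"] and e["ts"] - last[0] < timedelta(hours=12):
            reasons.append("impossible-travel")
        b["last_login"] = (e["ts"], e["country"])
    elif e["action"] == "clone" and e["repo"] not in b["repos"]:
        reasons.append("new-repo")
    elif e["action"] == "api" and e["endpoint"] not in b["endpoints"]:
        reasons.append("new-endpoint")
    return reasons


def detect_chains(events, baseline, window=timedelta(minutes=30), threshold=3):
    """Lock an account when a login anomaly is followed by enough further anomalies
    inside the window; isolated deviations are left alone."""
    per_user = defaultdict(list)
    for e in events:
        reasons = score_event(e, baseline[e["user"]])
        if reasons:
            per_user[e["user"]].append((e["ts"], reasons))
    verdicts = {}
    for user, anomalies in per_user.items():
        for i, (t0, _) in enumerate(anomalies):
            chain = [a for a in anomalies[i:] if a[0] - t0 <= window]
            signals = {r for _, rs in chain for r in rs}
            if len(chain) >= threshold and signals & LOGIN_SIGNALS:
                verdicts[user] = {"action": "lock", "events": len(chain),
                                  "signals": sorted(signals)}
                break
    return verdicts


def run_detection():
    baseline = build_baseline(parse(HISTORY_LINES))
    return detect_chains(parse(SUSPECT_LINES), baseline)


if __name__ == "__main__":
    print(json.dumps(run_detection(), indent=2))
```

The point the paragraph makes is visible in the result: bob's single off-hours login produces one deviation and no action, while alice's login is both a new country and impossible travel against her 17:05 login from the US ten hours earlier, and the three unfamiliar clones plus the unknown endpoint within seven minutes turn it into a chain worth locking on.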

3. The AI-assisted incident response playbook

As Anthropic noted, its own defense team used Claude Code extensively to analyze the attack. Security professionals must prepare to have AI as a "teammate" in the security operations center (SOC). Everyone should have a “prompt gallery" ready to go during an incident.

Here is an example of a phased playbook you could use with any LLM. Two caveats apply. First, the alerts and logs you paste are themselves sensitive data, so run these prompts against a model your organization has approved and controls rather than a public consumer service (this is the shadow AI problem from Phase 2), and remember that log contents can carry attacker-controlled text that may try to steer the model. Second, treat the model's output as a draft for analyst review: as Anthropic's own report noted, these models overstate findings and hallucinate.

Step I: Triage

Your SIEM is firing 10,000 alerts. A human analyst can't cope.

  • Prompt: "[PASTE BATCH OF 1000 ALERTS] Correlate these alerts based on timestamp, source IP, user, and asset. Identify the top 5 unique incidents, summarize each one, and provide a recommended priority level (Critical, High, Medium, Low) based on potential impact."
  • Benefit: Turns 10,000 unmanageable alerts into five actionable incidents.

Step II: Analysis 

You have a critical incident. You need to know what happened.

  • Prompt (IoC): "Analyze these firewall, EDR, and Active Directory logs from [timestamp] to [timestamp] for user [username]. Identify all anomalous activities, list associated IoCs (IPs, domains, file hashes), and map them to the MITRE ATT&CK framework."
  • Prompt (Root Cause): "Based on this confirmed malicious activity [summary], what are the 3 most likely root causes? What data would I need to collect to prove or disprove each one?"
  • Benefit: Reduces hours of manual log correlation to seconds, providing immediate TTP mappings and root cause hypotheses to investigate.

Step III: Remediation 

You've confirmed the attack. You need to act.

  • Prompt: "Generate a step-by-step remediation plan for a compromised Windows endpoint exhibiting behavior consistent with [MITRE TTP]. Include PowerShell commands for network isolation, registry key removal, and EDR/antivirus scanning. Also, draft a brief, non-technical communication for the affected user."
  • Prompt (Containment): "What are the immediate containment actions for a suspected lateral movement attack originating from [IP address]? Provide the specific firewall rules and Active Directory actions to disable the suspected account."
  • Benefit: Provides immediate draft response procedures for an analyst to review and execute, reducing mean-time-to-remediate (MTTR) and minimizing human error under pressure.

Step IV: Post-incident and reporting 

The incident is over. Time to report and improve.

  • Prompt: "Summarize this entire incident [paste all incident data/summaries] into a 3-paragraph executive summary for a non-technical audience. Focus on business impact, actions taken, and next steps."
  • Prompt (Improvement): "What are the top 3 security control gaps identified from this incident? Recommend specific, long-term improvements to our security posture."
  • Benefit: Dramatically accelerates the reporting and feedback loop, turning a crisis into actionable, data-driven security improvements.

Conclusion: Humans, augmented

The age of AI-driven attacks is already here. The Anthropic report is a warning of what’s fast becoming the new normal.

This incident is an accelerator. Organizations must perfect the fundamentals, embrace a proactive exposure management strategy, and see the entire attack surface.

The human defender is not being replaced. We are being augmented. The future of cybersecurity is not a struggle between humans and AI. It's humans, armed with a unified exposure management platform, versus an attacker's AI. The winner will be the team that builds the best partnership between human intuition and algorithmic speed.

This is the new frontier. Let's get to work.

