
Candy Safety Launches Agentic AI Red Teaming to Counter ‘Mythos Second’

The Mythos Second will be defined as the moment when the industry fully realized that human security has no chance of matching the speed and volume of AI-assisted cyberattacks.

The CSA responded to the Mythos Second with advice in The ‘AI Vulnerability Storm’: Constructing a ‘Mythos-ready’ Safety Program. It wrote, “Introduce AI agents to the cyber workforce across the board, enabling defenders to match attackers’ speed and start closing the gap.”

That is good advice if you are able to follow it. Of the hundreds of vulnerabilities being discovered, only some will be relevant to any one environment, and even fewer will be exploitable within that configuration. These are the vulnerabilities that need to be remediated fast – the rest can be safely ignored (at least for the time being).

The problem is finding and fixing exploitable vulnerabilities while keeping pace with the new vulnerabilities being continuously discovered or introduced. Agentic AI red teaming offers a theoretical solution but would require a deep knowledge of each infrastructure concerned.

Frontier models are good generalists, but they don’t know individual clouds. So, an agentic system must be designed specifically for its user’s own environment. Security teams then have the additional problem of maintaining the agents’ contextual knowledge base.


Candy Safety is offering a potential solution, simultaneously providing automated continuous agentic red teaming built on an automatic and detailed knowledge of each customer’s own infrastructure – Candy Attack.

“Since day one, Candy has been indexing runtime data directly from inside our customers’ environments: runtime topology, unencrypted Layer 7 exposure, deployed source code, identity paths, and live application behavior,” Candy explains. “That index is the substrate the agent reasons over. A frontier model on its own can hypothesize about an environment; Candy Attack knows the environment.”

Candy Safety automatically provides and maintains the full context necessary for Candy Attack to operate. The agent doesn’t need to guess at attack paths through the environment to exploit the vulnerability. It can see, says Candy, “The roads most traveled, where the water actually runs – not theoretical paths with no data behind them. There’s a heuristic guiding which options and traversals are worth exploring, and which aren’t. It only goes where there’s a path worth walking.”


Since this is done by a machine at machine speed continuously, there’s no waiting for the next scheduled human red team operation, nor concern over tiredness, boredom, stress or any other human condition that could result in something present being missed.

“Other tools enumerate every possible path. Candy Attack finds the ones an attacker would actually take,” Yigael Berger, chief AI officer at Candy Safety, told information.killnetswitch, “because it’s reasoning over the real environment, not a model of one.”

This real environment is the whole environment, including any shadow IT and shadow AI that may be unknown to the human red team. Candy Attack discovers runtime assets and behaviors that might not be formally documented, including shadow AI components, AI agents, MCP servers, tools, packages, APIs, and other infrastructure components – including itself.

It does this continuously and rapidly. If DevOps introduces a new vibe-coded app, or if an employee quietly downloads a SaaS app, Candy Attack will reevaluate potential attack paths as soon as any new component appears in the runtime environment.


Knowing which vulnerabilities can be exploited by understanding any and all attack paths that can reach them provides a timetable for vulnerability remediation. Inconsequential vulnerabilities can be ignored, knowing they will continuously be reevaluated if new additions to the infrastructure create new attack paths.

One beta tester, the CISO at Forged & Crew, commented that his environment had employed third-party red teamers yearly, always resulting in clean reports. “Candy Attack ran for 3 days and surfaced fully exploitable attack chains these engagements never came near. It didn’t end there – Candy Attack gave us a concrete mitigation and remediation action plan that had us completely secure within two hours.”

The goal of Candy Attack is to do what the CSA recommends: “start closing the gap” between AI-assisted attackers and AI-assisted defenders. It’s available now to Candy Safety customers.
