In September 2025, Anthropic disclosed {that a} state-sponsored risk actor used an AI coding agent to execute an autonomous cyber espionage marketing campaign towards 30 international targets. The AI dealt with 80-90% of tactical operations by itself, performing reconnaissance, writing exploit code, and making an attempt lateral motion at machine pace.
This incident is worrying, however there is a situation that ought to concern security groups much more: an attacker who does not have to run via the kill chain in any respect, as a result of they’ve compromised an AI agent that already lives inside your setting. One which already has the entry, the permissions, and a respectable motive to maneuver throughout your techniques day by day.
A Framework Constructed for Human Threats
The standard cyber kill chain assumes attackers must earn each inch of entry. It is a mannequin developed by Lockheed Martin in 2011 to explain how adversaries transfer from preliminary compromise to their final goal, and it is formed how security groups take into consideration detection ever since.
The logic is easy: attackers want to finish a sequence of steps, and defenders can interrupt the chain at any level. Each stage an attacker has to go via is one other alternative to catch them.
A typical intrusion strikes via distinct levels:
- Preliminary entry (exploiting a vulnerability, and so forth.)
- Persistence with out triggering alerts
- Reconnaissance to grasp the setting
- Lateral motion to succeed in helpful information
- Privilege escalation when entry is not adequate
- Exfiltration whereas avoiding DLP controls
Every stage creates detection alternatives: endpoint security would possibly catch the preliminary payload, community monitoring would possibly spot uncommon lateral motion, id techniques would possibly flag a privilege escalation, and SIEM correlations would possibly tie collectively anomalous behaviors throughout techniques. The extra steps an attacker takes, the extra possibilities there are to journey a wire.
For this reason superior risk actors like LUCR-3 and APT29 make investments closely in stealth, spending weeks dwelling off the land and mixing into regular visitors. Even then, they depart artifacts: uncommon login places, odd entry patterns, slight deviations from baseline conduct. These artifacts are precisely what trendy detection techniques are engineered to seek out.
The issue right here, although, is that AI brokers do not actually comply with this playbook.
What an AI Agent Already Has
AI brokers function basically otherwise from human customers. They work throughout techniques, transfer information between purposes, and run constantly. If compromised, an attacker bypasses the complete kill chain – the agent itself turns into the kill chain.
Take into consideration what an AI agent sometimes has entry to. Its exercise historical past is an ideal map of what information exists and the place it resides. It most likely pulls from Salesforce, pushes to Slack, syncs with Google Drive, and updates ServiceNow as a part of its regular workflow. It was granted broad permissions at deployment, typically admin-level entry throughout a number of purposes, and it already strikes information between techniques as a part of its job.
An attacker who compromises that agent inherits all of it immediately. They get the map, the entry, the permissions, and a respectable motive to maneuver information round. Each stage of the kill chain that security groups have spent years studying to detect? The agent skips all of them by default.
The Menace Is Already Taking part in Out
The OpenClaw disaster confirmed us what this appears to be like like in observe:
Roughly 12% of expertise in its public market have been malicious. A vital RCE vulnerability allowed one-click compromise. Over 21,000 situations have been publicly uncovered. However the scarier half was what a compromised agent may entry as soon as it was related to Slack and Google Workspace: messages, recordsdata, emails, and paperwork, with persistent reminiscence throughout periods.
The primary drawback is that security instruments are designed to detect irregular conduct. When an attacker rides an AI agent’s present workflow, every little thing appears to be like regular. The agent is accessing the techniques it all the time accesses, shifting the information it all the time strikes, working on the instances it all the time operates.
That is the detection hole security groups are going through.
How Reco Closes the Visibility Hole
Defending towards compromised AI brokers begins with figuring out which brokers are working in your setting, what they hook up with, and what permissions they maintain. Most organizations don’t have any stock of the AI brokers touching their SaaS ecosystem. That is precisely the form of drawback Reco was constructed to unravel.
Uncover Each AI Agent in Play
Reco’s Agentic AI Safety discovers each AI agent, embedded AI function, and third-party AI integration throughout your SaaS setting, together with shadow AI instruments related with out IT approval.
 |
| Determine 1: Reco’s AI Brokers Stock, displaying found brokers and their connections to GitHub. |
Map Entry Scope and Blast Radius
For every agent, Reco maps which SaaS apps it connects to, what permissions it holds, and what information it may entry. Reco’s SaaS-to-SaaS visualization reveals precisely how brokers combine throughout your software ecosystem, surfacing poisonous combos the place AI brokers bridge techniques collectively via MCP, OAuth, or API integrations, creating permission breakdowns that no single software proprietor would authorize.
 |
| Determine 2: Reco’s Data Graph surfacing a poisonous mixture between Slack and Cursor through MCP. |
Flag Targets, Implement Least Privilege
Reco identifies which brokers characterize your largest publicity by evaluating permission scope, cross-system entry, and information sensitivity. Brokers related to rising dangers are robotically labeled. From there, Reco helps you right-size entry via id and entry governance, straight limiting what an attacker can do if an agent is compromised.
 |
| Determine 3: Reco’s AI Posture Checks with security scores and IAM compliance findings. |
Detect Anomalous Agent Exercise
Reco’s risk detection engine applies identity-centric behavioral evaluation to AI brokers the identical approach it does to human identities, distinguishing regular automation from suspicious deviations in actual time.
 |
| Determine 4: A Reco alert flagging an unsanctioned ChatGPT connection to SharePoint. |
What This Means for Your Group
The standard kill chain assumed that attackers needed to battle for each inch of entry. AI brokers upend that assumption fully.
One compromised agent may give an attacker respectable entry, an ideal map of the setting, broad permissions, and built-in cowl for information motion, and not using a single step that appears like an intrusion.
Safety groups which can be nonetheless targeted solely on detecting human attacker conduct are going to overlook this. The attackers shall be using your AI brokers’ present workflows, invisible within the noise of regular operations.
In the end, an AI agent in your setting shall be focused. Visibility is the distinction between catching it early and discovering out throughout incident response. Reco offers you that visibility, throughout your complete SaaS ecosystem, in minutes.
Be taught extra right here: Request a Demo: Get Began With Reco.
