THREAT INTELLIGENCE | AI SECURITY
13 min read

Autonomous AI Security Agents in 2026: From Glasswing to the Next Generation of Offensive AI

What security practitioners need to understand about agentic AI, how it changes the attacker threat model, and what defenders must do now

Sources:Anthropic Claude Mythos and Project Glasswing|ExploitBench V8 ACE Benchmark Results|UK AI Security Institute Cyber Range Validation|Claude Security Public Beta Program|XBOW Published Evaluation of Autonomous AI Security Capability|SCONE-Bench Smart Contract Security Evaluation
21/41
V8 ACEs solved by Mythos (all other models: 0)
10,000+
Security findings from Project Glasswing
200+
Partner organizations assessed via Glasswing

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The dominant mental model most security practitioners use for AI in security is an LLM-assisted workflow: a human asks a question, the AI answers, the human decides what to do. That model is already obsolete for the frontier. Autonomous AI security agents do not wait for questions. They receive goals, form multi-step plans, execute actions using tools, observe results, revise their approach, and iterate until the task is complete or they exhaust their approach. Claude Mythos is the clearest current example of what this looks like in practice. It solved 21 of 41 V8 browser-engine arbitrary code execution challenges on ExploitBench. Every other AI model scored zero. Project Glasswing applied that capability to real organizations: 200-plus assessments, 10,000-plus findings, 9 confirmed CVEs. The agentic era of AI security is not coming. It is here. This post explains what autonomous AI agents actually are, how Mythos operates as one, and what defenders must do to stay ahead of the capability curve.

What Makes an AI Agent Autonomous

The word 'autonomous' is used loosely in AI marketing, but it has a specific technical meaning in the context of security agents. An autonomous AI agent has four properties that distinguish it from a prompted LLM: tool use, multi-step planning, feedback loops, and memory. Tool use means the agent can take actions in the world, not just generate text. It can run code, browse the web, call APIs, interact with a debugger, or execute system commands. Multi-step planning means the agent can break a complex goal into a sequence of subtasks and pursue them in order. Feedback loops mean the agent observes the results of each action and uses that information to revise its plan. Memory means the agent maintains state across steps, so what it learns in step three informs what it does in step seven. Put these together and you have a system that can pursue a complex security research objective from start to finish without human orchestration at each step. That is what separates Mythos from a security chatbot.

How Mythos Operates as an Autonomous Security Agent

Claude Mythos applies the autonomous agent architecture to security research tasks. A simplified workflow for a vulnerability research task looks like this: receive a target and objective, conduct reconnaissance using available tools to understand the attack surface, generate hypotheses about likely vulnerability classes based on code analysis, implement candidate exploits using code generation and execution tools, test those exploits in a sandboxed environment, observe what fails and why, revise the approach based on that feedback, and iterate until a working exploit is produced or the hypothesis is ruled out. This is the same cognitive workflow a skilled human vulnerability researcher follows, compressed into a machine-speed feedback loop. The ExploitBench result, 21 of 41 V8 ACEs where human researchers consider these extremely difficult, reflects what happens when that loop runs autonomously at scale.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

The Capability Cliff Between Autonomous Agents and LLM-Assisted Tools

The ExploitBench results illustrate a capability cliff that practitioners need to internalize. Mythos scored 21 of 41 V8 arbitrary code execution challenges. Every other AI model, including every commercial AI security platform, scored zero. This is not a performance gap. It is a categorical difference between systems that can complete this class of task and systems that cannot. LLM-assisted security tools can help a human analyst work faster. They can explain a vulnerability, draft a proof-of-concept outline, or summarize a threat report. They cannot autonomously develop a working V8 browser exploit because that task requires sustained multi-step reasoning, tool use, feedback integration, and iteration over an extended chain of actions. Autonomous agents can. That capability cliff is the most important thing practitioners need to understand about where AI security capability actually sits in 2026.

Current State: ExploitBench and What It Measures

ExploitBench evaluates autonomous AI capability on V8 JavaScript engine arbitrary code execution vulnerabilities. V8 is the browser engine that powers Chrome and Node.js. ACEs in V8 require understanding compiler internals, JIT optimization behaviors, memory layout, and exploitation primitives in a way that is extremely technically demanding even for human researchers. The benchmark measures fully autonomous exploit development: no human hints, no per-step guidance, just the model operating as an agent against the target. Mythos solved 21 of 41 challenges. All other models scored zero. On ExploitGym, a related evaluation of broader exploit development capability, Mythos produced 10.5 times more working exploits than Opus 4.6, the next best performing model. These benchmarks exist specifically to measure the agentic capability gap, and the gap is larger than most practitioners realize.

What the Next Generation Looks Like

Current autonomous AI security agents operate as single agents pursuing tasks sequentially. The next generation involves multi-agent systems: coordinated networks of specialized AI agents that divide complex tasks, work in parallel, and synthesize results. In an offensive context, one agent handles reconnaissance, another handles exploit development, a third handles post-exploitation and lateral movement, and a coordinator synthesizes their outputs into a coherent attack campaign. This is not speculative. The infrastructure for multi-agent coordination is already available via model APIs and agentic frameworks. The limiting factor is task horizon: how long a coherent multi-agent system can sustain complex work without human intervention. That horizon is extending rapidly. Within the next 12 to 24 months, multi-agent offensive systems capable of end-to-end campaign execution against complex targets are likely to be accessible to well-resourced threat actors.

How Autonomous Agents Change the Attacker Threat Model

Autonomous AI agents change three fundamental parameters of the attacker threat model that defenders have historically relied on. First, dwell time decreases. Attacker reconnaissance and exploit development cycles that previously took days or weeks can be compressed to hours. The window between initial access and impact shrinks significantly. Second, exploit development speed collapses. Vulnerabilities that previously required rare expert human researchers to exploit can be developed autonomously, dramatically expanding the pool of exploitable vulnerabilities beyond what human attacker capacity can address. Third, breadth increases. A single autonomous agent system can simultaneously probe multiple targets, attack surfaces, and vulnerability classes at machine speed. This changes the economics of targeted attacks: breadth is no longer constrained by human attacker headcount.

The Defender's Response Framework

Defending against autonomous AI attacker capability requires updating three layers of your security program. Detection must shift from signature-based to behavioral. AI-generated exploits produce novel patterns that bypass signature matching, but the behavioral signatures of autonomous agent activity, rapid iterative probing, unusual tool chaining, machine-speed iteration, are detectable with the right instrumentation. Response must assume compressed timelines. If attacker dwell time is collapsing, detection-to-containment cycles must accelerate proportionally. Passive logging and weekly review cycles are no longer adequate. Prevention must assume that known vulnerability classes will be exploited faster than patching cycles allow. Exposure management, attack surface reduction, and micro-segmentation become more important as the time between disclosure and exploitation shrinks.

How Glasswing Demonstrates What Well-Resourced Attackers Can Build

Project Glasswing is the most important public proof point for what autonomous AI security capability looks like applied to real organizations. Glasswing assessed 200-plus partner organizations, produced 10,000-plus security findings, and identified 9 confirmed CVEs. This was not a theoretical exercise. These were real vulnerabilities in real production systems, found by an autonomous AI program operating at scale. Nation-state actors and well-resourced criminal organizations have the resources to build comparable programs. Glasswing tells you what they are likely already building. The 9 CVEs represent vulnerabilities that were found before attackers could exploit them because Glasswing ran first. Without that kind of proactive autonomous AI assessment capability, those 9 CVEs would have been available to attackers who could build similar systems.

The Future State and What to Prepare For

The trajectory of autonomous AI security capability is clear. Single-agent systems like current Mythos will give way to multi-agent systems with longer task horizons and specialized capabilities. Exploit development cycles will continue to compress. The vulnerability classes that autonomous agents can address will expand as model capability improves and agentic infrastructure matures. For defenders, the preparation imperative is to close known gaps now, before autonomous attacker capability makes them trivially exploitable. The 9 CVEs Glasswing found represent exactly the kind of critical vulnerabilities that autonomous attacker agents will target first: complex, hard-to-find, but highly impactful when exploited. Organizations that have not assessed their exposure at the depth autonomous AI enables are carrying risk they cannot quantify.

What the Mythos Brief Covers for Autonomous Agent Defense

The Mythos Brief provides the practitioner frameworks for building defenses against autonomous AI attacker capability, including the detection and response playbooks that do not fit in a blog post.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

Autonomous AI security agents represent a categorical shift in offensive capability, not an incremental improvement to existing tools. The ExploitBench result, 21 V8 ACEs for Mythos versus zero for every other model, is a benchmark, but it is also a preview of the threat model defenders are inheriting. Project Glasswing has already demonstrated what this capability finds when applied to real organizations: 10,000-plus findings and 9 CVEs that were closed before attackers could reach them. The organizations that prepare now, by updating their threat models, tightening their detection layers, and closing known gaps at the depth autonomous AI can expose, will be significantly better positioned as agentic attacker capability continues to expand. Start with the Mythos Brief at decryptiondigest.com/mythos-brief for the frameworks, detection strategies, and defender checklists built specifically for the autonomous AI threat model.

Frequently asked questions

What is an autonomous AI security agent?

An autonomous AI security agent is a multi-step tool-using AI system that can chain security tasks, including reconnaissance, vulnerability identification, exploit development, and post-exploitation, without requiring human input at each step. Unlike a chatbot that answers a single question, an autonomous agent takes actions in a feedback loop: it runs a tool, observes the output, revises its approach, runs another tool, and iterates until it reaches a goal or exhausts its approach. Claude Mythos is the current leading example in the security domain.

How is Mythos different from ChatGPT for security?

ChatGPT and similar general-purpose LLMs can assist with security tasks by answering questions, explaining concepts, or generating code snippets when prompted. Mythos operates as an autonomous agent: it takes goals, forms multi-step plans, executes those plans using tool calls, and iterates on results without per-step human guidance. The practical difference is that Mythos can complete a full vulnerability research workflow, from initial target analysis to working exploit code, while a general-purpose LLM requires a human to orchestrate each step. On ExploitBench, Mythos solved 21 V8 ACE challenges. General-purpose models scored zero.

Can attackers use autonomous AI agents today?

Yes. The underlying model capabilities that power Mythos are increasingly accessible. Nation-state actors and well-resourced threat groups are actively researching and deploying AI-assisted offensive tools. Project Glasswing, which assessed 200-plus organizations and produced 10,000-plus findings and 9 CVEs, demonstrates what a well-resourced autonomous AI program can do. The more important question for defenders is not whether attackers have these capabilities yet, but how to build detection and response capabilities that assume they do.

What is the difference between an agent and an LLM?

A large language model (LLM) is the underlying AI system that processes input and generates output. An agent is a system built on top of an LLM that adds tool use, memory, planning, and feedback loops. An LLM answers a question in one turn. An agent pursues a goal over multiple turns, using tools like web search, code execution, or API calls to take actions and update its plan based on what it learns. The distinction matters for security because agents can complete complex multi-step tasks autonomously, which is what makes them both powerful for defenders and dangerous as an attacker capability.

How do I detect AI-generated exploit attempts?

AI-generated exploit attempts are harder to detect through traditional signature-based methods because they can generate novel attack patterns without known signatures. Effective detection focuses on behavioral signals: unusual tool chaining patterns, rapid iterative probing that resembles automated fuzzing, exploit attempts targeting obscure code paths that human attackers rarely reach manually, and anomalous timing patterns consistent with machine-speed iteration. Behavioral detection, canary systems, and honeytokens that catch automated scanners are more effective than signature matching against AI-generated exploits. The Mythos Brief covers detection frameworks in depth.

What organizational controls should security teams put in place to govern how AI agents are used in offensive security testing before their capabilities outpace policy?

Governance of AI-powered offensive tools requires the same framework as any privileged security tooling: explicit authorization scope, audit logging, and defined handling procedures for findings. Before deploying an autonomous AI agent for security testing, document the authorized target scope (IP ranges, domains, accounts) the same way you would for a traditional penetration test authorization letter. Ensure the tool's actions are logged in a system your security team controls, not only in the vendor's platform, so you have an independent audit trail of what the agent tested and what it found. Classify AI-generated vulnerability findings at the same severity levels as human findings and route them through the same remediation SLA process. Restrict access to AI offensive tools to trained personnel who can review findings for exploitability context rather than treating automated severity scores as definitive. Finally, establish a policy on what happens to AI-generated findings that involve third-party systems or dependencies: autonomous agents can probe transitive attack surfaces that fall outside the original authorization scope if not properly bounded.

Sources & references

  1. Anthropic Claude Mythos and Project Glasswing
  2. ExploitBench V8 ACE Benchmark Results
  3. UK AI Security Institute Cyber Range Validation
  4. Claude Security Public Beta Program
  5. XBOW Published Evaluation of Autonomous AI Security Capability
  6. SCONE-Bench Smart Contract Security Evaluation

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.