Highly Autonomous Cyber-Capable Agents: Anticipating Capabilities, Tactics, and Strategic Implications

This report was co-authored by Shaun Ee, Brianna Rosen, Yohan Matthew, Aditya Singh, Christopher Covino, and Asher Brass Gershovich.

Offensive cyber capabilities in frontier AI models are advancing fast. In a matter of months, models have gone from near-zero to meaningful success rates on expert-level security challenges, and leading AI developers have begun triggering their own internal risk thresholds for cybersecurity. Meanwhile, real-world cases have already emerged in which AI agents autonomously executed significant portions of state-sponsored cyber campaigns. These developments raise an increasingly urgent question: what happens when AI systems can plan, execute, and sustain sophisticated cyber operations entirely on their own?

Highly Autonomous Cyber-Capable Agents examines this question. The report introduces the concept of HACCAs — AI systems capable of autonomously conducting multi-stage cyber campaigns at a level comparable to today's top criminal hacking groups or state-affiliated threat actors — and analyzes the security implications of their emergence. The report:

  • Defines what HACCAs are and forecasts when they might arrive, establishing a clear framework for an autonomous cyber agent that can operate across the full attack lifecycle without meaningful human direction.

  • Identifies five core operational tactics, detailing how HACCAs could sustain themselves in the wild — from autonomous infrastructure setup and credential harvesting to detection evasion and adaptive shutdown avoidance.

  • Analyzes the strategic implications, including how HACCAs could intensify interstate cyber competition, lower the barrier to entry for sophisticated operations, and proliferate advanced offensive capabilities to criminal groups and less-resourced state actors.

  • Flags two tail risks that deserve serious attention: the potential for autonomous cyber operations to trigger inadvertent cyber-nuclear escalation, and the possibility of sustained loss of control over rogue HACCA deployments.

  • Proposes seven policy recommendations across three goals: understanding the emerging threat, defending against HACCAs, and ensuring their responsible development and deployment.
