Offense and Defense at Machine Speed
Cyber warfare in the age of AI
Autonomous cyber operations are no longer hypothetical. In November 2025, Anthropic disclosed GTG-1002, a Chinese state-sponsored campaign with significant tactical autonomy, with humans intervening only at strategic decision points.[1] In this evolving landscape, the question is no longer whether machine-speed cyber conflict will arrive, but whether the resulting equilibrium favors offense or defense, and what that means for security strategy.
The scenario below extrapolates from documented capabilities to illustrate what fully autonomous operations might look like. It is fiction grounded in evidence, not prediction.
Initialization
Offense
The attack began with reconnaissance. The campaign was decomposed into discrete technical tasks—DNS enumeration, certificate transparency analysis, employee discovery through professional networks—each task appearing legitimate in isolation.[2] The orchestration layer maintained state across sessions, adapting queries based on discovered information.
The system was set up to operate entirely from commercial hardware, never connected to networks attributable to any government.[3] Its architecture relied on multiple LLM-based agentic systems interacting via MCP (Model Context Protocol) in order to coordinate actions.[4]
Defense
Twelve hundred kilometers away, in a security operations center serving Northern European critical infrastructure, an autonomous monitoring system processed a regular flow of internal logs and internet-facing signals. It had no knowledge that an attack was beginning. It simply watched.
The system was built on coordinated LLM agents that carried out continuous reasoning over logs, automated hypothesis generation, and response deployment, without waiting for human approval. Such systems had been found to be highly effective in monitoring and flagging abnormal events, and were becoming commonplace.[5]
First Contact
Offense
The attack system identified a misconfigured authentication endpoint on a contractor portal. It generated an exploitation payload, tested it against a sandboxed replica, validated the callback, and proceeded.
The contractor portal yielded credentials for a service account with documentation access. The sequence from vulnerability identification to initial access took eighty-five minutes. Similar operations eighteen months earlier required several days of intermittent human oversight.[6]
Defense
The monitoring system flagged an anomaly: authentication patterns showed a service account accessing documentation outside its historical baseline. Improbable, but not outside the scope of possibility.
The system had authority to impose graduated friction without human approval.[7] It imposed step-up authentication, which the attack system failed, having stolen credentials but not the second factor.
Adaptation
Offense
The attack system recognized the setback and pivoted. This capability distinguished the AI-enabled operations from traditional cyber operations: the ability to reason about failures and generate new approaches.[8]
It exploited its brief access to map internal network topology, identifying a secondary path through a legacy system with weaker authentication controls.
Defense
The monitoring system was able to detect the pivot. The blocked credential had gone quiet, but correlated signals emerged in the form of unusual internal traffic, another contractor system making calls it had never made before.
The defensive AI reasoned over accumulated evidence, weighed false-positive disruption against ongoing compromise risk, and isolated the contractor network segment pending investigation.
Escalation
Offense
The attack system found its second path blocked. It escalated within its decision framework, beginning to probe public-facing web applications and generating exploitation payloads for multiple potential vulnerabilities in parallel.
Defense
The monitoring system correlated the contractor isolation with new probing activity. The timing and targeting suggested a single campaign.
It elevated incident classification and triggered automated hardening of probed systems while notifying human analysts. This was the boundary where autonomous defense handed off to human judgment. Containment and delay were within its authority. Decisions about attribution or active countermeasures remained human responsibilities.
Termination
The attack system had failed three approaches. Its parameters included thresholds for diminishing returns: if success probability fell below a defined floor while detection risk rose, terminate and erase infrastructure.[9]
It reached that threshold and executed its termination routine, destroying leased infrastructure and severing connections. The defensive system observed the sudden silence, preserved logs, and generated a preliminary incident report.
No human on either side made a real-time tactical decision during the three-hour engagement.
Why This Scenario Is Directionally Accurate
The fictional engagement extrapolates from documented capabilities.
GTG-1002 showed attack systems using Claude Code with MCP servers to decompose complex attacks into discrete tasks that appeared legitimate when evaluated in isolation. The “vibe hacking” operation disclosed in August 2025 showed attackers using AI to scan thousands of VPN endpoints, generate custom exploitation payloads, and craft psychologically targeted ransom notes.[10]
Factory AI’s October 2025 incident demonstrated the defensive corollary: building fraud classifiers in hours that achieved near-zero false positives while blocking attacks that adapted in real time.[11] They noted explicitly that countering AI-augmented attackers required AI-augmented defense.
Microsoft’s 2025 defensive infrastructure embeds similar principles: autonomous agents for alert triage, predictive shielding that anticipates attacker moves, automatic attack disruption at machine speed.[12]
The remaining gap between current systems and full autonomy involves reliable multi-step reasoning under adversarial conditions and removing human authorization at exploitation decisions. GTG-1002 retained human approval for credential use and exfiltration.[13] Whether that gap closes in months or years depends on frontier model capabilities and deployment decisions, but the trajectory is clear.
Conditions for Defensive Equilibrium
The scenario depicts defense winning. That outcome is not guaranteed; GTG-1002 achieved objectives against some targets before detection. Defensive success depends on several conditions holding simultaneously.
Detection speed matching adaptation speed. The defensive system imposed friction faster than the attack system routed around it. Many organizations had not made this investment by 2025.
Home-field advantage. The monitoring system knew the baseline behavior of its own infrastructure. Attackers operating against unfamiliar targets must model normal behavior from external observation, a harder problem.
Attacker limitations constraining capability. The 2025 reports documented AI systems overstating findings and occasionally fabricating data during operations. Anthropic noted that Claude “frequently overstated findings and occasionally fabricated data,” claiming credentials that didn’t work or identifying discoveries that proved to be public information. These reliability problems create friction. More capable systems might succeed before defenses respond.
Symmetric autonomy levels. Neither side escalated to human decision-making during the tactical engagement. If attackers achieve full autonomy while defenders require human approval for responses that impose costs, attackers can exploit that asymmetry. The most dangerous periods may be transitions when one side has crossed the autonomy threshold and the other has not.
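The scenario's defensive loop (baseline deviation, accumulated evidence, graduated friction, and a fixed ceiling on what runs without a person) can be made concrete. The Python below is an added example, not code from any system cited here; the baseline, event fields, weights, thresholds and correlation window are constructed assumptions.

```python
# Added example: every name, weight and threshold here is an assumption.
BASELINE = {"svc-docs": {"/portal/status"}, "svc-legacy": {"/legacy/health"}}
WEIGHTS = {"off_baseline": 2, "stepup_failed": 3,
           "new_internal_call": 3, "external_probe": 1}
TIERS = [(9, "harden_and_notify"), (7, "isolate_segment"),  # highest first
         (2, "step_up_auth"), (0, "observe")]
# Containment and delay only; attribution and countermeasures are absent.
AUTONOMOUS = {"observe", "step_up_auth", "isolate_segment", "harden_and_notify"}

# Constructed events mirroring the scenario (t = minutes since first event).
EVENTS = [
    {"t": 0, "kind": "access", "account": "svc-docs", "resource": "/portal/status"},
    {"t": 5, "kind": "access", "account": "svc-docs", "resource": "/docs/network"},
    {"t": 6, "kind": "stepup", "account": "svc-docs", "passed": False},
    {"t": 40, "kind": "internal_call", "account": "svc-legacy", "resource": "/legacy/admin"},
    {"t": 90, "kind": "probe", "resource": "/public/login"},
]

def signals(ev):
    """Evidence labels contributed by one event, judged against the baseline."""
    known = BASELINE.get(ev.get("account"), set())
    off = ev.get("resource") not in known
    return [label for label, hit in (
        ("off_baseline", ev["kind"] == "access" and off),
        ("stepup_failed", ev["kind"] == "stepup" and not ev["passed"]),
        ("new_internal_call", ev["kind"] == "internal_call" and off),
        ("external_probe", ev["kind"] == "probe"),
    ) if hit]

def respond(events, window=120):
    """Correlate signals by timing and emit each escalation once per incident."""
    score, taken, last_t, timeline = 0, set(), None, []
    for ev in sorted(events, key=lambda e: e["t"]):
        found = signals(ev)
        if not found:
            continue
        if last_t is not None and ev["t"] - last_t > window:
            score, taken = 0, set()  # stale evidence: treat as a new incident
        last_t = ev["t"]
        score += sum(WEIGHTS[s] for s in found)
        action = next(name for floor, name in TIERS if score >= floor)
        if action != "observe" and action not in taken:
            taken.add(action)
            timeline.append((ev["t"], action))
    return timeline

def approval(action):
    """Anything outside the autonomous set waits for a human decision."""
    return "autonomous" if action in AUTONOMOUS else "human"
```

A lone probe scores below every action threshold, so it escalates only when it lands inside an incident that is already accumulating evidence.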
Asymmetries Beyond Autonomy
Even at equivalent autonomy levels, structural asymmetries shape outcomes.
Legal and liability constraints. Autonomous defensive responses that isolate systems, throttle access, or disrupt operations create liability exposure. Organizations and teams may face complaints and other consequences for false positives that harm legitimate users. Attackers face no such constraints. This asymmetry may slow deployment of aggressive autonomous defense even when technically feasible.
Regulatory fragmentation. Defenders operating across jurisdictions might need to navigate varying legal frameworks for automated response. Attackers choose favorable jurisdictions or operate outside legal reach entirely.
Attribution decay. If operations terminate cleanly with minimal forensics, as in the scenario, deterrence erodes. Punishment requires attribution. Machine-speed operations that destroy their own infrastructure undermine the forensic basis for response.
Access asymmetries. Frontier model access is currently concentrated among well-resourced actors, but this is shifting. Proliferation of capable open-weight models changes the equilibrium by lowering barriers to sophisticated autonomous offense.
These asymmetries generally favor offense, suggesting that technical parity in autonomy may not produce strategic parity in outcomes.
Implications
Three conclusions follow for those building or regulating these systems.
First, autonomous defense is not optional. The speed differential between machine-speed offense and human-approved defense creates exploitable gaps. Organizations that require human authorization for all active responses will be systematically disadvantaged. This requires rethinking liability frameworks to enable appropriate autonomous response.
Second, the transition period is uniquely dangerous. Asymmetric autonomy levels create windows of vulnerability. Defenders should assume adversaries are further along this curve than public evidence suggests and invest accordingly.
Third, attribution infrastructure matters more, not less. If machine-speed operations can terminate without forensic traces, pre-positioned attribution capabilities become essential for deterrence. This includes both technical measures (pervasive logging, cryptographic verification) and intelligence investments that could establish attribution through means other than post-incident forensics.
The stable equilibrium, if one exists, requires rough parity in autonomy combined with deliberate policy choices to counteract structural asymmetries favoring offense. Whether we achieve that equilibrium depends on decisions being made now about how aggressively to deploy autonomous defense and how to structure accountability for its failures.
“Si vis pacem, para bellum.”
[1] Anthropic, “Disrupting the first reported AI-orchestrated cyber espionage campaign,” November 2025.
[2] Task decomposition to evade detection is described in Anthropic’s GTG-1002 report: “The framework used Claude as an orchestration system that decomposed complex multi-stage attacks into discrete technical tasks... each of which appeared legitimate when evaluated in isolation.”
[3] Noted in the GTG-1002 report.
[4] Model Context Protocol-based attack infrastructure is documented in both Anthropic reports and Factory AI’s October 2025 disclosure.
[5] Similar results were seen at the DARPA AI Cyber Challenge in August 2025.
[6] Noted in the GTG-1002 report.
[7] Graduated autonomous response is described in Microsoft’s 2025 autonomous defense architecture and validated in Factory AI’s fraud response.
[8] Adaptive pivoting is documented in GTG-1002 and the August 2025 “vibe hacking” report, where attackers fed logs into AI systems to generate patches deployed directly.
[9] Automated termination thresholds are a logical extension of documented attack parameters; GTG-1002 showed systematic campaign management including phase transitions.
[10] Anthropic, “Threat Intelligence Report: August 2025.”
[11] Factory AI, “The Droid Wars: Breaking up an AI-orchestrated cyber fraud campaign,” October 2025.
[12] Microsoft Security Blog, “Microsoft unveils Microsoft Security Copilot agents,” March 2025.
[13] Noted in the GTG-1002 report.



