How adversaries actually use AI (It's Less Sci-Fi Than You Think)
I read a lot of breathless takes about AI turning every script kiddie into a nation-state. Then I read the threat intelligence from teams that track these actors in the wild, and the picture is quieter and, honestly, more useful. AI isn't handing attackers superpowers they didn't have. It's making the things they already did faster, cheaper, and more automated. This week gave us the clearest look yet at what that actually means. Let's dig in.
This Week's Signals
Google Caught the First AI-Developed Zero-Day in the Wild
Google's Threat Intelligence Group released its latest report and buried a genuine first in it: an attacker using a zero-day exploit GTIG believes was developed with AI, intended for a wide-scale campaign that Google's proactive discovery may have headed off. The same report tracks DPRK, Iran, the PRC, and Russia operationalizing Gemini across the whole lifecycle: reconnaissance, phishing lures, C2 development, and data exfiltration. GTIG also documented the first "just-in-time" AI malware families, PROMPTFLUX and PROMPTSTEAL, that call an LLM during execution to generate and obfuscate code on the fly instead of hard-coding it. And yet GTIG's own repeated caveat is that they have still not observed breakthrough capabilities that fundamentally alter the threat landscape.
The key point: one AI-developed zero-day, caught before it shipped, sits right next to an explicit "no breakthrough yet." The threat is real, but the hype is still running ahead of it.

A Leaked AWS Key to Full Exfiltration in 60 Seconds, Run by an Agent
Adan Alvarez tested whether Claude Code could go from a single leaked AWS IAM key to data exfiltration with no AWS-specific instructions, and in 7 of 12 runs the agent finished the entire attack chain in about 60 seconds. Every successful run followed the same six-phase kill chain: GetCallerIdentity, policy enumeration, credential recovery from S3, AssumeRole, bucket enumeration, and exfiltration. The uncomfortable part is the timing: CloudTrail delivers logs on a roughly 5-minute delay, so the attack finishes before your telemetry even arrives. Alvarez's bet is honeytokens and honeypots that waste the agent's time before it reaches anything real.
If a full cloud kill chain runs in under a minute and your logs ship every five, detect-then-respond has already lost the race. Pre-position the trap instead of waiting for the alert.
Is anyone else getting “Gone in 60 Seconds” vibes from this?
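Detection logic for the chain described above, added here as an example (it is not code from Alvarez's write-up or from GTIG): it scans CloudTrail records for one key walking through several phases inside a short window, maps the temporary key issued by AssumeRole back to the original key, and flags any use of a decoy key. The event-name-to-phase mapping, the key ids, the 120-second window, and the `detect`/`ev` helper names are assumptions.

```python
from datetime import datetime, timedelta

# Assumed bucketing of CloudTrail event names into phases (the article names only two of them).
PHASES = {"GetCallerIdentity": "identity", "ListAttachedUserPolicies": "policy_enum",
          "GetPolicyVersion": "policy_enum", "AssumeRole": "assume_role",
          "ListBuckets": "bucket_enum", "GetObject": "s3_read"}  # GetObject needs S3 data events
HONEYTOKENS = {"AKIAEXAMPLEHONEY0001"}  # constructed decoy key id

def ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect(records, window=timedelta(seconds=120), min_phases=4):
    """Return alerts for honeytoken use and for fast multi-phase chains per original key."""
    alerts, root_of, chains = [], {}, {}
    for rec in sorted(records, key=ts):
        key = rec["userIdentity"]["accessKeyId"]
        root = root_of.get(key, key)  # map temporary credentials back to the key that minted them
        if key in HONEYTOKENS:
            alerts.append(("honeytoken", key, rec["eventName"]))
        phase = PHASES.get(rec["eventName"])
        if phase is None:
            continue
        if phase == "assume_role":
            # CloudTrail logs the issued temporary key id under responseElements.credentials
            issued = (rec.get("responseElements") or {}).get("credentials", {})
            if issued.get("accessKeyId"):
                root_of[issued["accessKeyId"]] = root
        chain = chains.setdefault(root, {"start": ts(rec), "phases": set(), "alerted": False})
        if ts(rec) - chain["start"] > window:  # too slow to be one burst: start over
            chain.update(start=ts(rec), phases=set(), alerted=False)
        chain["phases"].add(phase)
        if len(chain["phases"]) >= min_phases and not chain["alerted"]:
            chain["alerted"] = True
            alerts.append(("fast_chain", root, sorted(chain["phases"])))
    return alerts

def ev(sec, name, key, issued=None):  # builds a constructed, trimmed CloudTrail record
    return {"eventTime": f"2025-01-01T00:00:{sec:02d}Z", "eventName": name,
            "userIdentity": {"accessKeyId": key},
            "responseElements": {"credentials": {"accessKeyId": issued}} if issued else None}

SAMPLE = [  # constructed events, not taken from the article's test runs
    ev(1, "GetCallerIdentity", "AKIAEXAMPLELEAKED001"),
    ev(5, "ListAttachedUserPolicies", "AKIAEXAMPLELEAKED001"),
    ev(14, "GetObject", "AKIAEXAMPLELEAKED001"),
    ev(22, "AssumeRole", "AKIAEXAMPLELEAKED001", issued="ASIAEXAMPLETEMP00001"),
    ev(30, "ListBuckets", "ASIAEXAMPLETEMP00001"),
    ev(50, "GetCallerIdentity", "AKIAEXAMPLEHONEY0001"),
]
```

Both signals arrive with CloudTrail's delivery delay, so this confirms and scopes a chain rather than stopping it. The honeytoken hit is the high-confidence one, since no legitimate workload should ever present the decoy key.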

The Adversary's AI Supply Chain Is Getting Industrialized
The same GTIG reporting shows attackers building real infrastructure around commercial models: custom middleware, proxy relays, anti-detect browsers, and account-pooling services to bypass safety guardrails and billing limits while keeping high-volume anonymized access. Some are stitching open-source AI tools (Crush, Hexstrike AI, LibreChat, and Open WebUI) into agentic services over MCP servers. And when they want into production AI environments, they fall back on old-fashioned supply chain tradecraft, trojanized integration libraries and malicious config files, not novel model jailbreaks.
Practical takeaway: The adversary is treating AI like any other dependency to procure, proxy, and abuse. Defend it like one, and watch the MCP servers, integration libraries, and config files, not just the prompt box.

AI Offensive Pentesting Is Now a Product You Can Benchmark
Doyensec's Luca Carettoni and Anthony Trummer ran a side-by-side of two AI-powered penetration testing platforms, Aikido's Attack AI Pentest and XBOW's Lightspeed, manually validating every finding to separate true positives from false positives. They scored configuration complexity, impact on the tested app, report quality, cost, speed, and overall effectiveness. The takeaway is that autonomous offensive testing has crossed from research demo to procurable product with a real evaluation methodology behind it.
When offense ships as a SaaS subscription with a benchmark, your adversaries can rent the exact same thing. Run these tools against yourself before someone rents them to run against you.
My Take:
The Threat Is Industrialization, Not Superintelligence
The story the market wants to sell is the AI superhacker: one prompt, one genius exploit, game over. The teams that actually track these actors keep telling us something less cinematic. GTIG has now said across three consecutive reports, including this month's, that they have not seen breakthrough capabilities that fundamentally alter the threat landscape. What they have seen is industrialization: the same attacks, faster, cheaper, and increasingly automated.
That reframes the defensive problem in a specific way. If a kill chain completes in under a minute, controls that assume human-paced response lose by construction, which is exactly why Alvarez reaches for honeytokens over faster alerting. The leverage moves to what you decide before the attack: identity blast-radius, pre-positioned traps, and designing systems so one leaked credential doesn't enumerate into a full compromise. That's a design-time problem, and it's where I spend my time, because you can't out-respond a 60-second attack, you can only out-architect it.
Where I'm honestly unsure is how long the "no breakthrough yet" caveat holds. GTIG has repeated it for a year, and yet they also just logged the first AI-built zero-day, and trend lines that start with "first" rarely stay singular. My working bet is that the volume problem hurts most teams long before any sci-fi capability does. If you're seeing something in your own telemetry that says otherwise, that's exactly the data I want. Reply and tell me.

Until Next Week
The most reassuring sentence in security right now is buried in a Google threat report, repeated for the third time: no breakthrough yet. The most worrying part is the "yet."
One more thing before you go: if you'll be at Black Hat this year, we're co-hosting The CISO Roast with C1 on August 5 in Las Vegas. Invite-only, open bar, and a room full of CISOs talking straight for once. Save the date, seats are limited: Register in Luma
-Amir

Thanks for reading The AppSec Signal, DevArmor’s newsletter for security professionals.


