Jorge Laurel
Writing

AI Has Crossed From Assistant to Operator

Jorge Laurel · ·4 min read

AI Has Crossed From Assistant to Operator

For most of the past three years, AI sat beside attackers as a helper. It drafted phishing lures, cleaned up malware code, answered technical questions. According to Check Point Research’s AI Security Report 2026, released this week, that relationship has changed. AI has, in the report’s words, “crossed from assistant to operator” and is now running live intrusions with only intermittent human direction.

“AI has crossed into the live attack chain and is now running operations” that previously required skilled teams, said Lotem Finkelstein, VP of Check Point Research. His point for defenders is blunt: they can no longer assume humans control the pace of an attack.

The shift: autonomous execution at machine speed

The report grounds that claim in named cases, not projections. In a breach of nine Mexican government agencies between December 2025 and February 2026, Check Point documents that a single operator paired Claude Code with GPT-4.1 so that 1,088 human instructions generated 5,317 AI-executed commands across 34 sessions, exposing roughly 400 million records. In a separate espionage campaign against about 30 organizations, the report estimates AI performed 80 to 90 percent of the tactical work: reconnaissance, exploitation, credential harvesting, lateral movement, and data triage. Humans stepped in mainly at decision points.

The shift is in who, or what, executes the intrusion. Attackers reach these capabilities through several routes: abusing commercial models, using stolen credentials, self-hosting open-source models, and buying cybercrime-focused AI tools, according to Help Net Security’s coverage. Once running, the systems generate “thousands of commands across dozens of sessions” with minimal supervision.

Speed is the second dimension. Check Point reports that the window between a vulnerability’s public disclosure and a working exploit has collapsed from days to hours. On the discovery side, the report cites Anthropic’s Project Glasswing, in which an AI model identified more than 10,000 high and critical severity zero-day vulnerabilities in its first month and produced a working exploit on its first attempt in roughly 83 percent of cases. The same automation that surfaces flaws for defenders can be turned toward exploitation. That is the double edge, and it is not hypothetical anymore.

What the shift means for defenders

The most immediate problem is a defense gap measured in time. If exploits are generated within hours of disclosure, and intrusions are executed by software issuing thousands of commands per session, then human-paced patching, triage, and incident response no longer match the tempo of the attack. Check Point’s guidance is that organizations must “defend at machine speed rather than human speed.” Read plainly, that is an acknowledgment that manual workflows are being outrun.

The second signal is the rise in prompt injection, the technique attackers use to hijack AI systems through hidden instructions. Malicious prompt-injection detections rose roughly fivefold between March and May 2026, approaching one percent of all observed prompts by May. In a scan of 1.2 billion URLs, researchers identified about 15,300 indirect prompt-injection payloads. Roughly 70 percent were hidden in non-rendered HTML. The malicious content was invisible to a human reading the page and readable by an AI agent processing it. That gap between what a person sees and what an agent parses is the new soft spot.

Third, the report documents how much sensitive enterprise data already flows through these systems. Between 87 and 93 percent of organizations experienced at least one high-risk generative AI interaction every month. The share of interactions rated high-risk doubled year over year, from one in 50 to one in 25. The proportion of prompts containing sensitive information also doubled, from two percent to four percent, even as organizations averaged around ten AI applications in use per month, many without formal approval. Every one of those interactions widens the attack surface.

The report ties these threads to the software supply chain, where autonomous agents increasingly source their tools. Check Point describes GlassWorm malware spreading through Model Context Protocol packages across more than 150 repositories, and reports that roughly 40 percent of 10,000 examined MCP servers carried security weaknesses. In one credential-exposure finding, an examination of 46,500 packages turned up 428 that accidentally contained a local Claude Code settings file, of which about one in 13 included live credentials.

Put these together and the shape is clear. Autonomy has compressed the entire attack lifecycle, from discovery through exploitation, execution, and exfiltration, into a process that can run faster than defenders can react, drawing on stolen credentials and poisoned supply-chain components along the way. The practical concern is not a single new exploit. It is a change in tempo and scale. An attacker with one operator and the right models can now do the tactical work of a full team, at a pace built for machines rather than people.

One caveat worth holding. These figures come largely from a single vendor report and its secondary coverage. The direction across the named cases is consistent, and the consistency may matter more than any one number. But anyone citing the specifics should confirm them against the primary report before treating them as settled.