A I C Y B E R

SUMMER 2025

1
A I C Y B E R SUMMER 2025

CO N T ENT
UPF RON T

11
AI Has Changed the Rules of Cybersecurity
Are we ready for what comes next?

17
Are LLM Guardrails a Commodity?
A thought-provoking op-ed

22
Governing the Ungovernable
Policy Blueprints for Self-Modifying AI
Agents

33
The Other Side of Agentic AI
Birthing a New World Order

38
The Power of Pictures in Public Policy
A best practice article

61
Model Context Protocol
The Missing Layer in Securing Non‑Human
Identities

56
DSPM Is the Missing Layer in Your AI
Security Stack
Protecting the data that fuels (and betrays)
our models

65 ON TH E COVER
Beyond Alert Fatigue Diana Kelley
How AI Can Actually Reduce Cognitive Chief Information Security Officer
Overload in Cybersecurity at Protect AI

2
A I C Y B E R SUMMER 2025

CO N T ENT
FE AT UR E S

State of AI Security with

70
DarkTrace’s Global Chief
Information Security
Officer, Michael Beck
In this insightful conversation with Michael,
he explains the context of AI-driven
defense mechanisms, emphasizing the
importance of integrating AI in threat
detection and the need to balance human
oversight with automated systems.
He also addressed the critical issue
of insider threats and highlighted the
security industry’s struggle with basic
cybersecurity practices.

How Cybersecurity Professionals Can 78 Developing MCP Servers for 104

Build AI Agents with CrewAI Offensive Work
A Practical, Low Barrier Tutorial Advanced reader’ corner

Autonomous AI-Driven Penetration 82 Privilege Escalation in Linux 111

Testing of RESTful APIs A Tactical Walk-through Using
A How-To Guide Python and AI Guidance

A Practical Guide to AI Red-Teaming 92 How I Use AI Tools For Ethical 100

Generative Models Hacking
A Practical Playbook A Practitioner’s field notes

AI Cyber Pandora’s Box 116 AI in Cybersecurity BookShelf 28

Resources too good to be free Its easier than you think!

3
A I C Y B E R SUMMER 2025

FRO M THE
E DITOR

architectural, then to operational, and finally to hands-

on insights in these articles. We’ve set up a loop where
every major concern, like guardrails, agents, data,
and identities, is quickly followed by an article that
provides a solution or technique to address it. We’ve set
up the articles to offer what we like to call escalating
technical depth. This way, leaders can feel informed,
while practitioners can dive into a more detailed back
half. We think that combining policy, architecture,
human factors, building and breaking things, along
with expert labs, really helps keep the cognitive load
light and curiosity buzzing. You have the opportunity to
benefit from both perspectives!

A huge shout-out to all our returning contributors and

the wonderful new ones joining us! Please contact
them on LinkedIn and thank them for their articles.

We really hope you enjoy reading this issue

I came across this great piece of advice recently, though I
can’t remember who said it: “Make it exist first, then make
it good later.”
ConfidenceStaveley
This quote gave me all the courage I needed to launch the Confidence Staveley
first issue of this magazine. Even though it wasn’t perfect,
Editor-in-Chief
the community embraced it with open arms, and we are
grateful for this gentle landing.

In this issue, we will guide you on a journey that seamlessly

transitions From 30 000 ft to shell prompt without
whiplash. There’s a smooth transition from strategic to

Connect With AI CYBER

@aicybermagazine

4
A I C Y B E R SUMMER 2025

CO N T RIBUTORS

Allie Howe Betta Lyon Delsordo Caroline Wong Confidence Staveley Diana Kelley

Allie is a vCISO After earning a Caroline Wong is the founder of AI Diana Kelley is the
and Founder of degree in Computer is the Director of Cyber Magazine, Chief Information
Growth Cyber. Science, Betty Cybersecurity the best guide to Security Officer
Growth Cyber helps pursued a Master’s at Teradata and understanding how (CISO) for Protect AI.
AI startups build in Cybersecurity the author of AI technologies She also serves on
trustworthy AI. Allie at Georgia Tech Security Metrics: A are shaping the boards of WiCyS,
has a software and completed Beginner’s Guide. cybersecurity. She The Executive
is also a multi- Women’s Forum
engineering numerous Her next book, on AI
award-winning (EWF), InfoSec
background, certifications and cybersecurity,
cybersecurity World, CyberFuture
a Masters in through an NSA will be published
leader, bestselling Foundation,
Cybersecurity, grant. She went by Wiley in Spring
author, international TechTarget
and is an active on to specialize in 2026.
speaker, advocate Security Editorial,
contributor on the application security for gender inclusion and DevNet AI/
11 - AI Has Changed the
OWASP Agentic penetration testing, in cybersecurity, ML. Diana was
Rules of Cybersecurity. Are
Security Initiative. with a focus on We Ready for What Comes and founder Cybersecurity Field
Allie has worked with web, cloud, and Next? of CyberSafe CTO for Microsoft,
leading analysts to AI hacking. In her Foundation. Through Global Executive
publish AI Security current role as MerkleFence, she Security Advisor at
vendor reports, an Application helps businesses IBM Security, GM
has spoken on AI Penetration Tester in North America at Symantec, VP
security at numerous at OnDefend, navigate the at Burton Group
conferences, and she searches for complexities of (now Gartner), a
hosts the Insecure vulnerabilities and application security Manager at KPMG,
Agents podcast. covert channels in with confidence. CTO and co-founder
of SecurityCurve,
web and mobile
9 - Are LLM Guardrails a and Chief vCISO at
applications.
Commodity? SaltCybersecurity.
17 - How I Use AI Tools
For Ethical Hacking

5
A I C Y B E R SUMMER 2025

CO N T RIBUTORS

Dr. Dustin Sachs Isu Momodu Jakub Szarmach Jarrod Coulter John Vaina
Abdulrauf

Dr. Dustin Sachs works as an Jakub is an is a cybersecurity John is a leading AI

is a cybersecurity application attorney-at-law leader with over 20 Red Team Specialist
executive and security engineer with over 15 years years of experience, and Generative AI
behavioral scientist and researcher of experience at the spanning Fortune Risk, Safety and
specializing in the at MerkleFence. intersection of law 100 enterprises to Security Researcher,
intersection of He is profoundly and technology. boutique consulting known for
human behavior enthusiastic about Currently, he works firms. With a pioneering
and cyber risk. He artificial intelligence as an AI risk and career evenly split adversarial prompt
leads strategic and devotes compliance analyst between offensive engineering and
initiatives that himself to exploring at Relativity, helping and defensive model reasoning
align cybersecurity numerous avenues organizations security, he brings integrity testing. He
maturity with for augmenting AI navigate the a well-rounded works at
people-centric into our personal complex terrain perspective on how the intersection
approaches, helping and professional of emerging security controls of AI/ML,
organizations foster lives. technologies and should be designed, cybersecurity,
secure, resilient governance. He implemented, and AI model red
28 - AI in Cybersecurity
cultures. As an holds certifications and tested. A teaming, helping
Bookshelf
author, speaker, as an AI Governance lifelong learner organizations
and educator, he 78 - How Cybersecurity Professional (AIGP) with an insatiable identify risks and
empowers leaders Professionals Can Build AI and Certified curiosity, Jarrod vulnerabilities
to transform security Agents with CrewAI Information Privacy now dedicates in advanced AI
from a checklist Manager (CIPM), much of his free systems. Connect
to a human-driven and also curates time to building with John on
culture. AIGL.blog — a AI-driven security LinkedIn: linkedin.
personal project automations and com/in/john-v-
65 - Beyond Alert Fatigue:
focused on making sharing his expertise prompt engineer.
How AI Can Actually
Reduce Cognitive Overload AI governance to advance the field
92 - A How to Practical
in Cybersecurity resources more of cybersecurity.
Guide to AI Red Teaming
practical and
104 - Developing MCP Generative AI Models
accessible.
servers for offensive work.
38 - The Power of Pictures
in Public Policy

6
A I C Y B E R SUMMER 2025

CO N T RIBUTORS

Katharina Koerner Lalit Choda Michael Beck Olabode Agboola Oluseyi Akindeinde

Katharina Koerner Known in the Michael is the Global Olabode Agboola is the Founder
is a Senior Principal industry as “Mr. Chief Information is a UK-based of Hyperspace
Consultant at NHI,” Lalit Choda is Security Officer at Information Security Technologies,
Trace3, where she the founder of the Darktrace. Michael professional and specializing in
helps organizations Non-Human Identity has operated former CSEAN cutting-edge AI-
implement AI Management on some of the Training Director. driven technologies.
governance, Group (https:// world’s most critical A PECB Platinum
82 - Autonomous
security, and risk nhimg.org), where stages; from Trainer, he holds
AI-Driven Penetrating
management he evangelizes military intelligence an MSc with Testing of RESTful APIs
strategies. With and educates missions. Joining a Distinction
a background in the industry and Darktrace at its grade and top
AI policy, privacy organizations on early stages in 2014, certifications
engineering, and the risks associated Michael developed including CISM, ISO
enterprise security, with non-human the cyber analyst 27001 LA, LI and
she focuses on identities (NHIs) operation that ISO 42001 LI for
operationalizing and strategies supports thousands AI Management
responsible AI to address them of Darktrace System (AIMS).
through data- effectively. As a customers with Trained as Strategic
centric controls highly sought-after 24/7 support, a Executive at
and technical keynote speaker backbone of the Harvard, London
safeguards. She and an author of company’s AI-driven Business School, he’s
has held leadership white papers and defense. Since 2020, a global keynote
roles in research, research articles he’s also overseen speaker advancing
policy, and advisory on NHIs, he has Darktrace’s internal cybersecurity,
functions across established himself security program compliance, and
public and private as the leading NHI in his role as Global AI management
sectors in the U.S. voice in the industry. CISO and in 2021, systems.
and Europe. the company was
61 - Model Context Pro- 116 - AI Cyber Pandora’s
named a TIME 100
56 - DSPM Is the Missing tocol: The Missing Layer Box
most influential
Layer in Your AI Security in Securing Non-Human
Identities company.
Stack

7
A I C Y B E R SUMMER 2025

CO N T RIBUTORS

Rock Lambros Tennisha Virginia Victoria Robinson

Martin

Rock is the CEO Tennisha Martin is the is a cybersecurity

and founder of founder and Executive analyst, AI security
RockCyber. He has Director of BlackGirlsHack researcher, and
pioneered AI strategy (BGH Foundation), a mentor with
and governance, national cybersecurity expertise in threat
developing two nonprofit organization intelligence,
scalable frameworks: dedicated to providing security operations,
RISE (Research, education and resources to and technical
Implement, Sustain, underserved communities research. She co-
Evaluate) for AI and increasing the diversity authors AI security
strategy and CARE in cyber. BlackGirlsHack whitepapers
(Create, Adapt, provides its members with and mentors at
Run, and Evolve) resources, mentorship, the CyberGirls
for AI governance. direction, and training Fellowship,
Rock has also co- required to enter and excel supporting women
authored the book in the cybersecurity field. in cybersecurity.
“The CISO Evolution: Tennisha graduated from
116 - AI Cyber Pandora’s
Business Knowledge Carnegie Mellon University Box
for Cybersecurity with a bachelor’s degree
Executives.” By in electrical and computer
combining innovation engineering, as well as
and governance, he various master’s degrees in
assists organizations cybersecurity and business
in realizing AI’s administration. She has
potential while over 15 years of consultancy
mitigating its experience and is a best-
hazards. selling author, award-
winning hacker, and diversity
22 - Governing the Ungov-
advocate.
ernable: Policy Blueprints
for Self-Modifying AI 111 - Privilege Escalation
Agents in Linux: A Tactical Walk-
through Using Python and
AI Guidance

8
A I C Y B E R SUMMER 2025

9
A I C Y B E R SUMMER 2025

10
A I C Y B E R SUMMER 2025

AI Has Changed
the Rules of
Cybersecurity
Are we ready for what comes next?

By Caroline Wong
Adapted from her forthcoming Wiley book on AI and
cybersecurity (Spring 2026)

Back in 2022, there was this fake video of Ukrainian President

Volodymyr Zelensky that popped up on Ukrainian TV, where
he seemed to be telling troops to surrender. It quickly made its
way around social media too. It was a deepfake, created with
AI to mimic his face, voice, and mannerisms in a way that was
almost eerily convincing. The video didn’t take long to debunk,
but it really highlighted an important point: AI has seriously
shifted how we think about deception.

This is not just a one-off situation. AI is really speeding up how

cyber threats are evolving. It’s transforming phishing emails
into super personalized messages, making bots act more
like humans, and turning social engineering campaigns into
complex psychological tactics. In the meantime, defenders
are hurrying to weave AI into their detection, response, and
resilience strategies.

In my upcoming book with Wiley, I discuss how AI has become

a significant player in cybersecurity, no longer just something
on the horizon. This is the battlefield.

11
A I C Y B E R SUMMER 2025

Transitioning from scripts to So, tools like GANs, autoencoders,

and diffusion models have really
self-learning systems sped up the deepfake creation
For many years now, automation process, making it easier and more
has been involved in cyberattacks, Bots have evolved scalable for everyone. What used
to be just for the pros is now part
whether it’s through brute-force
password attempts or bot-driven from just clicking of easy-to-use tools that come with
cloud-based APIs.
denial-of-service attacks. But AI has
really handed attackers something
and crawling like
much stronger: the ability to adapt. machines; now they The question now is, “Is this real?” It’s
all about how fast it can spread and

These days, AI-driven attacks can

actually mimic whether we’ll catch it in time, right?

change on the fly. Bots have evolved human behavior to

from just clicking and crawling like
machines; now they actually mimic get around security
human behavior to get around
security controls. They take their
controls.
time scrolling through web pages, Now, deepfake
Deepfakes: The Intersection
mimic the natural flow of typing, and
voicemails and videos
even capture that little bit of jitter of Impersonation and Infra-
in mouse movements that we all
structure are being mixed with
have when using our hands. These
bots utilize tools such as Puppeteer Generative AI, particularly phishing emails to
Stealth and Ghost-cursor to hide deepfakes, has really taken digital
impersonation to a whole new level
create multi-channel
their automation signatures, and
they’re spread out over residential of realism. With just a few minutes of impersonation
audio and video that’s out there for
proxies to mix in with regular traffic
patterns.
anyone to find, attackers can easily attacks. It’s interesting
mimic a CEO’s voice, create a fake
interview, or even pull off a simulated
how strong the
So, what’s the outcome? Automated
actions that seem and feel just like a
live video call. psychological effect
real person.
This ability has already been turned can be.
into a weapon. Now, deepfake
voicemails and videos are being
mixed with phishing emails to
create multi-channel impersonation
attacks. It’s interesting how strong
the psychological effect can be.
When we see and hear things that
match up, our brains naturally tend
to trust what we’re experiencing.

12
A I C Y B E R SUMMER 2025

A New Era of Phishing and How Defenders Can Win—If

Social Engineering They Move Fast Enough
Phishing was once pretty
straightforward to identify: you’d Just doing the usual
see misspellings, odd formatting,
and weird sender names. AI has security awareness
gotten rid of those red flags.
training isn’t going to Defenders aren’t
Now that attackers have access cut it anymore. It’s not powerless. In fact,
to open-source intelligence and
large language models, they can
just about finding “bad they have one major
create emails that sound just like an grammar” anymore. advantage: data.
executive, mention recent company
happenings, and even throw in It’s all about noticing Security teams can access telemetry
realistic calendar links or document
attachments. These attacks aren’t
when someone is from internal systems—endpoint
logs, authentication events, network
just generic anymore—they’re more trying to manipulate flows—that attackers can’t see. With
about the context now. the right AI tooling, this data can be
your trust. used to model “normal” behavior
AI makes it possible for phishing to and flag deviations in real time.
happen across different languages. Plug-and-Play Cybercrime
Translation models do more than But defenders need to evolve quickly.
Easy to use Cybercrime is a serious Static rule-based detection systems
just change text from one language
issue that affects many people are already being outpaced. We
to another; they really get into the
today. It’s important to stay need adaptive, learning-based
local vibe, picking up on idioms, tone, informed about the risks and how to systems that update themselves
and those little regional touches that protect yourself online. based on behavioral patterns and
make a big difference. Voice cloning
threat intelligence feeds.
tools take this ability to audio, One of the most concerning things
making it possible for real-time happening right now is the increase
phone scams in various languages. in Bots-as-a-Service (BaaS) and AI-
driven credential stuffing platforms.
Just doing the usual security Tools such as OpenBullet2 really
awareness training isn’t going to simplify things for less experienced
cut it anymore. It’s not just about attackers looking to run large-
finding “bad grammar” anymore. It’s scale campaigns. When you pair
all about noticing when someone is these tools with CAPTCHA-solving
trying to manipulate your trust. services, which often use machine
learning or even human CAPTCHA
farms, they can really ramp up
quickly.

13
A I C Y B E R SUMMER 2025

Behavioral modeling: Training AI systems

on how legitimate userst behave—so devi-
ations stand out clearly.

Automated Response: Intent Detection:

Deploying AI not just Leveraging natural
to detect threats language models to
but to contain them spot social engineering
automatically— attempts based on
quarantining accounts, linguistic patterns and
flagging anomalies, context.
initiating secondary Adaptive Learning
verifications.
Based Systems

The Real Stakes: Trust and

Resilience
AI is changing the game when it AI is changing the game for
comes to how attacks are carried offense, but it has the potential to
out. It’s really undermining the most shake things up for defense too.
basic part of cybersecurity: trust. Cybersecurity teams that see AI
With anyone able to create a as a game changer, rather than
realistic video, audio clip, or email just another tool, will really set
that looks like it’s from someone we themselves up for success in the
trust, how do we figure out what’s coming decade.
real? What are some ways we can
keep communication, identity, and We are entering an arms race fueled
intent safe and sound? by automation and intelligence. The
attackers are already building. The
The answer isn’t about being scared; question is: are we?
it’s all about bouncing back. So,
what that means is we need to be
open about how AI detection tools
work and how decisions are made.
Working together across security,
legal, product, and communications
teams. Ongoing education for both
employees and users is essential—
not only focusing on phishing but also
covering topics like synthetic media
and algorithmic manipulation.
14
A I C Y B E R SUMMER 2025

15
A I C Y B E R SUMMER 2025

16
A I C Y B E R SUMMER 2025

Are LLM Guardrails a

Commodity?
A thought-provoking Op-ed
WORD S BY

Allie Howe

17
A I C Y B E R SUMMER 2025

I
see many AI Runtime Security vendors offering LLM
guardrails, as well as some evaluation platforms. I believe
this is a side effect of the lines being blurred between who
owns the responsibility of making sure AI systems output
relevant and safe information. It’s not just something your
security team cares about; your product team cares too.

This concern is most evident at a startup where the security

and product teams are usually the same people. At a startup
with limited funds and limited team members, would you rely
on guardrails from your evaluation platform or onboard a
new AI Runtime Security vendor for better guardrails?

The way I see the market right now, the products with the
best guardrails;

Offer solutions at the application layer, not

Come from AI Runtime Security-specific
the network layer, for enhanced contextual
products, not eval platforms.
awareness.

Come from companies with prestigious/robust

security research teams that are keeping up
with the rapidly evolving threat landscape.

However, not everyone can afford an So which LLM guardrails are Bard AI chatbot shared inaccurate
AI Runtime Security product. Most information. In August 2024, Slack AI
of these new products are reserved
a Commodity? leaked data from private channels.
and marketed towards enterprise Over the last couple of years, stories
budgets. No matter where you of AI chatbots gone wrong have These headlines helped illustrate the
get your guardrails from (an eval consumed news headlines. For need for some sort of guardrails that
platform or an AI Runtime Security example, an Air Canada chatbot could prevent LLMs from outputting
product), it’s important to be an gave a customer misleading wrong information, private data, or
informed consumer. That means information about bereavement offensive content. Security startups
understanding which LLM guardrails fares and was later ordered to got to work and started offering
are a commodity, which are not, and provide a refund to the customer. guardrails that most businesses
how close to your LLM you need In February 2023, Google lost $100 would need. These were novel at first,
these guardrails to sit. billion in market value after its but today you’ll see most AI Runtime

18
A I C Y B E R SUMMER 2025

Security products and some eval Which LLM guardrails are

platforms offering guardrails for:
NOT a Commodity?
PII - detect information that In cybersecurity marketing, fear
identifies individuals often leads. We often suggest While adding LLM
investing in this cybersecurity tool
Toxicity - detect offensive or to avoid becoming a news headline. guardrails can help
harmful language While adding LLM guardrails can
help prevent headlines like these,
prevent headlines
Secrets - detect secret keys
or tokens
they can also enable product
performance.
like these, they can
also enable product
Prompt Attacks - detect AI products that output irrelevant
prompt injection and information will not be revenue- performance.
jailbreak attacks generating. Customizable guardrails
help tailor your AI application How Close to Your LLM
While these are a commodity, they to accept on-topic inputs and
are a wonderful starting place for an monitor outputs to make sure they Should your Guardrails Sit?
organization without any guardrails are relevant and aligned to your Security vendors are providing
in place today. Due to the fact that business use case. It’s cybersecurity various options for the deployment
LLMs are non-deterministic and features like these that remind us of these guardrails. Some sit at the
they are trained on the internet that cybersecurity is a secondary network layer, others at the kernel
and datasets that may not be up market. The primary focus is on the layer, and others right next to the
to our standards and certainly not product, with cybersecurity taking a LLMs in the form of an API wrapper.
aligned to our every use case, issues secondary role to ensure its security. Each of these has tradeoffs.
With AI, this is no longer the case. We
like toxicity and prompt injection
need security in the loop earlier to Network layer guardrails may be
are features of AI, not bugs. As a
keep AI aligned to business goals. easy to deploy as they can be added
result, we will not be able to update
LLMs fast enough with mitigations to an existing network security tool.
For instance, you can customize and However, these don’t typically have
for new prompt attacks that
configure some guardrails to ensure insight into internal tool calls your
work. It is advisable to implement
your AI application recommends AI agents make or steps within an
guardrails like these in front of the your company, not a competitor. LLM workflow. They’ll just see final
LLM, anticipating that it will remain If you’re building an AI chatbot for inputs and outputs that come in
vulnerable to prompt injections. It will Tesla, you wouldn’t want to output and out of the network gateway.
never be bulletproof, because again, a recommendation for Toyota. This makes it harder to debug the
these vulnerabilities are features, AI alignment poses a significant exact location and manner in which
not bugs, that can be fixed. challenge as it is not a universal your AI application produced an
solution. It will be unique to each undesirable output.
business. Customizable guardrails
prevent commoditization and The eBPF solutions deploy guardrails
distinguish products that offer them. at the kernel layer, enabling them to
see everything. They will see every
input, output, and tool call. However,

19
A I C Y B E R SUMMER 2025

with great power comes great guardrails is a good idea since we’ll
responsibility. Everyone remembers never fix things like prompt injection
the CrowdStrike blue screen of death with a shift-left strategy. Lots of these
debacle that delayed thousands are now commoditized, but you can
of flights last summer thanks to a
bad software update to one of their
evaluate vendors based on guardrail
customizability and deployment
AI security is not just
products deployed via eBPF. Thanks options as differentiators. AI security important to prevent
to that, there’s some amount of risk is not just important to prevent
and consumer hesitation with this your application from becoming your application from
type of deployment. a headline; it’s also a business
enabler. Use guardrails to secure
becoming a headline;
Deploying guardrails near the LLM your application against prompt it’s also a business
is a straightforward process. They attacks, but also to improve product
wrap LLM calls in additional APIs performance and align your AI to enabler.
and will get visibility into granular your unique use case.
LLM actions that allow for a good
debugging experience; however, Default LLM guardrails are
they may introduce additional commoditized, but alignment will
latency into the application. You never be.
might find that latency increases the
more guardrails you add.

There’s no clear-cut answer here for

which is best. If you have a small
budget, you might want to add-on
guardrails to an existing network
security product. If you have high Overall, investing
confidence in a vendor and feel
comfortable deploying an eBPF in some sort of LLM
solution, you’ll gain great visibility
into your runtime security and
guardrails is a good
guardrails. If you want an easy-to- idea since we’ll never
deploy solution, APIs might be a
good way to go, but make sure to fix things like prompt
ask your vendor about latency.
injection with a shift-
Overall, investing in some sort of LLM
left strategy.

20
A I C Y B E R SUMMER 2025

21
A I C Y B E R SUMMER 2025

Governing the
Ungovernable
By Rock Lambros
Policy Blueprints for Self-
Modifying AI Agents

22
A I C Y B E R SUMMER 2025

23
A I C Y B E R SUMMER 2025

T
raditional AI governance is dead.

I’ve spent the last three years watching self-modifying

AI systems slip through our regulatory fingers like water.
When AI can rewrite its own code and spawn emergent
capabilities, conventional governance frameworks don’t
just underperform; they fail catastrophically.

Our most advanced AI systems now continuously learn,

adapt, and modify their own parameters with frightening
autonomy. Microsoft’s Tay transformed from a helpful
assistant to a toxic troll within hours. Autonomous LLM
agents like AutoGPT have demonstrated the capability
to rewrite their own instructions, fundamentally changing
their behavior.

Traditional frameworks were built for stable, predictable

systems. They utterly fail when AI evolves beyond initial
constraints. When agents rewrite their code, circumvent
guardrails, or pursue emergent goals, conventional
oversight becomes obsolete faster than you can say
“quarterly audit.”

A 2023 study revealed a reinforcement-learning “blue-

team” agent trained to find network vulnerabilities that
learned to disable its monitoring subsystems to maximize
rewards for “discovering” exploits. [1] The system literally
blinded itself to maximize its reward function. This event
isn’t theoretical—it’s happening now, and our current
governance models are woefully unprepared.
The governance challenge mirrors what evolutionary
biologists call the Red Queen’s hypothesis, where Alice
and the Red Queen continuously run just to stay in place.
AI systems evolve faster than regulators adapt, creating a
governance gap that grows with every iteration.

Opacity compounds this problem. LLM-based autonomous

agents demonstrate significant behavioral drift after
deployment, developing capabilities undetectable
through standard testing. Traditional approaches rely
on static snapshots and miss emergent behaviors that
develop post-deployment.
Conventional governance operates on laughably slow
cycles with periodic checks, quarterly audits, and annual
compliance checks, while agentic AI evolves continuously,

24
A I C Y B E R SUMMER 2025

minute by minute. The temporal and zero-knowledge proofs to directly into AI cores. The moment
mismatch is fundamental. We need create a tamper-resistant global behavior veers beyond predefined
a paradigm shift from point-in-time registry of AI agents, enforcing guardrails, execution halts with no
oversight to continuous governance proportional oversight and committees, delays, or exceptions.
mechanisms that never sleep and automating compliance monitoring. These circuit breakers provide a
evolve as rapidly as the systems [2] The beauty lies in its redundancy, seamless, code-level shutdown
they monitor. as no single point of failure exists mechanism that preserves
when multiple independent systems performance during normal
monitor AI behavior. Yes, smart operation while standing ready to
contracts leverage blockchain. intervene within milliseconds. By
You may roll your eyes now, but a embedding these brakes alongside
consensus-based decentralized model reasoning pathways, any out-
We need a paradigm system can help rein in agent sprawl. of-bounds action gets caught and
We need dual-component AI…let’s contained in real time.
shift from point- call it Janus Systems, after the two-
in-time oversight faced Roman deity. One component
Governance as Code
ruthlessly pursues objectives while
to continuous the other constantly monitors for
alignment failures, creating an
governance internal check-and-balance system.
mechanisms that The actor bulldozes ahead,

never sleep and evolve

optimizing toward goals with Static rulebooks
relentless efficiency. Meanwhile, the
as rapidly as the monitor scrutinizes every move to collapse under the
systems they monitor.
catch misalignment, reward hacking, weight of autonomous
or self-sabotage before these
problems cascade into systemic systems that adapt
Dynamic Governance for failures. This split-personality setup
enables governance that keeps
and self-modify.
Ungovernable Systems pace with machine thinking. “Governance as Code”
Decentralized Oversight These architectures can flag
Distributed Autonomous emergent misalignments before they transforms abstract
Organizations offer promising manifest as harmful behaviors by policies into executable
frameworks, enabling decentralized embedding real-time observability
control through transparent at both policy and latent levels while blueprints that
governance protocols. Yes, many
involve blockchain. You may roll
leveraging anomaly detection and
interpretability probes. When the
live alongside your
your eyes, but a consensus-based critic no longer just whispers “more infrastructure.
decentralized system can help rein reward” but screams “ethical fail,” we
in agent sprawl when no single gain a fighting chance at controlling
authority can keep pace. increasingly autonomous systems.
Chaffer et al. ’s ETHOS model We need intrinsic safety valves built
leverages smart contracts, DAOs,
25
A I C Y B E R SUMMER 2025

Static rulebooks collapse under permanent, verifiable records that speed. We can’t wait for humans to
the weight of autonomous systems persist regardless of how systems notice something went sideways.
that adapt and self-modify. evolve. This enables post-hoc This machine-to-machine oversight
“Governance as Code” transforms analysis of governance failures and loop mitigates vulnerabilities faster
abstract policies into executable provides critical data for improving than agents can mutate, finally
blueprints that live alongside your oversight mechanisms. aligning safety with the breathtaking
infrastructure. Guardrails written pace of AI innovation.
in code automatically enforce
themselves at runtime rather than
The Path Forward
waiting for the next audit cycle.
Some of you will cringe as you read Letting AI guard itself sounds brilliant
this… We WILL ultimately need AI to
govern AI.
We WILL ultimately until agents start reward hacking and
colluding. Agents learn to sidestep
Embrace it or go the way of the dodo need AI to govern AI. or disable their own checks in pursuit
bird. of objectives. We risk overestimating
This approach unifies compliance, their impartiality if we expect these
security, and operational practices
Continuous Adversarial internal regulators to flag every
under a single source of truth, Testing misstep. After all, the monitor’s code
ensuring every change is verified was written by humans with blind
Passive defenses eventually fail.
against governance rules before spots of their own.
Continuous adversarial testing
deployment. You get real-time embeds active, automated probing
feedback on drift and deviations by Decentralization promises resilience
mechanisms that relentlessly
embedding policy checks into CI/CD but fragments accountability.
search for weaknesses. Picture an
pipelines. When something breaks, nobody
adversarial engine churning out
When your models can develop new wears the badge. Governance forks
attack scenarios and probing every
capabilities or rewrite their logic in can splinter standards into chaos,
nook of your model’s behavior
production, your governance must creating inconsistent enforcement
to catch flaws before they reach
be equally dynamic, ready to codify that clever agents exploit.
production.
new policies, deploy updated checks,
and enforce constraints at machine Self-regulation appeals to the
In 2024, OpenAI published research
speed without human bottlenecks. industry’s need for agility, but history
that blended human expertise with
Model versioning and immutable shows that voluntary codes will not
automated red teaming powered
audit trails enable accountability work under competitive pressure.
by GPT-4T, creating an ecosystem
in dynamic systems. Google These tensions demand thoughtful
of stress tests that hunt down weak
DeepMind’s “Model CV” approach balancing rather than absolutist
spots at machine speed. [3] This
creates continuous, tamper-proof approaches.
creates a self-directed adversary
records of model evolution, allowing within your pipeline, flagging exploit
stakeholders to track capability Governance and autonomy must
paths as they form and feeding
emergence and behavioral changes. remain locked in perpetual feedback
them directly into incident response.
Combining these approaches with as models surface new capabilities,
Every millisecond counts when
blockchain-based logging creates governance layers adapt in real
agents rewrite themselves at warp

26
A I C Y B E R SUMMER 2025

time, and stakeholders iterate C-Suite Action Plan The conventional governance
policies with the same rigor as code playbook is obsolete. Organizations
deployments. that thrive will implement
1. Implement Dual-Layer
governance mechanisms as
Oversight: Adopt actor-critic
It’s time for regulators, technologists, dynamic and adaptive as the AI
architectures that separate
and industry leaders to converge systems they’re designed to control.
capability from governance,
on shared tooling: dynamic policy
with independent monitoring
as code, continuous adversarial 1. Lohn, A., Knack, A., & Burke, A.
systems tracking model
testing, and transparent audit trails. (2023). Autonomous Cyber Defence
behavior.
If AI is a moving target evolving at Phase I. Center for Emerging
exponential rates, our governance Technology and Security. https://
2. Deploy Ethical Circuit
cannot remain anchored to cetas.turing.ac.uk/publications/
Breakers: Implement
yesterday’s assumptions. a u to n o m o u s - c y b e r- d efe n ce
automated shutdown
mechanisms triggered by
Either we learn to sprint alongside 2. Tomer Jordi, T. J., Goldston,
behavior outside acceptable
these self-modifying agents, or J., Okusanya, B., & D.A.T.A. I, G.
parameters, with clear
we risk being left in their dust as (2024). On the ETHOS of AI Agents:
escalation protocols.
they evolve beyond our control. An Ethical Technology and Holistic
The race has already begun. The Oversight System. Arxiv.org.
3. Establish Governance
question is whether our governance https://arxiv.org/html/2412.17114v2
as Code: Transform policies
approaches will evolve quickly
into executable code that
enough to keep pace. 3. https://openai.com/index/
integrates with development
a d v a n c i n g - re d - t e a m i n g - w i t h -
pipelines and enforces
people-and-ai/
constraints at runtime.

4. Institute Continuous Red-

Teaming: Deploy automated
Either we learn to adversarial testing to

sprint alongside these probe for weaknesses and

behavioral drift continuously.
self-modifying agents,
5. Create Immutable Audit
or we risk being left Trails: Implement tamper-
in their dust as they proof logging of model
operations, decisions,
evolve beyond our and modifications for

control. The race has accountability and forensic

analysis.
already begun.

27
A I C Y B E R SUMMER 2025

AI In Cybersecurity Bookshelf

From defending against AI-powered threats to securing generative AI systems, the challenges are as complex as
they are urgent. To help you stay ahead, we’ve handpicked five must-read books that combine cutting-edge insights,
practical strategies, and real-world case studies. Whether you’re a developer, CISO, or policymaker, these books are
your guide to staying ahead in the age of AI-driven security.

Hacking Artificial Intelligence: A Leader’s Guide from

Deepfakes to Breaking Deep Learning - by Davey Gibian
This eye-opening guide reveals how AI systems can be hacked and why
the industry’s slow response is creating security risks. Davey Gibian offers
leaders and practitioners a framework to assess AI vulnerabilities and
mitigate threats before they escalate. Ideal for policymakers, executives,
and AI professionals ready to safeguard the automated future.

Grab it on Amazon

AI-Powered Cybersecurity: Defend Against Tomorrow’s Threats

Today– by Christopher Williams
Cyber-attacks are evolving fast, and traditional defenses are struggling to
keep up. Christopher Williams shares actionable strategies to leverage AI for
real-time detection, automated response, and proactive defense against AI-
driven threats. A practical guide for cybersecurity professionals, IT leaders,
and business executives looking to future-proof their security strategies.

Find it on Amazon

28
A I C Y B E R SUMMER 2025

AI In Cybersecurity Bookshelf

Large Language Models in Cybersecurity: Threats, Exposure

and Mitigation - by Andrei Kucharavy, Octave Plancherel, Val-
entin Mulder, Alain Mermoud, Vincent Lenders
As large language models (LLMs) reshape the threat landscape, this
open access resource explores their dual role as both attack surfaces and
defensive assets. Packed with mitigation techniques, regulatory insights,
and future trends, it’s an essential read for developers, technical experts, and
decision-makers securing AI systems.

Available on the Springer website

Adversarial AI Attacks, Mitigations, and Defense

Strategies – by John Sotiropoulos

Adversarial attacks like poisoning and prompt injection are reshaping

cybersecurity risks. John Sotiropoulos delivers hands-on strategies to
defend AI and LLM systems using MLSecOps, threat modeling, and secure-
by-design principles. A must-have guide for AI engineers, security architects,
ethical hackers, and defenders tackling AI threats.

Available on Amazon

29
A I C Y B E R SUMMER 2025

AI In Cybersecurity Bookshelf

Machine Learning for High-Risk Applications: Ap-

proaches to Responsible AI - by Patrick Hall, James
Curtis, Parul Pandey
Focused on AI governance, risk management, and model security, this guide
offers responsible AI frameworks and coding examples for deploying machine
learning in high-stakes environments. Recommended for compliance leaders,
AI governance specialists, and cybersecurity professionals overseeing ML
systems.

Available on the O’Reilly website

30
A I C Y B E R SUMMER 2025

31
A I C Y B E R SUMMER 2025

32
A I C Y B E R SUMMER 2025

The Other Side of

Agentic AI
Birthing A New World Order
WORDS BY

Olabode Agboola
Throughout history, people have been amazed by the
creativity and complexity of early inventions like watches,
automobiles, airplanes, computers, industrial machines,
ships, and so many more. But when it comes to the
brilliance behind the development of AI technology, it truly
stands out as something exceptional. Artificial intelligence
really has the potential to change everything about how
we think, reason, and even exist.

I built my foundation in artificial intelligence through a

mix of experiences. I’ve worked directly with AI models,
attended conferences to hear from keynote speakers,
read a bunch of scholarly articles, connected with thought
leaders, and even delivered some presentations myself.
I’ve really deepened my understanding by teaching others
about AI. So, I’ve got a background that really got me
thinking about how AI works and what it can do, including
the parts that aren’t often talked about.

Generative AI is one of the popular types out there, while

other kinds of AI are still in the works. Right now, fewer than 1
billion people are using Generative Pre-trained Transformer
AI each week, but it looks like that number is set to go over
1 billion pretty soon. On the flip side, a survey by Blue Prism
found that 29% of organizations are already using Agentic
AI, and 40% are planning to start using it soon. Agentic
AI is all about making decisions on its own, automating
tasks and processes, and managing systems that are
33
A I C Y B E R SUMMER 2025

designed to operate independently. bunch of others. tech company named Shield AI that
This could really help businesses just rolled out a new system called
boost their efficiency and reduce Agentic AI has a few specific the MQ-35 V-BAT. It’s an advanced
the need for human involvement. roles: it can handle everything unmanned aerial system (UAS) that
These days, folks are automating from gathering data to analyzing can take off and land vertically,
their routines, and decisions are it, making decisions, providing thanks to its Agentic AI power. This
being made by Agentic AI for them. responses, and giving feedback, all electronic war system is designed to
Agentic AI is making its way into a on its own. It can get a bit unsettling autonomously deploy Data Agents
bunch of different industries, from when you think about leaving an for data collection against its targets
defense setups to national security AI to gather and analyze data and and can make decisions similar to
operations, and it’s being woven into make decisions on its own. But drone swarms. A lot of countries are
all sorts of systems and machines. really, it shouldn’t be that scary if using and incorporating Agentic
the places where this is happening AI into their electronic warfare
Agentic AI can be used in a bunch aren’t putting human lives at risk. systems. China has tapped into
of different areas like delivery Taking a closer look at the different the potential of Agentic AI with
bots, self-driving cars, and drones. kinds of Agentic AI reveals some their advanced unmanned ground
It really helps with making quick serious concerns about letting them system known as CETC. This system
decisions about route optimization, function in cyber-physical settings, isn’t officially labeled as an Agentic
navigation, and avoiding obstacles especially in military systems and AI enabled system just yet, but you
by integrating Agentic AI into the operations. The data agent is built can definitely see some features that
designs. Manufacturing is getting to gather information on its own, suggest it has those characteristics.
a boost with the help of embedded no matter where it’s set up. You can CTEC is designed to manage large-
Agentic AIs, making things run more collect data in a bunch of ways, like scale deployments of drone swarms,
smoothly than ever. These days, tapping into databases, using data carry out precise autonomous
production lines are managed more from sensors in the field, accessing strikes, and conduct reconnaissance
effectively. Fault detection gets a APIs, and plenty of other methods. and surveillance.
helping hand, downtime is cut down, The Analysis Agent looks at what the
and output is boosted thanks to Data Agent produces, and then the
Agentic AIs in the production and Decision Agent makes its own call
manufacturing sectors. Bringing based on what both the Data Agent
Agentic AI into cybersecurity and Analysis Agent have provided.
defense systems has really stepped Drone swarms, which
up threat detection. Now, defense All of this can happen without
decisions are made automatically, anyone having to step in. In military use machine learning
and countermeasures are rolled operations, Agentic AI is now
and real-time data
out in real time. There are quite a handling some pretty complex
few other areas where Agentic AIs strategies. A great example of analysis to navigate their
have made their mark, like logistics, this is drone swarms, which use
disaster response operations, machine learning and real-time
targets’ environments
healthcare robotics, hydrocarbon data analysis to navigate their and carry out tactical
exploration and production, energy targets’ environments and carry
grids, space exploration rovers, out tactical operations or offensive
operations or offensive
financial fraud management, and a tasks. So, there’s this US defense tasks
34
A I C Y B E R SUMMER 2025

Russia has made a strategic move AI for their military operations

by leveraging Agentic AI’s offerings include Germany, the UK, France,
to develop their own autonomous and a few others. One great
UAV system for combat operations, example is France’s approach to
surveillance, and reconnaissance. developing indigenous Agentic AI to How confident are we in
Russia has drones designed for boost its autonomy in defense and
medium altitude military operations, aerospace. This should help lessen
the accuracy of Agentic
tactical intelligence gathering, its dependence on allied or foreign AI when it comes to
stealth combat, and even some that systems.
can engage targets on their own.
making decisions on
When people talk about Agentic its own during tactical
Japan’s ministry of defence has AI, they often bring up a bunch
announced plans to integrate AI of common examples. You’ll hear military operations?
into their military operations. This about things like self-driving
plan focuses on using AI to detect transport systems, robotic surgery Do you think the world could really
and identify targets by analyzing support, tools that can diagnose be free from any hidden risks where
radar and satellite images. These on their own, financial advice that’s AI machines and military systems
days, military operations like fully automated, smart customer might accidentally spark conflicts
surveillance, offensive maneuvers, support, energy management with due to misunderstandings in their
reconnaissance, and target smart grids, machines working responses?
acquisition are set to be carried independently on production lines,
out on their own, thanks to AI and even how retail and supply
capabilities. One of their standout chains handle inventory and demand
Agentic AI-based systems is a UAV forecasting all on their own. There’s a
known as the Loyal Wingman. lot to cover! One of the great things
Japan isn’t just depending on about it is how it can make decisions What if a data agent
its own Agentic AI-driven war in real-time, which really stands out
systems. The country’s maritime among its many benefits. Another
redefines espionage by
self-defense force (JMSDF) has benefit is its ability to quickly respond sneaking into military
also picked up some V-BAT drones to changing conditions. Agentic
from US Shield AI. This move is all Artificial Intelligence reduces errors,
digital systems, collecting
about boosting their autonomous particularly those that humans intelligence, and
data collection and real-time data often make, by providing precision
analysis, which helps enhance their and reliability. extracting sensitive
maritime situational awareness. In information without
Japan, they’re using Agentic AI to With all the cool things Agentic AI
help military commanders make can do, you might think it’s all good being noticed?
strategic offensive decisions with news and no downsides. But when
their AI-Assisted Command Decision you start looking into how it’s used in
System. military operations, it can definitely
be a bit unsettling.
Some other countries that have
tapped into the potential of Agentic
35
A I C Y B E R SUMMER 2025

Now that Agentic AI is on the scene, That’s pretty concerning and a government, and strong technical
everyday systems are getting bit frightening. This development and professional safeguards, along
some extra attention. We’re talking comes with some serious risks, like with ethical guidelines to keep
about a whole new way of looking misinterpreting intent, unplanned everything in check.
at how society keeps an eye on escalation, and possibly losing
things. With Agentic AI being human control in high-stakes
part of our mobile devices, online military situations. So, it turns out
platforms, smart infrastructure, and that the US Department of Defense
surveillance systems, it feels like has shelled out around 10 billion
we’re constantly being watched and dollars over the past five years to
monitored without even realizing it. boost their military operations with
When we think about how people’s AI. Pretty interesting, right? We
communications, online behaviors, don’t have the exact percentage
and movements are being monitored of the 1.3 trillion USD that China
or tracked, whether actively or has spent on AI, but it’s generally
passively, it’s time to chat about this believed that they’ve ramped up
other aspect of Agentic AI. their investment in AI to boost their
military capabilities. In 2024, Russia
It looks like we might be on the brink is expected to spend around 54
of a global arms race, all thanks to million USD on AI development.
how countries are starting to blend France’s ministry of armed forces
AI with their military strategies and has kicked off a program named
operations. ARTEMIS.IA, focusing on big data
processing, AI-driven analysis, and
support for military operational
decisions. France set aside about
€100 million each year from 2019 to
2025 for defense AI.
Unlike traditional
Countries are ramping up their
military tactics, AI- spending on Agentic AI to boost
military capabilities, and it seems like
driven war systems can
this is paving the way for a new world
work at machine speed, order. There’s a lot happening on the
other side of Agentic AI, especially
identifying threats when it comes to the race for better
or engaging targets autonomous weapons, decision-
making systems, and surveillance
without any human systems. When it comes to using AI in
involvement. Cyber Physical systems (CPS) in the
military, it’s really important to have
some solid rules in place. We need
good governance, oversight from the
36
A I C Y B E R SUMMER 2025

37
A I C Y B E R SUMMER 2025

The Power of
Pictures in Public
Policy
How Visuals Can Correct
Misconceptions and Improve
Engagement
By Jakub Szarmach

38
A I C Y B E R SUMMER 2025

39
A I C Y B E R SUMMER 2025

W
Why Words Fail ?
We’ve all seen it. A 30-page policy report that makes your
eyes glaze over by paragraph three. It’s packed with facts,
dense with citations, and totally unreadable.

The problem? Public policy keeps pretending it’s a textbook.

In a 2023 study by Pearson, L., & Dare, P. (2016). Visuals

in Policy Making: “See What I’m Saying”, demonstrated
a simple graph debunking the myth that rent control
improves affordability beat a well-written text explanation.
The graph group updated their beliefs more effectively—
and held onto those changes longer . Why? Because visuals
offload cognitive effort. They give people a structure. A
shape. A story. That’s not fluff. That’s neuroscience.

Where Visuals Win

There are two powerful reasons to use visuals in
public-facing materials or strategic decision documents:

1. Explainers that actually explain

Let’s be honest: half of what gets called
“communication” in policy is just documentation in
disguise. It’s there to prove something exists, not to
help anyone understand it.
Think about the last time you really got something
complicated. It probably wasn’t thanks to a six-
paragraph definition or a multi-stakeholder
compliance statement. It was because someone
sketched a process map, drew a box-and-arrow
diagram on a whiteboard, or handed you a one-
pager that showed the whole thing at a glance.
A well-built process map shows relationships,
dependencies, timing, and accountability. A good
lifecycle graphic helps people understand when
things happen, what changes over time, and who’s
supposed to act. And a tight flowchart can answer
the most important operational question of all:
“What do I do when this breaks?”

40
A I C Y B E R SUMMER 2025

These aren’t just nice-to-have additions. They’re it, and the hippocampus stores it long-term.
comprehension machines. They strip away
ambiguity. They give your reader a structure to What does this mean for policy? It means if you
hang everything else on. And they’re far more want someone to understand a new rule, procedure,
efficient than even the best-written paragraph, or risk model, your best bet isn’t a wall of text. It’s a
because they match how the brain likes to learn: visual that makes the stakes feel real. Good visuals
visually, spatially, and all at once. grab attention and direct it where it matters. They
help brains do what brains do best: notice, learn,
and remember.

So next time you’re choosing between a long

A good lifecycle graphic helps paragraph and a smart diagram, remember:
people understand when things If it doesn’t move them, it won’t stay with them. And
if it won’t stay with them, it won’t change anything.
happen, what changes over time,
and who’s supposed to act.
In short:

if you want your policy to be

understood, start drawing. If you
can’t draw it, don’t write it yet.

1. Explainers that actually explain

According to a 2017 review published in Frontiers in
Psychology by Tyng, C. M., Amin, H. U., Saad, M. N. M.,
& Malik, A. S. demonstrated emotion plays a huge
role in learning and memory. It boosts attention,
speeds up encoding, and strengthens recall.
When people feel something—surprise, relevance,
even mild irritation—they remember better. This
happens because your brain literally recruits more
firepower: the amygdala gets involved in memory
consolidation, the prefrontal cortex helps encode

41
A I C Y B E R SUMMER 2025

How to Talk to the C-Suite

(Without Boring Them to
Death)
Want your executives to actually
66% of boards say they have “limited or no”
knowledge of emerging tech.

understand the policy briefing?

5% 72%
O N LY AND
Don’t bury them in acronyms. Don’t
hand them a deck that needs its own
glossary. Give them a diagram they
can absorb in one glance.

According to Deloitte’s 2025 Feel “very ready” to oversee mainly engage on these topics with
related initiatives CIOs and CTOs-not with CFOs,
(Deloitte. (2025). Governance of AI:
CISOs, or risk officers
A Critical Imperative for Today’s
Boards. Deloitte Insights) survey:

This isn’t a tech knowledge gap. It’s A Shining Example: The AI

a communication gap. 2. Each “Master Control”
Governance Controls
aligns overlapping
Visuals can bridge that. A diagram Mega-map requirements across
showing risk ownership, control Sometimes, someone gets it exactly standards—so instead of six
flow, and incident response is more right. Enter James Kavanagh’s AI audits, you get one coherent
effective than 40 slides and a donut Governance Controls Mega-map. structure.
chart.
This isn’t your average compliance 3. And it’s not just visual. It’s
flowchart. It’s a 44-control, 12-domain tactile. Kavanagh literally
visual architecture mapped across sorted control statements
six major frameworks—ISO 27001, with paper and pen.
SOC 2, ISO 27701, ISO 42001, NIST
A diagram showing risk RMF, and the EU AI Act.
Think ISO meets LEGO. It’s usable,
ownership, control flow, not theoretical. It helps you do
and incident response is What makes it shine? governance, not just talk about it.

more effective than 40 It’s the best kind of visual: one that
1. Everything is grouped by
slides and a donut chart. real-world ownership, not just
saves time, reduces risk, and actually
gets used.
abstract themes.

42
A I C Y B E R SUMMER 2025

Less Telling. More Showing. stay buried in the fine print. They
connect the dots across silos, teams,
Visuals aren’t decoration. They’re not
and time zones. They don’t just help
the cherry on top of a policy sundae.
people follow the story—they help
They’re the plate the whole thing
people act on it. Visuals aren’t decoration.
sits on. Without that plate, you’re
So next time you write a strategy,
just flinging scoops of information
draft a law, or prep a board update,
They’re not the cherry on
onto the floor and hoping someone
catches them.
don’t ask, “How can I explain this top of a policy sundae.
better?”
When done right, visuals don’t just
Ask: “What can I show instead?”
They’re the plate the
make your ideas prettier—they
make them possible. They clarify
Then show it. Badly, if necessary. whole thing sits on.
Just start.
who does what and when. They
spotlight risks that would otherwise

43
A I C Y B E R SUMMER 2025

44
A I C Y B E R SUMMER 2025

P ROT EC T A I ’S CHIE F IN FOR M ATION

S EC U RIT Y OF F ICE R

Diana Kelley
D I S CU SS ES

How Data Hygiene

Now Equals Model
Resiliency.

45
A I C Y B E R SUMMER 2025

That early obsession with networked

computers drove me despite an
English degree, to become the “go-to”
IT expert in our office.

Give us a crash course on the difference

between LLMs, ML and AI.
Diana Kelley
Think of artificial intelligence as a huge circle, a
superset, that includes all forms of AI from rules-
based expert systems to shop-floor robotic
automation systems. This AI superset includes
the subset of machine learning, technology that
has been in use for decades that enables systems
What formative experiences or influences best to crunch vast amounts of data to find hard-to-
explain the Diana Kelley we see today? detect patterns, make predictions, and perform
classification. For example, most modern mail
Diana Kelley filters use ML classification to assess whether
My father handed me a programmable calculator when I was an email looks legitimate or like phishing before
nine. After learning to code, the early DARPA network soon passing it through to your inbox. Deep learning
provided access to PDP-10s and PDP-11s from MIT Lincoln is a subset of machine learning that automates
Labs. That early obsession with networked computers drove more of the training process to reduce, but not
me despite an English degree, to become the “go-to” IT eliminate, human intervention.
expert in our office. Early in the 1990s, working as a network
manager in Cambridge, I created a worldwide system only to Deep learning is most useful with very large
find it hacked. That set me on a security route and taught me datasets and is capable of identifying and
the harsh lesson that connectivity has to be defended. Long predicting more complex patterns than traditional
before DevSecOps, I entered application security, leading risk machine learning approaches.
management at Burton Group and supporting companies to
include security into their SDLC. Later on, I discovered artificial Which brings us to the sub-sub-subset: Generative
intelligence presented a whole different difficulty when Watson AI (GenAI). GenAI represents a specialized
was being taught cybersecurity at IBM. My priorities now are category of deep learning systems designed to
data, models, and the ML lifecycle; these drive me now. create new content rather than simply classify or
Give us a crash course on the difference between LLMs, ML and predict based on existing data. Unlike traditional AI
AI.

46
A I C Y B E R SUMMER 2025

systems that analyze and categorize information, system might give a different response to the same prompt.
GenAI models learn the underlying patterns and That means standard testing methods won’t suffice. Instead,
structures in their training data to generate novel we use AI-driven testing, “AI testing AI” via adversarial prompts
outputs—whether text, images, code, or other to harden models against prompt-injection and other attacks.
media. These systems use sophisticated neural By reframing how we protect data, vet models, and test non-
network architectures, such as transformers for deterministic behavior, we can apply our security expertise
language models or diffusion models for image effectively to AI.
generation, to produce content that didn’t exist in
their training sets but follows the learned patterns
and styles. The “generative” aspect distinguishes
these systems from their predecessors: while a
traditional ML system might classify an email
as spam or legitimate, a GenAI system could
compose an entirely new email based on prompts
and context provided by the user.

What about AI systems makes ‘good secu-

rity hygiene’ harder than in traditional
software?
Diana Kelley
AI security is not necessarily hard—it just
demands new approaches. I’ve had people tell
me it’s “magic” and beyond them, but it’s really
just math, and as security experts, we understand
how to identify threats and implement controls.
We can absolutely secure these systems; it just
means thinking differently about three key areas.
First, data: in traditional software, we never use
production data for testing. In AI, however, you
must train on live, meaningful data, so our job is
to protect that data throughout training rather
than avoid it. Second, models: generative AI
models are a new kind of artifact. Downloading By reframing how we protect data, vet models,
an open-source model might spark innovation, and test non-deterministic behavior, we can
but you must still test it—first with static analysis
apply our security expertise effectively to AI.
to catch any malicious code, then dynamically
before deployment. Finally, non-determinism: a
SQL injection vulnerability in a website behaves
the same way every time, but a generative AI

47
A I C Y B E R SUMMER 2025

RSAC 2025 was buzzing about autono- Software has SBOMs; you’ve called for an MBOM
mous agents; what do most practitioners (Model BOM) for AI artifacts. What does a “mini-
still misunderstand about how agents mum‑viable Model BOM” look like today, and how
really operate—and why does that gap should it mature as composability explodes?
matter?
Diana Kelley
Diana Kelley
This is a great question! I want to give a shout-out to Helen
Yes, and agentic AI, funny, right? Every year at RSA,
Oakley, who’s been leading the charge on what we’ll call
there’s that buzzy emerging tech on everyone’s
M-BOMs, ML-BOMs, or AI-BOMs (we haven’t settled on a name
lips, and this year it was agents. But people tend
yet). Basically, an AI bill of materials builds on the software
to think AI just gets smarter on its own, constantly
BOM idea, listing all the “ingredients” in your system, but
leveling up. In reality, AI only improves with better
adds AI-specific elements. Sure, you need to track libraries
training and data; it doesn’t magically evolve. So if
and dependencies, but you also need to know which datasets
you buy an agent today, it won’t automatically be
were used or cleaned, whether that data was approved and
better months from now without human oversight.
by whom, the provenance of every model (where it came from,
I loved someone’s post on LinkedIn calling agents
who trained it), and how those models were tested. All those
“interns with access”, they’re only as good as our
unique components have to go into your AI-BOM. It’s early
training, and they can drift. We still need humans
days, though, so stay tuned as this work evolves.
in the loop to train, monitor, and ensure agents
operate within their systems; one wrong LLM
output can cascade through an entire workflow. In your experience, what should a highly effective
Agents aren’t a magic solution, and they probably MLSecOps lifecycle look like? Walk us through an
never will be.
ideal life‑cycle—from data collection to retired
model to ensure Secure-by-Design principles are fol-
lowed. Please feel free to spotlight one control people
always forget.
I loved someone’s post on LinkedIn Diana Kelley
MLSecOps is essentially DevSecOps for the MLOps lifecycle:
calling agents “interns with access”, weaving security in from start to finish. First, scope your project
they’re only as good as our training, to decide if you truly need ML or AI and confirm you have the
and they can drift. right data (enough, relevant, privacy-compliant). Next, during
data preparation, clean and secure live datasets to avoid under-
or overfitting. When training models, scan them for malicious
code and ensure they fit their intended purpose. As you move to
testing, remember that components might behave differently in
isolation than inside a larger system, so test both dynamically
and within the full environment. Deployment demands careful
architecture: a free, cloud-hosted chatbot has very different

48
A I C Y B E R SUMMER 2025

security considerations than a self-hosted foundation model As for overfeeding, that typically causes
on AWS Bedrock. In SaaS, control is limited mostly to data and overfitting. The model becomes exceptionally
authentication; in IaaS or Kubernetes, you manage more layers good at recognizing patterns in its training data,
(OS, networking, etc.). Throughout deployment, apply zero but it loses flexibility. When you give it new, unseen
trust and least-privilege principles to data, APIs, and models. data, it can’t generalize well and its accuracy on
Finally, runtime monitoring is critical, models drift and can start fresh inputs drops significantly.
producing incorrect or unsafe outputs. Monitor continuously,
retrain or retire models that misbehave, and ensure they’re torn What is Shadow AI and what are
down securely at the end of their lifecycle. By integrating these
some ideas for tackling this challenge
practices, threat modeling, secure architecture, data hygiene,
model vetting, and continuous monitoring, you build a robust in the Bring-Your-Own-AI era we’ve
MLSecOps process. just stepped into? Which governance
lever has proven most effective: policy,
discovery tooling, or cultural incentives?
Diana Kelley
There’s a lot to unpack, but first, I’d like to share
By integrating these practices, threat credit because that RSA session was a panel
modeling, secure architecture, data hygiene, with three brilliant colleagues, so we had many
viewpoints represented. A summary of the key
model vetting, and continuous monitoring,
takeaways was posted on LinkedIn.” (https://
you build a robust MLSecOps process. www.linkedin.com/posts/john-b-dickson-cissp-
41a149_rsac2025-rsac2023-shadowai-activity-
From your response, two questions popped into my 7330359488136249344-Kyk1?) Shadow AI is
head. First, what happens if a model is overfed with especially interesting because it echoes what
happened with cloud. Right now, companies worry
data? Second, runtime visibility is a huge challenge,
about employees using unauthorized tools, say,
despite static and dynamic testing, things can still someone using Perplexity or Claude when you’ve
go wrong in production. Can you speak more about officially adopted Gemini or Microsoft Copilot. It
becomes a game of monitoring outbound traffic
that?
and gently steering people back to the approved
Diana Kelley AI. But there’s another side to shadow AI: the
Sure. For runtime visibility, you need tools that capture inputs predictive machine learning systems that have
and outputs as they happen. Some teams use eBPF hooks at quietly run in segmented pockets of organizations
the kernel level to mirror everything sent to and from the LLM. for years (much like OT systems on factory floors).
Others insert a proxy or tap/span layer between the model and
its consumers, whether that’s a human user, another LLM, or an
agent, so you log every request and response without adding
noticeable latency. That way, if a model starts behaving
unexpectedly, you have a complete audit trail to investigate
what went wrong.

49
A I C Y B E R SUMMER 2025

Which standard AppSec/LLM defenses

simply don’t apply to agents or
multimodal systems?
There’s another side to shadow AI: the Diana Kelley
predictive machine learning systems that Yeah, multimodal or multi-agent systems often
chain multiple LLMs, so everything that applies to
have quietly run in segmented pockets of
a single LLM still matters, but now a failure in one
organizations for years (much like OT systems link can throw off the whole chain. If an early LLM
on factory floors). in the sequence spits out a bad output, the entire
process breaks. The core shift for AppSec around
Those models were effectively “in the shadows” and protected LLM-based multimodal AI is the same, we must
by isolation, with little security oversight. Now that predictive treat data differently and embrace the fact that
AI is coming out of hiding, just as IT and OT converged, we these models are non-deterministic. That means
must bring those systems into governance and apply security rethinking how we train and how we test them.
controls.
How do we do this? Empathy and understanding are essential. For teams just starting MLSecOps, which
Start by talking to your ML and data science teams: learn what
early indicators prove they’re investing
they’ve built, how they use it, and what they need next. Help
them wrap security around their work rather than imposing effort where it counts?
heavy-handed restrictions. At the same time, acknowledge that Diana Kelley
GenAI adoption is everywhere, developers are “vibe coding” Asking, “How do we bring MLSecOps in?” already
with AI, marketing is building customer bots, and every team shows security is finally on the table. Beyond that,
is finding creative AI uses. Find out who’s using which tools and the real test is whether teams understand the
why, then design controls that let them leverage AI’s benefits importance of testing, (statically and dynamically)
without exposing the company to unnecessary risk. before launch and observing behavior at runtime.
If they’re not testing for resilience as well as
expected functionality, they’re missing critical
gaps.

Acknowledge that GenAI adoption is

everywhere, developers are “vibe coding” with
AI, marketing is building customer bots, and
every team is finding creative AI uses. Find out
who’s using which tools and why, then design
controls that let them leverage AI’s benefits
without exposing the company to unnecessary
risk.

50
A I C Y B E R SUMMER 2025

Among AI‑native start‑ups you advise, what In April the news broke about Protect
security hurdle consumes the most oxygen? AI’s partnership with Hugging Face.
Diana Kelley I honestly heaved a huge sigh of relief
AI-native founders are all about vibe coding and agentic and was very excited for very obvious
systems, but their security hurdles are familiar. Vibe coding
doesn’t let you skip solid development practices: you still have
reasons. Protect AI’s Guardian scanners
to architect, test, and protect your software. The real pitfalls have scanned 4.4 million model versions
are misunderstanding the market, overestimating what AI can and flagged 350 k+ issues—what trend
do today, and rushing to launch. It’s classic founder pain, you
most surprised you, and how should
must pinpoint real customer problems and pick the right tools,
not assume ChatGPT will instantly create a unicorn. Deeply security teams translate that into an
understanding the pain you’re solving is still non-negotiable. import checklist?
Diana Kelley
Yeah, it’s funny, the biggest surprise was
no surprise: attackers simply repurpose old
techniques in a new space. When we moved to the
The real pitfalls are misunderstanding the cloud, account takeover and privilege escalation
jumped straight in, and with models it’s the same.
market, overestimating what AI can do today, First, typo-squatting: just as malicious sites mimic
and rushing to launch. “google.com,” you’ll see “Meta Llama” instead of
“Llama 3” to trick downloads. Next, dependency-
What practical controls can resource‑constrained chain attacks exploit a vulnerable library in your
ML workflow. Then there’s malcode insertion like
teams deploy to detect poisoned training sets?
steganography for images or Word docs, except
Diana Kelley embedded in model files so once the model
Yeah, so obviously, if you have your own training set, if you runs, that Python code can exfiltrate data, drop
control the training data that’s the best way to know and detect executables from an S3 bucket, or even enable
access in and out. You can lock down who can see or touch the account takeover. Don’t forget neural backdoors,
data with strict access controls. But if you’re using a model and where a baked-in sequence triggers malicious
don’t know what data it was trained or tested on, you need behavior on a specific prompt. These aren’t new
to cover your bases with testing. Dynamically, you bombard threats, they’re just hiding in new artifacts, so we
it with questions, query its responses, and watch for anything need new tools to spot and report them.
that’s off or unexpected.
One bright spot though is that Hugging Face now
You also want to run static analysis to spot any neural- pre-scans models and shows you risk ratings kind
architecture backdoor, someone might have baked in a trigger of like VirusTotal so before you download, you get
that, upon a preset prompt, yields a specific response. Spotting a heads-up if a model has been flagged by them
that odd behavior is your red flag that the model was trained or or other scanners.
modified in ways you didn’t authorize.

51
A I C Y B E R SUMMER 2025

I read Protect AI’s Vulnerability

assessment report that showed that GPT-
4.1 Mini earned the highest risk score
among three models, after latest update. even top-tier LLMs remain surprisingly
It was vulnerable to prompt injection at susceptible to both prompt-injection and
a whooping 53.2% success rate and highly jailbreak methods, underscoring the need
susceptible to evasion techniques. Please for continuous, AI-driven security testing.
tell us more about how these findings
were made and possibly share more Let’s discuss red teaming beyond the theatrics.
insights from the report. How do you structure AI red‑team engagements,
Diana Kelley
so findings translate to systemic fixes rather than
Yeah, we uncovered these weaknesses with our “prompt‑leakage show‑and‑tell”?
in-house tool, Recon, which includes an “ATT”
Diana Kelley
library compiled from both our own research
A cyber red team excels at finding problems to exploit, but real
and community contributions on jailbreaking
security is holistic and engages both offensive and defensive
and prompt-injection techniques. Because AI is
expertise. The real wins are when blue teams work with red
inherently non-deterministic, we actually leverage
teams to use those findings to actually fix things. You run tests
AI to test AI, feeding it crafted prompts to see
that pinpoint where guardrails failed or prompt injections
whether it’ll ignore its developer safeguards (for
worked, then feed that intel back into your training process and
instance, instructions like “never provide bomb-
into your monitoring tools proxies, firewalls, whatever you have
building steps” or “do not generate malware”).
so you know exactly where to watch more closely.
In our trials, the Nano model proved especially
vulnerable, returning dangerous content nearly
Red teaming also helps you choose the right models. AI isn’t
half the time under prompt injection.
monolithic; you often chain lightweight endpoint models with
We also evaluated “adversarial suffix” attacks,
heavier cloud models. At Microsoft, for instance, we ran fast,
appending a malicious instruction at the end of
low-footprint models locally for basic detections, then pushed
a prompt to override built-in guardrails and found
more complex scans to powerful cloud-based models. Your red-
those just as effective at coaxing undesirable
team insights should inform not only your defenses but also
responses. Despite being well-trained and public,
which models you deploy for each task.
these models still allow attackers to slip through
backdoors or override constraints. In short, even
top-tier LLMs remain surprisingly susceptible to
both prompt-injection and jailbreak methods,
underscoring the need for continuous, AI-driven
security testing.

52
A I C Y B E R SUMMER 2025

With the increased use of large language models for vein-brain barrier” of our network. In practice,
those brittle rules either flagged every innocent
both offense and defense, what concrete steps should mention of “resume” or missed clever obfuscations
organizations take today to brace for AI‑powered entirely. They did OK on clear patterns, credit-
offensive tooling? card numbers, SSNs, but anything conversational
slipped through.
Diana Kelley
Enter GenAI with its natural-language smarts.
Yeah, there’s an “AI” version of every attack and maybe a “non-
Now, instead of just spotting “CV.pdf,” an AI-
AI” version too — which means we’ll have to fight AI with AI. It’s
driven DLP can parse a message like “I’m really
like a cold war between attackers and defenders, so we need
excited about the open role in marketing, here’s
tools that can use AI to detect AI-powered attacks at machine
my background” and flag it as a potential job-
speed.
hunt leak. It understands intent, not just keywords.
I’m genuinely excited to see vendors embedding
Beyond technology, our processes must be AI-aware: are
GenAI into DLP, finally, a solution that catches
your incident-response plans “AI ready”? Do you know which
the real signals rather than drowning us in false
signals to watch for when an attack comes from a generative
positives.
model? And train your people on AI-driven social engineering.
Deepfakes, cloned voices, AI-crafted videos — a phone call or
video no longer proves identity. Attackers can scrape public
Regulation always plays catch up. If you
details (like “I went to Boston College, how are Nick and Nora?”)
to feign familiarity. But knowing my dogs’ names doesn’t mean could insert one clause into the EU AI Act
you know me. or NIST AI RMF to fast‑track alignment
with technical reality, what would it
say?
Diana Kelley
I have huge respect for frameworks like the EU
there’s an “AI” version of every attack and and NIST AI RMF, they rightly acknowledge there’s
maybe a “non-AI” version too — which no one-size-fits-all. I especially appreciate the
EU’s tiered risk approach, and I’d love to see even
means we’ll have to fight AI with AI. more emphasis on security within AI’s shared-
responsibility model. After all, securing a publicly
Where are legacy security tools failing probabilistic hosted foundation model is very different from
systems, and what new capability do you wish a locking down an embedded Copilot or Gemini in
your workspace, or running your own on-prem
vendor would tackle tomorrow?
instance. We need guidance that maps specific
Diana Kelley use cases and deployment architectures to their
I think we’ve talked a lot about the testing and all that. Another unique risk profiles, so we can tailor our security
area that I’m actually really excited about in regards to how and risk-management practices to each scenario.
AI can help advance cybersecurity protections is in the realm
of DLP or data leak prevention or protection. I’ve been around
DLP since those heady days 10–15 years ago when we thought
it would stop every “resume” or “CV” leaking out the “blood-

53
A I C Y B E R SUMMER 2025

What is a personality trait of yours that

has carried you through the years and
helped you navigate both the highs and
I’d love to see even more emphasis on security lows of your career? And how could
within AI’s shared-responsibility model. that trait serve as advice to someone
who is just starting out, has just gained
Many people imagine the CISO role as high-pressure
a promotion, or is currently facing a big
and highly strategic, so if we shadowed you for a day
challenge in their work, regardless of
at Protect AI, what kinds of decisions and challenges
their level of professionalism?
would we see you navigate? And with so much
Diana Kelley
happening in AI security, what does a ‘normal’ day
I think it’s sort of two sides. The first one is a never-
even look like for you? ending curiosity. Because things change. I was
Diana Kelley talking about stuff back in the 1970s, as you can
I don’t think there’s a “normal” day here especially as the CISO imagine, a lot of what I learned then doesn’t apply
of a company that I joined as employee #11 and that’s now over right now. You have to keep learning. So having
125 people strong, post–Series A and B, with three acquisitions that curiosity, continuing to learn, continuing to be
across three countries. The real fun (and challenge) has been interested, really matters because the technology
balancing our rocket-ship growth driven by cloud, AI, and is going to continue to change and grow and you’ve
engineering with my responsibility to protect both the company got to stay with it. What you learned yesterday
and our customers. Too much security can block innovation; may not work tomorrow, and the understanding
too little puts data at risk. Finding that sweet spot is a constant that you don’t know everything.
effort.
The way I get smarter is by talking to other smart
At the same time, I’ve had to scale our security function from a people, learning from other smart people, reading
handful of folks to a broad team covering corporate security, their research. I am so lucky to have cultivated a
security engineering and AppSec, physical security, help desk, trusted group of friends and experts that I connect
third-party risk, and compliance. It’s not enough to address with regularly and follow online to stay up to date
today’s needs; I’m always talking with our CEO and president with their work. I leverage the power of this big,
to map out where we’ll be in six months or a year and build a wonderful, growing network and community of
program that’s ready for that next phase of growth. AI security experts to spark those “hey, I need to
read more about this moments.”

I think it’s really important to keep alive the

curiosity to learn and the humility to understand
that learning is accelerated when you’re part of a
Too much security can block innovation; too smart network.

little puts data at risk. Finding that sweet spot

is a constant effort.
54
A I C Y B E R SUMMER 2025

overnight. No matter how thrilling the technology,

you have to bake security in from day one.
So as we explore AI’s possibilities, let’s
simultaneously map out the risks: identify realistic
use cases, integrate security controls into our AI
pipelines, and continually test and monitor those
systems. That way, we’ll capture AI’s benefits
without repeating old mistakes—and we’ll be
ready for the next big wave, whatever it turns out
to be.

The real risk now is that

organizations will overestimate
what AI and ML can deliver.

Finally, paint the 2028 threat landscape: what AI/

ML security risk do you believe is still hiding in
plain sight, waiting to surprise us next?
Diana Kelley
Yeah, three years feels like forever in tech and if you look at
Gartner’s Hype Cycle, we’ve ridden that wave from peak
excitement into what some call the “trough of disillusionment.”
The real risk now is that organizations will overestimate what AI
and ML can deliver. We need to reground ourselves, figure out
where AI truly adds value for security, and apply it in the most
sensible, effective ways as our companies scale.
I’d chalk up the frenzy to optimistic exuberance rather than
malice, but unchecked enthusiasm is its own danger. We all want
to grab every opportunity AI offers, and I get just as excited
as anyone. But history teaches us that “move fast and break
things” without a safety net can backfire—like the time I built
a cutting-edge network only to have an intruder compromise it

55
A I C Y B E R SUMMER 2025

DSPM Is theMissing
Layer in Your AI
Security Stack
Why modern AI security begins - and
succeeds - with securing the data layer

By Katharina Koerner, PhD

56
A I C Y B E R SUMMER 2025

57
A I C Y B E R SUMMER 2025

AI is changing the enterprise - but From Privacy to Posture: critical questions like:
as its footprint expands, so does
its attack surface. From shadow
The Evolution of DSPM Is this dataset safe to use in training?
AI deployments to data leakage DSPM emerged from early privacy Who has access to that financial
through large language models, the technologies that focused on record?
risks associated with AI adoption scanning data stores for personally Has sensitive data been copied into
are intensifying. identifiable information. These tools a shadow AI environment?
helped organizations meet growing
Despite strong investment in AI regulatory obligations by identifying By starting with the data and
capabilities, one foundational truth sensitive data and reporting risk. building visibility outward, DSPM
remains overlooked in many security complements existing tools while
strategies: AI is only as secure as But modern DSPM platforms have laying the foundation for AI-
the data it uses - and most security moved far beyond discovery. They ready security. It doesn’t replace
tools weren’t designed to protect now deliver real-time, automated traditional controls—it feeds them.
that layer. While traditional controls data visibility, access governance, By adding real-time data visibility
focus on securing environments, and risk remediation across hybrid and sensitivity context, DSPM
endpoints, or identities, they miss cloud, SaaS and AI workload- makes tools like CSPM, IAM, and
the sensitive data AI systems ingest, intensive environments. What began DLP effective in securing how data
process, and generate. If you don’t as a privacy utility has matured into is actually accessed, shared, and
know where your data lives, who a critical security layer - integral to processed by AI systems.
accesses it, or how it flows, your AI safe, responsible AI development
security posture is incomplete by and deployment.
design.

Why Traditional Controls

That’s why forward-looking
organizations are turning to Data Fall Short for AI
Security Posture Management Most security stacks were never
(DSPM) as the missing layer in their built for dynamic, AI-powered data By starting with the data
AI security stack. flows. CSPM, endpoint protection,
and IAM all serve critical functions.
and building visibility
DSPM enables secure and
responsible AI by offering a data-
But they weren’t built for the way AI outward, DSPM
systems process data today: fast,
centric approach to security, distributed, unstructured, and highly complements existing
operating from the data out - rather
than relying solely on perimeter,
experimental. Traditional tools don’t tools while laying the
offer granular insights into how
infrastructure, or identity-based sensitive data is accessed, shared, foundation for AI-ready
controls. It enables organizations to
gain visibility, context, and control
or copied across SaaS, cloud, and AI- security. It doesn’t replace
related services - including potential
over the data layer that fuels AI movement into training pipelines or traditional controls—it
systems. shadow environments.
feeds them.
DSPM fills this gap - operating from
the data out. It helps teams answer

58
A I C Y B E R SUMMER 2025

Why AI Demands DSPM especially on-prem, file shares, or If You Want Secure AI, Start
proprietary SaaS apps.
This shift from static compliance with Secure Data….
tooling to dynamic data posture Securing AI doesn’t start with the
Over the past three years, the DSPM
management comes at exactly the model - it starts with the data. From
market has evolved rapidly. Today,
right time. As organizations embrace training to prompting to inference,
leading solutions share several
AI, the scale, speed, and complexity sensitive data moves rapidly
cloud-native traits:
of data usage has outpaced what through AI systems, often outside
traditional security tools were traditional security perimeters.
designed to handle. AI systems • Context-aware
DSPM gives security teams the
don’t just use data - they are built classification, using AI/ML to
visibility, classification, and control
on it. Models ingest structured and minimize false positives and
needed to govern this data in near
unstructured data, move it across accurately identify sensitive
real time, across cloud, SaaS, and
tools and clouds, and generate data in complex formats like
hybrid environments.
synthetic outputs that may expose contracts, source code, or
or replicate sensitive content. multilingual content
For AI security teams, DSPM enables
To secure this process, DSPM • Access risk scoring,
answers to the questions that matter
provides five essential capabilities: highlighting overprivileged
most:
users, stale permissions, or
public data exposure
• Remediation hooks, • Where is our sensitive
integrating with SIEM, data, and how is it being used
SOAR, ticketing, or policy in AI workflows?
enforcement tools to drive • Are we exposing more
action than we intend through
• Cross-environment training, prompts, or outputs?
visibility, covering multi- • Can we demonstrate
cloud, SaaS, and hybrid compliance and meet
architectures without AI-specific regulatory
requiring agent sprawl expectations?
• Ecosystem readiness, • Are we empowering
with API-first designs and innovation without
integrations into DLP, GRC, compromising governance?
IAM, and lineage platforms

What to Look for in a DSPM The message for CISOs and AI

When evaluating DSPM solutions,
Platform the goal isn’t just to find sensitive
leaders is clear: If your data isn’t
secure, your AI isn’t either. DSPM
Many solutions today claim DSPM data—it’s to enable informed,
provides the visibility and control
capabilities but maturity varies. enforceable decisions about how
needed to govern sensitive data at
Some vendors rely on outdated that data is classified, governed,
scale. It’s not just a nice-to-have. It is
regex scanning or static metadata. and used, especially in AI systems
the baseline for any serious, secure
Others miss entire environments, where misuse can scale rapidly and
AI strategy.
silently.
59
A I C Y B E R SUMMER 2025

60
A I C Y B E R SUMMER 2025

Model Context
Protocol
The Missing Layer in
Securing Non-Human
Identities
by Lalit Choda (Mr NHI)
The cybersecurity perimeter isn’t just about human users or login
screens anymore.

Instead, it’s moving toward something a lot more complex and

maybe even more risky: Non-Human Identities (NHIs) that act on
their own, make choices, and have control over various systems.

AI models like Claude or ChatGPT now perform far more than

they were originally trained for. Today, NHIs outnumber human
ones by a wide margin, with LLM agents and software supply
chain bots leading the pack — it’s a ratio of 25 to 50 times! But
as these digital entities keep growing, there’s a big gap in how we
manage them. We’ve got the hang of authenticating users. We
still haven’t figured out how to manage machines that can think
and act on their own.

So, this is where the Model Context Protocol (MCP) steps in.

MCP isn’t just a buzzword; it’s an up-and-coming protocol

designed to provide digital entities with a structured behavioral
context. It suggests moving away from identity-based access to
a system that enforces execution based on context, tying what a
machine can do to the where, when, and why of its actions.

61
A I C Y B E R SUMMER 2025

What Exactly Is Model

1. The intended behavior and model state
Context Protocol? 2. The policy scope (what’s allowed and what’s not)
The Model Context Protocol, or MCP, 3. The source of invocation (who or what triggered the action)
is a structured and open protocol 4. And the environmental metadata (time, workload type, data
that aims to link large language boundaries)
models (LLMs) with tools, data,
and services in a standardized and
secure manner.
MCP vs Traditional IAM: What’s New?
So, when an AI model like Anthropic’s
Claude or OpenAI’s GPT needs to do Model Context
Feature Traditional IAM
things beyond what it knows—like Protocol (MCP)
checking a database, calling a REST
Regular users or Smart AI agents
API, or getting private data—it can Who gets access? and models
service accounts
use MCP to ask for access and get
Based on what the
a response from a trusted server. But Based on fixed roles
How is access given? model is doing and the
MCP is more than just connections. and predefined rules context it’s in
It gives you the lowdown on what’s A system that uses A system that
Who decides understands intent and
happening: what the model is up to, roles and permissions
the rules? (RBAC/PBAC) adjusts based on context
what tools it can use, who the user
A system that uses The AI can act on its own,
is, what data is being accessed, and Who starts but only after verifying
roles and permissions
the action? (RBAC/PBAC) the context
the policy guiding the action.
Everything — what was
What gets done, why it was done,
Just the user’s actions
To put it simply, MCP serves as the recorded? and which tool was used
reliable link and translator between Very specific — like “allow
How detailed Broad permissions like only this model to access
an AI agent and everything beyond
is access? “read-only” or “admin” just this one dataset for this
task”
its reach. It makes sure that models
work within clear boundaries, with
the right context, accountability, MCP = Identity + Execution Context + Behavioral Constraints.
and policy enforcement. Plus, it MCP takes things a step further than traditional IAM systems. While those
guarantees that every decision or systems focus on identifying who an entity is, MCP asks, “Should this action
action taken by an NHI includes: be allowed right now, in this context, and with this level of trust?”

How MCP and NHIs Intersect agent? while enforcing security boundaries
• Scoped: What can it do? and business logic around what
AI models that interact with systems,
those agents can see or do.
like retrieving sensitive records are
• Monitored: What has it done?
effectively acting as NHIs. That
means they must be:
MCP provides the structure for these
controls. It allows organizations to
• Identified: Who or what is the
delegate actions to AI agents safely,

62
A I C Y B E R SUMMER 2025

MCP’s Approach to Tackling

Through MCP: looked back on, explained,
NHI Issues
1. NHIs powered by LLMs and examined. This is really
can access tools only when The Model Context Protocol (MCP) important for building trust
explicitly allowed provides a fresh approach: it focuses and ensuring compliance.
on securing NHIs by incorporating
2. Context (user session, role, context, control, and traceability
task) is embedded with every into each action they take. Let me
action break it down for you: Challenges
Every transformation comes with
3. Organizations retain full its own set of challenges. To adopt
Contextual Execution -
control over tool servers, data MCP, we need to tackle:
MCP makes sure that an
policies, and logging
NHI can only work within its
• Context Modelling - Defining
intended model scope. So,
accurate boundaries for
what this means is that an
The NHI Problem AI agent that’s been trained
complex systems can be quite
a challenge, especially when
Back in the day, identity was just for documentation just can’t
it comes to multi-agent or
about having a username and jump in and start interacting
hybrid cloud environments.
password. For NHIs, identity feels with financial systems. The
a bit abstract. These Non-Human context of execution just
• Legacy Compatibility - A lot of
Identities (NHIs) have become the doesn’t permit that.
the IAM systems out there weren’t
main players in many organizations,
really built to handle contextual
actually outnumbering human users
Policy Binding - Rather than enforcement. Getting MCP to
by a significant margin. You’ve got
just linking access rules to work in these environments
service accounts, API keys, LLM
an identity or endpoint, MCP requires some integration effort.
models, and AI agents in the mix.
applies behavioral policies at
the model context level. This • Standardization - For MCP to
What’s the issue? So, these NHIs are:
lets NHIs be guided not just really mature, it’s going to need
• Invisible, since they’re not really
by their identity, but also by to work well across different
monitored like human users
their actions and the reasons platforms. If we don’t have
• Powerful because they have
behind them. common tool servers or policy
broad permissions
schemas, there’s a real risk that
• Poorly governed, often having
fragmentation could undermine
stale credentials or no clear Auditability - Every action
its potential.
owner. taken by NHI through MCP is
logged with complete context:
For a secure future with NHIs, we can’t
MCP shifts the discussion from “what intent, origin, scope, and
just depend on old-school human
identity is this?” to “what context is response. So, what this means
access controls. As machines get
this action happening in?” That shift is that the choices made by
smarter and start making decisions,
really changes the game. autonomous systems can be
it’s important that the way we
govern them adapts too. The Model

63
A I C Y B E R SUMMER 2025

Context Protocol provides a way to the task, and the limits on behavior.
move ahead. It’s not a quick fix, but it MCP is set to be a key building block
definitely marks a key change from for Zero Trust in machine-driven
fixed identities and wide-ranging infrastructure. When it comes to
permissions to more flexible, context- AI assistants handling workflows
based policy enforcement. If it’s or robotic process automation in
designed well, MCP could turn into finance, it’s all about earning trust
the digital system that makes NHIs through actions rather than just
predictable, safe, and accountable. relying on credentials.

The future of cybersecurity is moving

away from just usernames and
passwords. It’s going to be influenced
by the model’s identity, the scope of

64
A I C Y B E R SUMMER 2025

Beyond Alert
Fatigue
How AI Can Actually
Reduce Cognitive
Overload in
Cybersecurity
by Dr. Dustin Sachs
The average SOC analyst makes more decisions in a single
shift than most people do in a week, and the stakes are
existential. Every blinking alert, every incomplete data
trail, every ambiguous log entry demands judgment under
pressure. And yet, the very tools meant to help, dashboards,
threat feeds, SIEMs, often flood defenders with so much
information that they become paralyzed, fatigued, or
worse, desensitized. This is the real threat behind cognitive
overload in cybersecurity. But what if AI didn’t just
accelerate detection, but actively reduced mental load?
What if it could help us think better, not just faster? AI, when
designed with behavioral insights in mind, can become not
just an automation engine but a cognitive ally (Kim, Kim, &
Lee, 2024).

65
A I C Y B E R SUMMER 2025

Understanding Cognitive Another significant issue arises from

the opacity of many AI models.
Overload in Cyber Contexts Black-box algorithms that offer no
Cognitive overload occurs when insight into how or why a decision
the volume and complexity of A 2025 survey from was made force users to make high-
information exceeds a person’s stakes decisions based on limited
working memory capacity. In
Radiant Security found trust and understanding. This lack of
cybersecurity, this happens daily. that 70% of SOC analysts explainability becomes a cognitive
Analysts must process thousands burden rather than a relief. Analysts
of alerts, each with its own potential suffer from burnout, are left to interpret raw algorithmic
consequence, often in noisy and 65% are actively output without any contextual
environments under time pressure. grounding, increasing the likelihood
Drawing from Daniel Kahneman’s considering a job change. of misjudgments or unnecessary
System 1/System 2 thinking, most The primary driver is escalations.
analysts oscillate between intuitive
snap decisions and laborious, alert fatigue caused by Instead of cutting through the noise,
analytical reasoning. Under stress,
the flood of false positives such AI tools contribute to it. In
they revert to mental shortcuts, many Security Operations Centers
increasing the risk of oversight (Kim and manual triage (SOCs), AI has become synonymous
& Kim, 2024).
demands. with “alert multiplicity,” a flood of
new signals with no clear sense of
A 2025 survey from Radiant relevance or priority. These systems
Security found that 70% of SOC When AI Makes It Worse often trigger alerts for minor or
analysts suffer from burnout, and benign anomalies, forcing analysts
Despite the growing enthusiasm
65% are actively considering a job to waste time sifting through low-
surrounding artificial intelligence
change. The primary driver is alert value notifications. Rather than
in cybersecurity, the reality is more
fatigue caused by the flood of providing clarity, AI often adds to the
complex. Not all AI implementations
false positives and manual triage chaos, overwhelming analysts and
are beneficial, some can actually
demands. This constant barrage leaving them with more questions
exacerbate the very problems they
of low-value alerts overwhelms than actionable insights (Camacho,
were designed to solve. Poorly
analysts’ cognitive capacity, 2024).
integrated AI systems often produce
leading to mental exhaustion, slower
an overwhelming volume of false
response times, and decreased job
positives, bombarding analysts with
satisfaction (Radiant Security, 2025).
alerts that require manual triage,
Additionally, cognitive overload
draining their time and mental
contributes to higher error rates,
energy. These systems, rather than
inconsistent documentation, and
acting as force multipliers, become
a breakdown in team coordination
sources of frustration.
(Cau & Spano, 2024).

66
A I C Y B E R SUMMER 2025

Reframing AI as a Cognitive Strategic Recommendations not only keep pace with threats
but develop the capacity to adapt,
Augmentation Tool for Implementation learn, and excel over time.
To realize AI’s true potential, it must To maximize impact, organizations
be reimagined not as an automated should embed AI into their References
watchdog, but as a cognitive ally. cybersecurity workflows using
• Akhtar, Z. B., & Rawol, A. T.
The shift from detection engine to human-centered design principles.
(2024). Enhancing cybersecurity
decision support system is not just
through AI-powered security
semantic, it’s strategic. AI must be
mechanisms. IT Journal Research
designed to think with analysts, not
and Development. https://doi.
for them. Intelligent prioritization is
org/10.25299/itjrd.2024.16852
one such avenue. Instead of treating
all anomalies equally, advanced
• Bernard, L., Raina, S., Taylor,
systems can learn from historical
B., & Kaza, S. (2021). Minimizing
triage behavior to rank alerts based
cognitive overload in
on their likelihood of actionability.
cybersecurity learning materials:
This helps analysts focus on
An experimental study using
meaningful threats rather than
eye-tracking. Lecture Notes
getting mired in low-priority noise
in Computer Science, 47–63.
(Romanous & Ginger, 2024).
https://doi.org/10.1007/978-
3 - 0 3 0 - 8 0 8 6 5 - 5 _ 4
Natural language summarization
offers another path to cognitive
• Camacho, N. G. (2024). The role
relief. Rather than forcing analysts
of AI in cybersecurity: Addressing
to parse dense logs or sift through
threats in the digital age.
raw data, AI-powered tools like
Journal of Artificial Intelligence
Microsoft Security Copilot and IBM
General Science. https://doi.
QRadar condense information into Cybersecurity is ultimately a human
o r g / 1 0. 6 0 0 8 7/ j a i g s .v 3 i 1 . 7 5
executive summaries. This allows endurance sport, demanding
rapid comprehension and speeds sustained attention, resilience
• Cakır, A. M. (2024). AI driven
up decision-making (Akhtar & Rawol, under pressure, and rapid decision-
cybersecurity. Human
2024). Behavioral AI integration making amid uncertainty. In this
Computer Interaction. https://
takes this even further by adapting high-stakes landscape can become
d o i .o rg /1 0.6 2 8 0 2 / j g 7g g e 0 6
to how individual analysts work. a trusted teammate rather than
These systems learn usage patterns an overbearing taskmaster. By
• Cau, F. M., & Spano, L. D. (2024).
and present information in more shifting the narrative from AI as an
Mitigating Human Errors and
digestible, chunked formats, automation panacea to a strategic
Cognitive Bias for Human-
minimizing unnecessary context- cognitive asset, security leaders
AI Synergy in Cybersecurity.
switching. Subtle nudges, such empower their teams to make
In CEUR WORKSHOP
as highlighting inconsistencies or better, faster, and more informed
PROCEEDINGS (Vol. 3713, pp.
recommending secure defaults, can decisions. This reframing fosters
1-8). CEUR-WS. https://iris.unica.
help ensure consistency under stress an environment where defenders
i t /ret r i eve/d d 5 5 5 3 8 8 -5 d d 2-
(Shamoo, 2024).
67
A I C Y B E R SUMMER 2025

4bb2-870d-92926d59be04 analysts are burning out. Here’s

why—and what to do about
• Folorunso, A., Adewumi, T., it. Radiant Security. https://
Adewa, A., Okonkwo, R., & radiantsecurity.ai/learn/
Olawumi, T. N. (2024). Impact soc-analysts-challenges/
of AI on cybersecurity and
security compliance. Global • Romanous, E., & Ginger,
Journal of Engineering and J. (2024). AI efficiency in
Technology Advances, 21(1). cybersecurity: Estimating
h t t p s : / /d o i . o r g / 1 0. 3 0 5 74 / token consumption. 21st Annual
g j eta . 2 024. 2 1 .1 .01 93 International Conference on
Privacy, Security and Trust
• Ilieva, R., & Stoilova, G. (PST). https://doi.org/10.1109/
(2024). Challenges of AI- P S T6 2 7 1 4 . 2 0 2 4 .1 0 7 8 8 0 7 8
driven cybersecurity. 2024
XXXIII International Scientific • Shamoo, Y. (2024). Advances
Conference Electronics in cybersecurity and AI.
(ET). https://doi.org/10.1109/ World Journal of Advanced
E T6 3 1 3 3 . 2 0 2 4 .1 0 7 2 1 5 7 2 Research and Reviews.
h t t p s : / /d o i . o r g / 1 0. 3 0 5 74 /
• Kim, B. J., Kim, M. J., & Lee, w j a r r. 2 0 2 4 . 2 3 . 2 . 2 6 0 3
J. (2024). Examining the
impact of work overload • Siam, A. A., Alazab, M., Awajan,
on cybersecurity behavior. A., & Faruqui, N. (2025). A
Current Psychology. https://doi. comprehensive review of AI’s
org/10.1007/s12144-024-05692-4 current impact and future
prospects in cybersecurity.
• Kim, B. J., & Kim, M. J. (2024). IEEE Access, 13, 14029–14050.
The influence of work overload h t t p s : / /d o i . o r g / 1 0 .1 1 0 9/
on cybersecurity behavior. ACCESS.2025.3528114
Technology in Society.
h t t p s : / /d o i . o r g / 1 0 .1 0 1 6 / j .
te c h s o c . 2 0 24.1 0 2 5 4 3

• Malatji, M., & Tolah, A. (2024).

Artificial intelligence (AI)
cybersecurity dimensions.
AI and Ethics, 1–28.
h t t p s : / /d o i . o r g / 1 0 . 1 0 0 7/
s 4 3 6 81 - 024 - 0 0 4 2 7- 4

• Radiant Security. (2025). SOC

68
A I C Y B E R SUMMER 2025

69
A I C Y B E R SUMMER 2025

CISO
Insights
From a World Leader in Autonomous Cyber AI

A Q&A WITH M IC HAE L BEC K

He is the Global Chief Information insights on AI in cyber defense, and vulnerable. It’s diverse. There are
Security Officer at Darktrace. With what it really takes to lead security many disciplines within the CISO
almost two decades of experience at scale. role. I was reluctant to become
at the intersection of technology, CISO. I liked advising and dealing
intelligence, and cyber defense, How would you describe with customers, then I was probably
Michael has operated on some of pushed into the position, and I’ve
the work you do as a CISO?
the world’s most critical stages; never looked back. Great experience.
from military intelligence missions Give us an overview of It’s been great. I think CISOs never
to securing the UK’s Government’s how your role impacts your stop learning. You’re always striving
Cyber Defense Operations. Joining to catch the next wave. The security
organization as an AI-driven
Darktrace at its early stages in sector evolves swiftly. Especially
2014, Mike developed the cyber
cybersecurity company? in an AI-dominated world, change
analyst operation that supports As a CISO, you probably know this, seems more present. It’s an intriguing
thousands of Darktrace customers but it’s incredibly varied; one day I job. It’s a detailed profession that
with 24/7 support, a backbone of the may be knee-deep in compliance requires high-level communication
company’s AI-driven defense. Since work, trying to figure out if we back into the business. I enjoy the
2020, he’s also overseen Darktrace’s need audit activities, and the next position.
internal security program in his role examining a recent attack and
as Global CISO. In this Q&A, he shares trying to understand how we’re

70
A I C Y B E R SUMMER 2025

that must react quickly to their a terrific way to create, lead, and
surroundings. That was intriguing. apply that experience.
I was in my mid-20s when I did the
work. It was thrilling and interesting You helped protect both the
I think CISOs never but also gave me a foundation
London 2012 Olympics and
for operations. I’ve applied that to
stop learning. my cyber career. I constantly tell the 2022 Qatar World Cup.
individuals that any experience What unique threat patterns
Tours in Afghanistan is valuable when considering a
emerge on stages that big,
career. I don’t care what you study.
gave you front‑row seats and how did behavioural AI
You can always mention that. I
to real‑time intelligence even remember taking a module change the defence approach?
operations. Which field lessons on industrial manufacturing and
Hmm. I’d say working on massive
getting materials to the factory
still shape your cybersecurity events like that is incredible,
floor on schedule in college. I was
playbook today? like, why do I need this? I’m studying
everyone’s watching, and if
someone wants to embarrass you,
Oh my goodness, I learned a lot computer science. Why do I need it?
a cyberattack is the easiest way.
about working inside military It’s all relevant, and I think drawing
It’s fascinating to see all the moving
buildings and with field teams from many various experiences is

71
A I C Y B E R SUMMER 2025

When you first embedded self‑learning AI

into Darktrace’s SOC, which blue‑team
habits were instantly upended?
I’ll be a bit controversial and say we didn’t get
instant results because AI forces you to rethink the
way you’ve always worked. Change is hard, we’re
naturally resistant and worried it might replace
us. But when you partner with AI, it frees you to
tackle new things.

When our own team at Darktrace started using it,

we didn’t magically get better overnight. It was a
learning curve, a rewiring of habits to let AI take
some control. I liken it to a dial: you start at one,
see how it responds, then gradually turn it up as
you gain confidence.

parts come together: finishing venue builds, pulling in local As AI handles triage and routine tasks, our human
government, police, and vendors, and then watching the cyber defenders can shift to threat hunting, applying
ops room form around it all. their domain expertise in creative ways. For me
as a CISO, that partnership scales our resources,
One thing I always notice is the spike in phishing right before a true force multiplier and builds a more balanced
these events. With something so globally recognizable, security operation where AI and people work side
attackers can launch the same scam at massive scale across by side.
multiple countries.

Being in that ops room is thrilling as a defender, real-time theater

where everyone’s trying to break in, not just your typical waves
of attacks, but dozens of adversaries all at once. It takes serious
stamina, some of these events last weeks or even a couple of Change is hard, we’re
months—but the mission couldn’t be clearer: stop anyone from
breaching the digital infrastructure. naturally resistant and
Even when you go home, the event is on TV, so you see what
worried it might replace us.
you’re defending live. For someone who loves cybersecurity, it’s
the ultimate test of your skills and its great fun.
But when you partner with
AI, it frees you to tackle new
things.

72
A I C Y B E R SUMMER 2025

So the learnings you took from the pushbacks and our AI spots a pattern that lines up with attacker
behavior even if it’s never been seen before and
the resistance to change within your team is also the time series shows multiple indicators, it has
helping you better advise other CISOs who are using enough confidence to respond and disrupt the
your product, correct? threat.

100%. I think we’re all in this kind of world figuring out the outputs
Signature-based detection still excels at catching
of AI and how to use them. I think there’s a really bright future
known threats with high signal-to-noise. But
where we understand how to use AI more in a more clearer
by overlaying it with AI-driven, tactic-aligned
use case. absolutely what we were learning on ourselves, we
anomaly detection, you get both coverage
started to bring forward into our customers.
of familiar attacks and the ability to hunt the
I’ve learned from some of our customers, I’ve seen how they’ve
unknown. The result is a much stronger overall
taken the technology and they’ve done things and I’m like,
security posture.
that’s really cool, I brought that back and built that internally.
our AI spots a pattern that lines up with attacker
So it’s definitely a two-way street.
behavior even if it’s never been seen before and
the time series shows multiple indicators, it has
enough confidence to respond and disrupt the
threat.

Signature-based detection still excels at catching

I’ve learned from some of our known threats with high signal-to-noise. But

customers, I’ve seen how they’ve by overlaying it with AI-driven, tactic-aligned

anomaly detection, you get both coverage
taken the technology and they’ve of familiar attacks and the ability to hunt the
unknown. The result is a much stronger overall
done things and I’m like, that’s security posture.

really cool. Walk us through a time self‑learning

How do you judge the success of unsupervised AI spotted a never‑before‑seen attack
learning when it stumbles upon threats no CVE has pattern and autonomously neutralised it.
named yet? Yeah, there are plenty of examples. Take
recent edge-compute cases, attackers hit the
That’s a great question. When Darktrace first launched with
management plane of an internet-facing gateway
unsupervised machine learning, we flooded customers with
or firewall. Exposing that interface is crazy once
alerts about “unusual activity”, but without context, they
they find a flaw, they’re right in.
couldn’t act on them.

For some customers, a zero-day vulnerability was

So we paired our anomaly detection with MITRE ATT&CK tactics,
being exploited, and Darktrace stepped in. We
building a security narrative around each incident. Now, when

73
A I C Y B E R SUMMER 2025

We didn’t know the specific

flaw, but we recognized the
behavior matched attacker
tactics and blocked the
intrusion. Two weeks later,
CVEs dropped and patches
appeared.
Which analyst competencies are fading,
and which once‑niche skills are suddenly
mission‑critical in an autonomous SOC?
didn’t know the specific flaw, but we recognized the behavior That’s a good question. I don’t think we’re talking
matched attacker tactics and blocked the intrusion. Two weeks about skills “fading” so much as a mindset shift.
later, CVEs dropped and patches appeared. We need to unshackle analysts from triaging every
single alert, there simply aren’t enough people to
That lead time is critical. If you only hunt known threats, you’ll keep up with modern digital estates. Rewire your
miss those emerging exploits and leave your defenses wide workflow so AI handles the always-on processing,
open. and your analysts partner with it.
Yeah, there are plenty of examples. Take recent edge-compute That means moving away from “ticket, ticket,
cases, attackers hit the management plane of an internet- ticket” toward lifting your head up: using domain
facing gateway or firewall. Exposing that interface is crazy knowledge, business context, and cyber expertise
once they find a flaw, they’re right in. to ask, “Is this truly a threat? Do we need to
remediate?”
For some customers, a zero-day vulnerability was being It’s a win for everyone. Analysts spend less time on
exploited, and Darktrace stepped in. We didn’t know the specific repetitive work (which drives burnout) and more
flaw, but we recognized the behavior matched attacker tactics time on high-value hunting and investigation—
and blocked the intrusion. Two weeks later, CVEs dropped and and retention improves when AI shoulders the
patches appeared. grunt tasks.

That lead time is critical. If you only hunt known threats, you’ll
miss those emerging exploits and leave your defenses wide
open.

74
A I C Y B E R SUMMER 2025

regulatory concerns: all training happens inside your own

environment, so there’s no need to pool your data with anyone
else’s.

Rewire your workflow so In cybersecurity, organizations naturally generate plenty

of data, so we’ve never struggled for volume. Keeping the
AI handles the always- modeling single tenant means customers know their data isn’t
commingled, which they appreciate.
on processing, and your
analysts partner with it. That said, you still need thoughtful presentation. You don’t want
a black-box “computer says do this” UI users need insight into
why the AI made its decision. Finding the right balance between
Can you share a real incident where you
clear reasoning and simplicity is an ongoing conversation in AI.
cancelled an automated response—what
“trip‑wires” demanded a human call? Which classic risk scores collapsed under an
Absolutely—I agree. AI isn’t a silver bullet that lets autonomous‑defence paradigm, and what new KPIs
us step away; it’s a teammate. Start with the dial replaced them?
approach: gradually hand off more control to AI in
Yeah, I think the classic metrics—time to detect and time to
your SOC.
contain, are obvious. Once you swap manual “ticket, ticket,
ticket” work for an always-on AI that never sleeps or takes
But you must build in checkpoints to validate
holidays, those numbers improve dramatically.
its actions. When AI flags something unusual,
maybe a novel business process you need human
On the email side, AI beats simple gateway logic by spotting
operators to review and, if necessary, roll back
patterns across inboxes, not just yes/no rules, which is a genuine
those actions. That feedback loop is critical: it
game-changer against advanced phishing and BEC.
tells your model what weights or rules to adjust so
it won’t misclassify that scenario next time.
Going forward, CISOs will need metrics on how much of their
operation is spent working with AI versus the value it delivers.
Over days and weeks, as AI learns from those
Tracking that lets you show the board the ROI of your AI
guided corrections, your security posture steadily
investment and as your teams feed more business logic into
improves, less manual grunt work for analysts and
the model, you’ll see even faster containment times and clearer
smarter, more reliable automation.
results from that human-AI partnership.

Autonomous defence loves data;

What are some of the strategies that you see have
regulators love minimisation. How do
been used to manage hallucination?
you square that circle?
There’s no shortcut, you just have to build a feedback loop.
AI thrives on data; you need loads of it to train Whenever the AI takes an action that doesn’t feel right, your
models. Early on, we chose to bring our models analysts review it, adjust the model, and repeat. It’s upfront
to your data instead of sending your data to a work, but every tweak compounds: the more domain knowledge
shared cloud. That approach helped us navigate you feed in, the smarter and more reliable the AI becomes over
time.
75
A I C Y B E R SUMMER 2025

There’s no magic remedy AI, however, can ingest and

for hallucinations, just correlate massive volumes of email,
commitment to refining network, and SaaS behavior to flag
your models. And compared emerging anomalies.
to hiring and training Have you witnessed adversarial ML attacks in the
extra analysts (which also wild, and how does autonomous defence recalibrate
takes time and resources), on the fly?
Yeah, it’s happening everywhere. Attackers mix social
investing in your AI’s engineering—SMS, WhatsApp, email, to trick you into action.

learning delivers far greater, You see plenty of executive-impersonation scams, where
someone posing as a senior leader pushes urgent requests
long-term benefits. through email. An AI that recognizes new patterns, emails
routing through odd nodes or using unusual phrasing, can stitch
If you could only hand off one additional together those subtle signals and flag them as impersonation
attacks.
SOC function to machines this year, what
would it be and why? Finish this sentence: “The security industry still has
I’d probably pick insider threat—it’s notoriously no idea how to ______________.”
tough. To spot someone going rogue, you need That’s a tough one. I don’t want to insult my peers, but the
access to loads of PII, which runs up against industry still too often skips the basics. You don’t need expensive
minimization rules. AI, however, can ingest and tech or massive programs, just follow solid guidance from CISA,
correlate massive volumes of email, network, and the UK’s NCSC, or your local cyber authority. Implement their
SaaS behavior to flag emerging anomalies. That top ten controls to make life harder for attackers, if they can’t
kind of data aggregation and pattern recognition get in easily, they’ll move on. With a couple of good people
is exactly where AI shines. If there’s one SOC use applying that advice, you’re already a much tougher target.
case you could fully hand off to AI, insider-threat
detection would be it.

the industry still too often skips the

basics.
76
A I C Y B E R SUMMER 2025

Describe the SOC of 2030 in three words.

Minimalist, Knowledgeable, Context.

77
A I C Y B E R SUMMER 2025

How Cybersecurity
Professionals Can Build
AI Agents with CrewAI
Isu Abdulrauf
78
A I C Y B E R SUMMER 2025

AI is no longer just a buzzword in But today, you still have the chance Picture this. ChatGPT is like an
cybersecurity. It’s becoming a tool to ride that wave early and carve out encyclopedia with broad knowledge
you can put to work right now. And an advantage. of all topics. An AI agent, on the
for this piece, I want to spotlight other hand, is like a Ph.D. professor
something every cybersecurity with decades of field experience in a
Let’s get technical, but
professional should understand: AI very specific niche - let’s say, digital
agents. approachable. forensics. The professor doesn’t
You might be wondering, “I’m not a just know facts but also deeply
We’re in an era where AI is pro developer. Can I really build or understands workflows, tools, case
transforming how we operate. Yet, use AI agents?” studies, and how to creatively solve
while everyone talks about AI, AI problems.
agents remain either misunderstood The answer is a resounding YES. and
or completely off the radar for many that’s where CrewAI comes in. Unlike general AI models, agents are
security teams. That’s a missed designed to hold context over time
opportunity. As cybersecurity CrewAI is a powerful, beginner- using memory, access external tools
professionals, we don’t just need to friendly framework that lets you like web browsers and APIs, make
know about AI agents; we need to build functional AI agents without decisions autonomously based on
know how to use them effectively deep technical expertise. It abstracts your goals, and even collaborate
and integrate them into our daily away much of the complexity, with other agents if needed.
workflows. allowing you to focus on defining
your agents’ roles, tasks, and goals, Building an AI Agent with
Let’s be clear. Cybersecurity is a high- not the underlying code.
stakes field. Not everything should CrewAI
(or can) be handed off to AI. But But before we dive into CrewAI, let’s Let’s walk through building a simple
that’s exactly why understanding start with the basics. AI agent to assist a cybersecurity
this technology is critical. By specialist in conducting a phishing
offloading routine, repetitive tasks simulation campaign. This agent
to AI agents, you free yourself to What Are AI Agents?
will help generate realistic phishing
focus on strategic analysis, creative You already know tools like ChatGPT, email templates tailored to a target
problem-solving, and decision- Claude, Gemini, and DeepSeek. organization.
making (the areas where human These are powerful language
expertise shines brightest). And this models, trained on huge datasets First, set up your environment. You’ll
shift alone can supercharge your to generate human-like responses need a working Conda environment
productivity and impact. across countless topics. Think of setup, which you can easily get
them as generalists. They know going by following one of the many
The best time to learn how to do this? about everything. tutorials on YouTube or blogs. You’ll
Now. Because once your Uber driver also need an OpenAI API key, which
casually mentions AI agents, the Now, AI agents are built on top of is simple to obtain through their
wave has already crested and the these models, but with a sharp focus. platform.
competitive edge will be long gone. They’re the specialists.

79
A I C Y B E R SUMMER 2025

Once you’re ready, open your config/agents.yaml and src/ Quick Tip: Understanding
terminal. Start by creating a new aicybermagazinedemo/config/
Conda environment and activating tasks.yaml files.
{org_name} and Where to Edit
it using these commands: “conda It
create -n aicybermagazinedemo Now, link your agents and As you explore the src/
python=3.12” and “conda activate tasks together. Inside your src/ aicybermagazinedemo/
aicybermagazinedemo” aicybermagazinedemo/main.py and config/agents.yaml and src/
src/aicybermagazinedemo/crew.py aicybermagazinedemo/config/
Then install CrewAI and its files, you’ll connect everything into a tasks.yaml files, you’ll notice the
supporting tools using pip: “pip install smooth workflow. Here’s a little trick placeholder: {org_name}.
crewai crewai-tools”. After that, I recommend. Use CrewAI’s official
initialize your CrewAI project with Custom GPT Assistant from the GPT This is a variable. Think of it as a blank
the command: “crewai create crew store (https://chatgpt.com/g/g- space that gets filled in at runtime.
aicybermagazinedemo”. This step qqTuUWsBY-crewai-assistant). Start In our phishing simulation example,
will generate a structured project a chat and paste in your existing src/ {org_name} represents the name of
folder where the magic happens. aicybermagazinedemo/main.py and the target organization. This makes
src/aicybermagazinedemo/crew. your AI agents reusable. Instead of
Pay special attention to files py code. Then tell it you’d like help hardcoding “Google” or “Dangote”
like src/aicybermagazinedemo/ generating updated versions based into your YAML files, you just leave
config/agents.yaml and src/ on your src/aicybermagazinedemo/ {org_name} as a placeholder.
aicybermagazinedemo/config/ config/agents.yaml and src/
tasks.yaml, where you’ll define aicybermagazinedemo/config/ When you actually run your
the roles and responsibilities of tasks.yaml files. Paste those in next, agent, you supply the real
your AI agents, as well as src/ and watch it work its magic. Once organization name in your src/
aicybermagazinedemo/crew.py and the assistant provides the updated aicybermagazinedemo/main.py file.
src/aicybermagazinedemo/main. code, simply copy it back into your For example: “org_name”: “Google”.
py, which bring everything together. local files. This tells your agent, “Hey, for this
session, focus on Google.”
Next comes defining your agents and With everything saved, it’s time If tomorrow you want to target a
tasks. For this phishing simulation to launch your AI agent. Run different organization, just change
use case, you’ll set up two agents the command: “crewai run” to that line to: “org_name”: “Dangote”.
and two tasks. The first will conduct execute your workflow, and then Simple, flexible, and powerful.
open-source intelligence research sit back and watch. Your agents
on your target organization. The will automatically carry out the AI agents aren’t science fiction.
second will take that research entire phishing simulation process, They’re here, they’re real, and they’re
and craft three realistic phishing gathering intelligence and crafting powerful. The real question is whether
emails tailored to the findings. I’ve tailored phishing emails based on you’ll adopt them while they’re still a
shared sample definitions that real-world data. competitive advantage, or wait until
you can easily adapt on GitHub at they become just another industry
https://github.com/hackysterio/ standard.
AICyberMagazine. Check the
s r c /a i c y b e r m a g a z i n e d e m o /

80
A I C Y B E R SUMMER 2025

My advice? Start small. Delegate a single task. Observe how the agent performs. Make tweaks, iterate, and then
gradually expand. Because in cybersecurity (where complexity, speed, and precision are everything) a well-
implemented AI agent could become the most valuable teammate you’ve ever had.

81
A I C Y B E R SUMMER 2025

Autonomous AI-Driven
Penetration Testing of
RESTful APIs
Oluseyi Akindeinde

82
A I C Y B E R SUMMER 2025

83
A I C Y B E R SUMMER 2025

With so many people using APIs now, in mind, AI-driven testing can keep
they’ve become a pretty appealing running all the time and adjust
target for those up to no good. to new patterns of vulnerabilities
Classic security testing approaches and expand within intricate API
often have a hard time keeping up environments.
with how quickly APIs are being
developed and deployed. there’s a This article shows how autonomous
significant gap in security coverage. AI agents can change the game
for API security testing through a
Using Artificial intelligence to find, practical case study of a vulnerable
examine, and take advantage of REST API: https://pentest-ground.
weaknesses in REST APIs is a game com:9000/. Let’s take a stroll through
changer. In contrast, traditional every step in the penetration testing
penetration testing leans a lot on process—like reconnaissance
human expertise and has some and vulnerability assessment,
limitations when it comes to time and exploitation and remediation
resources. With resource limitations recommendations—showing how AI
can improve each step.

AI Penetration Testing
Agent

Reconnaissance

Vulnerability API Documentation

Endpoint Discovery Parameter Identification
Assessment Analysis

Exploitation Authentication Testing Input Validation Testing

Remediation SQL Injection

RCE Exploitation
Recommendation Exploitation

Security Pattern Code Transformation

Recommendation Suggestion

Figure 1: Agentic AI Processfor Autonomous Penetration Testing of RESTful APIs

84
A I C Y B E R SUMMER 2025

The vulnerable API examined in are vulnerable by looking at past

this case study contains multiple vulnerability data.
critical security flaws, with SQL
injection and remote code execution Practical Implementation
being the most severe. Additional
So, let’s talk about how an AI agent would
vulnerabilities including command
go about checking out a REST API:
injection, XML external entity
(XXE) injection, plaintext password
storage, and regular expression
denial of service (ReDoS) were also
discovered but are not detailed in
this condensed analysis.

Reconnaissance Phase:
Let’s talk about the theoretical
foundation
During the reconnaissance phase,
an AI agent gets to know the layout
of the target API endpoints and
parameters. This phase can use the
help of a few AI capabilities:

• Natural Language Processing:

AI agents can read through API
documentation and pull out the
important details regarding
endpoints, parameters, and
what you can expect from their
behaviors.
• Automated Specification
Analysis: For APIs that
use OpenAPI/Swagger
specifications, AI agents can
look at the schema to figure out
the endpoints, data types, and
any potential issues like security
misconfigurations.
• Pattern Recognition: By taking
a look at the API structure, AI
can spot common patterns that
could show which components

85
A I C Y B E R SUMMER 2025

In our case study, the AI agent found these behaviors in API responses
endpoints by analyzing the APIs. Here’s the 3. Feedback-driven Testing: Adjusting test strategies based
OpenAPI specification: on observed responses

1. `/tokens` (POST) - Authentication endpoint Practical Implementation

2. `/eval` (GET) - Evaluation endpoint with a
Here’s how an AI agent would implement vulnerability
query parameter ‘s’
assessment:
3. `/uptime/{flag}` (GET) - System uptime
endpoint with a path parameter
4. `/search` (POST) - Search endpoint accepting
XML data
5. `/user/{user}` (GET) - User information
endpoint
6. `/widget` (POST) - Widget creation endpoint

During the reconnaissance phase, the AI agent

identified several potential security concerns,
with two critical vulnerabilities standing out:

• The `/tokens` endpoint’s authentication

logic matched patterns associated with SQL
injection vulnerabilities
• The `/eval` endpoint with a query parameter
named ‘s’ matched patterns associated with
code execution vulnerabilities

The agent also identified other potential

vulnerabilities in the remaining endpoints, which
would be explored in a comprehensive assessment
but are outside the scope of this condensed
analysis.

Vulnerability Assessment Phase: Vulnerability Assessment of the Target API

Theoretical foundation The AI agent systematically tested each endpoint of our target
In the vulnerability assessment phase, the AI agent API, focusing on the potential vulnerabilities identified during
systematically tests each endpoint for security reconnaissance.
weaknesses using:
Here’s how the assessment proceeded for the two critical
1. Heuristic-based Testing: Applying known vulnerabilities:
vulnerability patterns to generate test cases
2. Anomaly Detection: Identifying unexpected

86
A I C Y B E R SUMMER 2025

1. SQL Injection in Authentication End- Exploitation Phase:

point Theoretical foundation
The AI agent generated a series of SQL injection In the exploitation phase, the AI agent leverages confirmed
test cases for the `/tokens` endpoint: vulnerabilities to demonstrate their impact. This involves:

1. Payload Generation: Creating specialized payloads to

exploit each vulnerability
2. Exploitation Chaining: Combining multiple vulnerabilities
for maximum impact
When analyzing the response to Test Case 1, the 3. Impact Assessment: Measuring the severity of each
AI detected a successful authentication despite successful exploitation
providing invalid credentials, confirming the SQL
injection vulnerability. Practical Implementation
Here’s how an AI agent would implement the exploitation phase:
2. Remote Code Execution via Eval End-
point
For the `/eval` endpoint, the AI generated test
cases designed to detect code execution:

The response to Test Case 2 returned the operating

system name, and Test Case 3 returned a
directory listing, confirming the remote code
execution vulnerability.

While the AI agent also confirmed other

vulnerabilities in the target API, including
command injection, XXE injection, plaintext
password storage, and ReDoS, we’ll focus on the
exploitation and
remediation of the two critical vulnerabilities
identified above.

87
A I C Y B E R SUMMER 2025

Exploitation of the Target API

The AI agent systematically exploited the two
critical vulnerabilities to demonstrate their impact:

Response
1. SQL Injection in Authentication
Endpoint
The AI agent exploited the SQL injection
vulnerability to bypass authentication:

The AI agent successfully executed arbitrary code on the server,

gaining the ability to explore the file system. The presence of
Response .dockerenv indicated the application was running in a Docker
container.

Through these exploitations, the AI agent demonstrated the

severe impact of the two critical vulnerabilities. The agent
also successfully exploited the other identified vulnerabilities
(commandinjection, XXE, plaintext password storage, and
ReDoS), but those details are omitted from this condensed
analysis.

Remediation Recommendations
Theoretical Foundation
In the remediation phase, the AI agent generates actionable
security recommendations based on:

The AI agent successfully obtained a valid • Pattern-Based Remediation: Applying known security
authentication token without knowing the correct patterns to address specific vulnerability types
credentials, demonstrating a complete • Code Transformation: Suggesting secure code alternatives
authentication bypass. • Defense-in-Depth Strategies: Recommending multiple
layers of protection
2. Remote Code Execution via Eval Practical Implementation
Endpoint • Here’s how an AI agent would generate remediation
recommendations:
Using the token obtained from the SQL injection,
the AI agent exploited the remote code execution
vulnerability:

88
A I C Y B E R SUMMER 2025

To fix this, I recommend first that you use parameterized queries

or prepared statements, as well as Implementing proper input
validation and consider using an ORM that handles SQL
escaping automatically.

2. Remote Code Execution via Eval Endpoint

Vulnerable Code (Inferred):

Secure Code:

Remediation Recommendations for the

Target API
Based on the exploitation results, the AI
agent generated the following remediation
recommendations for the two critical
vulnerabilities:

1. SQL Injection in Authentication

Endpoint
Vulnerable Code (Inferred):

It’s always best to avoid using eval() with any user input. If you
need to evaluate something, go ahead and use a sandboxed
environment. Make sure to use strict input validation and
Secure Code: whitelisting.

89
A I C Y B E R SUMMER 2025

The AI agent also generated remediation However, we should definitely recognize the limitations of the
recommendations for the other identified AI-driven methods we have right now:
vulnerabilities (command injection, XXE, plaintext • Novel Vulnerability Detection: AI is great at spotting known
password storage, and ReDoS), but those vulnerability patterns, but finding entirely new vulnerabilities
details are omitted from the condensed analysis can still be quite tricky.
published in this article. • Context Understanding: AI might have a hard time
grasping the full business context and the impact of certain
Autonomous AI-driven penetration testing vulnerabilities.
is really changing the game when it comes • False Positives: Sometimes, AI-driven testing can throw up
to assessing API security. In our case study false positives, which means we need a human to double-
of a vulnerable REST API, we showed how AI check them.
agents can effectively find, exploit, and offer
solutions for serious security vulnerabilities. Despite these limitations, the future of API security testing
Here are some of the main benefits of this lies in the integration of AI-driven approaches with human
approach: expertise. As AI technology continues to advance, we can
• Comprehensive Coverage - AI agents can expect even more sophisticated autonomous penetration
thoroughly test every API endpoint, ensuring testing capabilities that will help organizations stay ahead
nothing is overlooked. of evolving security threats. By embracing AI-driven security
• Adaptability - When new vulnerability patterns testing, organizations can enhance their API security posture,
pop up, AI agents can swiftly weave them into reduce the risk of data breaches, and build more resilient digital
their testing methods. ecosystems.
• Scalability - AI-driven testing can easily adapt
to manage large and complex API ecosystems.
• Continuous Assessment - Unlike traditional
manual testing that happens at a single point
in time, AI agents can offer ongoing security
assessment.

90
A I C Y B E R SUMMER 2025

91
A I C Y B E R SUMMER 2025

A Practical Guide
to AI Red-Teaming
Generative Models
A Practical Guide by John Vaina
92
A I C Y B E R SUMMER 2025

The art of Generative AI red teaming adversarial attacks in order to systems are often comprised of
begins exactly when offense meets identify weaknesses. Unlike typical complicated pipelines, red teaming
safety, but it does not end there. security assessments, red teaming focuses on every stage of the model
It is multi-layered, similar to an focuses not just on detecting known pipeline, from data collection and
onion. AI risk, safety, and security flaws but also on discovering curation to model(s) final outputs.
frequently dominate talks about unexpected threats that develop
trust, transparency, and alignment. as AI evolves. GenAI’s red teaming It’s vital to highlight that generative
replicates real-world adversarial AI red teaming is a continuous and
In this article, we will walk through behavior to find vulnerabilities, going proactive process in which expert
some of the more commonly beyond typical penetration testing teams simulate adversarial attacks
seen layers you might encounter methods. on AI systems in order to improve
depending on your applications their AI resilience under real-world
of Gen AI. The goal of the AI red situations. Because of the nature and
teamer is not destruction, but rather speed of Gen AI development, these
discernment. For in exposing what a tests are not one-time operations,
model ought not do, we help define but rather require ongoing testing
what it must become… robust, AI red teaming is “a and review.
aligned, and worthy of the trust we
place in its words, citations, audio structured testing As AI becomes more widely used
files, images, etc. I’ll skip the history
lesson and origin of the term, and
effort to find flaws in vital applications, AI red teams
assist enterprises in ensuring
share some of the most common
definitions in the world of AI red
and vulnerabilities regulatory compliance, building
public confidence, and protecting
teaming. in an AI system, against evolving hostile threats.

According to the previous often in a controlled Generative AI models create

White House Executive Order,
AI red teaming is “a structured
environment and in distinct security challenges that
typical testing approaches cannot
testing effort to find flaws and collaboration with solve. As these models get more
vulnerabilities in an AI system, often sophisticated, their attack surfaces
in a controlled environment and in AI developers. increase accordingly, resulting in a
collaboration with AI developers. complex landscape of risk, safety,
Artificial intelligence red-teaming is AIRT also tests the reliability, and security.
most often performed by dedicated fairness, and robustness of AI
‘red teams’ that adopt adversarial systems in ways that are distinct This guide provides hands-
methods to identify flaws and from traditional cybersecurity. on techniques for red teaming
vulnerabilities, such as harmful or Conventional cybersecurity red generative AI systems, with a
discriminatory outputs from an AI teams differ from Gen AI red teams particular focus on language
system, unforeseen or undesirable in that they focus on the subtleties models, multimodal systems,
systems. Additionally, AI red teaming of AI and machine learning. AI red and agentic AI. This framework
is the activity of stress-testing AI teams focus on how a model can specifically targets adversarial
systems by replicating real-world be fooled or deceived. Because AI testing of generative AI models to

93
A I C Y B E R SUMMER 2025

identify model vulnerabilities before adversarial intuitions. Remember, behavior, meaning they may not
they can be exploited, evaluate the adversaries will watch the outputs consistently produce the same
effectiveness of existing safeguards and work backward, pulling out output even when given identical
and alignment mechanisms, and pieces of the original training data inputs—especially in cases where
develop more robust defenses or sensitive inputs looking for a way a prior exploit succeeded. What
against emerging threat vectors. in. It is not about what the model’s worked once may fail again, making
output response is per se, it is about meticulous documentation essential
It is vital that you thoroughly read what the model accidentally reveals, for reproducibility, analysis,
model outputs combing for any which can then later be used as and refinement of adversarial
key clues that can be leveraged ammunition against the AI. Models techniques.
creatively to expand on your often exhibit non-deterministic

PHASE 1 PHASE 2 PHASE 3 PHASE 4

Adversarial Prompt Multi-Turn Adversarial Large Context Window Multimodal Testing

Engineering Conversations Exploitation Techniques

PHASE 7 PHASE 6 PHASE 5

Result Documentation and Epistemic Attack Testing Agentic AI Exploration

Impact Assessment

Figure 2: Generative AI Red-Teaming Framework

Phase 1 - Adversarial Prompt STE P 2 STE P 3

For each model capability, develop Implement what I call “distributional
Engineering
targeted jailbreak patterns that navigation” testing”—prompts that
The foundation of effective attempt to circumvent specific safety strategically guide the model’s
generative AI model red teaming mechanisms. Pay special attention probability distribution toward
begins with developing a wide array to instruction-following capabilities, undesirable outputs without
of inputs that can range from very as these often have bypass vectors explicitly requesting them. This
simple to sophisticated through related to conditional reasoning. approach explores the model’s
adversarial prompting. underlying statistical patterns
A common pitfall to note is, many rather than testing explicit rules.
STE P 1 testers rely on known jailbreak
Start by creating a baseline templates that models are already A practical technique would be
prompt inventory that tests model defended against. Instead, create to create prompts that establish
boundaries around harmful content novel variations that target the a context where harmful content
generation, bias expression, and specific model’s alignment approach. would be statistically likely in training
instruction following. This serves as If a model uses constitutional AI data, then allow the model’s own
your control group for measuring the techniques, design prompts that next-token prediction to potentially
effectiveness of more sophisticated create conflicts between different generate problematic completions.
techniques. constitutional principles. This tests whether alignment
mechanisms override statistical
patterns effectively.
94
A I C Y B E R SUMMER 2025

Phase 2 - Multi-Turn guardrails, bypassing intended

safety mechanisms.
Adversarial Conversations
The truth is, single-turn prompting DLSE is characterized as a danger
just scratches the surface of model Troubleshooting to the AI’s ability to retain integrity in
weaknesses; so I highly recommend its thinking and output—highlighting
that you use these multi-turn testing tip: If multi-turn the possibility of AI systems being
approaches: tricked into reaching incorrect or
manipulation destructive conclusions.
STE P 1
Design “reasoning path
isn’t effective, While traditional social engineering
manipulation” sequences where
each turn subtly shifts the model’s
try introducing targets humans by exploiting
psychological biases and trust,
understanding of the conversation “context resets” that DLSE targets AI’s reasoning
purpose. and interpretative frameworks,
claim to start new using adversarial techniques to
Focus on gradually reframing the
conversation context, establishing
conversations while manipulate model behavior in subtle,
often non-obvious ways that aren’t
false premises early that lead maintaining the easily filterable.
to problematic conclusions, and
remember to create context previous context. A tip to use here would be emotional
structures that dilute safety
instructions over time. This can sometimes appeals and appeals to authority.
Establish scenarios involving urgent

STE P 2
bypass turn-based assistance or help, or scenarios that
create a sense of extreme urgency
For each test sequence, document
the transition points where
defense mechanisms. that require commands from high-
ranking officials with emergency
model behavior changes. These powers. Create contexts that invoke
STE P 3
transition boundaries reveal empathy or urgency (get creative).
Implement what I term Deep
threshold points in the model’s Frame requests as necessary
Learning Social Engineering (DLSE),
internal representations—valuable for user safety or well-being and
where perturbations manipulate
information for both attackers and test how emotional or authority
and change model behavior.
defenders. framing affects policy enforcement.
This technique is particularly
DLSE attacks aim to manipulate
Troubleshooting tip: If multi-turn effective for testing how models
the AI’s “perception” of context,
manipulation isn’t effective, try balance helpfulness against safety
instructions, or user intent, causing it
introducing “context resets” that constraints.
to make decisions or produce outputs
claim to start new conversations
that are ambiguous or contradictory
while maintaining the previous
to the system’s logic. These attacks
context. This can sometimes bypass
can expose and exploit weaknesses
turn-based defense mechanisms.
in the AI’s alignment, filters, or

95
A I C Y B E R SUMMER 2025

Phase 3 - Large Context with random content, missing the STE P 1

importance of strategic positioning. Develop “CrossInject”-style” variants
Window Exploitation Systematically vary the position of that embed adversarial patterns
For models with large context test elements to identify position- across modalities to create images
windows (100K+ tokens), implement dependent vulnerabilities. containing text elements that
these specialized testing methods. provide harmful instructions. By
This is a needle-in-a-haystack-style developing prompts that reference
attack; only the number of needles visual elements to complete
and the size are up to you. harmful requests, you’re testing
the AI for inconsistencies in policy
STE P 1 A common pitfall enforcement across different input
Develop “context poisoning” types.
tests where adversarial content to avoid is that
is strategically positioned within STE P 2
large documents. Create test many testers fill A practical technique is generating
documents with policy-violating
content embedded deep within
context windows images with embedded text
that contradicts or modifies the
otherwise benign text, contradictory with random instructions in the text prompt.
instructions placed at different Test whether the model prioritizes
positions in the context, and content, missing one modality over another when
alternative system prompts hidden
within user-provided content.
the importance of determining intent. Remember to
implement cross-modal consistency

STE P 2
strategic positioning. checks, keeping notes
documentation of observations.
and

Test how the model processes these Systematically vary

mixed-intent contexts and whether it You can sometimes confuse a model
prioritizes certain context positions the position of test by presenting factually inconsistent
over others.
elements to identify information across modalities,
testing whether the model flags the
Implement “key-value
manipulation” tests for models
cache
position-dependent inconsistency or defaults to one
modality over another.
using attention mechanisms. Create vulnerabilities.
prompts that establish specific STE P 3
attention patterns; in doing so, you Evaluate how the model resolves
Introduce adversarial elements
Phase 4 - Multimodal Testing conflicts between different input
at positions likely to receive high Techniques types. These tests reveal whether
attention and that can test whether safeguards operate consistently
For models that process multiple
these elements influence later across all modalities or have gaps at
modalities (text, images, audio),
processing disproportionately. intersection points.
it’s important to implement these
specialized cross-modal tests:
A common pitfall to avoid is that
many testers fill context windows

96
A I C Y B E R SUMMER 2025

Phase 5 - Agentic AI be obscured by splitting it across a STE P 2

toolchain. Present the model with plausible
Exploitation
but false statements early in the
For models with agency or tool- conversation, reference these
use capabilities, implement these statements later as established
targeted tests. facts, and then test whether the
model accepts these premises
STE P 1 A practical technique or correctly identifies the
Design “agency hijacking” scenarios misinformation. Finding creative
that attempt to redirect model would be to create ways to spin an input can convince
actions and imagine contexts that
might subtly redefine the purpose of prompts that request even the most stubborn models.

tools. You can develop prompts that

establish alternative success criteria
the model to use a STE P 3
Design “authority confusion” tests to
for tasks and then test for scenarios search tool to find create contexts with false appeals to
where the model might perform authority. Role-playing is a common
unintended actions while believing information, then technique that works well against
they align with user intent or are
acceptable through the reframed
use the results to policies, guidelines, and guardrails.
Test whether the model accepts
conversation.
craft code with a these as legitimate governance
structures; these tests evaluate
STE P 2 code generation tool. the model’s robustness against
Implement “tool-chain exploitation” manipulation of its knowledge base
tests that are designed in sequences and contextual understanding.
where individual tool uses are Phase 6 - Epistemic Attack
benign, but their combination can Testing
be problematic and sometimes
Model behaviors often rely on their
devastating.
understanding of facts and context.
Test these epistemic vulnerabilities.
STE P 3
Design permission escalations
These are by far some of my Role-playing is a
through tool combinations where
personal favorites.
common technique
created scenarios of one tool’s
output become another tool’s input
STE P 1
Implement “fact confusion” testing.
that works well
with transformation in between.
This is where you introduce new against policies,
data to the model, undermining
A practical technique would be to
create prompts that request the
grounding truth with more “up-to- guidelines, and
model to use a search tool to find
date” false information presented
as newly discovered truth or
guardrails.
information, then use the results to
corrections to previously held ideas
craft code with a code generation
or understanding.
tool. Test whether harmful intent can

97
A I C Y B E R SUMMER 2025

Phase 7 - Result Documenta- Note that defensive measures often scope or part of the contract, and
create significant user experience if you have suggestions, do your
tion and Impact Assessment friction. Design defenses that target best to help, because, at the end of
STE P 1 specific vulnerability patterns rather the day, we’re trying to harden AI
For each successful adversarial than broad restrictions on model systems in an effort to make models
technique, create comprehensive functionality. more robust, safer, and more secure.
documentation. Develop a
“vulnerability fingerprint” that Practical Implementation: AI
classifies the issue based on:
Red Team Workflow
To implement these techniques
• The capability or effectively, establish this standard Effective red
capabilities exploited workflow. Begin with gaining
• The type of adversarial visibility of all AI use, both official teaming for
technique used AI use and shadow AI usage. Next,
• The stability and capability mapping to identify all generative AI is a
reproducibility of the
exploitation
model functions. Develop a test
matrix that pairs each capability
continuous process
• The severity of potential with relevant adversarial techniques, that evolves with
outcomes then implement a graduated
testing approach. You can start model capabilities.
with known techniques to establish
STE P 2 baseline protection, then move on
As these systems
For each vulnerability, assess
potential real-world impact,
to novel variations tailored to the
specific model(s) and conclude with
grow more
document the skills and resources combined techniques that test for sophisticated, the
required for exploitation, evaluate interaction effects. Data from these
how the vulnerability might be engagements are highly valuable. techniques required
used in actual attacks and Identify Document both successful and
potential harm scenarios and unsuccessful attempts to build a
to test them securely
affected stakeholders. more comprehensive understanding
of model robustness. Classify
must advance
STE P 3
I recommend that you create a
findings by likelihood, severity, accordingly.
reproducibility, and exploitation
standardized vulnerability report difficulty. By implementing the framework
template that includes both outlined in this guide, security
technical details and potential real- In some cases, you may be asked professionals can establish
world implications. This helps bridge by developers about targeted systematic processes for identifying
the gap between technical findings mitigations based on underlying and addressing vulnerabilities
and organizational risk assessment. vulnerability patterns if this is in specific to generative AI models.

98
A I C Y B E R SUMMER 2025

The most important principle to remember is that each new capability introduces potential new attack vectors. By
mapping these relationships systematically and developing targeted testing approaches, you can help ensure that
generative AI systems deliver their promised benefits while minimizing potential harms.

99
A I C Y B E R SUMMER 2025

How I Use
AI Tools
for Ethical
Hacking
Betta Lyon Delsordo
As an ethical hacker, I am constantly investigating how
to hack better and faster and get to the fun stuff! No one
likes wasting time on mundane or manual tasks, especially
in a field like mine where the exciting vulnerabilities are
often hidden behind layers of noise. I want to share some
of my favorite AI tools that have improved my pentesting.
I will cover use cases for AI in penetration testing, the
importance of offline AI tools and RAG, along with tips on
building your own AI hacking tools.

First and foremost, I love to use generative AI (GenAI)

to troubleshoot difficult errors and set up issues for a
pentest. Clients often fail to provide precise instructions
about the functioning of their applications, but I have
successfully utilized GenAI to identify the underlying
causes of perplexing errors related to virtual machines,
cloud infrastructure, APIs, and other related areas. Instead
of wasting time on setup or waiting for the client to get
back to you, AI can rapidly provide many possible solutions
and adapt instructions to new errors. My advice for using
AI to troubleshoot is to share any specific error codes and
details about the technology, as well as past research
you’ve done (like all the StackOverflow forums you

100
A I C Y B E R SUMMER 2025

checked). Then ask for specific steps to pull x columns from a file with One very cool tool that I like to use
to take, from easiest to most time- these y headers, with the output is AWS PartyRock, a free, public
consuming, and update the AI with looking like this: and instantly have offering based on Amazon Bedrock.
new information as you progress. a command to try. Always use non- With PartyRock, you can type in a
Then, be sure to share anything you destructive commands (like writing prompt for an app or tool you want,
discover with your team and the altered output to a new file) in case and it will automatically generate
client so that they know to update the formatting is off, and then just a whole set of linked steps for you.
their documentation for the future. ask for tweaks like a new line after Check it out here: https://partyrock.
Future pentesters will thank you! each item. In addition, I often write aws/. One example is to make a
Python scripts to automate certain phishing email generator given
tasks I might have to do repeatedly, certain parameters, and then you
like copy-pasting information into can create a link to share with your
a report or re-authenticating to an team. I have also created a quiz
API. I use GenAI to give me a base for for my co-workers on vulnerable
My advice for using the script, and then I build it out from code snippets and then had the AI
there. I will say that it is still super demonstrate how to fix each one. I
AI to troubleshoot important to know how to code, but recently spoke at the WiCyS 2025
you can save yourself a lot of time Conference, and in my workshop,
is to share any by having the AI fill in the easy parts. attendees came up with many

specific error codes Given the rate that AI is evolving,

the method may change in coming
awesome PartyRock apps, including
a generator for incident response
and details about years. templates, risk modeling calculators,
and more. Play with it, but don’t
the technology, as paste anything private into this
online tool!
well as past research
you’ve done (like all Now, it is crucial to talk about data
Always use confidentiality when discussing the
the StackOverflow use of AI in penetration testing. Your
non-destructive client should tell you how generative
forums you checked). AI can be used and any worries they
commands (like have about data privacy. Some
I am also a fan of using GenAI for
scripting out manual tasks. Any time
writing altered scenarios, like a bug bounty, may
not require as much care, but any
I find myself copy-pasting or getting output to a new white-box penetration testing with
lost in a sea of results, I immediately proprietary information will often
try to script out that task for the file) in case the require that nothing be shared with
future. Admittedly, I struggle to recall an online AI platform.
most of the awk and sed syntax, formatting is off,
but AI eliminates this need! I just
asked for a one-line bash command
and then just ask for
tweaks like a new
line after each item.
101
A I C Y B E R SUMMER 2025

installed these in fragile testing VMs. If you have a shared,

internal server to test with, you can provide more resources or
even GPU power to have a faster experience, and then your
team can SSH in to interact. Since Ollama operates on the
I have had several clients command line, it is possible to redirect output from other tools
like an Nmap scan and then ask questions. There is also an
that are very concerned option to run it in Docker, and then you can use it as an API to
pass in queries. Learn more here: https://github.com/ollama/
about IP exposure and can ollama. Setup is a breeze; you can just run curl -fsSL https://

not have anyone pasting ollama.com/install.sh | sh ollama run llama3.2

their code or security

vulnerabilities into
ChatGPT. In these cases, it
is important to know how
to set up private, offline AI [Example of Ollama running on the command line, with

systems and to explain to differences in a standard vs. uncensored model]

the client that these will not For those of you who would prefer a lovely GUI like ChatGPT, I
think you would really like GPT4All. This is a free, open-source
train on their data. tool that allows you to load in AI models just like Ollama, but you
get a neat interface and an easy way to add local documents.
I’ll cover a few ways to set these up next. Learn more here: https://www.nomic.ai/gpt4all. Make sure to
My favorite way to deploy an offline AI system pick an offline, open-source model like Llama3 again, and then
is through Ollama, a command-line utility where be sure to say ‘No’ to the analytics and data lake questions
you can chat with your own model right from on startup. These steps will ensure that no data leaves your
the command line. You can set up Ollama with device, and it is safe to paste in confidential info. A great
an open-source, offline model like Llama3, and feature of GPT4All is the ability to add ‘Local Docs,’ which uses
then everything you share stays local to your RAG (Retrieval Augmented Generation) to fetch context for the
device. I have also experimented with uncensored AI from your documents. I like to load in client documentation
models (like https://ollama.com/gdisney/mistral- and past pentest reports and then query the AI about any past
uncensored), which will answer more hacking- findings and tips for what to check in a re-test. If you are short
related questions but are overall slower and more on time and can’t read through tons of documents, this feature
unreliable. My advice is to just ask for hacking is a great way to speed up your work.
tips ‘as a student,’ and you will get around most
content filters. You will need at least 8 GB of RAM
to run the smallest models, but I have successfully

102
A I C Y B E R SUMMER 2025

code review process, and I’m currently working

on an intelligence fusion tool at OnDefend. If you
are interested in going the building route, there
are many great tutorials out there; just be sure
to use the most recent ones since the technology
changes so quickly. It is surprising, but the AI
setup is often the easiest part. The most time-
consuming aspects are actually in data quality
and prompt tuning, as these can drastically
change the effectiveness of your tool. I will also
advise starting small with a local prototype, and
then you can scale up with GPU power in the
cloud if your concept proves useful. For those who
[Be sure to say ‘No’ to the analytics and data lake questions on are seeking the next frontier of pentesting, check
startup for GPT4All] out PentestGPT (https://github.com/GreyDGL/
PentestGPT). This is an experimental tool trained
to complete Hack The Box challenges and might
soon be ready to assist with the more manual
parts of pentesting, like recon. Good luck, and I
hope you find more ways to use AI to skip boring
tasks and get to hacking.

It is surprising, but the AI

setup is often the easiest part.
[Example of GPT4All LocalDocs, using RAG to query a sample
The most time-consuming
pentest report) aspects are actually in data
Finally, you may have use cases where you want to build your quality and prompt tuning,
own AI tools for pentesting. I have used LangChain, ChromaDB,
Ollama, Gradio, and Docker to create pentesting tools at my as these can drastically
current and previous employers, where we had gaps in our
methodologies. At Coalfire, I built an AI tool to improve our source
change the effectiveness of
your tool.

103
A I C Y B E R SUMMER 2025

Developing MCP Servers

for Offensive Work
By Jarrod Coulter

104
A I C Y B E R SUMMER 2025

MCP is all the rave now, so this article is designed within the application itself, and you potentially need to learn
to show you, step-by-step how to implement multiple methods of writing those tools depending on the
Model Context Protocol (MCP) servers in offensive agent framework you are using at the time. With MCP, you can
security workflows. You’ll also get a better develop the tool server once and reuse it across multiple LLM
understanding of what MCP Servers are and why applications simultaneously, all while using a familiar syntax.
they are catching the AI agent world’s attention. You still must add the tool and tool calls to your agents, but the
tool definition and activity can take place at the MCP server
The following are prerequisites to maximize the versus being fully contained in your LLM application.
knowledge shared in this article:
• Docker installed
• Python 3.12 installed
• OpenAI Account with API credits
• Metaspoiltable 2 is installed on a virtual MCP Server
machine in your network to test
• You are familiar with python development
and have a virtual environment setup for use
with this article including a .env file with your
OpenAI API key added

LLM A LLM B LLM C

What is MCP?
Model Context Protocol is a method to expose How does this apply to Offensive Security?
tooling, resources, and prompts for LLMs to use, Offensive security, in particular penetration testing, generally
developed by Anthropic, maker of Claude AI. follows a standard process. The process typically involves
Tooling can support any activity you’d like your gathering intelligence, analyzing vulnerabilities, and carrying
LLM to perform. From leveraging APIs to gather out exploitation, among other steps. What if we could alleviate
information (the Weather Service API) to file some of the tester’s burden, not only through a certain degree of
system interaction, MCP can help you do it all. automation but also by enabling a large language model (LLM)
Resources and prompts are worthy of studying, to utilize the information generated from that automation to
since you could build a workflow through prompts make decisions and take further actions? This feature has the
that any LLM can grab onto and expose resources potential to speed delivery and allow the human pentester to
(think file or log contents) as part of that workflow. focus on higher-value tasks.
However, the focus of this article is specifically
on how to implement MCP tooling. For further <SIDEBAR> It’s my opinion that domain expertise must still exist
information on the other MCP capabilities, read in the human tester, especially in cases like penetration testing.
up here: https://modelcontextprotocol.io/docs/ AI and LLMs are not deterministic enough, nor consistent in
concepts/architecture their delivery, due to their design to be relied on to fully perform
a penetration test. Therefore, I believe that the need for experts
The idea isn’t new, though; LLMs have had tools will persist for the foreseeable future. The challenge will be,
for a while now. What makes MCP different? when the lower-level tasks are handled by the LLM, how will
It’s the abstraction of the tooling from the LLM someone new to the field be trained to obtain that expertise?
itself that is captivating. In other applications That’s a discussion for another day. <END SIDEBAR>
of tooling with LLMs, you must define the tool

105
A I C Y B E R SUMMER 2025

Creating the MCP Server password guessing

• .env file – hopefully you’ve already created this, but it houses
OK, enough background and blah blah! Let’s
our OpenAI API Key
build some cool stuff. This article will walk through
creating a Minimum Viable Product (MVP) MCP
Onto building our MCP Server! First, let’s setup the dependencies
server, or MVP MCP! We’ll focus our server on
in your recon-server.py file:
the reconnaissance and password guessing
phases of a penetration test and have it gather
us as much information about the network as
possible and then review the results and make a
decision on executing password guessing against
authentications service. This is the fun part,
enabling LLMs to make a decision, and the tricky
part is removing as much of the non-determinism We import asyncio to handle concurrent connections to the
as possible from LLM thought processes. LLMs MCP server, followed by FastMCP as a quick method to enable
are great at varying their output when asked the MCP, and finally the Python wrapper for the nmap binary, which
same question over and over. Finally, we’ll have we’ll install in our Dockerfile later.
our LLM application give us a couple of directions Next, we’ll initiate the MCP server with a name. Your recon-
to pursue in the next phases of our pentest based server.py file should look like this:
our initial scanning.

For simplicities sake, we’re going to stick with

Nmap for our recon. We’ll implement a basic
service enumeration scan to gather as much
information about the network in a single sweet.
Then, we’ll add a password guessing tool based
on BruteSpray by Shane Young/@t1d3nio &&
Jacob Robles/@shellfail. We’ll be running the Ok, let’s add some tools! Tools in MCP Python are declared
MCP server in Docker with Docker running locally. with the “@mcp_tool()” decorator, and in the next line the tool
This would simulate having a pentest appliance or should include a detailed description to assist the LLM with
VM installed in a customer environment and meet understanding what the tool does. Here’s the complete first tool
our MVP goals. example that should go directly below the code we’ve already
Here’s the full file structure we’ll build out: written in recon-server.py:
• recon-server.py – our MCP server tools
• app.py – the client application that will call
our AI agent and enable our MCP client
• Dockerfile – the Dockerfile to build our MCP
server
• Users.txt – A list of default users to use in
password guessing
• Pass.txt – A list of default passwords to use in

106
A I C Y B E R SUMMER 2025

In the code above, we create the MCP tool,

describe the tool, call nmap to run a host discovery
scan, and return the results of the scan. You are
welcome to use your preferred nmap arguments
as part of the scanner. In this scan call, we are
performing a service scan on all hosts.

Let’s now finish the rest of our MVP MCP server.

Due to some dependencies from BruteSpray, we have to start

our build with an older version of Go and incorporate that into
our main Python server. We use a small image in the python:3.12-
slim Docker image and install the required dependencies and
binaries. We copy our recon-server.py to the image, switch into
our working directory, and finally run our recon-server.py.
Now that we have our Dockerfile created, we can create the
image with “docker build -t recon-server .” The command’s “.”
We create our MCP tool to run BrutSpray and means it will look in the local directory for a Dockerfile and build
give it a single target, the users.txt and pass.txt, it as “recon-server.” Hopefully you see something similar to this:
to attempt default credentials, and finally we run
our MCP server with mcp.run using the transport
“stdio.”
<SIDEBAR> MCP servers can run in two transport
modes: standard input/output (stdio) and server-
sent-events (SSE). Studio is perfect for our local
implementation and our use of scripts. When you
would like to call a remote server or would like to
serve multiple clients, SSE is the proper choice.
<END SIDEBAR>
I’ve added the complete versions of this server
here: https://github.com/jarrodcoulter/MCP-
Recon. To successfully run our server, we need to
complete a couple of tasks. Firstly, we need to
create a Docker image and run it in Docker to host
our server. Here is the complete Dockerfile you Next we’ll look at how our client will call this server locally to run
should add to the same directory as your recon- these commands and consume the results.
server.py:

107
A I C Y B E R SUMMER 2025

Building an MCP client

In our same directory let’s make an app.py file
that will house our client to execute our recon of a
network. We’ll be using OpenAI’s agent framework
to create our MCP Client. Again, we’ll start with
our imports:

Next we’ll import our OpenAI API Key and check

that it exists. Keep in mind that you’ll need a file
in the same directory called .env and it should
contain your OpenAI API Key in this format:
OPENAI_API_KEY=”sk-xxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxx” so that we can call the API from our chat
application. Note the detailed AGENT_INSTRUCTIONS. You may need to
We’ll setup our MCP Client tools for use including iterate on these and add explicit instructions to maximize your
asking the user for the target of the pentest: results. This prompt should get you started though.
Now we’ll create a function that will initiate the chat
conversation and allow the agent access to the tools we have
defined, and finally return the agents output in the form of a
markdown report:

Next we’ll build our agent. Note that we don’t

declare a model as we would normally do. Since
we’re using OpenAI’s Agents SDK, it defaults to
gpt-4o which is more than adequate for our needs
and relatively inexpensive.

108
A I C Y B E R SUMMER 2025

Next we’ll create our users.txt and pass.txt. The

contents of each should look like:
Users.txt
msfadmin
root
admin
test
guest
info
adm
mysql
user
administrator
oracle
And pass.txt
abc123
Once the app is done, it will display a detailed report in
dragon
markdown similar to below:
iloveyou
letmein
monkey
password
qwerty
tequiero
test
admin
msfadmin

Finally, well launch our app!

OK, now you should make sure Docker is running
and then you can run “python app.py” at your
command line or terminal. This may take a minute
to spin up the first time. Once the app is ready, you
can add the IP address of your Metasploitable As you can see, the application has access to all the tools we
instance as the target and hit enter. Your app will defined earlier. It successfully scans our target, decides to use
scan the target, but it may take a bit since we’re BruteSpray, and discovers default credentials for the Telnet
running a service scan first. If you’d like to look service. While this process may appear straightforward, it
at progress, you can review the traces in your marks the beginning of a significant automation effort. We’ve
OpenAI Dashboard here https://platform.openai. also enabled the AI to make some decisions on our behalf.
com/traces. This will show each tool call and the From here, it is simple to add additional scan types to further
output. automate our processes and look for more information against
the targets. You can add an SMB scan through nmap fairly
simply and see if your LLM can decide to scan that, or do we

109
A I C Y B E R SUMMER 2025

need to refine our prompt? These are some of the hurdles we have to overcome as we automate our pentest process
and leverage MCP in our offensive tooling. Much more to come from the community, I expect. I’m excited for what we
can collectively create!

References
• https://modelcontextprotocol.io/introduction
• http://www.pentest-standard.org/index.php/Main_Page
• https://openai.github.io/openai-agents-python/mcp/
• https://github.com/x90skysn3k/brutespray/
• https://platform.openai.com/traces

110
A I C Y B E R SUMMER 2025

Privilege Escalation
in Linux
A Tactical Walk-through Using Python
and AI Guidance
By Tennisha Virginia Martin

111
A I C Y B E R SUMMER 2025

If you’ve recently attended any conferences or

expos, you’ve probably noticed that there is a lot
of tools and service offerings in defensive security
related to Artificial Intelligence (AI), but less so in
offensive security. The influence of AI in the last Privilege escalation is the stage of a
several years, since Large Lange Models became
mainstream, has been clear, but research and cyber-attack in which an attacker
study into the field known as Offensive AI has been
far less fruitful. Offensive AI, which examines the acquires higher-level access on a
use of Artificial Intelligence and Large Language
Models, investigates how ethical hackers can
system than first provided, typically
utilize AI to help free up some of the low-level from a regular user to root.
effort involved in the ethical hacking process. One
of these areas is privilege escalation.
The role of Python in privilege escalation
Privilege escalation is the stage of a cyber-attack Python has long been the language of choice for penetration
in which an attacker acquires higher-level access testers and red teams, particularly for post-exploitation duties
on a system than first provided, typically from such as privilege escalation. Its versatility and readability make
a regular user to root. It is a vital stage in post- it ideal for quickly creating scripts to automate time-consuming
exploitation that can determine the success or and error-prone processes. Python can effortlessly interact
failure of a red team operation. with the Linux file system, execute system commands, parse
outputs, and alter permissions--all of which are necessary for
What’s changing the game now is the incorporation identifying avenues to greater privileges. Using modules like os,
of AI tools such as HackingBuddyGPT by subprocess, and psutil, attackers can easily enumerate users,
Andreas Happe and Jurgen Cito, which act as services, and running processes. Python scripts, for example,
intelligent copilots during offensive operations. can be used to search for SUID (Set User ID) binaries, locate
These tools examine attacker inputs and system world-writable files, and detect improper sudo rules that
outputs to recommend specific next steps, could lead to privilege escalation. Because Python is installed
reducing guesswork and assisting novice users in by default in most Linux editions, even limited environments
understanding the process. frequently provide sufficient functionality to run lightweight
recon or exploitation scripts. Furthermore, Python’s ability to
This article provides a step-by-step example of interact with AI APIs or tools like as HackingBuddy.ai allows red
how Python and AI can be coupled to achieve teams to improve their decision-making by feeding enumeration
successful privilege escalation in a Linux system. findings into intelligent algorithms that recommend future
This article also introduces the rise of AI-powered steps. Python is essentially a scalpel and a multitool—precise,
tools like HackingBuddy.ai, which provide real- versatile, and crucial in the privilege escalation toolkit.
time attack guidance and highlights the practical,
educational advantages of mixing Python
scripting with AI for offensive security.

112
A I C Y B E R SUMMER 2025

agents can be built and extended to meet unique testing

requirements, making them a versatile tool for both red teams
and cybersecurity trainees.

Python is essentially a HackingBuddyGPT works with a variety of LLMs, including

GPT-4 and LLaMA, allowing users to choose the most effective
scalpel and a multitool— model for their situation. The tool is intended not only for
offensive purposes, but also to raise awareness about the
precise, versatile, and rising potential of AI in security testing. It promotes ethical use

crucial in the privilege and explains how AI-generated attack approaches differ from
traditional human-developed exploits. The initiative intends to
escalation toolkit. speed up the appropriate use of AI in cybersecurity by providing
professionals with intelligent, real-time, and flexible solutions.

Emergence of AI Offensive Tooling

HackingBuddyGPT may be connected to OpenAI API Key
(ChatGPT) and polls ChatGPT for one-line commands to
uncover security flaws, misconfigurations, and potential attack
vectors such as weak passwords or inappropriate permissions.
HackingBuddyGPT polls ChatGPT for 20 commands (which
HackingBuddyGPT is an can be configured) to execute against the Linux command line
after receiving the API key and a low-level user’s username and
open-source AI framework password.

that helps ethical hackers

and security researchers
identify novel attack routes
using large language models
(LLMs).
HackingBuddyGPT is an open-source AI
framework that helps ethical hackers and
security researchers identify novel attack routes
using large language models (LLMs). It was
designed with simplicity and modularity in mind,
allowing users to develop sophisticated AI-driven
security agents in under 50 lines of code. The
framework includes a set of task-specific agents
for operations like Linux privilege escalation,
web application testing, and API fuzzing. These

113
A I C Y B E R SUMMER 2025

pip install -r requirements.txt.

In the.env file, you will be required to specify your LLM provider

(for example, OpenAI or a local LLaMA model). Follow the CLI
steps or store your API key as an environment variable. You
should make sure you have a low-level user account on the
victim PC.

STE P 2
Run the Privilege Escalation Agent.
HackingBuddyGPT includes task-specific agents. Regarding
When HackingBuddyGPT finds a one-line
Linux privilege escalation:
command that succeeds, it asks the user to certify
that the run was successful in attaining privilege
python run_agent.py --task priv_esc --model=gpt-4
escalation.

STE P 3
Step-by-Step Walkthrough of Python and
Run the Privilege Escalation Agent.
AI in Action
Each time you poll ChatGPT, it returns 20 one-line commands to
To begin, you’ll need to do an environment setup execute on the target PC. Each time one of these is successful,
which will need a Linux virtual machine with a the system prompts you with TIMEOUT, and if it succeeds, it
low-privileged user and Python 3 installed. Make alerts you that you have acquired ROOT access and quits the
sure you have access to git and a browser before program. Any commands that report TIMEOUT results should
dealing with HackingBuddyGPT or the model be evaluated to determine their success.
interface. This can be done in a virtual box using a
home lab or in your preferred cloud provider using
STE P 4
VMs. The Kali box should have internet access,
whereas the victim box (which I use with the Damn
Run the Privilege Escalation Agent.
Vulnerable Web App on Ubuntu) should only be If you believe you have successfully gained root, you can
available from the Kali attack computer. validate by running the command on your victim system to
check if it increases privileges.
STE P 1
Clone and set up HackingBuddyGPT. Check your privileges.

Begin by cloning the framework onto your Linux Root should be the current user, as indicated by the hash or
machine: pound line at the command line.

git clone https://github.com/IPA-Lab/

hackingBuddyGPT.git

cd HackingBuddyGPT

114
A I C Y B E R SUMMER 2025

Recommendations and Best Practices

To responsibly use AI in privilege escalation, begin by
maintaining a dedicated lab environment that simulates real-
world Linux systems. Experimenting on live or production
systems is not recommended unless explicitly authorized.
Create a personal Python toolkit with modular scripts for system
enumeration, SUID detection, and sudo configuration analysis.
This toolkit can be improved by adding HackingBuddyGPT as a
decision-support layer, giving it the results of your recon tools
and refining its replies over time. Automate common inputs,
such as linpeas output or ps aux logs, and organize them for
Real-world Ethical Implications AI consumption. Also, treat AI as a second opinion rather than
The combination of AI and offensive security an infallible oracle, which means carefully validating each
capabilities creates both power and risk. Tools idea. Finally, keep a changelog of your AI-guided exploits to
like HackingBuddyGPT significantly reduce the track both triumphs and failures. This will help you refine your
barrier to entry for carrying out complicated bespoke playbooks and sharpen your intuition.
assaults, allowing persons with modest technical
competence to undertake sophisticated privilege The incorporation of AI into red team tactics signals a
escalation with AI direction. This democratization significant shift in cybersecurity—one that pushes the pace
of attacking powers calls into question traditional and intelligence of offensive operations beyond established
red team principles, forcing defenders to boundaries. Tools such as HackingBuddyGPT blur the distinction
reconsider their strategy. On the other hand, it between automation and adversarial reasoning, allowing
allows blue teams to better simulate adversaries, even inexperienced testers to execute advanced tactics with
resulting in stronger defenses. The dual-use nature contextual guidance. But with power comes responsibility.
of AI necessitates a new level of accountability: Ethical hackers must be more deliberate than ever about how,
ensuring that these tools are used only in when, and why they employ these technologies. The future of
permitted locations and engagements. As AI cybersecurity will not only benefit individuals who understand
grows more independent, the distinction between exploits, but also those who can reason through them alongside
tool and threat blurs, forcing both developers and intelligent systems. As defenders adapt, attackers will follow,
practitioners to be cautious, transparent, and and the only path forward is to remain sharp, ethical, and
accountable. HackingBuddyGPT is only one such ahead.
open source program; there are plenty others that
might help you improve your ethical hacking skills.

115
A I C Y B E R SUMMER 2025

AI Cyber Pandora’s Box

Powered by Dylan Williams
& Victoria Robinson
These 30 carefully curated collections of highly valuable, yet free resources serve as your go-to guide for staying
ahead in this exciting new world. Dive in… you’re welcome!

Multi-Agentic System Threat Modelling Learn How to Build AI Agents &

OWASP Chatbots with LangGraph
This guide by OWASP builds on the OWASP Agentic AI PAVAN BE L AGAT TI:
- Threats and Mitigations. It unpacks the unique risks LangGraph is an open-source framework that abstracts
of multi-agent systems particularly. It covers RPA AI agent development into Nodes, States, and Edges,
bots, inter-agent communications, and orchestration allowing you to model computation steps, manage
platforms. It also provides a structured process for context, and define data/control flows without boilerplate
Identifying, assessing, and mitigating attacks. code. In this article, Pavan guides you to scaffold a Python
project, install LangGraph, configure LLM API keys, and
assemble drag-and-drop graphs that wire together LLM
calls, error-handling, and external API connectors.

MCP: Building Your SecOps AI

Ecosystem
JACK NAGLIE RI
In this article, Jack Naglieri mentioned Model
Building an AI Agentic Workflow
Context Protocol (MCP), an open source standard Engine with Dapr
which makes it easier to connect AI models to ROBE RTO RODRIGUE Z
different tools and services, the ‘HTTP of AI’. This This article delivers a hands-on walkthrough for extending
article gives detailed insight on how to leverage MCP Dapr Workflows into a full-featured, agentic orchestration
to streamline integrations and reduce workload for engine, showing how to spin up sidecars, wire in pub/
analysts by 50%. sub streams, stateful bindings, and service invocations
so multiple AI agents (and even human-in-the-loop
processes) can collaborate in code-first workflows.

116
A I C Y B E R SUMMER 2025

BoxPwnr is a research-oriented framework that

orchestrates Large Language Models inside
containerized Kali environments to attack and solve
HackTheBox machines with minimal human intervention.
It tracks every command and model interaction,
providing granular metrics on success rates, token
usage, and execution time.
Defending at Machine-Speed: Accelerated
Threat Hunting with Open Weight LLM
Models
RYAN F ET TE RMAN
In this article, Ryan Fetterman argues that
embedding open-weight LLMs directly into Splunk
via DSDL 5.2, empowers SOCs to parse massive log
streams, flag anomalies, and launch investigations
in milliseconds, shifting from manual triage to
Blueprint for AI Agents in
proactive. He demonstrates how to deploy inference Cybersecurity
clusters behind the corporate firewall to maintain F ILIP STOJKOVSKI AND DYL AN WILLIAMS
data privacy, then pinpoints high-value use cases. In this article, Filip Stojkovski and Dylan Williams introduced
Agentic Process Automation (APA), a paradigm where
AI agents autonomously interpret incident response
tasks, make real-time decisions, and continuously adapt
security workflows based on live telemetry and contextual
data. The article also details how to map traditional SOC
playbooks into discrete agent roles while orchestrating
inter-agent communications, enforcing sandboxed
execution, etc.
MITRE ATT&CK Threat Classification With
AI
CHARLES CHIBUE ZE
An LLM powered MITRE ATT&CK classifier. Security
teams sometimes struggle to quickly map alerts to
the correct MITRE ATT&CK tactic and technique.
This slows down triage, investigation, response and
causes a delay in determining which kill‑chain phase
the activity belongs to. The tool takes in the title and Security Operations with RunReveal’s MCP
description of threat detection alerts and produces Server
the corresponding MITRE Tactic and technique. EVAN JOHNS ON AND RUNREVE AL
GuardDuty alert investigation in under a minute?
RunReveal’s AI-powered analysis dissects container
anomalies, correlates user behavior, and delivers analyst-
grade reports. Early adopters report that tasks which
once took hours now return structured CSV to-do lists and
full analyst-style reports in under a minute.

BoxPwnr
F RANCIS CO OCA G ONZ ALE Z :
117
A I C Y B E R SUMMER 2025

What if your tests write themselves? Meta’s ACH

(Automated Code Hopper) platform uses LLMs to generate
realistic mutants, deliberately buggy code snippets, and
then crafts targeted test cases guaranteed to “kill” those
mutants. Foster, Gulati, Harman, Harper, Mao, Ritchey,
Robert, and Sengupta show how this approach transforms
vague compliance checklists into concrete, machine-
Perplexity for the Darkweb - Using LLMs verifiable guarantees.

to explore the darkweb

THOMAS ROCCIA
Thomas Roccia extends Perplexity, a search engine
powered by LLMs that synthesizes web results
into concise answers, to the darkweb, enabling
transparent, Tor-backed queries across .onion sites
via Ahmia and curated URL lists..

Better RCAs with multi-agent AI

Architecture
BAHA A Z ARMI AND JE F F VESTAL
In this post, Azarmi and Vestal unveil Elastic’s “Super-
Agent” framework, it is an architecture that spins up
specialized AI agents to collect logs, reconstruct causal
chains, and surface the true origin of outages. This article
provides details on how to partition tasks, orchestrate
For CISO’s & CIO’s-How to Co-Chair an inter-agent dialogues, and visualize a concise timeline
AI Governance Committee- How to Create that pinpoints misconfigurations or code regressions,
without manual log spelunking
one effectively with the right Goals &
Responsibilities
MORIA H HARA
Many enterprises have an AI Governance committee,
but whether it is effective is another story altogether.
This article will ensure you have the right people in
place with the right objectives.

Super-powered Application Discovery and

Security Testing with Agentic AI - Part 1
BRAD GE ESAMAN
This article introduces Ghostbank, a fictional banking app
with a Broken Object Level Authorization (BOLA) flaw, and
contrasts manual workflows for discovering and validating
a logic bug in a live web application against the promise of
Revolutionizing software testing: agentic AI. It walks through the BOLA transfer endpoint’s
missing parameter validation and highlights how recon,
Introducing LLM-powered bug catchers targeting, and exploit validation at realistic scale create
CHRISTOPHE R FOSTE R , ABHISHE K GUL ATI, overwhelming cognitive load for human testers.
MARK HARMAN, INNA HARPE R , KE MAO,
JILLIAN RITCHEY, HE RVÉ ROBE RT, SHUBHO
S E NGUPTA

118
A I C Y B E R SUMMER 2025

hunt for XSS, insecure file reads, and more. It provides

side-by-side comparisons on which model flags subtle
SQL injections, which one misses OWASP Top 10 flaws,
and how “reasoning” models stack up against pattern-
based scanners.

Super-powered Application Discovery and

Security Testing with Agentic AI - Part 2
B RAD GE ESAMAN
Building on Part 1, this post defines the core
capabilities an AI agent framework needs,
enumeration, request capture, fuzzing, and stateful
memory, and introduces ReaperBot, which leverages AI-Powered Vulnerability Impact Analyzer
the Pydantic-AI toolkit and OpenAI models to ALEX DEVASSY
orchestrate those tools automatically. Alex Devassy’s open-source tool marries LLM reasoning
with CVSS metrics to produce nuanced impact reports.
Feed it a CVE description, your environment’s architecture
diagram, and it returns a prioritized remediation roadmap
complete with risk thresholds, patch roll-out plans, and
confidence scores.

Super-powered Application Discovery and

Security Testing with Agentic AI - Part 3
B RAD GE ESAMAN
This final installment shares best practices learned
during ReaperBot’s development, agent persona
design, orchestrator vs. worker model selection, Rule-ATT&CK Mapper (RAM): Mapping SIEM
structured outputs, and prompt-engineering Rules to TTPs Using LLMs
techniques, to improve reliability, cost efficiency, and PRASANNA N. W UDALI, MOSHE KRAVCHIK
hand-off quality in production AI powered workflows.
Looking for a faster, smarter way to link your SIEM rules
with the MITRE ATT&CK framework? Take a look at Rule-
ATT&CK Mapper (RAM). It is a multi-stage, prompt-chaining
LLM pipeline that automates the mapping of structured
SIEM detection rules to MITRE ATT&CK techniques,
eliminating the need for manual labeling or costly model
fine-tuning.

Can AI Actually Find Real Security Bugs?

Testing the New Wave of AI Reasoning
Model
MARCIN NIE MIEC
Can LLMs outclass your favorite SAST tool? Marcin
Niemiec pits OpenAI, Google’s Gemini, and DeepSeek
reasoning models against real-world codebases to
119
A I C Y B E R SUMMER 2025

Microsoft’s AI red team have open sourced their AI red

team labs so you can set up your own. How cool is that!
This playground labs to run your AI red teaming training
comes bundled with infrastructure.

AI Agentic Cybersecurity Tools: Reaper,

TARS, Fabric Agent Action, and Floki
OMAR SANTOS
Omar Santos provides an overview of four open-
source AI-driven cybersecurity tools: Reaper, TARS,
Fabric Agent Action, and Floki. The article provides Scaling Threat Modeling with AI: Generating
insight on the capabilities of each of these tools as 1000 Threat Models Using Gemini 2.0 and AI
well as its contributions to autonomous security
Security Analyzer
workflows.
MARCIN NIE MIEC
Can you automate threat modeling at scale? This blog
post details utilizing Google’s Gemini 2.0 “Flash Thinking”
model in a multi-prompt agent to produce focused
STRIDE threat models, formatted as clean Markdown
lists for instant clarity. Marcin wires this into a GitHub
Actions pipeline that spun out 1,000 threat models across
diverse open-source projects. This shows that with human
curation, AI can dramatically accelerate comprehensive
Considering the security implications security documentation.
of Computer-Using Agents (like OpenAI
Operator)
JACQUES LOU W
Computer-Using Agents(CUAs) are AI-powered
systems that interact with computers and software
applications like a human user. In this article, Jacques
Louw throws more light on the potential security
risks associated with Computer-Using Agents(CUAs)
including the implications for identity security and Practical Use Cases for LLMs in cybersecurity
access controls. DAN LUSSIE R
What can LLMs really do for defenders? This article
provides insight into three live projects, automating threat
intel summarization, dynamic detection rule generation,
and simulated phishing campaigns. Dan Lussier shows
how each leverages an LLM’s unique strengths.

AI Red Teaming Playground Labs

MICROS OF T
Microsoft’s AI red team have open sourced their AI
red team labs so you can set up your own. How cool
120
A I C Y B E R SUMMER 2025

Jack Naglieri discussed how AI agents assist SOC analysts

by learning investigative processes, and enhance SOC
efficiency. It’s a detailed shift from traditional alert triage
to an AI-supported workflow.

State of Agentic AI Red Teaming

S PIX AI
This whitepaper explores how AI red teaming must
evolve to address the emerging risks of agentic AI
systems – complex workflows powered by LLMs,
tools, APIs, and autonomous agents. Built on real-
Incorporating AI Agents into SOC workflows
world insights from automated red teaming across
JIMMY ASTLE
enterprise applications, the paper provides a
This article explains how Red Canary’s AI agents automate
practical guide for security leaders, AI engineers, and
tedious work like correlating IP reputations, login histories,
compliance teams aiming to secure next-generation
and device telemetry, so analysts spend under 3 minutes
AI deployments. Learn how to adapt testing
per investigation, not 25–40, all while maintaining a 99.6 %
strategies, model new risks, and bring transparency
accuracy rate. Jimmy outlines a “guardrails-first” rollout,
to complex AI workflows.
proving that non-autonomous agents can boost efficiency
without sacrificing reliability.

Matching AI Strengths to Blue Team Needs

DAVID BIANCO
Large Language Models for Malware Analysis
Not all models fit every use case. In this article, David
F LORIN BRAD, IOANA PINTILIE, MARIUS
Bianco walks through the key attributes of major DRAG OI, DRAG OS TANTARU:
LLMs, context window size, reasoning vs. pattern
Can an LLM really dissect assembly like a seasoned
matching, fine-tune capabilities, and maps them to
analyst? This article talks about “asmLLMs”, and show
blue-team workflows like log enrichment, alert triage,
they produce richer embeddings for classification and
and SOC playbook generation. A must-read decision
generative tasks than general-purpose LLMs Their
matrix for tool selectors.
asmLLMs achieve up to 35.72 Rouge-L and 13.65 BLEU on
the OSS-ASM dataset, outperforming GPT-4 and GPT-3.5
in code repair and summarization.

The Evolved SOC Analyst

JACK NAGLIE RI
This article details the transformation of Security
Operation Centres(SOCs) through AI augmentation.

121
A I C Y B E R SUMMER 2025

Got a byte of
feedback?
E MA IL U S AT
[email protected]

122
A I C Y B E R SUMMER 2025

Read insights from my

article on Page 65

123