Summer ‘26 vibes: international flights, Riyadh heat, and plentiful CISO conversations. Every conversation (regardless of geographic location or industry vertical) currently begins and ends with AI strategy. Let’s unpack the nuance.
Every executive should be contemplating two questions at this moment:
- Are we building, testing, and scaling agents for the coming onslaught of AI-enabled adversary activity?
- Do we have the breadth of intelligence necessary to move at machine speed?
Why Agents and Why Now?
Timing is everything in life. So the question is: why invest in agents for defensive workflows now? Two premises need to be explained here.
First, let’s focus on financially motivated adversaries that don’t receive a government paycheck (directly or indirectly). The state-sponsored adversaries have a different set of resources at their disposal.
There are controlled cases where Frontier AI models enable autonomous adversarial activity in malware generation or holistic intrusion chains. Even the Five Eyes are officially warning about adversarial use of frontier models. Yet the onslaught of offensive agents hasn’t materialized yet. Like the Uruk-hai attacking Helm’s Deep in The Lord of the Rings, we expect the wave is coming, but the automated army hasn’t arrived. Why not?
Frontier models may be susceptible to context poisoning over time, but it’s difficult to use them at any scale for automated offensive operations. The guardrails are sufficient for the moment. Adversaries are also caught between the OPSEC tension of using third-party APIs (which increases attribution risk) and investing the resources to build local open-source models.
While much has been made of open-source model capabilities, the reality is that time, effort, and financial resources are required to use them effectively for offensive campaigns. To get nerdy for a second (because the details are important), a recent experiment with LibreChat and Dolphin-llama3:14b (uncensored LLM) on a $3K local server (containing a reasonable Nvidia GPU with 16GB of VRAM) revealed that simple tasks like coding a new web shell are still out of reach.
The level of effort and hardware required to build a local resource capable of orchestrating effective autonomous attack agents will only decrease over time. Quantization is the clock defenders should be watching. A reductive quantization explanation in this AI context is using less memory by rounding billions of numbers (weights) rather than maintaining precision, thereby shrinking an AI model’s size. Even though the model is slightly less capable, it’s still useful for most tasks. Quantization drives the hardware bar down, and the lower that bar falls, the sooner opportunistic actors can execute attacks at scale.

The danger for defenders isn’t the headline-grabbing frontier models; it’s the ease with which adversaries can deploy effective local models on modest hardware. Based on the previous 18 months of advances, the next 6-12 months will likely yield similar advances in open-source model capabilities with minimal hardware investment. That’s when opportunistic actors start staging at scale.
Which brings us back to protecting the proverbial house with defensive AI agents. Now is the time to build, not ponder. We don’t jump into self-driving cars until we have some confidence that the edge cases have been worked out. Similarly, the agentic workflow edge cases can’t be discovered and solved without iteration and testing.
Smart CISOs are building an AI control plane (in collaboration with adjacent business units) to enable transparency into AI token consumption, project ROI visibility, and code security. Building and testing agents is part of a larger control-plane project and is particularly time-sensitive.
Sandwiched between data availability and information security regulations, CISOs need to generate trust and confidence in agents. Humans may stay in the decision loop for the foreseeable future, but observing agents in a non-production environment is critical. From applying a patch to generating and applying a signature to quarantining a PC or revoking credentials, there is no substitute for iterating over time. Vendors are certainly useful for sharing domain knowledge and solutions, but given the implications of agents gone bad in production environments, teams should own and observe workflows for an extended period.
Organizations that don’t begin building and iterating with agents now will find themselves at a significant disadvantage as financially motivated actors (specifically) increase their autonomous capabilities using open-source AI models.
Where Should Agents Go First?
This is the second question in practice. Agents are only as good as the data available to them, and moving at machine speed requires intelligence that is both broad and traceable. There’s plenty of low-hanging fruit (brand protection, for example), but the following three categories are big value.
1. CTEM (Continuous Threat Exposure Management). All five CTEM stages are suited for agents. Specifically, AI-led vulnerability discovery is exploding, but reliable patches aren’t always available. The name of the game is K-E-V. KEVs (Known Exploited Vulnerabilities) and agent-built detection signatures are the urgent priority in a sea of largely irrelevant CVSS scores. When newly identified KEVs are combined with a comprehensive asset inventory and enumerated services, from both internal and external views, a powerful agentic workflow emerges. The breadth of KEV intelligence visibility is directly proportional to the quality of CTEM outcomes.
2. BAS (Breach & Attack Simulation). Think continuous Red Teaming. Controls rarely prevent or detect threats at the advertised efficacy rate. Adversary AI will map resources and dismantle controls in minutes. Validating coverage and exposing gaps before an adversary’s agents get in is well-advised. The intelligence necessary to power BAS starts with malware tools, tactics, and procedures (TTPs), but living-off-the-land tools and new procedure permutations are equally important. In the short term, agents will accelerate the orchestration between new TTPs and BAS platforms. Long-term agents will replace many of the BAS platform actions.
3. Security Operations. This is where there’s currently substantial movement in the AI start-up vendor space, as tactical SIEM alerts and potential incident response investigations are triaged faster. Deep intelligence from multiple source classes around indicators and artifacts enables an agentic decision advantage to escalate, remediate, or close a ticket. The discipline is in matching autonomy to consequence. Closing a benign ticket and revoking production credentials sit at opposite ends of the risk spectrum, and the governance model should let agents move fast on the former while keeping a human on the latter.
Agentic Early Adoption or Wait?

Production-grade security agents may still be a work in progress, but investing in research and development now will enable a deeper organizational resilience as models continue to improve and quantization accelerates. The defensive urgency is just beginning; the point is to prepare before opportunistic actors can easily deploy local AI models.
Combining vendor services support with in-house AI and security domain expertise will accelerate the learning curve. Humans stay in the loop where judgment matters, while agents take on more of the repeatable work. Don’t wait. Start building today.
Source: RecordedFuture
Source Link: https://www.recordedfuture.com/blog/build-defensive-ai-agents