AI in the Kill Chain

AI in the Kill Chain

In early February, researchers at Hunt.io stumbled onto a misconfigured server in Zurich exposing over 1,400 files across 139 subdirectories — the full operational toolkit of a threat actor integrating large language models directly into an active intrusion workflow targeting Fortinet FortiGate appliances across multiple continents. The confirmed victims included an industrial gas company in Asia-Pacific, a Turkish telecom provider, and a major Asian media company, with reconnaissance data referencing additional targets in South Korea, Egypt, Vietnam, and Kenya. Two custom-built tools with no prior public footprint powered the operation: CHECKER2, a Go-based Docker orchestrator for parallel VPN scanning, and ARXON MCP, a Python-based Model Context Protocol server that combines LLM analysis with attack scripts. ARXON ingests per-target reconnaissance data, calls DeepSeek to generate attack plans, and stores results in a persistent knowledge base that grows with each target. One scan processed 2,516 targets across 106 countries in parallel batches. (more: https://cyberandramen.net/2026/02/21/llms-in-the-kill-chain-inside-a-custom-mcp-targeting-fortigate-devices-across-continents)

Claude Code was configured to autonomously execute offensive tools — Impacket, Metasploit, hashcat — without requiring per-command approval, with hardcoded domain credentials pre-approved in a recovered `.claude/settings.local.json` file. The actor evolved from using HexStrike, a publicly available offensive MCP framework found in a December 2025 exposure on the same server, to the fully custom ARXON/CHECKER2 system by February 2026. The dual-model approach — using whichever LLM is most permissive for a given task — will almost certainly become a recurring pattern. This is no longer theoretical kill chain modeling; it is an operational playbook being executed with commodity tools.

Between December 2025 and January 2026, a separate attacker demonstrated the same trajectory at lower sophistication: jailbreaking Anthropic's Claude by framing malicious requests as a "security program," then using the chatbot to automate cyberattacks against multiple Mexican government agencies. The haul included 150 GB of voter records, employee credentials, and civil registry files from the federal tax authority, the national electoral institute, and state governments in Jalisco, Michoacán, and Tamaulipas. When Claude hit guardrail limits, the attacker switched to ChatGPT for lateral movement and evasion — the same dual-model pattern. Anthropic banned the accounts and enhanced misuse detection, but the damage was done. (more: https://www.yahoo.com/news/articles/ai-powered-hacker-steals-150gb-201253320.html)

Meanwhile, Kali Linux's official blog published a detailed walkthrough for connecting Claude Desktop to a remote Kali instance via MCP over SSH, enabling natural-language-driven port scanning, directory busting, and vulnerability assessment — all for free on Claude's consumer tier. (more: https://www.kali.org/blog/kali-llm-claude-desktop)

Containing the Agent

The offensive side is moving fast, so what about defense? Void-Box takes the hardest possible line: each stage of an AI agent workflow runs inside its own disposable KVM micro-VM, created on demand and destroyed after execution. No shared filesystem state, no cross-run side effects, deterministic teardown. The Rust-based runtime enforces command allowlists, resource limits, seccomp-BPF, and controlled network egress per stage. Structured output is passed to the next pipeline stage, and the composable API supports both sequential `.pipe()` and parallel `.fan_out()` with explicit failure domains. It is still early — the community is already asking hard questions about allowlist granularity (how do you distinguish `find -name` from `find -exec`?) and network filtering beyond domain-level restrictions — but the architectural bet is sound: treat execution boundaries as a first-class primitive. (more: https://www.reddit.com/r/LocalLLaMA/comments/1rbtudq/voidbox_capabilitybound_agent_runtime/)

The secrets problem gets its own tool. AI coding assistants like Claude Code, Copilot, and Cursor can read any file in your project directory, which means a plaintext `.env` file is an accidental exfiltration waiting to happen. Enveil replaces plaintext secrets with `ev://` symbolic references; the real values live in an AES-256-GCM encrypted local store and are injected directly into subprocess environments at launch. No `get` or `export` commands exist by design — printing a secret to stdout would create a readable leakage vector, defeating the entire purpose. Argon2id key derivation, fresh nonce on every write, and 31 automated security tests back the claims. (more: https://github.com/GreatScott/enveil)

On the satirical end — but with a sharp technical point — ClawGuard presents itself as open-source middleware that intercepts AI agents at the gate, requiring "authorization, justification, and accountability" before they touch a single byte. The real payload is an expertly constructed argument that prompt injection is architecturally unfixable: transformer attention mechanisms cannot distinguish instruction from data, and this has held for nine years since the original 2017 paper. ClawGuard's FAQ, dripping with sarcasm about techbroligarchs and regulatory capture, lands a serious conclusion: if your defensive strategy depends on the model respecting markers, you have no strategy. (more: https://claw-guard.org)

Ikenna Okpala's series on topological governance in autonomous software engineering tackles the drift problem from graph theory. When an agent swarm starts producing incoherent output, his approach models the swarm as a weighted interaction graph and applies MinCut to find the smallest set of edges whose removal isolates the drifting cluster from healthy nodes. The healthy swarm keeps shipping while the quarantined cluster gets rebooted, tightened, or escalated to a human. Pair review becomes a structural coupling constraint, not an optional process. (more: https://www.linkedin.com/pulse/quarantine-agents-mincut-isolation-always-on-pair-review-okpala-1fmwe)

The End of Vibe Adoption

Stanford's Trustworthy AI Research Lab and the AIUC-1 Consortium have published a whitepaper that distills 2025's AI security lessons into a single uncomfortable number: 64% of companies with over $1 billion in turnover have already lost more than $1 million to AI failures. The paper names three challenges that will define 2026: the agent challenge (AI crossing from assistant to autonomous actor, removing the human-in-the-loop safety mechanism), the visibility challenge (63% of employees pasting sensitive data into personal chatbots), and the trust challenge (prompt injection graduating from research curiosity to production incident). Professor Sanmi Koyejo puts it plainly: "The value proposition of agents is removing humans from the decision loop — but this also removes our most reliable safety mechanism." The consortium's position is that vibe-driven adoption without technically grounded, agent-specific frameworks is no longer just reckless — it is financially fatal. (more: https://www.aiuc-1.com/research/whitepaper-the-end-of-vibe-adoption)

SOC Prime's DetectFlow OSS attacks the detection side with streaming Sigma rule matching on Apache Kafka event streams. The pitch: sub-second mean time to detection (0.005–0.01 seconds versus 15+ minutes for traditional SIEM), with events tagged and enriched in-flight before SIEM ingestion. The architecture layers Apache Flink match nodes on Kubernetes, consuming from source topics and writing tagged events to destination topics. Hot-reload support means detection rules, filters, and parsers update without pipeline restart. For SOC teams drowning in SIEM latency, this is detection-as-code meeting streaming infrastructure at scale. (more: https://github.com/socprime/detectflow-main)

Rafael Knuth makes the architectural case for why prompts will never be reliable enforcement mechanisms at scale. His worked example: ask an LLM to evaluate 50 products across 5 quality dimensions. It starts strong, but by product 35 the annotations are missing, and by product 45 the composite scores are being estimated rather than calculated. The fix is a single boundary — a Python `assessments()` function signature that deterministic validation code checks against — not a pipeline, not an API loop, not more prompt engineering. "A prompt is a request. An assert is a gate. Requests get ignored under load. Gates don't." (more: https://www.linkedin.com/pulse/when-prompts-cant-enforce-why-deterministic-validation-rafael-knuth-6efef)

The Anthropic-Pentagon Standoff

Scott Alexander's detailed analysis of the Anthropic-Pentagon collision lays bare a confrontation with implications well beyond defense procurement. The sequence: Anthropic signed a Pentagon contract last summer that required the military to follow Anthropic's Usage Policy. In January, the Pentagon attempted to renegotiate, demanding access for "all lawful purposes." Anthropic asked for guarantees against mass surveillance of American citizens and autonomous killbots without human oversight. The Pentagon refused and threatened consequences — canceling the contract, invoking the Defense Production Act to compel cooperation, or the nuclear option: designating Anthropic a "supply chain risk," which would ban US companies using Anthropic products from doing business with the military. That designation has previously only been used against foreign companies like Huawei. Using it as a bargaining chip against a domestic company in contract negotiations is unprecedented. (more: https://www.astralcodexten.com/p/the-pentagon-threatens-anthropic)

The question of why the Pentagon does not simply switch to OpenAI or Google has a revealing answer: Anthropic is reportedly the only company currently integrated into classified systems via its earlier Palantir partnership. Faced with the mild inconvenience of integrating a competitor's product, Defense Secretary Hegseth chose escalation. Alexander's sharpest observation: "Every American company ought to be screaming bloody murder about this. If they aren't, it's because they're too scared they'll be next." The polling data is telling — a large plurality of Trump voters oppose the Pentagon's position.

The broader pattern of governance-by-coercion extends to other domains. IEEE Spectrum's analysis of age verification legislation demonstrates how verifying users' ages inevitably undermines everyone's data protection — you cannot prove someone is over 18 without collecting identity data that creates a surveillance substrate, regardless of the stated intent. The verification infrastructure itself becomes the risk. (more: https://spectrum.ieee.org/age-verification)

Faster, Cheaper, and How Much Is Bullshit

Inception Labs' Mercury 2 makes a bold architectural bet: ditch autoregressive left-to-right decoding entirely. Mercury 2 generates responses through parallel refinement, producing multiple tokens simultaneously and converging over a small number of diffusion steps. The headline number is 1,009 tokens per second on NVIDIA Blackwell GPUs at $0.25 per million input tokens — more than 5x faster generation than conventional decoding with pricing that undercuts most competitors. The practical claim matters more than the benchmark: consistent p95 latency under high concurrency, which is what production agentic loops and voice interfaces actually need. Skyvern's CTO calls it "at least twice as fast as GPT-5.2." (more: https://www.inceptionlabs.ai/blog/introducing-mercury-2)

Speed claims need reality-checking, and a detailed benchmark of Opus 4.6 versus Sonnet 4.6 on agentic PR review and browser QA provides exactly that. Running 10 independent sessions per model on a 4,000-line PR, Sonnet found more issues on average (9 versus 6) with zero false positives from either model. But Opus caught a three-layer error handling bug traced across a fetch utility, service layer, and router that required 14 extra tool calls to surface — Sonnet never got there. On browser QA, both passed a 7-step form flow at 7/7, but Opus cost $1.32 per run versus Sonnet's $0.24. The practical conclusion: "The 'always use Opus for important things' rule is dead. For breadth-first adversarial work, Sonnet is genuinely better. Opus earns its premium on depth-first multi-hop reasoning only." (more: https://www.reddit.com/r/ClaudeAI/comments/1r9jf2j/i_benchmarked_opus_46_vs_sonnet_46_on_agentic_pr/)

And for those wondering whether models can even detect when a question is nonsense: the Bullshit Benchmark Explorer tests exactly that. Using 10 deception techniques — from Confident Nonsense Framing to Literalized Metaphor — it measures whether models detect broken premises, call out the nonsense directly, and avoid confidently continuing with invalid assumptions. A panel of LLM judges assigns traffic-light scores: green for clear pushback, amber for partial challenge, red for swallowing the bait. Models from 15+ organizations are tested. The tool itself is a browser-based explorer with sortable leaderboards and technique-level breakdowns, though the real editorial point is simpler: if your model cannot tell you when a question is broken, its benchmark scores on well-formed questions mean less than you think. (more: https://petergpt.github.io/bullshit-benchmark/viewer/index.html)

MCP Colonizes Everything

Model Context Protocol has spent the past year colonizing software tooling. Now it is crossing into hardware. A new MCP server exposes Lauterbach TRACE32 — the industry-standard embedded systems debugger used for JTAG/SWD debugging of microcontrollers, DSPs, and SoCs — as 30+ tools across 8 categories: connection management, execution control, PRACTICE script execution, memory read/write, register manipulation, breakpoints, variable inspection, and symbol resolution. Connect it to Claude Code or any MCP client, and you can set breakpoints, read registers, inspect memory, and step through firmware in natural language. The embedded world has run on proprietary, GUI-heavy toolchains for decades. This is the first credible crack in that wall. (more: https://github.com/hsoffar/lauterbach-trace32-mcp)

On the software side, GitNexus indexes any codebase into a knowledge graph — every dependency, call chain, functional cluster, and execution flow — then exposes it through 7 MCP tools including process-grouped hybrid search, 360-degree symbol context, blast-radius impact analysis, and multi-file coordinated rename. The core innovation is precomputed relational intelligence: instead of giving the LLM raw graph edges and hoping it explores enough, GitNexus structures everything at index time so a single tool call returns complete context. The practical benefit is smaller models getting architectural clarity that previously required frontier-scale reasoning. KuzuDB provides the graph database, Tree-sitter handles AST parsing across 9 languages, and the whole thing runs locally with zero network calls. (more: https://github.com/abhigyanpatwari/GitNexus)

Claude Code shipped a feature that directly addresses the "tethered to your laptop" problem: `claude remote-control` displays a QR code in your terminal, scan it with your phone, and you continue your dev session — local files, MCP servers, project config, everything — from anywhere. The session reconnects automatically on network drops. It is a deliberate contrast to OpenClaw's approach of building an autonomous agent with full system access through messaging apps: no new agent, no new attack surface, just your existing session accessible from another screen. (more: https://www.linkedin.com/posts/adham-sersour_wow-claude-code-just-shipped-a-their-share-7432451618979213315-f_Ka)

Agents Ship Product

On February 25, 2026, the IRIS autonomous system attempted a world record for AI-generated fashion advertising. Starting from a single four-panel garment photograph — Look 6 from the Topshop SS26 collection — an autonomous AI agent swarm produced 138 campaign assets in 96 minutes of wall-clock time (64 minutes active generation), including 133 images and 5 branded cinematic fashion films. The human creative director never opened a creative interface. No GUI was used. No manual pipeline construction. The operator spoke 21 voice prompts totaling roughly 5 minutes of human input, and the AI swarm autonomously constructed every workflow from scratch — ComfyUI multi-GPU pipeline configurations, API integrations, prompt engineering, video generation calls, programmatic compositing, and quality assurance. Peak generation rate hit 4.4 images per minute during parallel swarm execution. The system, built on VisionFlow (168,000 lines of Rust) and orchestrated via Claude Flow v3, ran across dual NVIDIA RTX 6000 Ada GPUs locally plus cloud APIs for Gemini 2.5 Flash and Veo 3.1 video generation. (more: https://github.com/DreamLab-AI/THG-world-record-attempt/blob/main/reports/world-record-report.pdf)

The builder behind OpenClaw — the personal AI agent that went from a side project to a Wall Street Journal feature in weeks — sat down with OpenAI to discuss what this moment means. Peter, who previously built and sold PSPDFKit over 13 years, describes the shift: "I took a halfway-done project, dragged it into Gemini as a 1.5MB markdown file, got a spec, dragged that into Claude Code, wrote 'build,' and did other stuff while it ran on a side screen for hours." His GitHub shows 90,000 contributions across 120+ projects in the past year. The productivity explosion came from switching to Codex: "I don't even use worktrees. I just have checkout 1 to 10." His take on vibe coding: "I think vibe coding is a slur. It's a skill." On reviewing the 2,000 open pull requests: "I don't really care about the code. I care about what is the person actually trying to solve?" (more: https://www.youtube.com/watch?v=9jgcT0Fqt7U)

The question of where these models run is shifting. A recurring argument in the local LLM community frames the trajectory as convergent: open models keep getting smaller and better, consumer hardware keeps getting cheaper, and at some point the default flips from "why would you run this locally?" to "why would you ship your entire prompt and codebase to a third-party API?" For personal coding, offline agents, and sensitive internal tools, a strong local model plus a specialized smaller model may already be enough. (more: https://www.reddit.com/r/LocalLLaMA/comments/1rc00nj/in_the_long_run_everything_will_be_local/)

One developer's experience crystallizes the perceptual shift. Trying to read a phone number from a compressed, cropped Instagram image, classical OCR failed — segmentation broke on the noisy geometry. Frontier multimodal models read it correctly. Not perfectly, not consistently across all models, but collectively they outperformed both human eyes and traditional pipelines at a task that requires the kind of probabilistic visual judgment our species evolved over millions of years. "It wasn't because it solved something grand. It was because it parsed an everyday artifact more reliably than I could." (more: https://medium.com/@ankurtyagi2007/for-the-first-time-agi-felt-real-in-a-way-i-couldnt-dismiss-b869fe192789)

China is pursuing a fundamentally different relationship between AI and society. An Asia Times analysis argues that the dominant "AI race" framing misses the point: Silicon Valley treats AI as frontier exploration focused on general intelligence, while Beijing frames it as "a capacity to be absorbed" — a tool for systemic embedding across logistics, healthcare, finance, and urban management. The concept of the "predictive state" shifts governance from reactive rule enforcement to preemptive intervention: traffic congestion mitigated before gridlock, financial risk flagged before contagion, health interventions activated before outbreaks accelerate. Whether you find that reassuring or terrifying depends on your priors about state power, but the technical substrate — digital identity platforms, integrated payments, sensor networks rendering society "computationally legible" — is being built at a pace that makes Western AI governance debates look academic. (more: https://asiatimes.com/2026/02/china-building-a-different-ai-future-than-the-west)