The Other Side Went Autonomous
Last month closed with a question about measurement. If the gap between hygiene and context is the program, then what you measure is what you get. July answered with something blunter. While we were refining our metrics, the other side went autonomous.
Early this month, the Sysdig Threat Research Team documented what they assess to be the first agentic ransomware operation, tracked as JADEPUFFER. A large language model agent ran the full extortion chain end to end. It exploited an unauthenticated remote code execution flaw in an internet-facing Langflow deployment (CVE-2025-3248), harvested credentials, moved laterally into a production database server, established persistence, and encrypted more than 1,300 configuration items. When a step failed, it adapted. Sysdig captured the agent going from a failed login to a working fix in 31 seconds. None of the individual techniques were novel. What is new is that a model chained them together without an operator. Autonomous offense is no longer a keynote hypothetical. It is an incident category.
The tooling side of the ledger is not more comforting. July produced a steady run of findings against agentic developer tools and Model Context Protocol (MCP) servers, including supply chain compromises and design flaws in the command guards these agents rely on. This is exactly the terrain the National Security Agency flagged in May, when its Artificial Intelligence Security Center published a Cybersecurity Information Sheet titled Model Context Protocol (MCP): Security Design Considerations for AI-Driven Automation. When a signals intelligence agency writes deployment guidance for a protocol this young, that is not hype. That is operational reality arriving faster than governance.
Do not take my word for it. Read the Sysdig research. Read the NSA guidance. Then look at your own environment and ask one question. If an autonomous agent targeted us tomorrow, would our response move at its speed or at ours?
Where we need to go
Three convictions, stated plainly.
Autonomy is an operating assumption, not a forecast. Planning cycles that treat agentic attacks as a 2027 problem are already behind. Breakout times collapsed from hours to minutes. Now the operator is optional. Your assumptions should reflect that today.
Context beats capability. The instinct across the industry is to answer autonomous offense with more model horsepower. That is the wrong axis. An agent without an accurate map of ownership, criticality, and dependencies is fast and wrong at the same time. Context quality, not model capability, is what makes machine-speed defense trustworthy.
Oversight is architecture, not process. Human judgment has to be designed into the system as thresholds, audit lineage, and explainable decisions. A policy document reviewed twice a year will not govern something that acts in seconds.
“Hygiene is the floor. Context is the ceiling. The half of 2026 still in front of us will be decided by who closes the gap between them first.”
An open conversation, no pitch
Yair and I are carving out time at Black Hat for one-on-one conversations with security leaders. Thirty minutes, no demo, no deck, no follow-up sequence. Just an honest conversation about where we are as an industry and what is actually working in your environment.
I have been in this seat six times. The conversations that changed how I ran my programs were never the ones with an agenda. If that sounds worth thirty minutes, grab time with us: Executive Briefings at BHUSA.
See you in Las Vegas
I'll be in Las Vegas all week for Black Hat USA 2026, and if you're around, I'd love to say hello.
Surf AI will be at Booth #4711, home of The Surf Spa. Personalized demos and executive briefings if you want them, a complimentary massage if you need one. And yes, I'll be playing acoustic guitar at the booth throughout the week. Come for the conversation, stay for the set. Requests considered, quality not guaranteed.
I'll be all over Black Hat week, between executive briefings, live jam sessions at The Surf Spa, the CISO Roast 2026, Root to CISO – Just AIsk at BSides Las Vegas, The Triple 8 Table, and a few other stops along the way. I hope our paths cross.
See everything happening throughout the week at blackhat.surf.
References
- JADEPUFFER: Agentic ransomware for automated database extortion — Sysdig Threat Research Team
- Model Context Protocol (MCP): Security Design Considerations for AI-Driven Automation — NSA Artificial Intelligence Security Center
More soon.
Yonesy Núñez
CISO, Surf AI
Yonesy Núñez is a five-time CISO with over two decades of experience securing some of the world's most complex financial institutions, including DTCC, Jack Henry, and Wells Fargo, and currently serves as CISO of Surf AI.
