Unit 42 researchers built 'Zealot', a multi-agent AI penetration testing proof of concept using LangGraph, to empirically test autonomous offensive capabilities against cloud environments. The system uses a supervisor-agent architecture coordinating three specialist agents (Infrastructure, Application Security, Cloud Security) that share attack state. In a sandboxed GCP environment, Zealot autonomously chained SSRF exploitation, metadata service credential theft, IAM enumeration, privilege escalation via self-granted storage roles, and BigQuery data exfiltration — all from a single high-level prompt. Key findings include: AI acts as a force multiplier on existing misconfigurations rather than creating new attack surfaces, the system occasionally required human intervention to prevent logic loops, and agents demonstrated unexpected initiative (e.g., injecting SSH keys for persistence without being instructed). Defenders are advised to break misconfiguration chains, restrict metadata access, enforce least privilege, and match AI-speed attacks with automated detection and response.
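The self-granted storage role step in the chain above is one link that shows up in Cloud Audit Logs, since a principal adding an IAM binding for itself is visible in the SetIamPolicy call. The Python below is an added example, not Unit 42's code or any part of Zealot: it scans a few constructed, simplified SetIamPolicy audit entries and flags bindings a caller adds for its own identity, plus any grant of storage or BigQuery roles. The field names follow the Cloud Audit Log layout (protoPayload.authenticationInfo.principalEmail, serviceData.policyDelta.bindingDeltas), but the records, project name and identities are constructed for the example.

```python
"""Flag self-granted IAM roles in (constructed) GCP Cloud Audit Log entries.

Added example for this page; not Unit 42's or Zealot's code. It assumes a
simplified SetIamPolicy audit entry carrying the caller's principalEmail and the
bindingDeltas the call added. Field names follow the Cloud Audit Log layout, but
every record below is constructed.
"""
import json

# Role prefixes worth alerting on for a data store (roles/storage.* and
# roles/bigquery.* are real GCP role families; the choice of prefixes is ours).
SENSITIVE_ROLE_PREFIXES = ("roles/storage.", "roles/bigquery.")

# Constructed audit entries in a simplified Cloud Audit Log shape (not real logs).
SAMPLE_LOG_LINES = [
    # Benign: an admin user grants a viewer role to someone else.
    json.dumps({
        "timestamp": "2024-01-01T10:00:00Z",
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "resourceName": "projects/example-project",
            "authenticationInfo": {"principalEmail": "admin@example.com"},
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/viewer", "member": "user:analyst@example.com"}
            ]}},
        },
    }),
    # Self-grant: a web service account adds roles/storage.admin to itself.
    json.dumps({
        "timestamp": "2024-01-01T10:05:00Z",
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "resourceName": "projects/example-project",
            "authenticationInfo": {
                "principalEmail": "web-sa@example-project.iam.gserviceaccount.com"},
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/storage.admin",
                 "member": "serviceAccount:web-sa@example-project.iam.gserviceaccount.com"}
            ]}},
        },
    }),
    # Sensitive but not self: a BigQuery role handed to a different service account.
    json.dumps({
        "timestamp": "2024-01-01T10:06:00Z",
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "resourceName": "projects/example-project",
            "authenticationInfo": {
                "principalEmail": "web-sa@example-project.iam.gserviceaccount.com"},
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/bigquery.dataViewer",
                 "member": "serviceAccount:etl-sa@example-project.iam.gserviceaccount.com"}
            ]}},
        },
    }),
    # Unrelated API call; ignored by the scanner.
    json.dumps({
        "timestamp": "2024-01-01T10:07:00Z",
        "protoPayload": {"methodName": "storage.objects.get",
                         "authenticationInfo": {"principalEmail": "admin@example.com"}},
    }),
]


def _member_identity(member):
    """Strip the 'user:' / 'serviceAccount:' prefix so a binding member can be
    compared with the bare email in principalEmail."""
    return member.split(":", 1)[1].lower() if ":" in member else member.lower()


def added_bindings(entry):
    """Return the bindings a SetIamPolicy entry added (empty for other methods)."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != "SetIamPolicy":
        return []
    deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    return [d for d in deltas if d.get("action") == "ADD"]


def analyze(entry):
    """Produce findings for one parsed entry: a self-grant is high severity,
    any other grant of a sensitive role is medium."""
    findings = []
    payload = entry.get("protoPayload", {})
    caller = payload.get("authenticationInfo", {}).get("principalEmail", "").lower()
    for delta in added_bindings(entry):
        role, member = delta.get("role", ""), delta.get("member", "")
        base = {"timestamp": entry.get("timestamp"), "caller": caller,
                "role": role, "member": member,
                "resource": payload.get("resourceName")}
        if caller and _member_identity(member) == caller:
            findings.append({"kind": "self_grant", "severity": "high", **base})
        elif role.startswith(SENSITIVE_ROLE_PREFIXES):
            findings.append({"kind": "sensitive_grant", "severity": "medium", **base})
    return findings


def scan(lines):
    """Parse newline-delimited JSON audit entries and collect findings;
    malformed lines are skipped rather than aborting the scan."""
    findings = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend(analyze(entry))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG_LINES):
        print(finding["severity"], finding["kind"], finding["caller"], finding["role"])
```

The member/principal comparison is the part that is easy to get wrong in a real rule: binding members carry a `serviceAccount:` or `user:` prefix while `principalEmail` is a bare address, so a naive string equality never matches. A self-grant of a storage role from a workload identity is a precise signal for the escalation step described above and is cheap enough to run as an automated alert rather than a periodic review.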

Source: unit42.paloaltonetworks.com (17 min read)
Table of contents
Executive Summary
Background: LLM Agents and Security
System Architecture
The Attack Chain in Action
Key Technical Insights
Implications for Defenders
Conclusion
Cortex XDR/XSIAM Alerts on Zealot Behavior
Additional Resources
