Relying upon AI-driven cybersecurity to fend off cyberattacks raises a paradox: improving speed and productivity is a game changer, but it carries a risk to quality, fidelity and trust. The battle against tomorrow’s threats won’t be won by completely removing the “human element” but understanding where human judgement improves resilience.
A glimpse into tomorrow’s threats
The OpenClaw open source autonomous agent platform is the latest reminder of AI's dual-edged role in cybersecurity. OpenClaw and the viral popularity of AI agent social network Moltbook this January caused a new level of alarm. Rather than visiting a website to use an AI agent, people can install an OpenClaw agent on their machine, in what OpenClaw calls a “spicy” setup because you’re “wiring frontier-model behavior into real messaging surfaces and real tools”. With broad system access to perform actions via large language models (LLMs), the AI agent can modify files, send messages and receive instructions from WhatsApp and other messaging apps without human oversight.
Cybercriminals saw an opportunity
Moltbook’s emergence immediately attracted threat actors to the wider OpenClaw ecosystem, particularly its “skills” registry, ClawHub, which was abused to distribute trojans, infostealers and other malware. OpenClaw users can install skills developed by third parties to extend agent capabilities. These skills (akin to mobile apps) include a markdown file containing plain-English descriptions that LLMs such as Claude and ChatGPT use to decide when and how to invoke a skill, for example reacting to changes in cryptocurrency markets.
Then in February, Molt Road emerged as a “black market” where autonomous agents exchange digital assets and malicious skills. Assets observed on the platform included stolen credentials, compressed (.zip) files containing code such as reverse shells or cryptocurrency drainer malware, and zero-day exploits. Cybersecurity firm Hudson Rock declared OpenClaw and Moltbook had shifted threats from human adversaries to autonomous AI agents that are “capable of utilizing stolen credentials to infiltrate organizations, execute lateral movements, deploy ransomware and fund their own expansion via cryptocurrency – all without human oversight.”
The conclusion echoed a growing narrative that threat actors can leverage AI to attain fully autonomous operations — something that has yet to occur. A closer look at the threats also shows the tactics, techniques and procedures (TTPs) — credential theft, social engineering, lateral movement — remain familiar territory for defenders that should not be overlooked.
The risk of over-rotating on AI-driven threats
The OpenClaw ecosystem illustrated how autonomous threats could emerge as a force multiplier for cybercriminals, enabling more scalable, convincing and automated attacks across social engineering, fraud and malware development. It was also a reminder that sound threat analysis, human expertise and foundational security can beat future threats.
Bernardo Quintero, security engineering director at VirusTotal, analysed the malicious skills on ClawHub and concluded that “boring” security controls will beat these threats when agent ecosystems mature. “The difference will be boring, unglamorous engineering: boundaries, safe defaults, auditing, and healthy skepticism,” he noted.
Threat actors abusing OpenClaw AI skills largely used ClickFix-like social engineering to trick human victims into copying a command and entering it into a command line tool to solve a fake glitch. ClickFix campaigns now dominate malware distribution methods. (Our 2026 Cyber Threat Trends & Outlook report provides an in-depth look into how threat actors use ClickFix tactics to distribute malware.)
At the same time, OpenClaw’s privileged system access poses a real risk if employees install it on enterprise devices. The agent could autonomously leak or exfiltrate data or connect to IP addresses it should not. Yet it is also just another software inventory challenge, known as “shadow IT” or unsanctioned devices and software. Moreover, most endpoint detection and response (EDR) tools will enumerate OpenClaw-like AI agents out of the box, according to Intel 471 threat hunt analyst Thomas Kostura, who classified OpenClaw as a Potentially Unwanted Program (PUP) — not malware, which is harmful by definition, but software that can compromise privacy and security.
Divided opinions on AI threats
The World Economic Forum’s Cybersecurity Outlook 2026 revealed heightened optimism about, and fear of, AI. CEOs ranked “AI vulnerabilities” as the top concern, ahead of phishing, supply chain attacks and vulnerability exploits, displacing ransomware, which topped last year’s list. Notably, CISOs ranked ransomware as the top threat in both the current and prior year.
Closer to cybersecurity operations, there are concerns that AI has become a distraction from core security principles. A recent survey of prominent cyber threat intelligence (CTI) practitioners found consensus that AI threats were “overhyped”. Many practitioners believe that AI threats are consuming disproportionate attention relative to their observed operational impact, which has left critical security capabilities, such as supply chain visibility, under-resourced. This undermines the value of CTI for threat prioritization. Thomas Roccia, a threat researcher, argues that the goal of using AI in CTI should be tailored and predictive threat intelligence, not generic reporting. “With AI advancement, it generates more data, more alerts, and more false positives. The ability to separate true threats from misleading or low-value signals will become even more important for CTI teams.”
One example of hype influencing executive decisions was a paper published by MIT Sloan titled “80% of Ransomware Attacks Now Use Artificial Intelligence”. In November, security expert Kevin Beaumont investigated the report after multiple CISOs forwarded him the paper as proof that he was wrong to say AI didn’t play a significant role in ransomware attacks. He found so many errors in the paper that its authors removed it from their website. A glaring example was the paper linking AI usage to the ransomware group Conti, which disbanded before ChatGPT was released. Beaumont was concerned that CISOs were being distracted by profit-driven misinformation.
A barrier to autonomous cyberattacks
AI hallucinations, where an LLM makes up facts, are an unsolved problem for frontier AI models. They are also a key obstacle to fully autonomous cyberattacks, in which no human intervention is required. In November, Anthropic, maker of the Claude AI chatbot, uncovered what it said was the first documented “cyberattack largely executed without human intervention at scale”, where attackers were able to “leverage AI to execute 80-90% of tactical operations independently at physically impossible request rates”.
While suggesting a high degree of automation, Anthropic’s threat intelligence team noted Claude’s hallucinations resulted in “frequently overstated findings and occasionally fabricated data” such as falsifying valid credentials. It concluded that “validation of claimed results remains an obstacle to fully autonomous cyberattacks”.
Intel 471’s Kostura says it’s time for the cybersecurity industry to “remove the fears and focus on reality”.
“The conversation that needs to be had is how much AI is helping adversaries spin up attacks faster and removing barriers of entry for adversaries. Semi-sophisticated malware can be spun up by folks with less technical knowledge, which in turn will create more attacks with more depth,” he says.
Cybersecurity firm SentinelOne recently outlined several key trends that provide a framework for understanding AI usage with malware:
- Actors have offered backdoored “AI assistants” and use them with social engineering to distribute infostealer malware
- Organizations deploy insecure LLM-integrated systems vulnerable to prompt injection attacks that “jailbreak” models
- Attackers use LLMs to autonomously generate malware. SentinelOne researchers assessed that LLM-generated malware remains immature with adversaries appearing to refine outputs manually due to AI hallucination
- Threat actors are using LLM-embedded malware in operations, such as PromptLock and APT28 LameHug/PROMPTSTEAL
- Underground actors have offered LLMs as a hacking assistant, such as WormGPT, FraudGPT, HacxGPT
Its analysis of LLM-embedded malware found that while it could defeat signature-based detections, the method is “brittle” because threat actors are reliant on access to dominant commercial AI providers. Anthropic, OpenAI, Google, Microsoft and Mistral can revoke API keys once a threat is detected.
Kostura says it’s worth monitoring developments in autonomously generated malware, but the AI-enabled attacks today always rely on well-known behaviors and typically generate faulty code.
“The key for detecting and hunting threats, whether it’s AI or human, is understanding the common behaviors an attacker has to take to achieve different goals. There are a finite amount of ways for an adversary to establish persistence on a Windows machine,” he says. Examples include modification of the Run Registry Key or identifying items placed in Startup Folders. Identifying these behaviors provides coverage for activity seen in a vast majority of attacks.
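As an added example (not code from the article or from Intel 471), the following Python flags the two Windows persistence behaviors Kostura names, a write to a Run/RunOnce registry key and a file dropped into a Startup folder, over constructed Sysmon-shaped events. The field names (EventID, Image, TargetObject, TargetFilename) follow Sysmon’s schema for Event ID 13 (registry value set) and Event ID 11 (file create), but the events themselves are made up for the demonstration.

```python
# Added example: flag the two persistence behaviors named above (Run key writes and
# Startup folder drops) in constructed, Sysmon-shaped events; field names are assumed.
import re
from pathlib import PureWindowsPath

# Run / RunOnce autostart keys under any hive, matched on a Sysmon ID 13 TargetObject.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)

# Per-user and all-users Startup folders share this lower-cased path suffix.
STARTUP_SUFFIX = r"\microsoft\windows\start menu\programs\startup"

def is_run_key_write(event: dict) -> bool:
    """Sysmon Event ID 13 (RegistryEvent value set) touching a Run/RunOnce key."""
    return event.get("EventID") == 13 and bool(RUN_KEY_RE.search(event.get("TargetObject", "")))

def is_startup_folder_drop(event: dict) -> bool:
    """Sysmon Event ID 11 (FileCreate) landing directly in a Startup folder."""
    if event.get("EventID") != 11:
        return False
    parent = str(PureWindowsPath(event.get("TargetFilename", "")).parent).lower()
    return parent.endswith(STARTUP_SUFFIX)

def find_persistence(events):
    """Return (technique, image, target) for every event matching either behavior."""
    hits = []
    for ev in events:
        if is_run_key_write(ev):
            hits.append(("registry_run_key", ev["Image"], ev["TargetObject"]))
        elif is_startup_folder_drop(ev):
            hits.append(("startup_folder", ev["Image"], ev["TargetFilename"]))
    return hits

# Constructed sample events: benign process start, Run key write, Startup drop, benign file.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helper.lnk"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for technique, image, target in find_persistence(SAMPLE_EVENTS):
        print(f"{technique}: {image} -> {target}")
```

The same two checks apply whether the writing process was a hand-built loader or an LLM-generated one, which is the point of hunting on behavior rather than on file signatures.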
Attackers can rapidly build new toolsets, which increases the need for defenders to focus on tradecraft and behavioral heuristics for detection rather than on the tools themselves.
The danger of blind trust: “automation bias”
Automation is critical to the efficiency of intelligence and security operations. But “automation bias”, where humans trust system outputs despite seeing conflicting evidence, is a known challenge in cybersecurity and other domains. This tendency can determine whether an incident escalates into a serious breach, especially if humans blindly trust automated systems that misclassify critical threats as low risk.
Kostura says many defenders place too much faith in SOC automation. “So many security teams lean on their tools to handle threats but the tool needs a partnership with the human. Just dropping in an EDR solution and saying you are covered is fool’s gold. Attackers routinely work to beat those defenses. This is where the human provides depth — where behavior based detections and hunts identify gaps in your tooling and apply additional thread in the net to shore it up.”
Similar risks apply in CTI. Michael DeBolt, Intel 471 president and chief intelligence officer, believes organizations should embrace the benefits of AI-generated threat intelligence, but remain fully aware of its inherent drawbacks and real-life consequences.
“Organizations should fully understand the benefits and risks when seeking to outsource their analysis and understanding of the threat landscape to AI. Yes, AI systems are boosting productivity and efficiency; but threat intelligence at its core is all about trust consciousness and source traceability. It gets very risky to rely on any data without testing its trustworthiness and determining its reliability to inform security and risk decisions. An AI-generated output is only as effective as the well-placed human analyst validating it.”
Nick Andersen, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), saw Anthropic’s report on the AI-orchestrated cyberattacks as a wake-up call to how critical AI will be. But, he stressed for defenders: “The core principles haven't changed here… The types of TTPs we need to secure ourselves against aren't changing here.”
“Defenders need to remain focused on securing their systems, understanding their vulnerabilities, looking at operating principles, hardening their interfaces,” he said. “Until we get to the next evolution of this, which is the ability for adaptive malware… then this is really where we're focused right now.”
A solution: embracing the technology and people partnership
The bigger picture is that there is pressure on many sectors to use AI to lower costs and boost productivity. Victor Dominello, who has led some of Australia’s largest public sector digital transformation programs, recently argued the case for “productive friction” amid the race to automate processes with AI. He cautioned that blanketing every business process with AI risks a slow death of knowledge in core systems, the value of which doesn’t become apparent until things break. This is what he calls the “productivity trap” that many countries find themselves in.
“AI helps organisations move faster, so the dashboards look good. Processing times fall. Some types of errors drop. But if staff stop interrogating assumptions, diagnosing causes or understanding underlying systems, capability erodes beneath the surface,” notes Dominello, comparing it to “running a factory that increases output every quarter while the main machine quietly rusts.”
“And if you don’t know how the machines work, you cannot fix them,” he writes. “AI systems should build in productive friction. Short questions that ask users to outline their reasoning or identify risks keep people cognitively engaged. Without friction, skills fade.”
His practical test for AI productivity claims goes like this: “If an AI tool can't show sources, flag uncertainty, or explain exceptions, it's not helping judgement - it's speeding up guesswork. AI can lift productivity, but if we only measure speed and savings, we risk systems that move faster while judgement quietly deteriorates.”
This is a lesson that can be applied in cybersecurity too. The human “bottleneck” in cybersecurity isn’t a bug—it’s a feature worth preserving. As organizations race to automate threat detection and response using AI, the goal shouldn’t be eliminating human judgment, but amplifying it at key points. The question for every CISO implementing AI tools should be: Does this help my team proactively understand threats better, or just chase alerts faster?
