You Thought Ransomware Was a Nightmare? Try Sustained Attrition.
Since the idea of agentic-powered “sustained attrition” attacks hit me, it has literally kept me up at night. Not in a vague, ambient anxiety kind of way. In the specific, wide-awake-at-3-AM kind of way where you keep turning a problem over because you can’t find the answer and you’re not sure anyone else has found it either.
Understanding a problem can feel like progress, even when the solution isn’t obvious yet. I had spent weeks deep in research about cybersecurity in a post-Mythos world, specifically on backup, recovery, and business continuity, when this potential scenario surfaced in my mind. All the playing pieces are on the board. The game is being written as we speak.
I wish my investigation of this possibility had resulted in a viable solution. I came up mostly empty. I think the security community needs eyes on this problem before the scenario I’m about to describe starts to hit the news cycle at scale. I believe there are smart people working on problems just like this. I hope practitioners, researchers, insurers, regulators, and vendors will start building toward a response.
The Scenario That Woke Me Up
Let me describe what sustained attrition looks like in practice. I hope to be useful to defenders without being a how-to for attackers. The goal is to paint the picture clearly enough that security teams can start designing against it.
It is 2:47 AM on a Tuesday. An AI agent deployed by an external adversary identifies an entry point. The credential was a valid API key sitting in a public MCP configuration file on GitHub, active for over a year, never rotated. The agent gains a foothold and immediately does what agentic systems do. It enumerates what systems are reachable, what agents are running with what permissions, and where the backup infrastructure lives. It discovers paths that lead to your crown jewels. The reconnaissance happens continuously and automatically, not in a defined pre-attack phase.
Your monitoring detects anomalous behavior at 3:15 AM. The alert fires. An on-call engineer wakes up. Incident response begins. Containment. Isolation. The start of a recovery process that, even with best-in-class tooling, will take hours. For large environments with significant data volumes, days.
Here is what the agent is doing during your recovery.
It already mapped three alternative entry points during the initial enumeration. Two of those paths are still open because the isolation was incomplete in the chaos of the 3 AM response. The agent isn’t waiting for a human decision to try the next one. It adapted, and it persisted.
Attack 2 lands at 6:30 AM. Your team hasn’t finished recovering from Attack 1. Now they are managing two simultaneous incidents. The first is in mid-restoration, and now another one is just beginning. A senior engineer is making prioritization decisions. Was the clean recovery point for the systems affected in Attack 1 verified, or did someone assume it was clean because the verification step got skipped in the pressure of a second active incident?
The agent doesn’t have this problem. It doesn’t get tired. It doesn’t skip verification steps. It doesn’t make the mistakes that humans make at hour six of a sustained response. The asymmetry is total, and it compounds with every cycle.
Shall I state the obvious here? This is bad. Like how Egon from Ghostbusters explains that crossing the streams of their proton packs would be “bad.” Like, total protonic reversal and every molecule in your body exploding at the speed of light kind of bad. I’m being a touch dramatic. But you get my point.
The Building Blocks Are Already Here
This isn’t just the fever dream of a cybersecurity-educated marketer. The components exist and are documented in the wild.
On November 13, 2025, Anthropic published a disclosure that should have stopped the security industry cold: “Disrupting the First Reported AI-Orchestrated Cyber Espionage Campaign” [1]. In mid-September 2025, Anthropic detected a Chinese state-sponsored group that had jailbroken Claude Code and used it to autonomously infiltrate roughly thirty global targets including large tech companies, financial institutions, chemical manufacturers, and government agencies. The attack was not AI-assisted. It was AI-executed.
The specifics matter for what I am about to argue.
The attackers broke their campaign into small, seemingly innocent tasks that Claude executed without being given the full context of their malicious purpose. At peak activity, the AI made thousands of requests, often multiple per second. The threat actor performed 80 to 90 percent of the campaign using AI, with human intervention required only sporadically, for approximately four to six critical decision points per hacking campaign. That is a nearly fully autonomous attack, with humans providing strategic direction and little else.
Later, in the final phase, the attackers had Claude produce comprehensive documentation of the attack to include files of stolen credentials, analyzed systems, and identified high-privilege accounts, specifically to assist in planning the next stage of operations. The agent was not just executing the current attack. It was actively preparing the next one while the current campaign was still running.
That is the seed of the “attrition model,” and it is documented in Anthropic’s own primary disclosure of a campaign detected in September 2025: an agent preparing the next operation while the current one is still running.
Malwarebytes’ 2026 State of Malware report documents the broader shift in attack economics: AI agents can now run multiple simultaneous intrusions autonomously, create exploits from patches in minutes, and outperform elite human researchers. Small crews or single operators can now execute reconnaissance, lateral movement, and extortion at a scale and speed previously reserved for large, experienced intrusion teams [2].
The persistence property is the key differentiator. Barracuda’s 2026 threat analysis found that agentic AI can plan, adapt, and persist autonomously, turning multi-stage attacks into continuous operations. It doesn’t stop after a failed attempt. It continues trying until it finishes the operation or is shut down. The agent must be purged completely to be contained [3].
Read that last sentence again. The agent must be purged completely to be contained. Not just the encrypted files restored. Not just the compromised account reset. The agent and every foothold it had established must be identified and eliminated. That is a fundamentally different containment requirement than anything current incident response playbooks are built around.
The government and critical infrastructure attack data further substantiates this threat. Since March 2026, an Iranian-affiliated APT group has disrupted programmable logic controllers deployed across multiple US critical infrastructure sectors including government services, water and wastewater systems, and energy, causing operational disruption and financial loss [4]. CISA and allied agencies confirmed these efforts were designed to “cause disruptive effects within the United States.”
My point is that persistent operational disruption of critical infrastructure is happening now, and the AI-orchestrated tradecraft documented above is ready to be pointed at the same targets.
The Leverage This Creates for Attackers
The attacker in this scenario doesn’t need to encrypt anything. They don’t need to exfiltrate anything. They only need to demonstrate that they can keep you offline indefinitely. One successful attrition cycle, where Attack 2 lands before full recovery from Attack 1, is proof of concept. Then the demand arrives.
The demand isn’t “pay us to decrypt your data.” It’s “pay us and we stop.”
That demand is backed by demonstrated capability, not just a threat. And the amount they can credibly demand is not “what is your data worth to you?” It’s “what is every hour of operational unavailability costing you, with no natural endpoint?” For a large enterprise at $14,056 per minute of downtime [10], the math is catastrophic. For a healthcare system that cannot process patient records, a financial institution that cannot execute transactions, or a logistics company that cannot move product, it’s game over.
Intel 471 found extortion breaches surged 63% in 2025, with Qilin RaaS introducing “structured data analysis audits designed to increase leverage over targets.” The extortion ecosystem is innovating on leverage mechanisms. The attrition model is the logical next innovation in that progression [5].
The victim’s negotiating position in this scenario is weaker than in any ransomware situation, because there is no recovery path that resolves the underlying threat. You can restore from backups after ransomware and, provided you also closed the initial access vector, be done with it. You cannot restore your way out of an adversary who can reliably trigger the next incident before you finish recovering from the last one. The leverage is not in the data. It is in the cadence.
Resilience Insurance predicted that the extortion-only model with no encryption, only pure operational disruption as leverage, may represent the majority of extortion incidents by the end of 2026. We are already watching this transition happen. The attrition model is where it leads when AI removes the cost constraint on repeated attacks [6].
The Reference Point Everyone Is Working From
Ransomware has been the defining threat model of the last decade. It has a known playbook. Security teams have practiced it. Cyber insurance was built around it. Regulators have guidance for it. Negotiators specialize in it.
In the ransomware model, the attacker gets in, identifies and encrypts your data, disables backup agents, erases recovery points, and presents a demand. You can pay the ransom or restore from backups. Either way, there is a defined endpoint. The attack is over. The damage is quantifiable. The clock starts on recovery.
That model, as damaging as it has been, assumes that the attacker wants a transaction. They want payment. Once they have it, or once you’ve restored and they’ve moved on, the incident concludes.
Palo Alto’s Unit 42 2026 Global Incident Response Report, analyzing over 750 major cyber incidents across 50 countries, documents that encryption-based extortion declined 15% as more attackers skip encryption entirely and move to operational disruption as their primary leverage mechanism. The industry is already shifting away from the model we’ve practiced for [7].
VikingCloud describes where it’s heading: “Ransomware gangs have figured out that encrypting files is only one way to hold a business hostage. They prioritize availability, not just data. If 800 stores go down for six hours, the financial impact far exceeds the ransom amount” [8].
And Resilience Insurance’s Tom Egglestone tells us that “Cyber extortion is entering its next phase. By 2026, attacks will no longer rely solely on encryption or data theft but will combine multiple tactics in sequence. Adversaries are discovering that the most effective leverage comes from sustained, multi-layered disruption that touches every part of an organisation’s operations” [6].
This is the direction of travel. The threat model everyone has been preparing for is already being replaced by something worse.
Why Current Backup, Recovery, and Business Continuity Plans Would Be Useless
This is the rabbit hole I found as I was thinking about the business continuity problem when agentic adversaries enter the picture.
Current backup and recovery architectures are designed to survive one bad event with immutable backups, clean recovery points, cleanroom restoration environments, and rapid identification of uncompromised data. These are all valuable, necessary, and partially effective for a single catastrophic event. They are not designed for sustained attrition attacks.
Commvault’s cleanroom recovery creates an on-demand, secure, isolated environment where organizations can test recovery plans, conduct forensic investigations, and execute production recoveries without risking further disruption [9]. That is a good approach for single-event resilience. But a cleanroom gives you clean data to restore to. It doesn’t solve the problem that the environment you are restoring into is being actively probed for the next attack while you are still in the cleanroom. What if the restoration and the next attack are running in parallel?
Keiser University’s BCDR analysis notes that disaster recovery and business continuity “skyrocketed from not even in the top 10 in 2024 to number three in 2025” among CISO priorities, and that the average cost of downtime is $14,056 per minute. Organizations are paying attention to this. But paying attention to single-event recovery speed is a different problem from designing for repeated attack cycles [10].
Current Recovery Point Objective and Recovery Time Objective frameworks were designed for one bad day. They tell you how much data you can afford to lose and how quickly you need to restore. They do not tell you what to do when the next attack arrives before the current restoration is complete. They do not account for a scenario where the question is “what is our RTO relative to the attacker’s next strike cadence?”
When it comes to business continuity plans, what does your organization do while primary systems are in recovery? Most organizations have given this insufficient thought for a single event, let alone what it should look like when a campaign of continuous attacks renders backup and recovery methods useless.
As I said, I don’t have the full answer to this. I don’t think anyone does yet. The vendors building recovery tooling are doing important work. Veeam’s Intelligent ResOps, Cohesity’s clean room, Commvault’s synthetic recovery, and Rubrik’s threat hunting are real innovations addressing real problems. But they are all solving for single-event resilience. The sustained attrition scenario is a different engineering problem, and I don’t see evidence that anyone has fully designed for it yet.
The Government and Critical Infrastructure Dimension
I cannot help imagining another terrible use case for this type of attack.
A private company facing operational attrition loses revenue, reputation, and customer trust. That is serious. It is potentially existential for smaller organizations. It is recoverable over time for larger ones.
A government agency facing operational attrition loses the ability to deliver services that citizens depend on. The downstream human cost of extended operational unavailability is not measured in dollars. It is measured in people who don’t receive medical care, emergency response that doesn’t arrive, critical infrastructure that stops functioning.
The ODNI’s Annual Threat Assessment 2026 makes the geopolitical context explicit. China, Russia, Iran, and North Korea are all actively targeting US critical infrastructure. Ransomware groups are shifting to faster, high-volume attacks. AI’s influence is deepening across offensive operations [11].
On April 23, 2026, the Executive Office of the President issued a memorandum to heads of all executive departments warning of threats from foreign entities engaged in “deliberate, industrial-scale campaigns” to attack US systems [12].
The Atlantic Council adds an institutional vulnerability that compounds the threat: CISA is operating without a confirmed director, has seen significant workforce reductions, CIRCIA’s final rule has been delayed to May 2026, and the Cybersecurity Information Sharing Act lapsed in September 2025 with only a temporary extension. The threat is escalating at precisely the moment institutional capacity to respond has been weakened [13].
The scenario of a coordinated, AI-orchestrated attrition campaign against multiple government agencies simultaneously, making critical services unavailable on demand, is not science fiction. It is a logical application of capabilities that are documented in the wild today, directed at a target set that is publicly acknowledged to be under sustained attack, at a moment when the defensive institutional infrastructure is under-resourced.
I find that genuinely frightening. I think you should too.
The Insurance Gap Nobody Has Closed
Cyber insurance was built for the ransomware model: a defined incident, a quantifiable loss, and a recoverable situation. TechTarget’s analysis of the next generation of attacks concludes that cyber insurance won’t cover them. The GAO has identified a gap in the Terrorism Risk Insurance Program: cyberattacks must be violent or coercive to qualify, a threshold most state-sponsored operations don’t meet. And 23% of private-sector organizations already rate their cyber resilience as insufficient [14].
Insurers are now defining “widespread events” in ways that limit aggregate exposure, adding exclusions that may restrict coverage when multiple policyholders are affected simultaneously [15]. A coordinated attrition campaign that affects multiple organizations through shared infrastructure fits exactly this exclusion.
The attrition scenario breaks every assumption insurance was built around. When does the incident start? When does it end? What is the quantifiable loss when the attacker never encrypts anything, only keeps triggering recovery cycles? How do you file a claim for “we were intermittently unavailable for three weeks due to repeated AI-orchestrated attacks with no defined endpoint”?
The answer is you probably can’t. Not under any policy that currently exists. And there is no federal backstop for it.
Starting Points, Not Solutions
I have not found a viable solution to the attrition problem. I did find starting points. These are ways to begin thinking and building that are better than what most organizations are doing right now. The full solution requires innovation that hasn’t happened yet.
Ask the question nobody is asking about your RTO. Your Recovery Time Objective was designed for one event. Ask instead: what is our RTO, including the clean-point verification step, relative to the likely attack cadence? A four-hour RTO is excellent if attacks arrive every three days. It is operationally useless if attacks arrive every two hours, because the second incident lands with half of the first restoration still to go, and the backlog only grows from there. You cannot answer this question until you ask it.
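To make the RTO-versus-cadence comparison concrete, here is a small model of a response team under repeated attacks. It is an added example, not code from the original post or from any vendor: the team-capacity and fatigue assumptions (one team whose throughput is shared across open incidents and drops a fixed fraction for every extra simultaneous incident), the verification hours, and the attack timelines are all constructed for illustration.

```python
"""Recovery time versus attacker strike cadence (constructed model)."""
from dataclasses import dataclass


@dataclass
class AttritionResult:
    availability: float        # fraction of the horizon with no open incident
    peak_concurrent: int       # most incidents being worked at the same time
    unresolved_at_end: int     # incidents still open when the horizon closes
    longest_outage_hours: float


def attacks_every(interval_hours, horizon_hours, first_at=0.0):
    """Attack arrival times at a fixed cadence (constructed timeline)."""
    times, t = [], first_at
    while t < horizon_hours:
        times.append(t)
        t += interval_hours
    return times


def simulate_attrition(rto_hours, attack_times, horizon_hours,
                       verify_hours=1.0, slowdown_per_extra=0.25, dt=0.05):
    """Time-stepped simulation of a single response team.

    Assumptions (illustrative, not measured):
    - the team has unit capacity (one work-hour per hour) split evenly
      across every open incident;
    - each open incident beyond the first slows the whole team by
      `slowdown_per_extra` (context switching and fatigue at hour six);
    - an incident is closed only after rto_hours of restoration plus
      verify_hours of clean recovery point verification.
    """
    work_per_incident = rto_hours + verify_hours
    pending = sorted(attack_times)
    open_incidents = []            # remaining work-hours per open incident
    up_time = outage = longest = 0.0
    peak = 0
    steps = int(round(horizon_hours / dt))
    for i in range(steps):
        t = i * dt
        while pending and pending[0] <= t:
            pending.pop(0)
            open_incidents.append(work_per_incident)
        n = len(open_incidents)
        peak = max(peak, n)
        if n == 0:
            up_time += dt
            longest = max(longest, outage)
            outage = 0.0
            continue
        outage += dt
        team_rate = 1.0 / (1.0 + slowdown_per_extra * (n - 1))
        share = team_rate * dt / n
        open_incidents = [w - share for w in open_incidents]
        open_incidents = [w for w in open_incidents if w > 1e-9]
    longest = max(longest, outage)
    return AttritionResult(up_time / horizon_hours, peak,
                           len(open_incidents), longest)


if __name__ == "__main__":
    calm = simulate_attrition(4.0, attacks_every(72.0, 72.0), 72.0)
    print("one attack in three days:", calm)
    attrition = simulate_attrition(4.0, attacks_every(2.0, 24.0), 24.0)
    print("attack every two hours:", attrition)
```

With a four-hour RTO plus one hour of verification, a single attack in a three-day window costs five hours and the environment is up 93% of the time. Move the same team to an attack every two hours and no incident ever closes within the day: availability is zero, twelve incidents are open at once, and the first restoration is still unfinished at hour twenty-four. The number that matters is not the RTO alone but RTO plus verification measured against the attacker’s inter-arrival time.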
Map your Minimum Viable Operations before an incident. What does your organization need to function at the bare minimum while primary systems are in recovery? What can you do manually, in degraded mode, or through alternate channels? What are the three to five systems or processes that, if you could only keep those running, you could survive? In a sustained attrition scenario, this answer is the difference between functioning and collapse.
Treat backup infrastructure as outside the blast radius of your entire agentic environment. Policy isolation isn’t going to cut it. We need architectural isolation: separate credentials, separate network paths, and no route from any production agent to the backup tier. If any agent can reach it, assume it eventually will. Immutability is necessary but not sufficient. An immutable backup system that is reachable for enumeration is still giving an attacker a map.
Use short-lived credentials everywhere that touches recovery. This means every backup service account, recovery tool, and administrative credential that touches backup infrastructure. A credential that expires in fifteen minutes has a fraction of the usefulness of one valid for four years when the scenario involves repeated exploitation cycles. GitGuardian found that 64% of valid secrets from 2022 are still active and exploitable in 2026. That is the population of credentials sitting in your environment that an agentic attacker can use to reset after each recovery cycle [16].
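The two points above (no agent path to backup infrastructure, and only short-lived credentials on anything that touches it) can be checked as code against an inventory, so the check runs on every change rather than once at design time. The following is an added example, not from the original post or any vendor: the segment names, the allowed-flow graph, the principals, and their TTLs are constructed, and the audit is a plain reachability walk, not a cloud provider or backup product API.

```python
"""Policy-as-code audit: agent reachability to backup and credential TTLs.

Constructed inventory for illustration; in practice the FLOWS graph and the
PRINCIPALS list would be generated from firewall rules, security groups and
the identity provider.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    tier: str            # "agent", "app", "backup-admin" (hypothetical labels)
    segments: tuple      # network segments this principal's credentials work from
    ttl_minutes: int     # credential lifetime; 0 means it never expires


# Directed allowed flows between segments (constructed topology).
FLOWS = {
    "agent-subnet":    {"app-subnet", "vendor-api"},
    "app-subnet":      {"db-subnet", "backup-proxy"},   # the weak link
    "backup-proxy":    {"backup-vault"},
    "recovery-subnet": {"backup-vault"},
    "db-subnet":       set(),
    "vendor-api":      set(),
    "backup-vault":    set(),
}

# Constructed principals: two agents, one app, and two backup-admin identities.
PRINCIPALS = [
    Principal("code-agent",     "agent",        ("agent-subnet",),    15),
    Principal("ops-agent",      "agent",        ("app-subnet",),      0),
    Principal("backup-svc",     "backup-admin", ("recovery-subnet",), 0),
    Principal("restore-oncall", "backup-admin", ("recovery-subnet",), 15),
    Principal("web-app",        "app",          ("app-subnet",),      60),
]


def shortest_path(graph, start, target):
    """Breadth-first search over allowed flows; None if target is unreachable."""
    if start == target:
        return [start]
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt in prev:
                continue
            prev[nxt] = node
            if nxt == target:
                path = [nxt]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def audit(principals, graph, backup_segment="backup-vault", max_ttl_minutes=15):
    """Return (principal, rule, detail) findings for the two isolation rules."""
    findings = []
    for p in principals:
        paths = [shortest_path(graph, seg, backup_segment) for seg in p.segments]
        paths = [path for path in paths if path]
        # Rule 1: no agent-tier principal may have any network path to backup.
        if p.tier == "agent" and paths:
            findings.append((p.name, "agent-reaches-backup", " -> ".join(paths[0])))
        # Rule 2: anything that can reach backup must use short-lived credentials.
        if paths and (p.ttl_minutes == 0 or p.ttl_minutes > max_ttl_minutes):
            findings.append((p.name, "long-lived-credential-touches-backup",
                             f"ttl={p.ttl_minutes}m"))
    return findings


if __name__ == "__main__":
    for finding in audit(PRINCIPALS, FLOWS):
        print(*finding)
```

Run as-is, the audit reports that both agents reach the vault through the app tier’s route to the backup proxy, and that the never-expiring backup service account and the sixty-minute app credential both violate the TTL rule, while the on-call restore identity with a fifteen-minute credential is clean. Removing the app-subnet to backup-proxy flow closes both agent paths; the long-lived backup service account stays flagged until it is rotated onto short-lived credentials.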
Test recovery under realistic degraded conditions. Organizations that regularly test disaster recovery plans recover 50% faster from cyber incidents. But the relevant test for attrition isn’t a scheduled, fully-staffed DR drill under calm conditions. It’s a simulated second incident arriving before the first one is resolved. It’s a deliberately understaffed response team making decisions under pressure at hour six. It’s a verification step that gets skipped. Test the conditions you will actually face, not the conditions under which your plan works perfectly.
Pre-authorize containment actions and build playbooks for sustained incidents. The Five Eyes guidance is that human approval loops are too slow for machine-speed attack cadence. Decisions that can be pre-authorized should be. Playbooks for sustained multi-incident scenarios should exist before they are needed [17].
Have the board conversation about the cost model. The financial model for attrition is categorically different from ransomware. There is no ransom payment to budget for. There is no defined recovery point after which normal operations resume. The cost is pure operational loss with no natural endpoint. Boards that have modeled one catastrophic event have not modeled thirty-six hours of intermittent unavailability with no endpoint. Those are different numbers. They need to be in front of the people making investment decisions.
A Call to the Community
The thought of an agentic-powered adversary running repeated attack sequences against an organization or a government agency, while current backup, recovery, and business continuity plans prove completely inadequate to the cadence of the attack is, to me, one of the most urgent unsolved problems in security today.
And it is unsolved. Some vendors are working on pieces of it. The researchers are circling adjacent problems. The regulators are writing frameworks for single-event resilience that don’t contemplate this scenario. The insurance industry is acknowledging coverage gaps without designing products for what comes next.
If you are thinking about this, I want to hear from you. If your organization is working on it, I want to know. If you have defensive techniques or playbooks that work today, even partial ones, share them. The community needs them.
The operational attrition threat model needs dedicated attention from people with the expertise and resources to build defenses against it. I’ve described it as clearly as I can. Now I’m asking the people who can actually build the response to take it seriously.
Because the alternative, waiting until this scenario plays out at scale against a major enterprise or a critical government agency, is not a risk I’m comfortable accepting.
-- Laura Kenner
References
[1] Anthropic, “Disrupting the First Reported AI-Orchestrated Cyber Espionage Campaign,” Anthropic News, Nov. 13, 2025. https://www.anthropic.com/news/disrupting-AI-espionage
[2] Malwarebytes, “2026 State of Malware Report,” Malwarebytes, 2026. https://www.malwarebytes.com/resources/files/2026/02/malwarebytes-2026-state-of-malware-report.pdf
[3] Barracuda, “Agentic AI: The Next Frontier in Cybersecurity,” Barracuda Blog, Feb. 2026. https://blog.barracuda.com/2026/02/27/agentic-ai-the-next-frontier-in-cybersecurity/
[4] Industrial Cyber, “Ongoing cyberattacks targeting internet-connected PLCs disrupt US critical infrastructure,” Industrial Cyber, Apr. 8, 2026. https://industrialcyber.co/cisa/ongoing-cyberattacks-targeting-internet-connected-plcs-disrupt-us-critical-infrastructure-agencies-warn/
[5] Intel 471, “2026 Cyber Threat Trends & Outlook,” Intel 471, Feb. 2026. https://industrialcyber.co/reports/intel-471-reports-extortion-breaches-surged-63-in-2025-with-sustained-activity-expected-in-2026/
[6] T. Egglestone, “Cybersecurity and Insurance Predictions for 2026,” Resilience, Feb. 24, 2026. https://cyberresilience.com/blog/cybersecurity-and-insurance-predictions-2026/
[7] Palo Alto Networks Unit 42, “2026 Global Incident Response Report,” Feb. 2026. https://www.paloaltonetworks.com/blog/2026/02/unit-42-global-ir-report/
[8] VikingCloud, “7 Cybersecurity Trends That Will Define 2026,” VikingCloud Blog, Jan. 12, 2026. https://www.vikingcloud.com/blog/7-cybersecurity-trends-that-will-define-2026
[9] Commvault, “Cleanroom Recovery Innovations Enable a New Era in Cyber Resilience,” Commvault Blog, Nov. 19, 2025. https://www.commvault.com/blogs/cleanroom-recovery-innovations-enable-a-new-era-in-cyber-resilience
[10] Keiser University, “Business Continuity vs Disaster Recovery,” Keiser University Blog, Feb. 25, 2026. https://www.keiseruniversity.edu/business-continuity-vs-disaster-recovery/
[11] ODNI, “Annual Threat Assessment 2026,” Office of the Director of National Intelligence, Mar. 2026. https://industrialcyber.co/reports/odni-report-us-critical-infrastructure-faces-escalating-cyber-risks-from-china-russia-iran-and-north-korea/
[12] Epstein Becker Green, “Critical Infrastructure at Risk: Project Glasswing Urges Attention to AI-Driven Cyber-Risks,” Workforce Bulletin, May 2026. https://www.workforcebulletin.com/critical-infrastructure-at-risk-project-glasswing-urges-attention-to-ai-driven-cyber-risks
[13] Atlantic Council, “Securing Cloud Infrastructure for AI,” Issue Brief, Mar. 31, 2026. https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/securing-cloud-infrastructure-ai/
[14] TechTarget, “Why Cyber Insurance Won’t Cover the Next Generation of Attacks,” TechTarget, Mar. 26, 2026. https://www.techtarget.com/searchcio/feature/Why-cyber-insurance-wont-cover-the-next-generation-of-attacks
[15] Insurance Thought Leadership, “Cyber Insurance Exclusions to Expect in 2026,” Dec. 4, 2025. https://www.insurancethoughtleadership.com/cyber/cyber-insurance-exclusions-expect-2026
[16] GitGuardian, “State of Secrets Sprawl 2026,” GitGuardian, Mar. 17, 2026. https://www.gitguardian.com/state-of-secrets-sprawl-report-2026
[17] CISA, NSA, ASD ACSC, Canadian Centre for Cyber Security, NCSC-NZ, NCSC-UK, “Careful Adoption of Agentic AI Services,” Joint Guidance, Apr. 30, 2026. https://media.defense.gov/2026/Apr/30/2003922823/-1/-1/0/CAREFUL%20ADOPTION%20OF%20AGENTIC%20AI%20SERVICES_FINAL.PDF
[18] Resilience, “Cyber Risk Shifts From Disruption to Long-Tail Losses,” Insurance Journal, Feb. 25, 2026. https://www.insurancejournal.com/news/national/2026/02/25/859511.htm
[19] Defense One, “Pro-Iran hackers appear to increase critical infrastructure cyberattacks,” Defense One, Apr. 17, 2026. https://www.defenseone.com/threats/2026/04/iran-hackers-infrastructure-cyberattacks/412941/
[20] Object First, “Object First Survey: 89% of IT Leaders Fear AI-Powered Cyberattacks Will Cost Them Their Data,” Press Release, Mar. 31, 2026. https://www.businesswire.com/news/home/20260331825488/en
[21] Veeam, cited in TechRadar, “Ransomware attackers are going after backup storage to force you to pay up,” TechRadar, 2025. https://www.techradar.com/news/ransomware-attackers-are-going-after-backup-storage-to-force-you-to-pay-up
[22] Vantagepoint, “Cyber Resilience: Building Business Continuity in an Era of Inevitable Breaches,” Mar. 18, 2026. https://vantagepoint.io/blog/sf/cyber-resilience-building-business-continuity-in-an-era-of-inevitable-breaches
[23] CSA CISO Community et al., “The ‘AI Vulnerability Storm’: Building a ‘Mythos-ready’ Security Program,” v1.0, May 1, 2026. https://labs.cloudsecurityalliance.org/wp-content/uploads/2026/05/mythosreadyv1.0.pdf