Cyberattacks Are Becoming Compute Wars

shaimagz1 pts0 comments

Cyberattacks Are Becoming Compute Wars · Shai Magzimof

Shai Magzimof

EN<br>עב

Cyberattacks Are Becoming Compute Wars

July 12, 2026

As compute scales, so does the number of agents that can attack many targets at once, and the number that can defend them. Agent wars are compute wars, and compute wars are chip and energy wars.

In September 2025, a Chinese state-linked group ran AI agents against roughly thirty targets. The model handled 80 to 90 percent of the tactical work; humans selected targets and intervened at four to six decisions per campaign.

One operator can now run many agents against the same target in parallel. Compute determines how many attempts run at once and how long they continue.

One agent, copied across the cluster. The limit on the swarm is inference budget, not headcount.

A cyber operator can put an agent behind a cloud account and let it research targets, test exposed systems, write tools, check results, and retry across many paths. The orchestrator copies it across the cluster the way Agent Smith copies himself; each copy hunts the same target down its own path, a field of Sentinels searching in parallel.

What the measurements show

In March 2026, the UK AI Security Institute published results from a 32-step simulated corporate-network attack. The same 10 million-token budget took GPT-4o (August 2024) through 1.7 steps on average and Claude Opus 4.6 through 9.8. A tenfold increase in that budget improved performance by as much as 59 percent, with no plateau inside the tested range. These benchmarks used controlled environments without active defenders; real-world reporting shows growing autonomy, while full end-to-end attacks remain disputed.

Different models, same token budget

1.7 steps<br>9.8 steps<br>GPT-4o<br>Aug 2024 version<br>Opus 4.6<br>Feb 2026<br>10M tokens each

Newer models completed more steps at the same token budget.

Same model, larger token budget

10M tokens<br>100M tokens<br>up to 59%<br>more progress

The same model made more progress with a larger token budget. The curve shows direction and endpoint gain, not an absolute step count.

A 100 million-token Opus 4.6 attempt cost about $80 with prompt caching. An operator can spend that budget on one long trajectory or many independent attempts; a long trajectory can recover from mistakes, while parallel attempts explore more paths at the same time. Tokens don't convert cleanly to megawatts; serving details dominate.

AISI also tracks a cyber time horizon, measuring how long an agent can work at 80 percent reliability under a fixed token limit. As of February 2026, that horizon was doubling roughly every 4.7 months.

In May, Google reported high confidence that a criminal actor had used AI to help discover and weaponize a zero-day. It also documented malware that used a model to interpret system state and generate commands dynamically.

On July 1, Sysdig reported what it assessed as the first documented end-to-end agentic ransomware operation. The agent adapted to errors, established persistence, reached a production database, and destroyed data. Sysdig did not observe where the root credentials for the final server came from and could not independently verify the agent's exfiltration claim. Six days later, the UK NCSC said it had still not seen a fully autonomous attack across the complete intrusion lifecycle; the Sysdig case is important evidence, though not yet settled consensus.

Across these cases, the entry points remain ordinary: exposed software, missing patches, reusable credentials, and reachable internal services.

The model is only one part of the attacker

The swarm is only as good as what steers it. The orchestrator decides which agents run, which paths they take, and which results survive into the next session.

Provider telemetry can reveal activity outside researchers cannot see. In the September 2025 case, Anthropic's logs showed the model performing 80 to 90 percent of the tactical work while humans selected targets and intervened at four to six critical decisions per campaign. Only a handful of intrusions succeeded. The public report does not let outsiders reconstruct the attribution, degree of autonomy, or full denominator independently.

The system around the model decides which tools it can call, how long it can work, which paths run in parallel, which results are checked, and what survives into the next session. AISI improved one scaffold and reached the same success level on a cyber development set at roughly one-eighth the token cost.

What the orchestrator preserves between sessions is target state: working credentials, network topology, failed paths, software versions, and how the target responded to prior attempts. Accurate state is what converts isolated attempts into a campaign; stale or wrong state sends future attempts down paths that already failed.

A service response, working credential, changed permission, or successful database query gives the agent a machine-readable result it can act on....

agent budget token compute wars model

Related Articles