Sygnia Finds AI-Driven Attack Enabled Rapid Cloud Compromise
Sygnia, the foremost global cyber readiness and response firm, released the initial findings from its investigation into an active cyberattack in which a lone threat actor used AI as a force multiplier to financially extort a global enterprise. The investigation found evidence of attacker-developed scripts, highly parallel activity, and rapid, environment-specific adaptation across cloud services. Together, these attributes are consistent with agentic AI-assisted workflows designed to execute attacks at a speed and scale beyond what is typically expected from a single human operator.
Also Read: GitOps and Infrastructure as Code: Building Fully Automated Cloud Operations
Rather than relying on novel malware or zero-day exploits, the threat actor used AI to execute multiple well-known cloud attack techniques across a broad attack surface at a pace that significantly outstripped the victim’s ability to respond. Conducted within an AWS environment, the intrusion did not exploit a single misconfiguration. Instead, it chained together weaknesses across application services, AWS resources, source code repositories, CI/CD pipelines, runtime components, and data stores. Simultaneously, the threat actor rapidly performed credential discovery, secrets harvesting, cloud enumeration, deployment pipeline abuse, runtime modification, database access, and operational disruption.
“Cloud intrusions stemming from exposed secrets and weak identity controls are nothing new. What stood out in our investigation was the speed at which the attacker moved after gaining initial access and the sheer volume of malicious activity executed within a remarkably compressed timeframe,” said Avi Dayan, Vice President of Incident Response at Sygnia. “An attack that would have typically taken weeks to execute all happened under 72 hours. This case underscores a growing challenge for defenders: as large language models and agentic AI become more accessible, they have the potential to lower the barrier to entry, accelerate attack workflows, and enable less sophisticated or resource-constrained threat actors to operate with unprecedented speed and scale.”
Rather than following a conventional step-by-step attack path, this AI-assisted intrusion unfolded across multiple fronts simultaneously. As new opportunities were identified, the threat actor appeared to execute numerous standard post-compromise techniques in parallel, compressing what would typically take minutes or hours into seconds. For example, in one observed second, the threat actor leveraged four different access keys belonging to four separate accounts, all from the same source IP address and user agent. This activity is consistent with automated, centrally orchestrated, and potentially AI-agent-driven execution.
Also Read: Infrastructure as Code Security: Why Policy as Code Is Becoming Essential
Additionally, each newly acquired access key was rapidly leveraged to enumerate associated permissions and accessible resources, allowing the threat actor to efficiently identify the highest-value opportunities for lateral movement and data access. Within the data layer, the investigation revealed several hundred unique SQL queries executed across dozens of databases, rapidly enumerating schemas and identifying relevant data. Similar behavior was observed in the application layer, where the threat actor mapped relationships between SQS queues, vulnerable workers, payload injection points, and deployment-related files used to manage clusters. Together, these behaviors demonstrate rapid, environment-specific adaptation consistent with AI-assisted or centrally orchestrated activity capable of processing context and tailoring actions at a speed that exceeds what would typically be expected from a human operator.
This attack underscores how AI can amplify the impact of existing security caps, exposing shortcomings in enterprise readiness, visibility, and operational maturity. These findings reinforce Sygnia’s CISO Survey 2026, which found that 73% of 600 surveyed senior IT security decision-makers do not believe their organizations would be fully prepared to respond to a serious cyberattack if one occurred tomorrow.
Write to us [wasim.a@demandmediaagency.com] to learn more about our exclusive editorial packages and programmes.