惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
A
About on SuperTechFans
IT之家
IT之家
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Blog — PlanetScale
Blog — PlanetScale
aimingoo的专栏
aimingoo的专栏
云风的 BLOG
云风的 BLOG
The GitHub Blog
The GitHub Blog
Vercel News
Vercel News
G
Google Developers Blog
J
Java Code Geeks
宝玉的分享
宝玉的分享
T
Tailwind CSS Blog
Cloudbric
Cloudbric
L
LINUX DO - 最新话题
MyScale Blog
MyScale Blog
H
Heimdal Security Blog
PCI Perspectives
PCI Perspectives
Attack and Defense Labs
Attack and Defense Labs
S
Security @ Cisco Blogs
Latest news
Latest news
I
Intezer
L
Lohrmann on Cybersecurity
C
CXSECURITY Database RSS Feed - CXSecurity.com
月光博客
月光博客
T
Threatpost
博客园 - 【当耐特】
S
Schneier on Security
P
Privacy International News Feed
G
GRAHAM CLULEY
T
Tenable Blog
AWS News Blog
AWS News Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
雷峰网
雷峰网
博客园 - Franky
Engineering at Meta
Engineering at Meta
美团技术团队
S
Secure Thoughts
T
Troy Hunt's Blog
Microsoft Security Blog
Microsoft Security Blog
SecWiki News
SecWiki News
V
Visual Studio Blog
人人都是产品经理
人人都是产品经理
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Cisco Talos Blog
Cisco Talos Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Martin Fowler
Martin Fowler
Webroot Blog
Webroot Blog
Google DeepMind News
Google DeepMind News
H
Hackread – Cybersecurity News, Data Breaches, AI and More

Vectra AI Blog

Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Why You Need an NDR to Protect Your Modern Network Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI named in Gartner hype cycle for security operations 2025 Vectra AI Vectra AI Vectra AI How Sanofi Detected and Stopped a Cyberattack How MITRE ATLAS Helps Detect LLM Attacks in Cloud AI Detecting Iranian APT identity attacks across hybrid environments Vectra AI Vectra AI Vectra AI Breaking down the axios supply chain incident Vectra AI Vectra AI Who’s Doing What on Your Network? FortiClient EMS Zero-Day: When the Control Plane Becomes Initial Access Detecting Compromise After the Axios Supply Chain Attack. Vectra AI Vectra AI Vectra AI AI Is Now the Attack Surface: Why Your Security Stack Must Adapt Fast Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How attackers use Brute Ratel (BRC4) Vectra AI Vectra AI Vectra AI The Cutting Edge: AI’s Inevitable Rise in Offensive Security Vectra AI Vectra AI Is AI the Right Tool to Defend Against Modern Cyberattacks? Vectra AI Vectra AI Vectra AI Turns Out Network Security Is Cool Again – and It’s Called NDR Vectra AI Vectra AI Choosing the Right NDR: Gartner’s 5 Questions Every Security Buyer Should Be Asking Vectra AI Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Identity Threat Detection and Response (ITDR) Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI You Have the Right Tools. So Why Are Attackers Still Getting In? Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Challenges in Microsoft Log Monitoring: Insights for Your SOC Vectra AI Platform Visualizes Multi-domain Modern Attacks with Attack Graphs Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Gartner Security and Risk Conference – Chaos meets Opportunity Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Network Detection and Response (NDR) Presenting the 2025 Vectra AI Scholars Simplify Threat Investigation and Hunting with Pre-built Queries in Vectra Investigate The 2025 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) - Why Vectra AI Stands Tall Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How Black Basta Turned Public Data into a Breach Playbook Play’s New Tactics Bypass Traditional Defenses. Are You Ready? Charting a New Era of Network Security: Vectra AI at the Forefront Unlocking Operational Efficiency: How Vectra AI Drives 40% Gains in SOC Performance and 391% ROI Identity-Centric Attacks: The New Reality for UK Retail CISA Flags Fast Flux as a National Threat: Are You Covered? AI Agents: What Do They Mean in Cybersecurity?
Vectra AI
Zoey Chu · 2026-02-03 · via Vectra AI Blog

In my last post, "The Cutting Edge: AI’s Inevitable Rise in Offensive Security, " I explored how AI is beginning to automate and augment red team operations. We're moving from manually driven tools to autonomous agents that can strategize and adapt. However, many current generative red teaming methods face challenges like hallucinations, context limitations, and trade-offs between specialized models and more general, modular frameworks.

Today, I want to dive deep into a solution proposed in that paper that marks a paradigm shift for command and control (C2): the Model Context Protocol (MCP). This isn't just an incremental improvement; it's a new way of thinking about command and control.

Traditional C2 frameworks, for all their utility, operate on a predictable, rhythmic cycle: the implant "beacons" back to the C2 server to check for new commands. This regularity is a significant operational security (OPSEC) risk. Modern NDR solutions are specifically tuned to spot these patterns. Once an NDR flags that consistent heartbeat, the implant and the operation are burned.

The MCP architecture fundamentally changes this model by enabling asynchronous, parallel operations without any periodic beaconing. Instead of a constant check-in, agents communicate covertly, blending their traffic with what looks like normal enterprise AI activity. This is the core of its strength: it hides in the noise of legitimate network chatter, making it exceptionally difficult for defenders to isolate.

Our architecture (figure above) has 3 main components. The MCP agent has two legs of communication: one with the MCP server and another with the LLM Provider, in this case, Anthropic.

  1. MCP Server: Where the high-level task is assigned and returned.
  2. MCP Agent: Connects to the MCP Server to pick up the task, disconnects, and reports later. The MCP agent also has back-and-forth communication with the LLM API that is executing the attack.
  3. Anthropic API: The actual attacker in this case. With a combination of a good system prompt and a high-level task, we are able to make the benign LLM conduct full exploits and report when the task is completed.

Beyond Beaconing

The figure below illustrates a Cobalt Strike attack, clearly showing beaconing patterns. When the attacker engages, significant spikes represent large amounts of data being transmitted, primarily command outputs.

Conversely, the figure below demonstrates how communication appears with our agentic framework. This communication is event-driven; a task is assigned to an agent connected to the MCP. The agent picks up the task and closes the connection with the MCP server. After performing its task, the agent reconnects to the server and reports its findings. In the representation below, two such cases (two attacks) are depicted. The large blue spike in the second spike of each attack indicates the point where the agent sends back all important information.

Now, let's zoom in on one of these attacks. The bottom plot in the figure below represents agents' communication with the MCP server, zoomed in on one of the attacks mentioned above. We can clearly see that the agent only reports at the beginning and end of the task, while the actual back-and-forth communication occurs between the agent and the Anthropic API.

As we can see, a pattern is forming where we might be able to detect this behavior, for example, increasing blue spikes as the context becomes more filled over time. But let's look at the figure below now:

The change in pattern is evident; the agent utilized a streaming response and managed its context window more effectively, thereby completely altering the previously identified pattern. Compounding this challenge, many technology companies employ tools such as Claude Code or Cursor, which perform API calls to Anthropic, making these patterns even more difficult to differentiate due to the noise from the benign calls.

EDR Evasion and Polymorphic Swarm

This can be conceptualized as a shift from a solitary, static spy to a dynamic team of shapeshifting scouts. "Polymorphic" indicates that these agents can modify their characteristics to evade detection based on the environment. "Distributed" signifies that numerous agents operate concurrently. This "swarm" is capable of:

  • Operating in Parallel: Rather than a single agent performing one task sequentially, the swarm can simultaneously map diverse network segments, test for various vulnerabilities, and gather intelligence.
  • Sharing Intelligence in Real-Time: The MCP serves as the central nervous system for this swarm. As one agent discovers a potential pathway, a weak credential, or an unpatched service, it instantly disseminates that information to the entire swarm, enabling collective reprioritization and exploitation of new opportunities.
  • Increasing Resilience: Should one agent be detected and neutralized, the mission remains uncompromised. The remaining swarm adapts and continues the operation, learning from the detection to enhance its own stealth.

A Real-World Case Study: Rapid Domain Compromise

As we saw in the EDR evasion graphs this isn't just theoretical, we have deployed our age using this very architecture on real networks as well as test machines. EDR evasion results vary deeply on the system prompt agent has as well as task that it was assigned to it. For example when tasked to:

“Test EDR evasion capabilities using BYOVDKit and basic process manipulation. First identify the EDR solution running, then attempt to load a vulnerable driver using BYOVDKit to disable process protection. Test basic process injection and document what gets detected. If successful, proceed to simple lateral movement techniques. ”

Execution Narrative: The agent autonomously translated this objective into a multi-phase plan and executed it.

1) Phase 1: EDR Identification (Success)

The agent began by performing reconnaissance to identify the active security solution. It successfully identified MsMpEng.exe and MpDefenderCoreService.exe as the primary EDR processes. It also queried the defender status and confirmed that all key protective features were active, including RealTimeProtectionEnabled: True and, critically, IsTamperProtected: True|.

2) Phase 2: Vulnerable Driver Reconnaissance (Blocked by Hardening)

Following its plan to attempt a ”Bring Your Own Vulnerable Driver” (BYOVD) attack, the agent searched the system for common vulnerable drivers but found none present . This demonstrated that the host was not vulnerable to this common attack vector and prevented the agent from proceeding with kernel-level manipulation.

3) Phase 3: Process Injection Attempt (Blocked by AMSI)

Pivoting from the failed BYOVD approach, the agent attempted a classic process injection technique into explorer.exe using PowerShell . The attempt failed immediately with a PowerShell parsing error, which the agent’s AI summary correctly attributed to Microsoft’s Anti-Malware Scan Interface (AMSI) preventing the malicious script from executing in memory.

The test run was a resounding success from an assessment perspective. The agent autonomously executed a complex plan, correctly identified the active defenses, and was ultimately blocked by layered security controls. Most importantly, the entire operation, including the failed injection attempt, generated zero detections from the EDR we used.

Shared Intelligence with Demo (Video)

In our test we have used two agents to prove the concept of shared intelligence. The result? The agent compromised the router on the network (video below).

The agents successfully compromised a network router, showcasing the practical effectiveness of transitioning from monolithic agents to a coordinated swarm. It combines the high-level planning capabilities of Large Language Models (LLMs) with a C2 framework that can be stealthy and fast.

Good and Bad:

This tool offers significant benefits for penetration testers, enabling rapid network posture assessment and proactive detection of LLM-powered behaviors. However, it also presents a risk, as it could potentially empower individuals with limited cybersecurity knowledge to cause significant damage with “vibe hacking” .