How Skyhawk’s Agentic AI Red Team took control of a production AWS organization in seconds, starting with a single low-privilege role, and without a single misconfiguration to exploit.

The finding

Skyhawk Security set out to test a simple question: what can an autonomous, AI-enabled attacker actually do inside a real cloud environment? So we pointed our Agentic AI Red Team at a fintech company’s production AWS organization.

By every standard the security industry has taught us to trust, this team was doing it right. Permissions and roles were configured and right-sized. They ran a leading cloud-native application protection platform (CNAPP). They had cleared their critical findings and were members of the “zero critical findings club.”

Starting from a single low-privilege role, our AI Red Team took over the entire production organization in seconds. That is game over.

Why this one is different: There was nothing to find.

Cloud security has always operated on a comforting assumption: breaches come from mistakes. Find the misconfiguration, remove the excessive permission, patch the vulnerability, and the risk becomes manageable.

This attack had none of those things to find.

There was no vulnerability to patch. No excessive permission to strip away. No misconfiguration alert to remediate. Instead, our AI Red Team identified a chain of legitimate permissions and capabilities, each one individually valid, each one intentionally configured, and by dynamically manipulating roles across the privilege boundary, moved step by step from low privilege to complete organizational control.

No individual setting was wrong. The risk lived entirely in the combination. And notably, no frontier AI model was required to build or execute the attack — putting this capability within reach of a far wider range of adversaries than most teams assume.

When the dashboard is green and the graph said “safe”

The most unsettling part: a static attack graph analysis of the same environment showed no viable route from low privilege to organizational control. The tooling gave the security team a green light and a false sense of confidence.

An AI-enabled attacker doesn’t accept that static picture. It reasons across identities, permissions, and services, manipulating legitimate capabilities to create a path that no point-in-time graph would ever surface. The gap between “no viable route” on paper and “full takeover” in practice is exactly the blind spot this research exposes.

Cloud security has centered on finding what is broken. This case shows that in the era of AI Autonomous Attacks, that model is no longer sufficient. The risk lived in a chain of legitimate capabilities an Agentic AI-enabled attacker would utilize.

The industry data already describes this attack, it just hasn’t named it.

Identity compromise underpinned 83% of cloud compromises in Google’s latest Cloud Threat Horizons report. Crowdstrike’s Global Threat Report 2026 found 82% of 2025 detections were malware-free, attackers using valid credentials and native tooling to blend into normal activity. Additionally, the Crowdstrike report shows speed has collapsed: average breakout time is now 29 minutes, with the fastest observed at 27 seconds.

Google’s researchers have already documented threat actors using LLMs to automate credential harvesting and move from a developer’s laptop to full cloud administrative access. Datadog’s research shows that even AWS-managed policies that look benign, AWSMarketplaceFullAccess among them, can be chained into full account administrator.

Every one of those findings points at the same blind spot. Our research is what it looks like when an AI attacker walks straight through it.

What actually defends against this

If following best practices can still be weaponized into a full takeover, the answer isn’t another list of things to fix. It’s a shift from finding what’s broken to continuously validating what’s reachable.

Skyhawk pre-maps the attack paths in your specific environment before they’re exploited, and updates continuously as your architecture and controls evolve. It understands which behaviors, permission changes, and configuration shifts lead toward a breach — and it alerts at the first few steps of an attack sequence, long before an attacker reaches their objective. When a threat is in motion, teams can respond immediately through native Jira and ServiceNow integrations or trigger automated actions to stop the breach before it completes.

Because the frightening question a CISO now has to answer for the board isn’t “how do we fix this?”

It’s “how would we even know?”

Skyhawk Security’s AI Red Team Stops AI Autonomous Attacks

With Skyhawk Security, you will know. Skyhawk’s AI Red Team rehearses the attacks so that it has “seen” the attack and the platform knows when it “sees” the attacks again and can stop them.

The AI Red Team identifies valuable business assets and then maps out all the paths and graphs, and how they can be dynamically manipulated, to gain access to these assets. It then prioritizes what needs to be addressed in the cloud based on the business value of the at-risk asset. It could recommend updates to roles or permission, cloud configuration changes, and where changes cannot be made, the platform will remember the “attacks” and can take steps to stop the progress of the attack and prevent the breach.

Book a meeting with our technical team to learn more.