Decoding the world of cybersecurity

AI enters the live intrusion chain

Check Point research documents AI performing operational work during live intrusions, while enterprise telemetry shows rising prompt injection and sensitive-data exposure through routine AI use.

AI enters the live intrusion chain
Summary
  • Check Point describes AI supporting reconnaissance, exploitation, deployment, data analysis, and command execution during reported intrusions.
  • Long malicious prompt-injection detections rose approximately fivefold from March to May, while high-risk enterprise prompts doubled from 2% to 4%.
  • AI governance increasingly depends on the identities, tools, data, and execution permissions surrounding the model.

Check Point Software Technologies says artificial intelligence is performing operational work during live intrusions, while enterprise use is producing a parallel rise in data exposure and prompt-injection activity.

The company’s Annual AI Security Report 2026 brings together threat research, customer telemetry, and case studies covering criminal and state-linked activity. It describes AI agents supporting reconnaissance, exploit development, infrastructure deployment, data analysis, command execution, and operational decisions across multi-stage attacks.

One case cited in the report involved a single operator accused of compromising nine Mexican government agencies between late December 2025 and mid-February 2026. Recovered infrastructure reportedly contained 1,088 attacker prompts and 5,317 AI-executed commands across 34 sessions.

The attacker allegedly used Claude Code to assist with network access and exploration, while GPT-4.1 analysed stolen information and supported later activity. The case was previously documented through material recovered from attacker-controlled servers, although every affected agency and AI provider has not independently confirmed the complete account.

Check Point also points to VoidLink, an 88,000-line command-and-control framework reportedly produced through an AI development environment in less than a week. Finished code does not necessarily reveal how much was generated, edited, or reviewed by an AI system, complicating attempts to classify tooling by development method.

The report’s enterprise telemetry identifies a separate exposure inside legitimate AI use. Prompts classified by Check Point as high risk doubled from 2% to 4% over the year, equivalent to approximately one in every 25 interactions.

Organisations in the company’s dataset used an average of ten AI applications each month, including services that had not passed through formal approval. Business-services organisations recorded the highest rate of risky interactions, at 5.91%.

Much of the measured exposure arose when employees supplied approved tools with more context than the task required. Customer information, documents, source material, credentials, internal discussions, and regulated data can enter prompts because the user is attempting to obtain a more accurate or useful result.

Check Point also recorded an approximately fivefold increase in longer malicious prompt-injection payloads between March and May, approaching one per cent of observed prompts during May. Longer payloads are associated with instructions embedded in content processed by an agent rather than a user openly entering a malicious command.

The figures reflect Check Point’s detection definitions, customer population, and visibility, and do not represent a universal measure across every organisation or AI platform. They nevertheless show both hostile and routine interactions reaching business AI systems at greater scale.

The research summary places the model inside a wider system of identities, data connectors, memory, project files, tools, and execution environments. The authority assigned to those surrounding components determines how far a malicious or mistaken instruction can travel.

An AI assistant limited to a contained information source presents a different exposure from an agent connected to email, cloud storage, source repositories, terminals, finance systems, and administrative APIs. Tool permissions, transaction limits, approval steps, and logging need to reflect the consequence of each action.

Identity assurance is also affected as generated voice, images, documents, and live video reduce the reliability of visual or conversational verification. Payment changes, administrator resets, supplier onboarding, and executive requests require independent workflow controls rather than confidence in the identity presented during a call.

Established security controls continue to operate against AI-assisted attacks because generated commands ultimately reach conventional systems. Segmentation, least privilege, secure development, vulnerability management, logging, and recovery limit the same technical paths regardless of how the operator created the instructions.

AI can alter the speed and repeatability of the operation, allowing one individual to move through tasks that previously required several tools or specialists. Enterprise controls need to account for that pace without treating every intrusion as fully autonomous or removing human responsibility for the objectives and access behind it.

AI security now reaches beyond approval of individual applications. Organisations need to know which services are used, what information they receive, which identities they inherit, what actions they can perform, and whether those actions can be reconstructed during an investigation.

×