AI-Powered Attacks Are Already Here — And They're Winning

https://www.theregister.com/2026/03/23/claude_attacks_rorschach_rsac_rob_joyce/
Speaking at RSAC 2026, former NSA Cybersecurity Director Rob Joyce used the Anthropic report on Chinese cyber actors abusing Claude as a jumping-off point for a blunt assessment: AI-enabled offensive operations aren't a future threat — they're present reality.
The Beijing-backed operation decomposed a full attack chain into discrete steps, then built an agentic AI framework to execute it end-to-end: mapping attack surfaces, finding vulnerabilities, writing exploit code, escalating privileges, and exfiltrating data. Joyce's reaction was unambiguous: it worked.
The core insight isn't about AI being smarter than humans. It's about scale and patience: machines don't get tired reading code. They can review and review until they find the vulnerability. As LLMs become more modular and capable, that advantage compounds.
On the defensive side, the same capabilities are being put to work. Google's Big Sleep, OpenAI's Codex, and Anthropic's Claude Code Security are all finding real vulnerabilities in major codebases at machine speed. The long-term payoff is more hardened software. The near-term risk is that the same techniques are being weaponized faster than defenders can absorb.
Joyce's prescription for defenders: get exceptional at the basics, deploy AI to detect behavioral anomalies, and start running agentic red teams against your own infrastructure now. As he put it — you're going to be red-teamed whether you pay for it or not. The only question is who gets the results.









