Frontier AI Cyber Capabilities
Summary
Frontier AI models are rapidly changing the cost, speed, and scale of cyber operations for both attackers and defenders. The UK's AI Security Institute (AISI) evaluated 7 frontier models on simulated enterprise attack scenarios; the best-performing model (Claude Opus 4.6, Feb 2026) completed ~15.6 of 32 attack steps — a 6× improvement over 18 months — at a cost of ~£65 per attempt. Defenders retain a structural advantage by being able to "shape the battlefield," but only if they maintain strong security baselines and proactively deploy AI for defense.
Details
AISI Evaluation Findings (March 2026)
The UK AI Security Institute evaluated the cyber capabilities of 7 frontier AI models released before March 2026. Models were tested in two simulated environments:
- A 32-step enterprise network attack estimated to take a human expert ~14 hours end-to-end
- A more complex industrial control system (ICS) attack scenario
Enterprise Network Results
| Model | Steps (no extended time) | Steps (extended time) | Best single run |
|---|---|---|---|
| Claude Opus 4.6 (best, Feb 2026) | 9.8 / 32 | 15.6 / 32 | 22 / 32 |
| Best model 18 months prior | < 2 / 32 | — | — |
Key data points:
- In 18 months, the leading model went from <2 steps to 15.6 steps (~6× improvement)
- No public model has completed the full 32-step scenario end-to-end (as of March 2026)
- Extended processing time reliably improves results with no additional attacker skill required
- Cost per full attack attempt: ~£65 — the limiting factor is increasingly funding, not expertise
ICS Scenario
AI performance was significantly more limited, but the most recent models were the first to make any consistent progress — and in some cases found attack approaches the scenario designers hadn't anticipated.
Why Capabilities Are Improving So Fast
Two reinforcing trends:
- Rising capability ceiling — Each model generation completes more attack steps than the last. The gap between generations is large and growing.
- Falling cost — Extended processing time improves results; at ~£65 per attempt, full attacks are increasingly affordable. Cost democratizes offense.
Current Limitations
Despite rapid progress, current models (pre-March 2026) still fall short of end-to-end attack completion:
- Context loss over long operations — Models lose track during extended multi-step sequences
- Specialist knowledge gaps — Performance drops sharply in reverse engineering, cryptography, and malware development (less training data)
- Multi-step coordination failures — Struggle with operations requiring concurrent processes
- Inconsistent results — Same model, same time budget can produce very different outcomes across runs
- Detectability — Current AI attack activity generates noticeable security alerts; detectable in environments with effective monitoring
"These aren't permanent barriers. They are areas where the rate of improvement has already been rapid, and where even modest extensions to processing time or human-AI teaming can result in substantial gains." — [source: ncsc-frontier-ai-cyber-defenders]
Implications for Defenders
"Defenders should assume that at least some attackers already have access to capable AI tools." — [source: ncsc-frontier-ai-cyber-defenders]
- Open-weight models can have safeguards removed entirely, making responsible developer protections irrelevant for determined actors
- The barrier to entry for sophisticated cyber attacks is shifting from expertise to funding
- Capabilities are dual-use: the same skills (vulnerability identification, exploit development) apply to both offense and defense
Frontier AI for Cyber Defense
NCSC identifies three areas where AI offers game-changing defensive potential:
1. System Hardening (Reducing Attack Surface)
AI-enabled security testing tools can now:
- Scan continuously at machine speed
- Identify vulnerabilities and misconfigurations automatically
- Test exploitability and map complex attack paths
- In early demonstrations: autonomously generate and apply code patches
Emerging initiatives pointing toward faster vulnerability discovery and remediation:
- DARPA AIxCC challenge
- Google CodeMender
- OpenAI Codex Security
"Vulnerability discovery and remediation happen far more quickly, reducing attackers' windows of opportunity." — [source: ncsc-frontier-ai-cyber-defenders]
2. Threat Detection and Investigation
LLM-enabled tools can:
- Triage alerts and correlate signals across diverse logs
- Generate summary reports to support analyst decision-making
- In the future: retain contextual information over time, deploy honeypots, initiate targeted investigations
This could enable detection of slow, subtle intrusions that evade traditional threshold-based approaches. Risks: over-reliance on automated judgment, reduced transparency.
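The gap between threshold-based rules and long-horizon correlation can be seen on a small scale in the following added example, which is not from the NCSC blog or AISI. The event tuples, account names, host names and the limits used by both detectors are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): (timestamp, log source, account, host)
T0 = datetime(2026, 3, 1, 9, 0)

def ev(hours, source, account, host):
    return (T0 + timedelta(hours=hours), source, account, host)

EVENTS = (
    # Noisy account: 12 auth failures against one host within about 11 minutes.
    [ev(1 + i / 60, "auth", "svc-scan", "web01") for i in range(12)]
    # Slow activity: one event every 7 hours, across three log sources and 8 hosts.
    + [ev(7 * i, ("auth", "proxy", "edr")[i % 3], "j.doe", f"srv{i:02d}") for i in range(8)]
    # Normal user: keeps returning to the same two hosts.
    + [ev(5 * i, "auth", "a.lee", f"app{i % 2}") for i in range(10)]
)

def threshold_alerts(events, window=timedelta(hours=1), limit=10):
    """Classic rule: alert when one account produces >= limit events in any window."""
    by_account = defaultdict(list)
    for ts, _src, account, _host in events:
        by_account[account].append(ts)
    alerts = set()
    for account, stamps in by_account.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            if sum(1 for t in stamps[i:] if t - start <= window) >= limit:
                alerts.add(account)
                break
    return alerts

def slow_spread_alerts(events, horizon=timedelta(days=3), min_hosts=6, min_sources=2):
    """Long-horizon correlation: distinct hosts and log sources seen per account."""
    end = max(ts for ts, *_ in events)
    hosts, sources = defaultdict(set), defaultdict(set)
    for ts, src, account, host in events:
        if end - ts <= horizon:  # keep context for days, not minutes
            hosts[account].add(host)
            sources[account].add(src)
    return {a for a in hosts
            if len(hosts[a]) >= min_hosts and len(sources[a]) >= min_sources}
```

The rate rule flags only `svc-scan`; the correlation flags only `j.doe`, and stops doing so if the horizon is shortened to an hour, which is why retained context and comprehensive logging matter for this class of detection.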
3. Automated Mitigation and Response
Some organizations are exploring autonomous response (no human in the loop):
- Block traffic, quarantine processes, revoke access
Reduces time between compromise and containment. Key risk: incorrect responses can exceed the original attack's impact — service disruptions, data loss, operational failures.
The Defender Advantage: Shaping the Battlefield
Defenders hold a structural advantage that attackers cannot replicate:
- Collaborative intelligence — Defenders can share insights globally, openly. Attackers cannot.
- Environment control — Defenders can configure, monitor, and adjust their own systems; attackers must adapt to whatever they find.
- AI amplifies asymmetry — When defenders use AI to correlate signals, understand normal behavior, and distinguish genuine threats from noise, they gain disproportionate benefit. Attackers must be stealthy every time; defenders only need to catch them once.
"Defenders have the ability to 'shape the battlefield'; that is to shape their environment to make it work better for them and disadvantage the adversary." — [source: ncsc-frontier-ai-cyber-defenders]
When the Advantage Erodes
The advantage is not guaranteed. It narrows when:
- Attackers adopt AI more effectively than defenders
- Baseline cyber security is weak (poor data quality for AI systems)
- AI-enhanced security tools are themselves deployed insecurely (expanding attack surface)
Priority Actions
NCSC's recommended baseline (the most effective, non-experimental steps):
| Control | Why It Matters for AI-Enabled Attacks |
|---|---|
| Accurate asset inventories | AI-enabled attackers scale against unknown/unmanaged assets first |
| Robust access controls | Limits lateral movement; reduces attacker options |
| Secure configuration | Reduces exploitable misconfigurations at machine speed |
| Comprehensive logging | Enables AI-assisted detection; without logs, AI defenders are blind |
"AI won't compensate for weak security foundations, but it will amplify both strengths and weaknesses." — [source: ncsc-frontier-ai-cyber-defenders]
Key Claims & Data Points
- AISI evaluated 7 frontier models on multi-step cyber attack scenarios — [source: ncsc-frontier-ai-cyber-defenders]
- Claude Opus 4.6 (Feb 2026) completed an average of 15.6 / 32 enterprise attack steps with extended processing time — [source: ncsc-frontier-ai-cyber-defenders]
- 18 months ago, the best model completed fewer than 2 steps; now it completes 15.6 — a 6× improvement — [source: ncsc-frontier-ai-cyber-defenders]
- No public model has completed the full 32-step scenario end-to-end (as of March 2026) — [source: ncsc-frontier-ai-cyber-defenders]
- A full attack attempt costs ~£65 at current pricing — [source: ncsc-frontier-ai-cyber-defenders]
- Current AI attack activity generates noticeable security alerts and is relatively easy to detect — [source: ncsc-frontier-ai-cyber-defenders]
- Open-weight model safeguards can be modified or removed entirely — [source: ncsc-frontier-ai-cyber-defenders]
- AI will more quickly enable rapid scaling of attacks against "soft" rather than "hard" targets — [source: ncsc-frontier-ai-cyber-defenders]
Open Questions
- When will a frontier AI model complete the full 32-step enterprise attack scenario end-to-end, and what capability milestone drives it? (raised by: concepts/frontier-ai-cyber-capabilities, 2026-04-15)
- How does AI-enabled attack cost (~£65/attempt) compare to traditional skilled-attacker costs — at what cost threshold does AI fundamentally change the economics of targeted attacks? (raised by: concepts/frontier-ai-cyber-capabilities, 2026-04-15)
- What monitoring and detection tooling is most effective against AI-generated attack activity, given that current models generate noticeable alerts? (raised by: concepts/frontier-ai-cyber-capabilities, 2026-04-15)
- As AI attack behavior becomes stealthier, how does the detectability advantage erode — and how quickly? (raised by: concepts/frontier-ai-cyber-capabilities, 2026-04-15)
- How do the AISI evaluation results translate to real-world attacker operations — what does the gap between simulated scenario and live network exploitation look like? (raised by: concepts/frontier-ai-cyber-capabilities, 2026-04-15)
- Does the ICS attack scenario performance track the enterprise network performance with a lag, and what does parity look like for critical infrastructure? (raised by: concepts/frontier-ai-cyber-capabilities, 2026-04-15)
Related Articles
- concepts/ai-red-teaming
- concepts/prompt-injection
- concepts/openclaw-security
- concepts/agentic-workflows
Sources
- Why Cyber Defenders Need to Be Ready for Frontier AI — NCSC blog by Paul J and Alan Steer (March 2026); AISI evaluation of 7 frontier models on enterprise and ICS attack scenarios; defender advantage framework