Claude attacks were 'Rorschach test' for infosec community, scaring former NSA boss

'It freakin' worked' says Rob Joyce - and shows how relentless AI agents can find holes humans miss

by · The Register

RSAC 2026 The now-infamous Anthropic report about Chinese cyberspies abusing Claude AI to automate cyberattacks was a Rorschach test for the infosec community, according to former NSA cyber boss Rob Joyce.

"There were people on one side who hated it," Joyce, who is now a venture partner at DataTribe, said during a Monday talk at RSAC. "They thought it was a meaningless distraction. There was another side who saw it as a significant insight into offensive operations."

Joyce sits firmly in the latter camp. "I saw this as a really important set of insights – and something really scary."

The Beijing-backed snoops considered a typical attack chain, broke it into small steps, then built a framework using agentic AI to carry out an intrusion attempt. The agents mapped attack surfaces, scanned target organizations' infrastructure, found vulnerabilities, and even researched and wrote exploitation code.

Once they were inside networks, China’s bots found and abused valid credentials, escalated privileges, and moved laterally. In some cases, the agents even found and stole sensitive data.

"But the number one thing to me is: it worked. It freakin' worked," Joyce said. "It brought a set of tools, it went against real-world targets, and it won.” He fears that continuing improvements to LLMs, and the fact they’re now effectively modular so crooks can quickly update their AI tools, means automated attacks will improve "exponentially."

Last year, in an interview with The Register, Joyce said AI will "soon" be a great exploit coder. On Monday, he told an audience of security experts and coders it’s already happened.

The upside? Agentic AI systems’ ability to find zero-day vulnerabilities and develop exploits at machine speed can be a boon defenders, too.

Projects like Google's Big Sleep, an AI agent that helps security researchers find zero-day flaws, have spotted several including a previously unknown exploitable memory-safety flaw in the widely-used OpenSSL library. OpenAI's Codex (formerly Aardvark) similarly uses agentic AI to detect and patch vulnerabilities in code, as does Anthropic's Clade Code Security.

"So across these three frontier models, all doing vulnerability research, they've shown that they can find vulnerabilities in major code," Joyce said.

"In the long term, we get much better code," he continued. "Google Chrome is going to benefit from the Google Big Sleep team, and it is going to be much harder to exploit the most popular web browser on the planet. But in the near term, the ability to find software vulnerabilities across massive code bases and vulnerabilities become exploits. That's a real risk."

Joyce quoted security researcher Sean Heelan, who analyzed OpenAI's then-Aardvark project and said:

The more tokens you spend, the more bugs you find, and the better quality those bugs are. You can also see it in my experiments. As the challenges got harder I was able to spend more and more tokens to keep finding solutions. Eventually the limiting factor was my budget, not the models. I would be more surprised if this isn't industrialized by LLMs, than if it is.

What this means right now, according to Joyce, is that information asymmetry favors machine attackers. “This is not a story about AI being smarter than the humans. It's about scale and patience, its [AI’s] ability to look at all of the techniques and components of that and develop the vulnerabilities. Machines don't get tired of reading code. They can review and review and review until they find that vulnerability."

So what does this mean for defenders? Joyce thinks they need to become "exceptional" at security basics.

That means using AI tools to review code and detect anomalies in patterns and behaviors, which can indicate that attackers are abusing a legitimate tool – or user – for malicious purposes.

Also, he recommends, start doing agentic red teaming against your organization to proactively find flaws and misconfigurations. "You are going to be red-teamed whether you pay for it or not," Joyce said. "The only difference is, you know who gets the results delivered to them." ®

Chinese spies told Claude to break into about 30 critical orgs. Some attacks succeeded: Anthropic dubs this the first AI-orchestrated cyber snooping campaignJessica Lyons, 13 Nov 2025Ex-NSA cyber-boss: AI will soon be a great exploit coderRSAC: For now it's a potential bug-finder and friend to defendersJessica Lyons, 30 Apr 2025OpenAI tries to build its coding cred, acquires Python toolmaker Astral: Deal helps company build out its Codex teamThomas Claburn, 19 Mar 2026Infosec community panics as Anthropic rolls out Claude code security checkerai-pocalypse: Not the first of its kindJessica Lyons, 23 Feb 2026