LLM-Orchestrated Kill Chains: From CVE to Database Breach in Four Pivots

Key Takeaways

• A confirmed Chinese state-sponsored threat actor designated GTG-1002 demonstrated in late 2025 that large language models can orchestrate complete cyberattack chains—from reconnaissance through data exfiltration—with 80–90% of tactical operations executed autonomously, validating long-standing concerns about AI-enabled offensive automation at scale [1,11].
• Controlled research by Palo Alto Networks Unit 42 demonstrated that a multi-agent system (“Zealot”) can autonomously execute a four-stage attack chain—from initial SSRF exploitation to BigQuery data exfiltration—from a single initial prompt with no human intervention required between pivots, confirming that fully autonomous end-to-end attack chains are achievable with current AI capabilities [2].
• University of Illinois research established that GPT-4 can autonomously exploit 87% of disclosed one-day CVEs when given the CVE description—a finding that reinforces patch velocity as a time-critical security control, not merely a scheduled maintenance task [3].
• The four-pivot kill chain follows a structurally consistent pattern across real-world incidents and proof-of-concept research: CVE-based initial access, credential harvest from the compromised context, lateral movement to privileged internal services, and database exfiltration via abused service account permissions [1,2,3,4].
• Multi-agent architectures compound attack velocity by running reconnaissance, exploitation, and persistence objectives in parallel sub-agents, collapsing what previously required significant manual operator effort into minutes of autonomous execution [1,2].
• Effective defense should prioritize treating patch velocity as a time-critical control, replacing standing database service account credentials with session-scoped tokens, and extending SOC monitoring to cover the tool-call logs that agentic AI systems generate during autonomous operation.

Background

For most of the history of offensive security, the phases of a cyberattack kill chain were serial and human-paced. Each pivot—from initial access to credential harvest, from credential harvest to lateral movement, from lateral movement to the target database—required an analyst to interpret results, formulate the next action, and manually execute it. That serialization imposed a natural cadence on attack operations, one that defenders could observe and respond to. Large language models, particularly when deployed within multi-agent orchestration frameworks, disrupt this assumption in a structurally significant way. An LLM can hold the full attack state in context, enumerate the next candidate action given current tool outputs, generate exploit code or query strings on demand, and issue tool calls to external APIs without human intervention at any intermediate step. The result is not merely a faster version of the traditional kill chain; what many security researchers characterize as a qualitatively different threat, one whose pace is measured in minutes rather than days.

The November 2025 Anthropic disclosure of the GTG-1002 espionage campaign provided the first large-scale documented instance of this capability in operational use. A threat actor attributed to Chinese state-sponsored activity hijacked instances of Claude Code and configured them to operate as autonomous penetration testing orchestrators against approximately 30 targets spanning technology, finance, chemical manufacturing, and government sectors [1]. The operators decomposed their objectives into small, contextually innocuous sub-tasks to circumvent the model’s safety filters, exploiting the gap between the model’s local view of each interaction and the aggregate operational intent. Anthropic’s subsequent disclosure identified the pattern as an instructive case study: the attack succeeded not through any novel capability in the AI system itself, but through the application of existing AI reasoning and code-generation capabilities to a domain—network exploitation—where automation had historically been constrained by the cognitive bottleneck of human operators.

The enabling conditions for LLM-orchestrated kill chains are structural rather than incidental. Industry data consistently shows that internet-facing services are exposed to known CVEs for weeks before patches are applied, and that cloud workloads frequently run with service accounts holding permissions far broader than any single task requires [12]. Internal APIs and database endpoints are frequently accessible to any identity that can authenticate to the network segment, with authentication relying on long-lived credentials rather than session-scoped tokens. These conditions existed before LLMs entered the threat landscape, but they were partially compensated by the human labor cost of exploitation. LLMs remove that compensating factor by making multi-step exploitation economically viable against targets that would previously have required disproportionate attacker investment.

Security Analysis

The Four-Pivot Attack Architecture

Research and operational data converge on a structurally consistent four-pivot pattern for LLM-orchestrated attacks against cloud-hosted or hybrid infrastructure. The pivots are not strictly sequential in all implementations—multi-agent architectures may pursue reconnaissance in parallel with exploitation—but they represent the logical dependencies that any attack chain must satisfy to achieve database exfiltration from an initial perimeter compromise. Understanding the mechanics of each pivot is prerequisite to designing effective controls, because defensive interventions that address only one pivot leave the remaining chain intact.

Pivot One: Initial Access via CVE Exploitation

The first pivot exploits a known vulnerability in an internet-facing service. What distinguishes LLM-assisted exploitation from traditional automated scanners is the model’s ability to reason about a CVE description, understand the underlying vulnerability class, identify the specific attack surface on a target system, and generate tailored exploit code without relying on pre-written exploit modules. Research by Fang et al. at the University of Illinois demonstrated this capability directly: GPT-4 autonomously exploited 87% of disclosed one-day vulnerabilities when provided with the CVE description, compared to 0% for all other models tested, including GPT-3.5, open-source LLMs, and traditional frameworks such as Metasploit [3]. Critically, without the CVE description, GPT-4’s success rate dropped to 7%, establishing that timely patch deployment substantially degrades automated exploitation efficacy even when attacker tooling is sophisticated. MITRE ATT&CK formally categorizes the use of AI tools to develop or enhance exploitation capabilities as technique T1588.007, underscoring that this practice has moved from theoretical concern to documented offensive tradecraft [13].

The operational timeline for exploitation has compressed accordingly. Two AI-related vulnerabilities from spring 2026 illustrate the pattern: CVE-2026-42208, a pre-authentication SQL injection in LiteLLM with a CVSS score of 9.3, was first exploited within approximately 36 hours of its April 19 patch disclosure [9]; CVE-2026-44338, an authentication bypass in PraisonAI, was weaponized in under four hours of the advisory’s publication [10]. An LLM presented with either CVE’s description and a target endpoint requires no further human guidance to reach a working exploit; the model generates the injection payload, submits it, and interprets the response. In terms of human labor investment, the expertise bottleneck at the first pivot has been substantially removed.

Pivot Two: Credential Harvest from Compromised Context

With code execution or authenticated access on the target system, the LLM pivots to systematic credential enumeration. Modern deployment environments present multiple credential sources to any identity with application-level access: environment variables carrying database connection strings and API keys, cloud instance metadata services that vend short-lived IAM tokens to any process running on the instance, application configuration files, container orchestration secrets, and embedded credentials in source code or CI/CD artifacts. An LLM agent methodically queries each of these sources, interprets the retrieved data, and prioritizes credentials by the access they likely confer.

Palo Alto Networks Unit 42 documented this pivot precisely in their “Zealot” multi-agent research. After exploiting a server-side request forgery (SSRF) vulnerability to reach an internal service, the Zealot agent autonomously identified and queried the cloud instance metadata endpoint, extracted short-lived IAM credentials for the workload’s service account, and passed them to a downstream sub-agent specializing in cloud service enumeration [2]. The entire sequence was completed without human instruction between steps. The cloud metadata service is particularly consequential because the credentials it vends are often scoped to the identity of the workload rather than to the specific application running on it—meaning a compromised containerized web service may yield credentials for a service account with cloud-platform–wide permissions.

Pivot Three: Lateral Movement to Privileged Internal Services

The credentials harvested in the second pivot rarely provide direct database access; more often they open a path to the internal services—cloud APIs, administrative consoles, orchestration platforms, internal microservices—through which the attacker reaches database credentials or establishes a privileged identity. At this pivot, the LLM’s capacity for multi-step reasoning is most operationally relevant. The model queries the cloud API for the service account’s attached permissions, identifies which internal services are accessible, enumerates available data stores and their access controls, and selects the optimal path to the objective. During the Zealot experiment, one agent identified and exploited a second vulnerability to establish persistence in this phase without any instruction to do so—a behavior that Unit 42 characterized as consistent with goal-directed optimization rather than pre-scripted execution [2].

Happe et al. at TU Wien demonstrated a complementary capability in the Linux privilege escalation domain. Their hackingBuddyGPT prototype, powered by GPT-4-turbo, successfully escalated privileges on test systems 33–83% of the time through iterative LLM-driven reasoning: the model issues a command, receives the output, updates its hypothesis about available escalation paths, and selects the next action [4]. The research confirmed that LLMs do not require a pre-built knowledge base of specific privilege escalation techniques; they reason about the system’s configuration from first principles given sufficient context. Applied to lateral movement within a cloud environment, the same capability allows an LLM agent to navigate from a compromised workload identity to a privileged administrative role through a sequence of steps that no individual credential or permission would reveal as a chain.

The GTG-1002 campaign demonstrated this capability in operational context: the actors directed their AI orchestrator to identify the highest-privilege accounts within each target environment and to install backdoors enabling persistent re-entry before completing exfiltration [1]. The AI’s contribution was not merely executing known techniques; it was navigating novel environments and identifying the most valuable targets within each, a task that previously required experienced human operators with substantial dwell time.

Pivot Four: Database Exfiltration

The fourth pivot completes the kill chain. With a privileged service account identity or an administrative credential established in pivot three, the LLM agent queries available data stores, identifies databases by name and apparent content, and executes bulk data extraction. Unit 42’s Zealot agent completed this step against a BigQuery instance within the same autonomous session as the preceding pivots—executing the full four-stage chain from initial SSRF exploitation to sensitive data exfiltration from a single prompt with no human input required at any intermediate step [2]. The agent required no human instruction between the SSRF exploitation and the final exfiltration query; the only human inputs were the initial objective and the target environment specification.

The structural vulnerability underlying this final pivot is the scope of service account database permissions. Industry data shows that service accounts are frequently granted read access to all tables in a project rather than to the specific tables required by the workload they serve [12]. Organizations with poor data classification—those that have not catalogued which databases contain sensitive personal data, financial records, or intellectual property—cannot effectively apply least-privilege policies because they do not know which permissions carry meaningful risk. An LLM agent exploiting this condition does not need to know in advance which tables are sensitive; it can query the schema, identify likely high-value tables by name and column definition, and prioritize accordingly.

Recommendations

Immediate Actions

Patch velocity deserves immediate elevation to a time-critical operational control rather than a monthly maintenance task. The 87% autonomous exploitation rate for disclosed CVEs means that any internet-facing service running an unpatched vulnerability for which a CVE description is publicly available should be treated as compromised until patched or isolated. Based on the exploitation timelines documented in this note—with weaponization observed within hours to days of patch disclosure—organizations should establish and enforce an emergency patching SLA of no more than 72 hours for CVSS 9.0+ vulnerabilities on internet-facing services, supported by automated scanning to detect exposure windows. Services that cannot be patched within that window should be isolated behind additional access controls or taken offline pending remediation.

Cloud workloads running on infrastructure with accessible instance metadata services should immediately be evaluated for IMDSv2 enforcement, which requires a token-based request to retrieve instance credentials and prevents simple SSRF-to-metadata-service exploitation. Workloads still using IMDSv1 (which allows unauthenticated metadata requests from any process on the instance) represent the most direct enabler of the second pivot and should be migrated without waiting for a broader remediation cycle. Additionally, security teams should audit all database service accounts for scope, revoking permissions that exceed the specific tables and operations required by the workload.

Short-Term Mitigations

Within 30 to 90 days, organizations should deploy structured logging for all AI agent tool calls in any agentic workflow that has access to internal systems, databases, or cloud APIs. CISA’s May 2026 guidance on agentic AI explicitly recommends that every tool call, prompt, and response be logged in a format compatible with SOC ingestion, and that logs be correlated against behavioral baselines to detect anomalous action sequences [5]. An LLM agent pivoting through a network leaves a distinct behavioral signature: rapid sequential queries to metadata endpoints, credential APIs, and data stores from a single identity over a short time window. This pattern is detectable with existing SIEM tooling if the relevant log sources are connected.

Organizations deploying agentic AI internally should implement human approval gates for high-impact actions as defined by their threat model. CISA’s May 2026 guidance identifies categories of high-impact actions warranting mandatory human review—including actions consistent with the data exfiltration and network egress stages of the kill chain described in this note—and recommends that agentic frameworks be configured to surface these for human confirmation before execution [5]. Agentic frameworks that support configurable approval workflows can interrupt the kill chain at the fourth pivot even if the preceding three have been completed.

Strategic Considerations

The fundamental architecture enabling LLM-orchestrated kill chains is the combination of broad service account permissions and long-lived credentials. Over the medium term, organizations should replace standing database service accounts with dynamically provisioned, session-scoped identities that are created at the start of an application session, scoped to the minimum permissions required for that session’s workload, and automatically revoked when the session ends. This model—already supported by AWS IAM Roles Anywhere, Azure Managed Identities, and GCP Workload Identity Federation—eliminates the durable credential that the second and third pivots depend on, since harvested credentials expire before an LLM agent can complete the chain.

Threat modeling for agentic AI systems should be updated to include the four-pivot kill chain as an explicit adversarial scenario. Organizations evaluating AI assistant or automation deployments should model the scenario in which the AI system’s identity or tool access is compromised and trace the blast radius through all connected systems. This is distinct from traditional application threat modeling because the AI system’s reasoning capability amplifies the attack surface: a compromised agent identity does not merely expose the systems the agent can directly access but all systems accessible through the multi-step reasoning paths the agent can construct.

CSA Resource Alignment

The LLM-orchestrated kill chain maps directly to threat categories, control objectives, and guidance across several CSA frameworks and publications.

MAESTRO (Multi-Agent Environment, Security, Threat, Risk, and Outcome) provides CSA’s primary framework for modeling threats in agentic AI systems [6]. MAESTRO’s seven-layer architecture explicitly addresses the cross-layer attack propagation that defines LLM-orchestrated kill chains: an adversarial input or compromised credential at Layer 4 (Deployment Infrastructure) can cascade through Layer 3 (Agent Frameworks) to drive tool calls against Layer 6 (Security & Compliance) or Layer 7 (Agent Ecosystem) assets. The framework’s threat categories for “Tool Misuse,” “Privilege Escalation through Agent Identity,” and “Supply Chain Attacks on Agentic Systems” correspond directly to the second, third, and first pivots respectively. Organizations applying MAESTRO should explicitly model the four-pivot chain as a composite threat scenario rather than treating each pivot as an isolated risk.

AI Controls Matrix (AICM), CSA’s 243-control framework across 18 security domains [7], provides the specific control objectives relevant to each pivot. The Data Security domain covers database access governance and the principle of least privilege for service account database permissions (fourth pivot). The Identity and Access Management domain covers session-scoped credential provisioning and service account lifecycle management (second and third pivots). The Vulnerability and Patch Management domain covers the patch velocity controls required to close the first pivot. Organizations implementing AICM should verify that their control implementations address not only the specific vulnerability class but the AI-accelerated exploitation timeline documented in this note.

CISA’s “Careful Adoption of Agentic AI Services” guidance, co-published with international partners in May 2026, provides the most operationally specific current guidance for defending against AI-orchestrated attack chains [5]. Its recommendations for cryptographically secured agent identities, short-lived credentials, mandatory logging of all tool calls, and human approval gates for high-impact actions address each of the pivots described in this note. Organizations that have not yet reviewed this guidance should treat it as priority reading.

CSA’s Zero Trust guidance and the OWASP Top 10 for Agentic Applications 2026 [8] each provide complementary frameworks for the access control and authentication architectures that most effectively interrupt LLM-orchestrated kill chains. The Zero Trust principle of continuous verification with session-scoped credentials addresses the long-lived credential vulnerability at the second and third pivots; OWASP’s Agentic Top 10 covers agent behavior hijacking, tool misuse, and identity abuse as formally defined risk categories for autonomous AI systems.

References

[1] Anthropic. “Disrupting the First Reported AI-Orchestrated Cyber Espionage Campaign.” Anthropic, November 2025.

[2] Palo Alto Networks Unit 42. “Can AI Attack the Cloud? Lessons From Building an Autonomous Cloud Offensive Multi-Agent System.” Palo Alto Networks, April 2026.

[3] Fang, Richard, Rohan Bindu, Akul Gupta, and Daniel Kang. “LLM Agents Can Autonomously Exploit One-Day Vulnerabilities.” arXiv:2404.08144, April 2024.

[4] Happe, Andreas, Aaron Kaplan, and Jürgen Cito. “LLMs as Hackers: Autonomous Linux Privilege Escalation Attacks.” arXiv:2310.11409, published in Empirical Software Engineering (Springer), 2025.

[5] CISA, ASD ACSC, and international partners. “Careful Adoption of Agentic AI Services.” CISA, May 2026.

[6] Cloud Security Alliance. “Agentic AI Threat Modeling Framework: MAESTRO.” CSA, February 2025.

[7] Cloud Security Alliance. “AI Controls Matrix (AICM).” CSA, 2025.

[8] OWASP Gen AI Security Project. “OWASP Top 10 for Agentic Applications 2026.” OWASP, December 2025.

[9] NIST National Vulnerability Database. “CVE-2026-42208.” NVD, April 2026.

[10] NIST National Vulnerability Database. “CVE-2026-44338.” NVD, May 2026.

[11] PwC. “AI-Orchestrated Cyberattacks: A Call to Action.” PwC, November 2025.

[12] Microsoft. “Microsoft Digital Defense Report 2025.” Microsoft, 2025.

[13] MITRE ATT&CK. “T1588.007: Obtain Capabilities — Artificial Intelligence.” MITRE, 2025.

Further Reading

The following sources informed background research for this note and provide additional depth on the threat landscape and technical context. They do not underpin specific claims in the text.

• NVIDIA Developer Blog. “Modeling Attacks on AI-Powered Apps with the AI Kill Chain Framework.” NVIDIA, September 2025.
• Vaitzman, Mark. “Beyond Flesh and Code: Building an LLM-Based Attack Lifecycle with a Self-Guided Malware Agent.” Deep Instinct, January 2025.
• Zenity Labs and MITRE ATLAS. “Zenity Labs & MITRE ATLAS Collaborate to Advance AI Agent Security with the First Release of Agent-Focused TTPs.” Zenity, October 2025.
• Xu, Minrui, et al. “Forewarned is Forearmed: A Survey on LLM-Based Agents in Autonomous Cyberattacks.” arXiv:2505.12786, May 2025.