CleverHans’s prototype AI-powered worm replaces a hard-coded exploit with an autonomous agent that reasons about each target, finds an opening, and keeps moving, closer to an automated penetration tester than a traditional worm. NotPetya did billions of dollars in damage in 2017 without any of that intelligence; an objective-driven successor would be materially harder to contain. The defensive playbook doesn’t really change (strong IAM, segmentation, least privilege, fast patching, monitoring, Zero Trust, real IR plans), but the weight on every one of those controls goes up sharply when attackers no longer need a predetermined path through your environment.
I recently read a piece of research from CleverHans that gets at a future a lot of security people have seen coming for years: AI-powered worms that can reason, adapt, and spread on their own.
Research article: CleverHans latest research.
For most of the history of malware, worms have depended on a specific vulnerability. Defenders find the weakness, patch it, and the worm loses most of its ability to spread. That has been the basic rhythm of the whole field.
The CleverHans team built something that breaks the pattern. Instead of hard-coding a single exploit, their prototype uses an AI agent to look at each target, find an opening, pick an attack path, and keep moving through the network. It behaves less like a traditional worm and more like an automated penetration tester. (For a broader take on agent-shaped risk on personal infrastructure, see Your Computer, Your Agent, Your Risk.)
It is still a research project, but it points at a real shift in how we should think about risk.
The old threat was “exploit vulnerability X.” The new one is closer to “get access to that system, and figure out how yourself.” That difference is bigger than it sounds.
Reading the paper brought back one of the worst security incidents I have watched up close.
In 2017, while I was at Hill+Knowlton, part of WPP, the company got hit by NotPetya. I had never seen anything like it. Machines could be infected within minutes of connecting to the corporate network, across WPP’s global operations, IT teams went into full emergency mode. Systems were shut down, services were pulled offline, and business stopped in places all over the world. Email, file sharing, collaboration tools, ordinary day-to-day processes, all of it gone at once.
Here is the part that stays with me. NotPetya wasn’t smart. It wasn’t using AI. It wasn’t reasoning about its surroundings or choosing its own path. It exploited known vulnerabilities and ran a fixed set of propagation techniques, and that was enough to become one of the most destructive attacks ever recorded. Billions of dollars in damage, worldwide.
Now picture NotPetya’s speed combined with an agent that can actually think.
Instead of hunting for one vulnerability, it could weigh dozens. Instead of following a set route, it could find new ones. Instead of stalling at a patched system, it could go looking for another way in.
That is the scenario the CleverHans work asks us to take seriously.
The strange comfort here is that the defensive playbook barely changes:
- Strong identity and access management
- Network segmentation
- Least-privilege access
- Fast patching
- Continuous monitoring
- Zero Trust architecture
- A real incident response plan
What changes is the weight on each of them. These controls matter more, not less, once an attacker no longer needs a predetermined path through your environment.
For anyone running technology, the takeaway is that we are moving into a different phase. Past threats were exploit-driven, the next ones look objective-driven. Rather than being handed a specific vulnerability to use, an autonomous agent gets a goal and works out the route on its own.
Maybe AI-powered worms become common in a few years. Maybe they stay mostly in the lab. Either way the direction is obvious. Attackers are getting more adaptive, and our defenses have to do the same.
Frequently Asked Questions
What is an AI-powered worm?
An AI-powered worm replaces the hard-coded exploit at the core of a traditional worm with an autonomous AI agent. Instead of relying on one known vulnerability to propagate, the agent inspects each new target, picks an attack path, adapts when it gets blocked, and keeps moving, functionally it behaves much more like an automated penetration tester than a classic worm.
What did the CleverHans research demonstrate?
CleverHans built a prototype that swaps a fixed exploit for an AI agent making decisions in real time, choosing targets, finding openings, and picking propagation paths on its own. It’s still research, not a deployed threat, but it makes the architectural shift concrete: from “exploit vulnerability X” to “achieve objective Y, figure out the route yourself.”
Why does this differ from traditional malware like NotPetya?
NotPetya was devastating without any intelligence at all. It chained known vulnerabilities and a fixed propagation pattern into one of the most destructive cyberattacks ever recorded. An objective-driven AI worm wouldn’t be bounded by a static playbook. It could weigh dozens of vulnerabilities, find alternate paths when patches blocked one, and adapt to unfamiliar environments, at machine speed.
How does objective-driven malware change defensive priorities?
The defensive playbook stays familiar, strong identity and access management, network segmentation, least-privilege access, fast patching, continuous monitoring, Zero Trust architecture, and a real incident response plan. What changes is the weight on every one of those controls. They matter more, not less, once an attacker no longer needs a predetermined path through your environment.
Are AI-powered worms a near-term threat or a future one?
Today it’s a research-stage capability, not a live in-the-wild threat at scale. The direction is the important part: attackers are getting more adaptive, models are getting cheaper and more capable, and the gap between “automated penetration tester” and “autonomous worm” is narrower than it was a year ago. Defenders should be hardening for objective-driven adversaries now rather than waiting for a first major incident.
What should security teams do first?
Start with the controls that limit blast radius regardless of attack path, strong identity, segmentation, and least privilege. Add fast patching and continuous monitoring so a single foothold doesn’t sit unnoticed long enough for an agent to pivot. Treat Zero Trust as architecture, not a slogan, and rehearse the incident response plan against scenarios where the adversary chooses its own propagation path instead of following a known one.