Wiz and Irregular find AI can crack complex targets for a few dollars but only with human guidance
The Israeli cybersecurity firms show that AI agents excel when guided by humans but struggle to act independently, revealing a new hybrid threat model for enterprises.
A new study by Israeli cybersecurity companies Wiz and Irregular offers a clear view of the capabilities, and current limitations, of artificial intelligence agents in the cyber domain. When given a clear and well-defined target by a human operator, AI agents can already execute cyberattacks quickly and at minimal cost. But when required to act independently, to select targets, prioritize actions, and adapt strategy, their effectiveness declines sharply.
The researchers constructed ten scenarios simulating real vulnerabilities based on well-known cyber incidents from recent years, including database exposures, cloud misconfigurations, and identity-verification failures. To ensure these were genuine challenges rather than theoretical demonstrations, each scenario was first solved by an experienced human researcher. AI agents were then tasked with identifying a vulnerability in a given environment and exploiting it until a “flag” was obtained, an unambiguous measure of success designed to minimize noise and interpretation errors. The results were striking: when provided with a specific objective, the AI agents successfully breached nine out of ten challenges, including complex multi-stage attacks, sometimes at a cost of just a few dollars per attempt.
From an economic perspective, the implications are troubling. Once a vulnerable asset is identified, attempts to exploit it become fast and inexpensive, even if not every effort succeeds. The low marginal cost allows attackers to rerun the same scenario repeatedly until a breach is achieved. In several cases, operations with an estimated economic value in the tens of thousands of dollars were executed for only a few dollars, and occasionally for less than one.
The picture changed dramatically when the agents were asked to operate across a broad environment without a predefined target. Success rates fell sharply, not all challenges were solved, and the cost per successful breach rose by a factor of two to two-and-a-half. The researchers observed that agents often scattered their efforts across multiple attack paths without pursuing any in depth, or conversely became stuck pursuing a single approach even after it proved ineffective. Unlike human researchers, who tend to recognize dead ends and shift direction relatively quickly, the AI agents repeatedly attempted variations of the same failing method.
The study’s conclusion is that AI agents are already far more capable than many assume. They can attack systems effectively, rapidly, and cheaply, provided they receive clear human guidance. Yet they are not autonomous attackers in the full human sense. The primary threat today is not AI acting alone, but the combination of a human operator who defines targets and strategy with AI that executes tasks at machine speed. For organizations, this means defensive assumptions must be continuously updated: the contest between attackers and defenders has entered a new phase.
Irregular is a security research lab that collaborates with leading AI developers such as OpenAI, Anthropic, and Google, as well as government agencies, to uncover deep risks in advanced models before public release. Last September, the company announced the completion of Seed and Series A funding totaling $80 million from Sequoia Capital and Redpoint Ventures.
