Living-Off-the-Land 2.0: How Autonomous AI Agents Are Weaponizing LOTL Tradecraft — And What It Means for Cyber Underwriting

The cybersecurity community has tracked living-off-the-land (LOTL) attacks for over a decade. The technique — using legitimate system tools and binaries already present on a target machine rather than dropping custom malware — is mature, well-documented, and devastatingly effective. The LOLBAS project currently catalogs over 200 Windows binaries that can be abused for offensive purposes, and PowerShell appears in approximately 71% of LOTL attacks.

What’s new in 2025/2026 isn’t the technique. It’s the operator.

The Convergence: Autonomous Agents Meet Mature Tradecraft

The individual pieces of this threat have existed for years. LOTL is established tradecraft. AI agents are increasingly capable. What’s changed is that these two capabilities are now converging at precisely the moment both have reached operational maturity.

Three research developments make this concrete rather than speculative:

RapidPen: IP-to-Shell Without Human Intervention

The RapidPen research framework demonstrated full autonomous compromise — starting from only a target’s IP address, the agent performed reconnaissance, identified vulnerabilities, exploited them, and established shell access with no human in the loop. This wasn’t a controlled demo against a vulnerable test target. It was a general-purpose attack automation framework that adapted its approach based on what it found at each stage.

The significance for underwriting: the “time-to-compromise” metric that many risk models rely on is compressed when the attacker doesn’t need sleep, doesn’t make emotional decisions, and can parallelize across hundreds of targets simultaneously.

AutoAttacker: Replicating the Skilled Operator

AutoAttacker went further, demonstrating high success rates in automating 14 distinct “hands-on-keyboard” post-breach attack techniques across different operating systems. These weren’t simple script executions — they replicated the decision-making process of a live operator: escalating privileges, moving laterally, establishing persistence, and adapting tactics when initial approaches failed.

For underwriters, this matters because the “post-breach” phase — the dwell time between initial access and impact — has traditionally been where detection and response capabilities create value. If the attacker operates faster and more consistently than human responders, the detection window narrows.

The Autonomous Agent Threat Model

The ultimate threat scenario, articulated in recent security research, is a fully autonomous agent deployed with a specific objective, running local inference (no command-and-control traffic to detect), and contacting its backend only upon task completion. In long-term operations, the agent can:

• Execute tasks slowly to avoid behavioral detection thresholds
• Adapt tactics from system to system within a network
• Be explicitly instructed to use only living-off-the-land binaries — no custom tooling, no signatures to detect

This collapses three attacker constraints simultaneously:

Constraint	Human Operator	AI Agent
Cost	$150-400k/year for skilled red teamer	Compute cost, parallelizable
Skill	Years of training, uneven talent	Consistent execution of documented techniques
Detectability	Behavioral anomalies from human patterns	Can be tuned to operate within normal parameters

A human red-teamer who is patient, creative, and uses only signed Microsoft binaries is expensive and rare. An agent doing the same is cheap and parallelizable.

What’s Showing Up in Real Incidents

This isn’t theoretical. The tradecraft patterns are already visible in active campaigns:

Storm-1175 / Medusa Ransomware

Microsoft’s threat intelligence teams have tracked Storm-1175’s Medusa ransomware campaigns extensively. These attacks systematically use living-off-the-land binaries — PowerShell for execution and enumeration, PsExec for lateral movement, and Impacket for authentication manipulation. The attack chain from initial access to domain-wide encryption relies heavily on tools that are legitimate components of Windows administration.

The relevance: every step in this attack chain is a technique that autonomous agents have already demonstrated they can replicate. The human-operated version is the blueprint; the agent-operated version is the scalability multiplier.

Asian Critical Infrastructure Campaigns

Recent attacks against critical infrastructure in Asia combined custom malware with modified open-source utilities and LOLBINs to maintain persistent presence within targeted environments. The attackers used legitimate administrative tools for lateral movement, making the traffic difficult to distinguish from normal system administration.

This is the detection challenge in microcosm: when the attacker uses the same tools as the administrator, signature-based detection fails by design.

The Current Baseline vs. The Trajectory

A critical caveat: the volume of fully autonomous agent-driven LOTL attacks observed in the wild in early 2026 is still small relative to human-operated campaigns. Most current incidents involve AI-assisted reconnaissance or initial access automation, with human operators still making key decisions during post-breach phases.

But underwriting on the current baseline is a mistake. The trajectory is what should drive risk assumptions:

• 2024: AI used for reconnaissance, phishing generation, initial exploit selection
• 2025: Demonstrated autonomous post-breach execution in research settings
• 2026: Beginning of agent-assisted campaigns in the wild (current state)
• 2027+: Widespread autonomous LOTL operations expected as agent frameworks mature

The Underwriting Implications

This is where the analysis matters for your book. The marginal new risk from LOTL 2.0 isn’t “AI can hack” — it’s that the dwell time, lateral movement sophistication, and operational parallelism that previously required APT-grade human operators are becoming commoditized.

1. The Mid-Market Protection Gap Closes

Mid-market insureds (€50M–€500M revenue) have historically benefited from an implicit protection: they were too small to justify the time and skill investment of a sophisticated human attacker. The economics of the attack didn’t work when a skilled operator cost $200/hour and could only target one organization at a time.

When an AI agent can execute the same tradecraft for pennies in compute cost and operate against dozens of targets simultaneously, that economic protection disappears. Mid-market organizations that previously “weren’t worth an APT’s time” become economically viable targets.

Underwriting action: Re-evaluate mid-market risk selection. Historical loss frequency data for this segment may understate future exposure if the attacker economics have fundamentally shifted.

2. Detection Controls Need Reassessment

Many mid-market and even enterprise insureds rely on controls that are specifically weakened by LOTL techniques:

• Antivirus/EDR signature detection: By definition, LOLBINs are signed, legitimate binaries. Signature-based detection fails.
• Network traffic analysis: LOTL generates legitimate administrative traffic patterns. Anomalous-only detection misses slow, deliberate LOTL operations.
• Periodic penetration testing: Tests a point-in-time posture against human-speed attacks. Doesn’t model continuous autonomous operations.

The controls that become more valuable under LOTL 2.0:

• Behavioral analytics: Not “what binary is running” but “is this usage pattern consistent with the user’s role and history?”
• Identity-based access controls: Limiting what authenticated users (and therefore compromised credentials) can do, regardless of what tools they use
• Privileged access management (PAM): Restricting lateral movement even when legitimate credentials are compromised
• Endpoint detection and response (EDR) with behavioral models: Detecting anomalous use of legitimate tools, not just anomalous binaries

Underwriting action: During risk assessment, weight behavioral analytics and identity-based controls more heavily than signature-based detection capabilities. Ask specifically about PowerShell logging, script block logging, and administrative tool monitoring.

3. Frequency vs. Severity Curves

Business Email Compromise (BEC) and ransomware frequency curves may steepen faster than severity curves — at least initially. Here’s why:

• Frequency increases because the attacker economics support targeting organizations that were previously below the threshold
• Severity may not increase proportionally because the same agent capabilities that improve attack execution also improve defensive automation — and because the fundamental impact (data exfiltration, encryption, business interruption) hasn’t changed
• Aggregate loss potential (frequency × severity) likely increases even if individual event severity stays flat

Underwriting action: Model scenarios with increasing attack frequency against mid-market segments while holding per-event severity assumptions constant. The portfolio-level impact may be material even without individual catastrophic events.

4. The “No Custom Malware” Problem for Forensics

One of the more subtle implications: LOTL attacks leave a fundamentally different forensic footprint than custom malware campaigns. When an attacker uses PowerShell, PsExec, and legitimate administrative tools, the forensic evidence is:

• Spread across normal system logs rather than concentrated in malware artifacts
• Difficult to distinguish from legitimate administrative activity
• Often subject to the same log retention policies that may not retain the granular detail needed for attribution

This has claims implications: incident complexity and cost may increase not because the attack is more destructive, but because the investigation is more difficult. Insurers should expect longer claim adjustment periods and higher forensic costs for LOTL-dominant incidents.

What to Watch: Leading Indicators

For underwriters and risk engineers tracking this threat evolution, the leading indicators to monitor:

1. Academic publications on autonomous attack frameworks — the RapidPen and AutoAttacker papers were early indicators. New publications demonstrate capability maturation.

2. Threat intelligence on LOTL-dominant campaigns — watch for campaigns where the tooling is overwhelmingly legitimate binaries with minimal custom malware. This indicates either tradecraft discipline or automation.

3. Speed of post-breach operations — if the average dwell time for specific threat groups decreases significantly while the sophistication of lateral movement holds constant, this may indicate automation rather than improved human tradecraft.

4. Parallel targeting patterns — multiple organizations in the same sector hit with similar LOTL chains within compressed timeframes suggests automated or semi-automated operations rather than sequential human campaigns.

5. Vendor claims about “AI-powered attacks” — these should be treated with healthy skepticism but tracked as sentiment indicators. When marketing catches up to capability, the capability is usually already deployed.

The Bottom Line

The convergence of agentic AI with LOTL tradecraft is not a future risk to monitor — it’s a current risk to price. The capabilities are demonstrated, the tradecraft is documented, and the initial incidents are visible. The question for underwriters isn’t whether this changes the risk landscape, but how quickly it changes and whether your pricing models and risk selection criteria are keeping pace.

The organizations that will fare best under this threat evolution are those that invested in behavioral monitoring, identity-centric security, and privileged access management — the controls that remain effective regardless of whether the attacker is a human in a hoodie or an agent in a container.

For everyone else, the implicit protections of the past — too small to target, too complex to automate, too expensive to operate at scale — are eroding faster than most risk models reflect.

---

This is the first post in our LOTL 2.0 Series tracking the convergence of autonomous AI agents and living-off-the-land tradecraft. Next in series: The Underwriting Playbook — risk selection criteria for the LOTL 2.0 era →