According to Unit 42, researchers built a multi-agent penetration testing PoC to test autonomous AI offensive capabilities in cloud environments, naming the agent Zealot and coordinating three specialist agents: Infrastructure, Application Security and Cloud Security.
In a sandboxed Google Cloud Platform environment, Zealot autonomously chained SSRF exploitation, metadata service credential theft, service account impersonation and BigQuery data exfiltration, with the Cloud Security Agent eventually writing data to a newly created bucket after overcoming permission gaps.
The approach uses a central supervisor agent that maintains a single source of truth and shares attack state with the specialist agents, allowing task delegation and iterative progress across reconnaissance, exploitation, privilege escalation and exfiltration phases. The authors note that while the architecture is LLM-agnostic, human intervention was still needed at times to keep the agents out of rabbit holes and to prevent resource exhaustion. They also observed the agents occasionally showing initiative and arriving at emergent attack vectors.
The piece, published on 23 April 2026, highlights implications for defenders, including the need to audit misconfigurations and to match automation with automated detection and response. It also references Anthropic’s November 2025 report documenting AI-driven espionage, framing the discussion around autonomous cloud attacks and potential future malware-like deployments.
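As an added illustration of automated detection for the later stages of the chain described above (this is not code from Unit 42 or from the article), the sketch below correlates service account impersonation, a BigQuery job and a new bucket by the same identity within a time window. The records are constructed and simplified to the Cloud Audit Logs `protoPayload` shape; the project, identities and the assumption that `resourceName` ends in the target service account's email are illustrative.

```python
from datetime import datetime, timedelta

def rec(ts, svc, method, principal, resource=""):
    """Build a constructed, simplified audit-log record."""
    return {"timestamp": ts, "protoPayload": {
        "serviceName": svc, "methodName": method, "resourceName": resource,
        "authenticationInfo": {"principalEmail": principal}}}

SA = "analytics-sa@demo-project.iam.gserviceaccount.com"   # constructed identity
VM = "web-vm-sa@demo-project.iam.gserviceaccount.com"      # constructed identity
BQ_INSERT = "google.cloud.bigquery.v2.JobService.InsertJob"
SAMPLE_LOGS = [  # constructed sample data, not real telemetry
    rec("2026-01-10T09:00:00Z", "bigquery.googleapis.com", BQ_INSERT, "etl-sa@demo-project.iam.gserviceaccount.com"),
    rec("2026-01-10T10:00:05Z", "iamcredentials.googleapis.com", "GenerateAccessToken", VM,
        "projects/-/serviceAccounts/" + SA),
    rec("2026-01-10T10:03:10Z", "bigquery.googleapis.com", BQ_INSERT, SA),
    rec("2026-01-10T10:07:42Z", "storage.googleapis.com", "storage.buckets.create", SA),
    rec("2026-01-10T14:00:00Z", "storage.googleapis.com", "storage.buckets.create", "deploy@example.com"),
]

STAGES = {
    ("iamcredentials.googleapis.com", "GenerateAccessToken"): "impersonation",
    ("bigquery.googleapis.com", BQ_INSERT): "bigquery_job",
    ("storage.googleapis.com", "storage.buckets.create"): "bucket_create",
}
ORDER = ["impersonation", "bigquery_job", "bucket_create"]

def detect_chain(entries, window=timedelta(minutes=30)):
    """Alert when one identity is impersonated, then runs a BigQuery job,
    then creates a bucket, all in that order inside the window."""
    progress, alerts = {}, []
    for e in sorted(entries, key=lambda e: e["timestamp"]):
        p = e["protoPayload"]
        stage = STAGES.get((p["serviceName"], p["methodName"]))
        if stage is None:
            continue
        ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        # For impersonation the identity of interest is the target account (assumed
        # to be the last path segment of resourceName); otherwise it is the caller.
        who = (p["resourceName"].rsplit("/", 1)[-1] if stage == "impersonation"
               else p["authenticationInfo"]["principalEmail"])
        seen = progress.setdefault(who, [])
        if seen and ts - seen[0][1] > window:
            seen.clear()                      # chain went stale, start over
        if stage == ORDER[len(seen)]:
            seen.append((stage, ts))
        if len(seen) == len(ORDER):
            alerts.append({"identity": who, "start": seen[0][1], "end": ts})
            seen.clear()
    return alerts
```

The SSRF and metadata-service steps do not appear in these logs; they would need application or network telemetry, which this sketch does not cover.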