Kill Chains and Coffee - Episode 1

7.2.26
WRITTEN BY
Armadin
With AI-generated attacks proliferating across the threat landscape, Armadin VP of Product Greg Heon highlights all the ways Armadin is fighting back. He shares what AI attacks look like, how organizations must respond, and why Armadin is turning world-class red team expertise and expansive AI tooling into the industry’s most powerful human-plus-machine solution.

Q: What’s your perspective on the new wave of AI-driven hyperattacks?

We know AI is changing cybersecurity, because adversaries are already using it. It’s really effective, so every customer we work with is trying to understand how to prepare their organization and determine what their cybersecurity strategy should be.

The landscape has changed, because five years ago you would just do your quarterly, semiannual, or annual patch. And when you found a vulnerability, you would fix it. But the rate at which threats are being discovered today is scary. It’s not a quarterly cadence anymore. It's much more frequent.

I don't know of a better way to prepare for what's coming than to try to attack yourself with the very best AI attacker and use that data to see what it can do against the environment you’ve been hardening over the last few decades. That’s the reason why Armadin specializes in running real AI hyperattacks against real environments.

It’s not just about a web app or a pre-production sandbox. We're running attacks that cross modalities to help you understand exactly how an adversary acts. We leverage AI to do it really fast and comprehensively against every single thing you own.

Q: Could you provide an example of what a typical attack might look like?

If you look at a real attack in a real environment, it starts with discovery. We're trying to understand what’s facing the internet that belongs to the enterprise—classic attack surface management. In a recent engagement we found a web server that had an exposed directory listing on the internet. It was a misconfiguration.

Most ASM products would call this a low-severity alert. In this case it wasn’t. There was a folder on the exposed directory listing with the name DLL. It turns out that folder contained the source code for the web app. Once we had source code access, the web app started to fall apart.

We had to find that asset in the first place, and once we had remote code execution in the data center, we were in an assumed breach test.

The key point is, you need to know how those problems with the web server could be used in a real attack. That's where Armadin specializes. We're really good at finding kill chains, all paths in, all the time. And we help our customers sever these kill chains quickly because we treat them like security incidents.
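The directory-listing finding above is the kind of exposure a generic scanner files as low severity. One way a defender can triage it more honestly is to look at what the listing actually exposes before assigning severity. The following Python is an added example, not Armadin's code or tooling: it recognises common autoindex pages (Apache, nginx, IIS) from a stored HTTP body, extracts the listed entries, and escalates the finding when entries look like source, binaries or configuration. The marker patterns, the sensitive-name lists and both sample responses are constructed here and are assumptions to tune per environment.

```python
"""Triage an HTTP response that may be an exposed directory listing.

Added example (not Armadin's code). Heuristics and sample bodies are
constructed; adjust the sensitive-name lists for your own estate.
"""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser

# Signatures of common autoindex pages. Constructed list of well-known formats.
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),    # Apache mod_autoindex
    re.compile(r"<h1>\s*Index of /", re.I),       # nginx autoindex
    re.compile(r"\[To Parent Directory\]", re.I), # IIS directory browsing
)

# Names whose exposure usually means source code or secrets rather than
# static assets. Constructed starting point, not an exhaustive list.
SENSITIVE_DIR = re.compile(
    r"^(dll|bin|src|source|backup|\.git|\.svn|node_modules|includes?)$", re.I
)
SENSITIVE_EXT = (".dll", ".pdb", ".cs", ".vb", ".config", ".env",
                 ".bak", ".zip", ".sql", ".pem", ".key")


class _LinkCollector(HTMLParser):
    """Collect every href from the listing's anchor tags."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


@dataclass
class ListingFinding:
    is_listing: bool
    entries: list = field(default_factory=list)    # all listed hrefs
    sensitive: list = field(default_factory=list)  # subset that raises severity
    severity: str = "info"


def _is_navigation(href: str) -> bool:
    """Skip sort links (?C=N;O=D) and parent-directory links."""
    return href.startswith("?") or href.rstrip("/") in ("", "..") or href.endswith("/..")


def assess_directory_listing(body: str) -> ListingFinding:
    """Return whether `body` is an autoindex page and how severe the exposure is.

    Severity is 'low' for a listing of ordinary assets and 'high' when any
    entry matches the sensitive directory or extension lists.
    """
    if not any(marker.search(body) for marker in LISTING_MARKERS):
        return ListingFinding(is_listing=False)

    collector = _LinkCollector()
    collector.feed(body)
    entries = [h for h in collector.hrefs if not _is_navigation(h)]

    sensitive = []
    for href in entries:
        basename = href.rstrip("/").rsplit("/", 1)[-1]  # handles IIS absolute paths
        if SENSITIVE_DIR.match(basename) or basename.lower().endswith(SENSITIVE_EXT):
            sensitive.append(href)

    severity = "high" if sensitive else "low"
    return ListingFinding(True, entries, sensitive, severity)


# Constructed sample: an Apache-style listing with a DLL folder and a config file.
SAMPLE_LISTING = """<html><head><title>Index of /</title></head><body>
<h1>Index of /</h1><table>
<tr><th><a href="?C=N;O=D">Name</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td></tr>
<tr><td><a href="DLL/">DLL/</a></td></tr>
<tr><td><a href="images/">images/</a></td></tr>
<tr><td><a href="web.config">web.config</a></td></tr>
</table></body></html>"""

# Constructed sample: an ordinary page with links but no listing markers.
SAMPLE_NORMAL = "<html><head><title>Welcome</title></head><body><a href='/login'>Log in</a></body></html>"

if __name__ == "__main__":
    for label, body in (("listing", SAMPLE_LISTING), ("normal", SAMPLE_NORMAL)):
        finding = assess_directory_listing(body)
        print(f"{label}: listing={finding.is_listing} severity={finding.severity} "
              f"sensitive={finding.sensitive}")
```

In practice the body would come from a stored scan result for each internet-facing host; the point of the example is that the same "directory listing enabled" signal lands as low for an `images/` folder and as high for a `DLL/` folder or a `web.config`, which is the distinction the interview says a generic severity rating misses.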

Q: Is this particular attack unique or something that could apply to any customer environment?

We get a lot of leverage from reusing the same findings across all customer environments, including emergent threats. For example, there was a GlobalProtect vulnerability disclosed in early May, and Rapid7 wrote a blog post about it in late May.

Within hours of seeing that blog post, we had a proof-of-concept exploit and ran it against every customer-facing asset we had. We found one that was actually exploitable. In this case, the customer had a GlobalProtect VPN sitting in front of their OT environment.

Because it was an OT environment, they didn't want to do any vulnerability scans against it. So they were flying completely blind to the exploitable vulnerability, and we were able to give them clear guidance within a matter of hours.

That highlights the power and scale of the Armadin technology. We can build something once and roll it out everywhere. We don't have to write a script and hope it works, because the AI can reason about what it sees and attack in a novel way based on the context as it interacts with the target.

Q: Why is the Armadin approach different from others?

We’re seeing a pattern of remote code execution from the perimeter. Every time we run an external assessment using the power of our own AI hyperattacks, we find at least one way in and have remote code execution inside the perimeter.

Most red teams are given multi-month missions to reach a certain objective. They try to get in from the outside, but 90-plus percent of the time they get in through social engineering because it's easier to break people than systems. In contrast, we're spending far less time and money but still getting remote code execution against organizations that have pumped $100 million into their security over a period of years.

Q: How do you perform these types of novel attacks? Is it the combination of red team humans and AI, or tools and specializations?

At our core, Armadin is a product and technology company. But running real attacks in real environments requires humans for safety. We've built a ton of technical controls and sophistication to make sure the AI doesn't go off the rails. Our team is always in the loop for safety.

We have an expert team of red teamers who can notice when the AI didn't follow up on a potential issue where they would have personally pulled on the thread and extended the attack further. I think that’s a huge superpower, because the combination of human plus machine gives our customers the best possible understanding of the exploitable risk in their environment.

They know exactly how long a kill chain is and what they need to fix it.

Q: Are you integrating novel items from the wild to train the Armadin platform?

Yes. There are a lot of really smart attackers in the world. And while we certainly push the frontier in the absence of any data, we steal from the available threat intelligence data to make our attacker better. It’s a no-brainer, because it helps us support our customers when there’s an emergent threat.

When we find a CVE in the wild, we can quickly work it into our attacker. The good news is our AI can generate an exploit on the fly for something it’s never seen before, but it can also leverage technology it already knows.

That helps us provide the best coverage across all modalities. Our customers are already changing their expectations thanks to the speed and scale at which we operate.

Stay Ahead of Whatever Threats May Come

To explore how Armadin can help you prepare for the new wave of AI hyperattacks, be sure to request a demo.
