ChatGPT’s Single Prompt Now Executes Full Cyber-Attack Chain

▼ Summary
– A single prompt enabled ChatGPT-5.5 to autonomously plan and execute a full offensive cyber-attack, achieving domain-level network access in under 40 minutes.
– Cato Networks tested the agent in a controlled Active Directory environment, where it performed reconnaissance, exploitation, privilege escalation, lateral movement, and exfiltration.
– The agent demonstrated adaptive behavior, devising new strategies like custom vulnerability probes and SMB-based tunneling when environmental conditions changed.
– The research focused on GPT-5.5, not the cybersecurity-specific model, to reflect publicly accessible frontier models available to attackers.
– The specific prompts were not disclosed to prevent malicious replication, and researchers noted the findings show AI can accelerate attack workflows and reduce required expertise.
A single, overarching instruction is all it takes to turn OpenAI’s ChatGPT-5.5 into a fully autonomous cyber-attack tool. According to new tests from security researchers, this large language model (LLM) can execute an entire offensive operation, from initial reconnaissance to achieving domain-level network access, in under 40 minutes.
The experiment was conducted by threat researchers at Cato Networks, a member of OpenAI’s Daybreak Program, which authorizes approved cybersecurity testing. Their goal was straightforward: determine how far an agentic AI attack could progress when a frontier model receives a single high-level objective and the autonomy to pursue it.
In a paper released on July 15, the firm detailed how the test unfolded inside a controlled Active Directory environment built to mimic a standard corporate network. The results were stark. After a single prompt, the AI agent independently planned and executed the entire attack lifecycle. This sequence included reconnaissance, exploitation, internal discovery, privilege escalation, lateral movement, and data exfiltration.
The research was driven by the growing reality that threat actors are increasingly weaving AI into their offensive operations, often attempting to jailbreak publicly available models that have built-in safety guardrails. Cato Networks chose to focus on the general-purpose GPT-5.5 rather than the cybersecurity-specific GPT-5.5-Cyber. As the company explained in a blog post, “While both GPT-5.5 and GPT-5.5-Cyber were evaluated during the research, the later scenarios focused on GPT-5.5 to better reflect the publicly available frontier models accessible to most attackers at the time of the study.”
To prevent malicious actors from replicating the work, the specific prompts used to direct the model have not been disclosed.
Across six different scenarios, Cato Networks observed that the agentic AI was remarkably flexible. When environmental conditions shifted, it quickly devised new strategies. For example, it generated custom vulnerability probes, modified its data collection workflows, and designed alternative communication paths to reach its goal. In one test, the agent even created a Server Message Block (SMB)-based tunneling method to move data through an existing foothold.
By synthesizing lessons from these six experiments, the model was able to execute the full offensive chain at speed, reaching its objective of admin-level privileges in roughly 40 minutes. Researchers attributed this success to the model’s ability to adapt. “Several executions demonstrated adaptive behavior when expected attack paths failed or environmental conditions changed,” they noted. “Rather than following a rigid sequence of actions, the agent adjusted its approach based on observations gathered during execution.”
The researchers were careful to add that while this shows adaptive problem-solving, it should not be interpreted as evidence of discovering novel attack methods. Still, they acknowledged that “frontier models can contribute goal-oriented problem solving during offensive operations.”
Cato Networks also cautioned that while the patterns were consistent across their tests, they may not be universally representative of all enterprise environments. Nonetheless, the findings offer critical lessons for cybersecurity leaders. As AI tools become more embedded in the workplace, malicious actors are actively seeking ways to exploit them, particularly to accelerate the speed of attacks. And this capability is expected to evolve.
“A threat actor is only one part of the risk,” said Dr. Guy Waizel, tech evangelist at Cato Networks. “The real capability emerges when that model is harnessed with orchestration, operational context, and battle-tested tools that can translate reasoning into action. Our research shows that this combination can dramatically accelerate known attack workflows, reduce the amount of hands-on expertise required, and enable more coordinated execution across multiple stages of the attack lifecycle.”
Infosecurity has reached out to OpenAI for comment.
(Source: Infosecurity Magazine)




