Abstract: Artificial intelligence is reshaping the offence–defence balance in cyberspace. Drawing on recent cases (PromptLock ransomware, Auto-Exploit pipelines, and the Air Force’s DASH wargame) and a systematic review of academic articles, this study examines how AI alters tempo, cost, and thresholds in cyberspace operations. Findings show that AI accelerates offensive exploitation, enables polymorphism, and lowers expertise requirements, while defence depends on machine-speed decision support constrained by institutional readiness. The short-term tilt favours offence, yet policy-aware autonomy and resilient governance can restore partial parity. AI functions as a structural force influencing the trajectory of state competition in cyberspace.
Problem statement: How does artificial intelligence change the offence–defence balance in cyberspace?
So what?: States and defence organisations must invest in machine-speed defensive capabilities, clear rules for automated actions, and oversight structures to prevent AI-enabled offence from outpacing defence.

AI-Enabled Cyberspace Operations
Three recent cases underscore why the offence–defence calculus in cyberspace is currently shifting. By this calculus, we mean the relative ease, speed, and cost of launching cyberattacks compared to the difficulty of detecting, responding to, and recovering from them. First, PromptLock, a proof-of-concept created by researchers at New York University’s (NYU’s) Tandon School of Engineering to illustrate the potential harms of AI-powered malware, utilises an AI system to automatically generate malicious code that can scan a computer, steal files, and encrypt data for ransom. Because the code is freshly generated each time, the digital traces defenders usually rely on to detect attacks become unpredictable and much harder to spot.[1], [2]
Second, Auto-Exploit is a proof-of-concept created by two independent Israeli cybersecurity researchers, Nahman Khayet and Efi Weiss. Their goal was to demonstrate how AI could accelerate the development of exploits. The project demonstrates that attackers can now utilise AI to convert newly published information about software flaws into functional attack tools within minutes and at almost no cost, thereby reducing the time between when a vulnerability is disclosed and when it can be weaponised.[3] Third, on the defensive side, the U.S. Air Force’s DASH exercise showed how AI can support commanders by quickly sorting through data and suggesting the best available options. What previously took ten minutes of analysis could be reduced to near-instant decisions through human–machine teaming.[4]
These cases reveal a clear trend: offensive cyberspace operations are gaining speed, adaptability, and polymorphism (malware changes quickly and is difficult to detect); defenders can regain parity only if they achieve a decision advantage and cyber resilience at machine speed. By contrast, the classic model of cyber defence was engineered around human-paced coordination. It is exemplified by blue-team-centric exercises such as Locked Shields 2019 (LS19), which emphasise two things: cyber Intelligence, Surveillance, Reconnaissance (ISR), because blue teams are scored not only on service availability but also on their ability to detect, assess, and communicate adversary activity through structured threat reports, situation summaries, and adversary assessments; and mission command within adhocratic teams.[5]
AI-Enabled Cyberspace Operations for Offence
Reviewing scientific abstracts on AI and cyberspace operations indicates three offence-relevant implications. First, AI compresses the Observe–Orient–Decide–Act (OODA) loop for offensive cyberspace operations by automating reconnaissance, exploit development, and command and control; intelligent agents enable strategic, persistent campaigns with human-on-the-loop oversight.[6] Second, AI shifts the advantage toward “information fires”: poisoning, deception, and scalable content operations that alter defender decision-making and increase surprise.[7] Third, the integration of generative models into penetration testing (simulated attacks to evaluate security) and red team tooling (offensive tools used to test defences) expands reconnaissance, payload tailoring (customising malicious code for specific targets), and automated report generation, thereby reducing operator burden and accelerating kill chain execution.[8] Evidence in the corpus is consistent with increased speed, scale, and persistence. Mentions of cyber ISR and targeting appear in roughly two-thirds of abstracts, while autonomy and automation appear in over half.
The systematic review concludes that AI’s weaponisation enhances attack precision, personalisation, and evasion, thereby reducing the cost of imposing effects through tailored phishing, malware obfuscation, and adaptive payloads. Studies of weaponised AI detail code synthesis, environment modelling, and classifier evasion that enable more adaptive malware and campaign management.[9]
Looking ahead, autonomous agents and malware introduce continuous, machine-speed contests in which offenders can manoeuvre faster than defenders can act; proposals envision opposing swarms of “intelligent goodware” and “intelligent malware,” with complex interactions and diminished human salience.[10], [11]
In the cognitive domain, chatbots function as sentinels and antagonists, scaling spear-phishing, social engineering, and persuasion, which complicates attribution and potentially raises escalation risks in persistent engagement.[12] Implications for offence, therefore, include: (a) tempo advantage through automation; (b) improved targeting via cyber ISR; (c) lower marginal costs for bespoke effects; and (d) expanded attack surfaces in cyber, physical and cognitive spaces. Yet the literature also flags countervailing dynamics, poisoning, deception, and contested learning, that can blunt offensive advantage over time.[13] These findings imply that threat actors can operate with less expertise across domains, while commanders receive effective decision support in planning.[14]
AI-Enabled Cyberspace Operations for Defence
AI-enabled cyberspace operations are accelerating tempo and expanding operational reach across defensive and offensive missions. Large language models (LLMs) augment cyber ISR and analytic triage, translating telemetry into action and compressing decision cycles. Still, they may also introduce opaque failure modes (unpredictable errors in LLMs that are difficult to trace because they are complex, non-transparent systems) and prompt-surface attack vectors (adversarial inputs that manipulate the model into producing unintended or harmful outputs).[15]
Reinforcement-learning systems can operate at machine speed to strengthen networks, contain anomalies, and use deception against attackers. However, studies show they can be fragile: if attackers change tactics, these systems may fail, and in some cases, attackers can even trick them into thinking they are working correctly. To remain effective, such systems need constant testing with simulated attacks and careful monitoring to manage risks.[16]
Systems that combine reinforcement learning with LLMs can link together steps such as reconnaissance, gaining access, and fixing vulnerabilities. This suggests the possibility of future automated modules for defensive cyberspace operations (DCO), while also indicating that similar tools could be utilised for offensive cyberspace operations (OCO).[17] Early studies stress that such systems must still keep humans in control, follow clear rules, and be verifiable to ensure compliance with rules of engagement and international humanitarian law.[18] From a resilience perspective, LLM tools can improve detection, incident response, and recovery, but they also create new risks through manipulated training data (“data poisoning”) and methods that extract hidden information (“model inversion”). These risks demand stronger checks of supply chains and data integrity.[19]
Strategically, AI-enabled operations blur the lines between espionage, preparation, and low-level attacks, which complicates signalling and increases the risk of unintended escalation.[20] Machine learning can speed up attribution and help impose costs on adversaries, but relying too much on automated assessments risks misattribution in fast-moving crises.[21]
Governance frameworks for active cyber defence, therefore, stress the need to combine automation with legal authority, oversight, and predefined responses to preserve both commander intent and civilian protections.[22] Overall, AI is pushing cyber defence toward faster, more continuous operations where people and machines work together. Defence organisations should respond by investing in testing environments, safe automation, red- and blue-team exercises, and safeguards for data integrity and escalation management.
Research Methodology
This research began with a review of current global events involving AI-enabled cyberspace operations. Three illustrative cases were identified: PromptLock, Auto-Exploit, and the Air Force’s DASH wargame. These cases highlighted the immediacy of the topic and prompted a systematic review of the academic literature to examine the implications of AI-enabled cyberspace operations for offence and defence.
To conduct this review, the research question was translated into Boolean operators tailored for the Elsevier Scopus database. The resulting search string was:
( "artificial intelligence" OR AI OR "machine learning" OR "generative AI" OR "large language model*" OR LLM* ) AND ( "cyber operations" OR "cyberspace operations" OR "cybersecurity operations" OR "offensive cyber*" OR "defensive cyber*" OR "cyber warfare" OR "cyber defense" ) AND ( ( "offense" OR "offensive" OR attack* OR "red team" OR adversary ) AND ( "defense" OR "defensive" OR "blue team" OR protection OR resilience ) ) AND ( policy OR governance OR strategy OR doctrine OR norms OR deterrence OR "decision-making" OR resilience )
This search returned 249 documents. After removing records without listed authors and eliminating duplicates, 236 articles remained in the cleaned dataset.
The next step involved keyword-based filtering of the dataset to focus on the two central dimensions of the research question. Filtering with offence-related terms (e.g., “offence,” “offensive cyber,” “attack,” “red team”) produced 96 articles that explicitly referenced AI, cyberspace operations, and offence-related mechanisms. Filtering with defence-related terms (e.g., “defence,” “defensive,” “blue team,” “resilience”) produced 99 articles whose abstracts addressed AI, cyberspace operations, and defence-related approaches.
From these subsets, abstracts that most explicitly described offence-enabling mechanisms, such as automation, deception, weaponisation, and LLM exploitation, were selected for synthesis into a structured overview. In parallel, abstracts focusing on defensive approaches, such as resilience, protection, and decision-support, were identified for integration into a complementary synthesis. Together, these two bodies of evidence provide the foundation for analysing how AI reshapes the offence–defence balance in cyberspace. In line with Nature’s editorial principles, which advocate for transparency in research methodology and authorial integrity, tools such as OpenAI’s ChatGPT-5 were used solely as a research assistant and grammar editor in this study, with full disclosure of their use.
Research Limitations
Several limitations shape the scope and interpretation of this study. First, the literature review is confined to works indexed in Elsevier Scopus. While Scopus provides comprehensive coverage of peer-reviewed scholarship, it excludes relevant sources such as policy reports, governmental publications, and classified military assessments, which may offer further insights into AI-enabled cyberspace operations. Second, the Boolean search strategy was carefully constructed to capture the offence–defence nexus, yet terminological variation poses a challenge. Articles employing alternative phrasing, such as “cyber offence” instead of “cyber attack” or “autonomous cyber defence” instead of “AI-enabled defence”, may have been overlooked. At the same time, some retrieved documents may include AI or cyber terminology without directly engaging with the research question.
Third, the process of data cleaning and keyword-based filtering, though systematic, risks excluding works that address offence–defence dynamics in less explicit terms. This concern is compounded by the reliance on abstracts rather than full texts. Abstracts, by their nature, provide selective accounts of contributions and may overemphasise technical mechanisms while underrepresenting normative, doctrinal, or governance dimensions.
Fourth, the real-world cases used as illustrative “wake-up calls” (PromptLock, Auto-Exploit, and DASH) were chosen for their immediacy and visibility. Although analytically sound, they cannot be assumed to represent the full spectrum of AI-enabled cyber activities across global contexts, particularly beyond Western security environments. Finally, the field itself is highly dynamic. The dataset reflects a snapshot in time (2025) and may not capture emerging developments, especially in areas such as the exploitation of generative AI or near-instant decision-support automation.
Despite these limitations, the study contributes novel insights by systematically narrowing a broad dataset to the most relevant cases. Drawing on seven offence-focused and eight defence-focused abstracts, it synthesises concrete mechanisms and approaches, providing a structured foundation for understanding how AI reshapes the offence–defence balance in cyberspace.
The Implications for the Offence-Defence Balance
This section describes how AI-enabled cyberspace operations alter the offence–defence balance by examining (i) baseline defender burden in complex exercises without AI acceleration, (ii) the impact of AI on offensive tempo, precision, and polymorphism, and (iii) the extent to which AI-enabled decision support can recover parity by compressing defensive decision cycles. “Offence–defence balance” denotes the relative ease, cost, and tempo with which threat actors can impose effects versus defenders’ ability to preserve mission assurance under time pressure. In this context, tempo advantage highlights the gap between how quickly attackers and defenders can move through the sense–decide–act cycle across the cyber kill chain (reconnaissance, exploitation, lateral movement, and command and control), a process that increasingly operates at machine speed.
The baseline burden on defenders is evident from a large, multinational cyber defence exercise, which indicates that defenders operate under significant stress, even before considering AI-accelerated attacks. LS19 fielded twenty-four blue teams from thirty countries in a two-day live exercise, each tasked with defending a simulated national infrastructure environment.[23] The technical scope was deliberately wide, covering critical services such as energy grids, financial platforms, and military command systems. Teams were evaluated across nine scoring categories, including attack impacts, availability of services, usability for simulated end-users, forensics challenges, responses to scenario injects, and the quality of threat and adversary reporting. This comprehensive scoring structure required participants to balance service uptime with the simultaneous production of intelligence products and responses to legal or media inquiries.
The format created high event density, compressed timelines, and continual trade-offs between competing priorities. Real-time scoring was displayed on a visible leaderboard, which incentivised performance but also increased stress and competitive pressure. Post-exercise surveys recorded high levels of perceived difficulty and workload; on average, participants rated difficulty as 4.3/5 and workload as 3.9/5. Collaboration was judged effective within sub-teams, but cross-team coordination required frequent restructuring. Observers noted the emergence of an adhocratic organisational style, where sub-teams were rapidly reconfigured to address specific problems, and coordination meetings were kept deliberately short to avoid consuming scarce time.
The Swedish team alone relied on more than twenty chat channels, supported by a wiki and regular email communication, to coordinate reporting and defensive actions. Participants were required to produce multiple types of reports (threat reports, situation summaries, and adversary assessments) at prescribed intervals, regardless of the intensity of the red-team activity. Maintaining these outputs while also sustaining technical defences strained limited cognitive and organisational resources.
The Swedish team’s real-time “operational picture” (availability dashboard) illustrates the breadth of simultaneous checks (e.g., HTTP/HTTPS, IPv6, ping) that had to remain operational while attacks and administrative tasks accumulated. These data demonstrate that blue teams were already operating at the edge of human-paced coordination before the introduction of AI-accelerated offensive tools.[24]
AI-enabled compression of offensive tempo is demonstrated in recent research, which shows that LLM–augmented pipelines can transform public advisories and the changes developers made when fixing a flaw into working proofs of concept within minutes. “Auto Exploit” synthesised exploits for multiple vulnerabilities, some in less than fifteen minutes, by chaining automated analysis of common vulnerabilities and exposures (CVE) advisories and patches to generate vulnerable test applications and exploit code. The researchers then validated the exploits against patched and unpatched targets and reported costs on the order of a dollar per exploit.[25] This capability compresses the interval between disclosure and weaponisation, increases the number of viable attack paths explored in parallel, and lowers the expertise threshold for exploitation.
The researchers behind Auto Exploit demonstrated that their prototype system could generate exploits for fourteen distinct vulnerabilities, many of them within fifteen to thirty minutes.[26] By contrast, traditional exploit development often required weeks of skilled analyst effort. The automation pipeline combined multiple functions: natural-language parsing of CVE advisories, code comparison to identify patched vulnerabilities, generation of a deliberately weakened test application, creation of exploit code tailored to the weakness, and validation against both vulnerable and patched versions of the software. This workflow illustrates how LLMs can serve as accelerators across various stages of the offensive lifecycle, from reconnaissance to payload generation.
An additional finding was that the total cost of producing a proof-of-concept exploit fell to negligible levels. The researchers estimated that, including compute and LLM access, a working exploit could be generated for approximately one U.S. dollar.[27] This changes the economics of exploitation, making it feasible to explore many more potential vulnerabilities than would otherwise be cost-effective.
On balance, faster attack speed increases the probability that what begins as a defensive patching backlog (unresolved software vulnerabilities waiting to be fixed) will be converted into a window of attack opportunity. With the ability to produce multiple validated exploits in parallel, offensive actors can scale their operations to a degree previously unattainable without significant specialist expertise.[28]
Polymorphism, deception, and indicator variance arise when AI agents embedded within malware pipelines introduce run-to-run variability in artefacts, hampering signature-based detection and accelerating adaptation to defensive feedback. The PromptLock proof of concept reportedly uses a locally hosted LLM through an open source tool that runs AI models locally to generate Lua scripts for enumeration, exfiltration, and encryption, while also composing ransom notes and performing content triage; by delegating script generation to the model, the operator gains polymorphism in indicators of compromise across executions.[29] This means that successive infections may present different hashes, command sequences, or script fragments, complicating efforts to detect attacks by traditional signature-matching techniques.
From a defender’s perspective, such variability substantially increases the search space for matching detector rules, undermines the utility of rapid Indicators of Compromise (IoC) sharing, and complicates correlation at scale. Threat intelligence teams often rely on consistent identifiers, such as file hashes, network traffic patterns, or encryption routines, to distribute signatures and coordinate detection across organisations. When these identifiers vary with each execution, indicators become less stable and therefore less effective as shared detection artefacts. This polymorphic behaviour has long been pursued in conventional malware. Still, the use of generative models lowers the cost of achieving such diversity and makes it accessible to less specialised adversaries.
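The detection problem described above can be shown with a small added example (not code from PromptLock or from any source cited here). It compares a shared file-hash indicator with a behaviour-sequence rule over constructed telemetry; the run records, event category names, and the 300-second window are all assumptions made for illustration.

```python
import hashlib

# Constructed telemetry, not taken from any real incident. Each run holds the
# text of a regenerated script (harmless placeholder text only) and the host
# events observed, as (seconds_since_start, category) pairs. The category
# names are hypothetical labels a sensor might assign.
RUNS = [
    {"id": "run-1", "script": "-- gen 1\nlist(root)\n",
     "events": [(0, "file_enum"), (30, "net_upload"), (70, "bulk_file_rewrite")]},
    {"id": "run-2", "script": "-- gen 2\nfor f in scan(root) do end\n",
     "events": [(0, "file_enum"), (12, "dns_query"), (45, "net_upload"),
                (50, "archive_create"), (110, "bulk_file_rewrite")]},
    {"id": "run-3", "script": "-- gen 3\nlocal items = crawl(root)\n",
     "events": [(0, "proc_start"), (5, "file_enum"), (20, "net_upload"),
                (25, "bulk_file_rewrite")]},
    # Benign look-alike: a backup job enumerates and uploads, but never
    # rewrites files in bulk.
    {"id": "backup", "script": "-- nightly backup\n",
     "events": [(0, "file_enum"), (60, "archive_create"), (90, "net_upload")]},
    # Unrelated admin activity spread over a working day: same categories,
    # far outside the correlation window.
    {"id": "workday", "script": "-- admin session\n",
     "events": [(0, "file_enum"), (4000, "net_upload"), (9000, "bulk_file_rewrite")]},
]

# Behaviour the page attributes to the proof of concept: enumeration, then
# exfiltration, then encryption. Expressed here as ordered event categories.
PATTERN = ["file_enum", "net_upload", "bulk_file_rewrite"]
WINDOW_S = 300  # assumed correlation window


def sha256_text(text):
    """Hash of the script artefact, as it would be shared in an IoC feed."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def hash_ioc_hits(runs, shared_hashes):
    """Signature matching: a run is flagged only if its artefact hash is known."""
    return [r["id"] for r in runs if sha256_text(r["script"]) in shared_hashes]


def matches_sequence(events, pattern, window_s):
    """True if `pattern` occurs as an ordered subsequence of event categories,
    with every matched event inside `window_s` seconds of the first one.
    Unrelated events in between are ignored."""
    events = sorted(events)
    for i, (t0, category) in enumerate(events):
        if category != pattern[0]:
            continue
        want = 1  # index of the next pattern element still to be seen
        for t, c in events[i + 1:]:
            if t - t0 > window_s:
                break
            if want < len(pattern) and c == pattern[want]:
                want += 1
        if want == len(pattern):
            return True
    return False


def behaviour_hits(runs, pattern, window_s):
    """Behavioural matching: flag runs whose events contain the sequence."""
    return [r["id"] for r in runs if matches_sequence(r["events"], pattern, window_s)]


if __name__ == "__main__":
    # An analyst who observed only run-1 shares its hash with partners.
    shared = {sha256_text(RUNS[0]["script"])}
    print("hash IoC hits:  ", hash_ioc_hits(RUNS, shared))
    print("behaviour hits: ", behaviour_hits(RUNS, PATTERN, WINDOW_S))
```

The hash indicator stops being useful as soon as the script text is regenerated, while the sequence rule depends on event categories being labelled consistently and on the window chosen, which is where tuning and false-positive review effort moves.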
Beyond technical polymorphism, AI also extends offensive reach into the cognitive domain.[30] The PromptLock code demonstrated functionality where the LLM was tasked with generating ransom notes and verifying whether exfiltrated data contained personally identifiable information. This ability to generate customised content demonstrates how LLMs can tailor communications to the victim, potentially increasing psychological pressure during extortion attempts. Similarly, generative systems can produce realistic phishing emails or social-engineering messages at scale, with subtle contextual variations that increase the likelihood of bypassing user suspicion. In this way, minor changes to analyst or user decision-making can cascade into large operational effects, such as delayed detection or inadvertent credential disclosure.[31]
Decision-centric defence, aimed at recovering parity through human–machine teaming, represents the defensive counterpoint where AI is used to compress decision cycles, elevate situational awareness, and pre-compute courses of action.[32] In the Air Force’s DASH wargame, AI-enabled microservices for “match effectors” ingested battle space data and produced ranked options with rationales, allowing battle managers to move from roughly ten-minute baselines to significantly shorter timelines.[33] This marked a shift from manual assessment of available effectors to an automated pipeline where software agents continuously scanned the operational picture, matched weapons systems to identified targets, and presented prioritised recommendations.
During the two-week event, industry teams and Air Force personnel stress-tested the system through multiple 45-minute simulation runs. The AI microservices were able to generate ranked lists of effectors within seconds, often providing explanatory reasoning that improved operator confidence. Battle managers reported that tasks that usually took ten minutes of cross-referencing between systems could be completed in less than one minute when the AI outputs were available.[34]
Although the DASH scenario focused on multi-domain command and control, including air, naval, space, and cyber effectors, the underlying pattern translates to cyberspace defence. The same principle can be applied to incident response: microservices could ingest telemetry from intrusion detection systems, correlate alerts with vulnerability databases, and present defenders with ranked containment options or recommended patches. Similarly, automated orchestration could pre-compute remediation sequences or compensating controls, allowing defenders to act faster and more consistently under pressure.
In practical terms, such systems reduce the cognitive load on blue teams by filtering vast volumes of raw data into manageable decision options. They also establish a human–machine teaming framework in which automation handles repetitive correlation, while human operators validate and authorise final actions.[35]
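A minimal sketch of the incident-response pattern described above, added here as an example and not drawn from DASH or any fielded system. The alerts, asset inventory, and vulnerability records are constructed, the CVE identifiers are placeholders, and the scoring formula and the set of pre-authorised actions are assumptions.

```python
# Constructed inputs. CVE identifiers are placeholders, not real entries.
VULN_DB = {
    "CVE-XXXX-0001": {"cvss": 9.8, "patch": "pkg-a 2.4.1"},
    "CVE-XXXX-0002": {"cvss": 5.3, "patch": None},  # no fix released yet
}
ASSETS = {
    "db-01":    {"criticality": 3, "patched": set()},
    "web-02":   {"criticality": 2, "patched": {"CVE-XXXX-0001"}},
    "kiosk-07": {"criticality": 1, "patched": set()},
}
ALERTS = [  # as an intrusion detection system might emit them
    {"id": "a1", "host": "db-01",    "cve": "CVE-XXXX-0001", "confidence": 0.9},
    {"id": "a2", "host": "web-02",   "cve": "CVE-XXXX-0001", "confidence": 0.9},
    {"id": "a3", "host": "kiosk-07", "cve": "CVE-XXXX-0002", "confidence": 0.6},
    {"id": "a4", "host": "db-01",    "cve": None,            "confidence": 0.4},
]
# Assumed policy: actions that may run without a human sign-off.
PREAUTHORISED = {"apply_patch", "increase_logging"}


def build_options(alerts, vuln_db, assets):
    """Correlate each alert with the vulnerability and asset records and
    return containment options ranked by score, each with a rationale."""
    options = []
    for alert in alerts:
        host, cve = alert["host"], alert["cve"]
        asset = assets[host]
        vuln = vuln_db.get(cve)
        # Exposed: the alert maps to a known flaw the host has not patched.
        exposed = vuln is not None and cve not in asset["patched"]
        if exposed and vuln["patch"]:
            action = "apply_patch"
            why = "%s unpatched on %s; fix %s available" % (cve, host, vuln["patch"])
        elif exposed:
            action = "isolate_host"
            why = "%s unpatched on %s and no fix released" % (cve, host)
        else:
            action = "increase_logging"
            why = "no known exposure on %s; collect more evidence" % host
        # Assumed scoring: alert confidence x asset criticality x severity.
        severity = vuln["cvss"] if exposed else 1.0
        score = round(alert["confidence"] * asset["criticality"] * severity, 2)
        options.append({"alert": alert["id"], "host": host, "action": action,
                        "score": score, "rationale": why})
    return sorted(options, key=lambda o: o["score"], reverse=True)


def dispatch(options, approved_alert_ids):
    """Split ranked options into those that run now and those held for a
    human decision. Disruptive actions run only with explicit approval."""
    run, held = [], []
    for o in options:
        item = (o["alert"], o["action"])
        if o["action"] in PREAUTHORISED or o["alert"] in approved_alert_ids:
            run.append(item)
        else:
            held.append(item)
    return run, held


if __name__ == "__main__":
    ranked = build_options(ALERTS, VULN_DB, ASSETS)
    for o in ranked:
        print("%6.2f  %-16s %-9s %s" % (o["score"], o["action"], o["host"], o["rationale"]))
    run, held = dispatch(ranked, approved_alert_ids=set())
    print("executed automatically:", run)
    print("awaiting operator approval:", held)
```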
Net Assessment of Tempo, Cost, and Threshold Effects
Artificial intelligence shifts the balance by increasing the speed gap between attackers and defenders, making attacks more challenging to detect, reducing the cost and skill required to launch them, and forcing defenders to create rules and systems that enable decisions at machine speed.
Tempo is reshaped as defenders already under extreme stress in human-paced exercises face a widening gap once offensive pipelines generate validated exploits within minutes. Advantage then shifts toward first movers who can exploit disclosure lags and patch deployment friction. The implication is that defenders who continue to rely on manual triage or ad hoc playbooks will fall behind; the race increasingly becomes one between automated exploit generation and automated defensive coordination.
Detection asymmetry emerges because AI-enabled polymorphism destabilises traditional defences by varying indicators of compromise across successive executions, forcing defenders to continually retrain models and reauthorise detection rules. Exercises reveal that defenders already struggle to maintain reporting and service availability under load; chasing polymorphic IoCs intensifies this imbalance. The core asymmetry is not only speed but also the variability and instability of detection targets.
Decision support becomes a potential counterweight through human–machine teaming, as automation can reduce cognitive load and accelerate response if institutions integrate it effectively. Decision support automation can offset some tempo advantages, provided institutions are ready to integrate heterogeneous signals, coordinate across sub-teams, and authorise automated actions. Therefore, effectiveness depends on institutional readiness, policy-aware autonomy, pre-authorisation of playbooks, trustworthy data pipelines, and runtime assurance. Absent these, automation risks adding complexity faster than it reduces cognitive load.
Cost asymmetries shift disproportionately, with AI driving exploit generation toward near-zero expense while defensive expenditures remain fixed or escalate. Exploits that once required weeks of skilled effort and thousands of dollars can now be generated at near-zero marginal cost. Defence, by contrast, bears fixed and escalating costs for telemetry, staffing, and governance. This asymmetry reshapes the economics of cyberspace operations, amplifying the strain on defenders’ resources.
Thresholds are lowered as AI reduces the expertise and resource barriers for offence. Capabilities once restricted to specialised actors, such as polymorphic malware, tailored phishing, and exploit generation, have become broadly available. Defensive automation, meanwhile, blurs boundaries between intelligence, persistent engagement, and low-intensity offence, creating a grey zone where intent and proportionality are hard to assess. Thus, thresholds are not only technical but institutional; the more automation is normalised in defence, the more it risks resembling offence in practice.
Escalation risks arise as an overlooked implication, with AI accelerating operations in ways that can undermine crisis stability. Faster exploitation cycles and polymorphic attacks reduce the time available for deliberation, while automated decision support tools encourage the rapid development of countermeasures. In a tightly coupled environment, misattribution or overconfidence in automated confidence scores could escalate incidents beyond their original scope. The compression of decision cycles, while tactically advantageous, increases the strategic risk of miscalculation and unintended escalation.
Co-evolutionary dynamics will characterise the contest, since AI in cyberspace will not remain static: offence and defence will continually adapt to each other’s innovations, resulting in a co-evolutionary race. Adversaries refine polymorphic payloads; defenders harden anomaly detection; attackers then probe those detectors with adversarial inputs. The outcome is unlikely to be decisive dominance by either side but a shifting equilibrium where marginal advantages matter. Strategic implication: investments in adaptability and learning capacity may matter more than one-off technological leaps.
Institutional readiness is decisive because technology alone does not determine outcomes. Organisations that can pre-authorise AI actions, integrate runtime assurance, and train personnel in human–machine teaming are better positioned to effectively exploit defensive AI. By contrast, rigid approval processes or weak data integrity safeguards risk turning automation into an additional layer of complexity rather than a source of resilience. The central implication is that AI’s defensive value is contingent upon doctrine, governance, and trust frameworks that incorporate human judgment into automated processes.
The net assessment is that the offence–defence balance tilts toward attackers in the short term due to faster attack speed, cost asymmetry, and polymorphism. Defensive AI can restore part of the balance but only under specific institutional conditions. Organisations that treat AI as an integrated component of doctrine and governance, rather than as isolated tools, will be better positioned to absorb shocks, impose costs, and maintain decision advantage.
From the above, three imperatives follow. First, invest in faster decision-making for defence by allowing certain defensive actions to be carried out automatically, with clear limits and safeguards in place. Second, harden data and model supply chains, as poisoning and drift are systemic risks. Third, recalibrate oversight and reporting obligations, which currently cannibalise scarce defender attention during crises.
Therefore, AI is a game-changer that redistributes tempo, cost, and thresholds in cyberspace. Its rapid adoption by adversaries magnifies asymmetries; its adoption by defenders offers only conditional recovery of parity. The decisive factor will be whether defence can institutionalise AI-enabled decision advantage faster than offence can exploit AI-accelerated opportunities.
Dr Gazmend Huskaj is the Head of Global Cyber and Security Policy at the Geneva Centre for Security Policy, Geneva, Switzerland. He holds a PhD in Computer and Systems Sciences from Stockholm University, where he defended his dissertation, “Offensive Cyberspace Operations: Implications for Sweden,” which spans political science, peace and conflict studies, and security studies. His research explores offensive cyberspace operations, intelligence, disinformation, and artificial intelligence at the intersection of technology and policy. In addition to his academic work, he has served in various conflict and post-conflict theatres with responsibilities in intelligence and security policy. The views expressed are the author’s alone.
[1] Derek B. Johnson, “Researchers flag code that uses AI systems to carry out ransomware attacks,” CyberScoop, August 26, 2025, https://cyberscoop.com/prompt-lock-eset-ransomware-research-ai-powered-prompt-injection/.
[2] Derek B. Johnson, “NYU team behind AI-powered malware dubbed ‘PromptLock’,” CyberScoop, https://cyberscoop.com/ai-ransomware-promptlock-nyu-behind-code-discovered-by-security-researchers/.
[3] Dark Reading, “Proof-of-Concept in 15 Minutes? AI Turbocharges Exploitation,” Dark Reading, https://www.darkreading.com/vulnerabilities-threats/proof-concept-15-minutes-ai-turbocharges-exploitation.
[4] Mikayla Easley, “AI tools accelerated battle management decisions during latest Air Force DASH wargame,” DefenseScoop, August 29, 2025, https://defensescoop.com/2025/08/29/air-force-wargame-dash-2-artificial-intelligence-battle-management/.
[5] Magdalena Granåsen et al., “Data Collection and Research in CDXs, Command and Control, Cyber Situational Awareness and Intelligence Perspectives on Cyber Defense,” 24th International Command and Control Research & Technology Symposium (2019).
[6] Sheila B. Banks and Martin R. Stytz, “Issues in development of … intelligent agents for strategic cyber attack.” (2014): 27–37.
[7] Christopher E. Whyte, “Problems of Poison: New Paradigms and ‘agreed’ Competition in the Era of AI-Enabled Cyber Operations,” International Conference on Cyber Conflict, CYCON 2020-May (2020): 215–232, doi:10.23919/CyCon49761.2020.9131717.
[8] Calvin Nobles, “The Weaponization of Artificial Intelligence in Cybersecurity: A Systematic Review,” Procedia Computer Science 239 (2024): 547–555, doi:10.1016/j.procs.2024.06.206.
[9] Muhammad Mudassar Yamin, Mohib Ullah, Habib Ullah, and Basel Katt, “Weaponized AI for cyber attacks,” Journal of Information Security and Applications 57 (2021), doi:10.1016/j.jisa.2020.102722.
[10] Anton Aleksandrovich Konev and Tatyana I. Payusova, “Large language models in information security and penetration …: a systematic review,” Scientific and Technical Journal of Information Technologies, Mechanics and Optics 25, no. 1 (2025): 42–52, doi:10.17586/2226-1494-2025-25-1-42-52.
[11] Paul Théron and Alexander Kott, “When Autonomous Intelligent Goodware Will Fight Autonomous Intelligent Malware: A Possible Future of Cyber Defense,” Proceedings, IEEE MILCOM 2019 (2019), doi:10.1109/MILCOM47813.2019.9021038.
[12] Hannah Szmurlo and Zahid Akhtar, “Digital Sentinels and Antagonists: The Dual Nature of Chatbots in Cybersecurity,” Information (Switzerland) 15, no. 8 (2024), doi:10.3390/info15080443.
[13] Christopher E. Whyte, “Problems of Poison: New Paradigms and ‘agreed’ Competition in the Era of AI-Enabled Cyber Operations,” International Conference on Cyber Conflict, CYCON 2020-May (2020): 215–232, doi:10.23919/CyCon49761.2020.9131717.
[14] Sheila B. Banks and Martin R. Stytz, “Issues in development of … intelligent agents for strategic cyber attack.” (2014): 27–37.
[15] William N. Caballero and Phillip R. Jenkins, “On Large Language Models in National Security Applications,” (2025), doi:10.1002/sta4.70057.
[16] Abby Morris et al., “Evaluating Reinforcement Learning Agents for Autonomous Cyber Defence,” (2025), doi:10.1002/ail2.125.
[17] Johannes F. Loevenich et al., “Design and evaluation of an Autonomous Cyber Defence agent using DRL and an augmented LLM,” (2025), doi:10.1016/j.comnet.2025.111162.
[18] Salam Al-E’mari et al., “Foundations of autonomous cyber defense systems,” (2025), doi:10.4018/979-8-3373-0954-5.ch001.
[19] Weiping Ding et al., “Large language models for cyber resilience: A comprehensive review, challenges, and future perspectives,” (2025), doi:10.1016/j.asoc.2024.112663.
[20] Christopher E. Whyte, “Problems of Poison: New Paradigms and ‘agreed’ Competition in the Era of AI-Enabled Cyber Operations,” (2020), doi:10.23919/CyCon49761.2020.9131717.
[21] Jim Q. Chen, “An intelligent path towards fast and accurate attribution,” (2019), doi:10.1007/978-3-030-01177-2_78.
[22] Donnie W. Wendt, “The Cybersecurity Trinity: Artificial Intelligence, Automation, and Active Cyber Defense,” (2024), doi:10.1007/979-8-8688-0947-7.
[23] Magdalena Granåsen et al., “Data Collection and Research in CDXs, Command and Control, Cyber Situational Awareness and Intelligence Perspectives on Cyber Defense,” 24th International Command and Control Research & Technology Symposium (2019).
[24] Idem.
[25] Dark Reading, “Proof-of-Concept in 15 Minutes? AI Turbocharges Exploitation,” Dark Reading, https://www.darkreading.com/vulnerabilities-threats/proof-concept-15-minutes-ai-turbocharges-exploitation.
[26] Idem.
[27] Idem.
[28] Idem.
[29] Derek B. Johnson, “Researchers flag code that uses AI systems to carry out ransomware attacks,” CyberScoop, August 26, 2025, https://cyberscoop.com/prompt-lock-eset-ransomware-research-ai-powered-prompt-injection/; Derek B. Johnson, “NYU team behind AI-powered malware dubbed ‘PromptLock’,” CyberScoop, https://cyberscoop.com/ai-ransomware-promptlock-nyu-behind-code-discovered-by-security-researchers/.
[30] Paul Théron and Alexander Kott, “When Autonomous Intelligent Goodware Will Fight Autonomous Intelligent Malware: A Possible Future of Cyber Defense,” Proceedings, IEEE MILCOM 2019 (2019), doi:10.1109/MILCOM47813.2019.9021038; Hannah Szmurlo and Zahid Akhtar, “Digital Sentinels and Antagonists: The Dual Nature of Chatbots in Cybersecurity,” Information (Switzerland) 15, no. 8 (2024), doi:10.3390/info15080443.
[31] Derek B. Johnson, “Researchers flag code that uses AI systems to carry out ransomware attacks,” CyberScoop, August 26, 2025, https://cyberscoop.com/prompt-lock-eset-ransomware-research-ai-powered-prompt-injection/; Derek B. Johnson, “NYU team behind AI-powered malware dubbed ‘PromptLock’,” CyberScoop, https://cyberscoop.com/ai-ransomware-promptlock-nyu-behind-code-discovered-by-security-researchers/.
[32] Mikayla Easley, “AI tools accelerated battle management decisions during latest Air Force DASH wargame,” DefenseScoop, August 29, 2025, https://defensescoop.com/2025/08/29/air-force-wargame-dash-2-artificial-intelligence-battle-management/.
[33] Idem.
[34] Idem.
[35] Idem.








