On May 10, 2026, the Sysdig Threat Research Team documented the first publicly confirmed LLM agent-driven cyberattack: from a Marimo RCE to a full PostgreSQL exfiltration in under an hour, with the SSH bastion phase finishing in two minutes. Here is the forensic timeline, the four markers that prove it was an agent, and the detection patterns defenders need to ship this week.

The First Real LLM Agent Cyberattack Just Happened and Defenders Are Not Ready

Let me give you the tl;dr first because this story is going to define the security industry for the next decade: on May 10, 2026, the Sysdig Threat Research Team documented the first publicly confirmed intrusion driven by an LLM agent in its post-exploitation phase. The attacker compromised a public Marimo notebook, harvested AWS credentials, retrieved an SSH key from AWS Secrets Manager, fanned traffic across eleven Cloudflare Workers IPs to defeat detection, and exfiltrated a full PostgreSQL database through a bastion server. End-to-end. Under one hour. With the SSH bastion phase itself finishing in under two minutes. The Marimo entry point (CVE-2026-39987) is patched, but the attack shape is now a blueprint every other group can copy. If you are responsible for an environment that faces the public internet, this is the story you read first today.

If you think that's alarmist, read the rest. Then decide.

Why This Is the Story That Actually Matters

I've been watching the AI-and-security conversation for two years, and most of it has been noise. Vendors selling "AI-powered SOCs." Detection engineers debating whether GPT-5.5 can write YARA rules. Threat intel newsletters publishing "AI threats to watch in 2026" lists full of theoretical risks. The whole conversation has been anticipatory — the future of AI-driven attacks described by people who haven't seen one yet.

Sysdig just ended that. They didn't publish a forecast. They published a forensic timeline of an attack that happened, in a real environment, against a real database, with the raw command stream to prove it. Michael Clark, Sr. Director of Sysdig TRT, summarized the shift in a single sentence that I think will be quoted in security textbooks for years: "We are not watching AI replace attackers. We are watching attackers replace their scripts with AI."

That is the right framing, and I want to spend the rest of this post explaining why it changes what defenders need to do starting this week, not next quarter.

The Attack in Detail, Because the Details Are the Story

Let me walk you through the actual kill chain Sysdig captured. The dates are May 10, 2026, all times UTC.

**18:23:44** — First WebSocket connection from 157.66.54.26 to `/terminal/ws` on a vulnerable Marimo instance. The vulnerability is CVE-2026-39987, a pre-authentication remote code execution flaw in Marimo (the open-source reactive Python notebook) with a CVSS of 9.3. Missing authentication on the terminal WebSocket handler. A single HTTP upgrade and the attacker has an interactive shell.

**18:23:45** — One second later, the first interactive command: `id`. Standard recon. Any seasoned pentester would do the same thing.

**18:24:14** — Twenty-nine seconds in, the attacker begins a credential harvest against `/app/.env*`, `/etc/environment`, `/proc/*/environ`, and `~/.aws/credentials`. This is the part where a script-driven attack would have either found credentials or not. An agent-driven attack reads the response and decides what to do next.

**19:26:31** — Forty-eight minutes later, the first AWS API call (`sts:GetCallerIdentity`) using one of the harvested access keys. The 48-minute gap is consistent with the attacker pulling harvested values out of one tooling environment and feeding them into another — a phase handoff that doesn't happen in a single scripted chain.

**19:26:52** — Twenty-one seconds later, the first `secretsmanager:GetSecretValue` call against an SSH-key secret. The attacker has pulled the SSH private key from AWS Secrets Manager.

**19:30:30** — Four minutes after that, the first SSH authentication on the downstream SSH bastion using the retrieved key.

**19:30:30 to 19:32:23** — Eight parallel SSH sessions against the bastion, executed from six distinct Cloudflare Workers IPs, dumping the internal PostgreSQL database. The schema enumeration, the credential-table dump, and the final multi-statement HEREDOC of six tables (api_key, credential, user, variable, flow, message) all happened in 113 seconds. The whole attack, from the first WebSocket to the last database row leaving the environment, finished in under an hour.

Read that timeline again. A skilled human operator could replicate it, but not in under an hour, not while improvising against an unknown schema, not while fanning traffic across eleven Cloudflare edge locations to defeat detection. This is something else. This is an agent.

The Four Markers That Prove It Was an Agent

Here's the part that should worry every detection engineer. Sysdig identified four properties in the bastion session transcript that distinguish an agent-driven intrusion from a scripted one. I want to walk through them in detail because they're the diagnostic signals defenders will need to learn.

**1. The dump is improvised against a target the operator had no on-host evidence for.** The attacker ran `SELECT tablename FROM pg_tables` first, then immediately targeted specific tables. The final HEREDOC bundled six queries into a single psql invocation: `SELECT * FROM api_key; SELECT * FROM credential; SELECT * FROM "user"; SELECT * FROM variable; SELECT * FROM flow; SELECT * FROM message;`. That table list reads as a generic prior for "AI-workflow database" — close to the Langflow schema. Except the `credential` table doesn't exist in Langflow. The agent dumped it anyway, on the strength of the name. A pre-validated playbook does not ship a six-table dump, including a table that does not exist in the application the schema is shaped for, against a database identified only by hostname. The agent improvised.

**2. The planning step leaks into the command stream at sub-second tempo across six IPs.** Look at this block, captured by Sysdig:

看还能做什么

cat ~/.bash_history 2>/dev/null | tail -20

echo '---'

cat ~/.pgpass 2>/dev/null

echo '---'

cat ~/.gitconfig 2>/dev/null

echo '---'

ls -la /tmp/ 2>/dev/null | head -10

echo '---'

find /home/deploy -type f -name '*.pem' -o -name '*.key' -o -name '*.env' 2>/dev/null

The opening line is a Chinese-language comment: "See what else we can do." A pre-built script has no internal monologue. A human typing at a remote terminal can leave such a comment, but not while sourcing the same SSH session from six distinct IPs at sub-second cadence. That is an AI orchestrator leaving a planning note in its own output stream, in the language its model was most comfortable thinking in. The leaked planning comment is now a forensic artifact defenders can search for.

**3. Every command is shaped for machine consumption.** Five shaping signs repeat across the eight bastion commands. Echo `'---'` separators between probes — a delimiter a downstream process can split on, useless to a human and unnecessary for a script. Quoted-EOF HEREDOC for the multi-table dump — bundling six SELECTs into one psql invocation to get the entire dump in a single tool call. `2>&1 | head -N` on the schema listing — bounded captures to keep the agent's context window clean of dump rows it cannot reason over. `-P pager=off` on the HEREDOC — disabling `less` because the consumer of the output is not a human pressing space. `2>/dev/null` on every command — discarding stderr to keep the agent's observation clean of failed command noise. A scripted operator does the opposite on most of these. The shapes are LLM-agent output, and once you see them you can't unsee them.

**4. The value handoffs are lifted from prior tool output.** The agent ran `cat ~/.pgpass` to retrieve the database password, then in the very next call substituted that password into the PGPASSWORD environment variable of a psql command. It ran `ls -la ~/.ssh/id_ed25519*` to confirm the SSH key existed, then in the next call ran `cat ~/.ssh/id_ed25519` to read it. The pattern is unmistakable: every input to the next step is an observation from the previous step. This is what agentic execution looks like at the shell level — outputs flowing forward into the next tool call as parameters. A scripted operator passes values through variables in the script. An agent passes them through the model's context.

These four markers are the detection signatures that actually work against this class of attack. None of them are IOCs in the traditional sense. You can't signature them with a regex. But you can instrument for them. And the defenders who do will be the ones who catch the next one.

Why Your Detection Stack Probably Won't Catch This

Here is the hard truth: most enterprise detection programs are built around indicators of compromise. Hashes. IPs. Domain names. Command-line strings. YARA rules. Each of these is a fingerprint of a *previous* attack, and the value comes from the assumption that attackers reuse their fingerprints.

An LLM agent invalidates that assumption by construction. There is no fixed playbook to fingerprint. There is no signature to match. The agent improvises its commands for every target, the way a human pentester does, except it does it in seconds instead of hours. The Sysdig quote that should be on every CISO's desk this week: "When a scripted operator builds a per-target playbook and reuses it, the bar to adding a new target is engineering time. However, an agent operator carries general priors about a class of applications and composes the chain live to best fit its target. Here, the bar becomes inference budget, not playbook authorship."

The economic implications are stark. A scripted attack has linear scaling — every new target requires new engineering work. An agent attack has sublinear scaling — every new target requires only inference budget, which is dropping 60-70% per year. The asymmetry is structural, and it tilts the field toward the attacker for the first time in a generation.

Add the Cloudflare Workers egress pool — 12 cloud API calls fanned across 11 distinct IPs in 22 seconds, each routed through a different edge location — and the source-IP correlation that AWS-side defenders rely on breaks. The IP-based detection layer is now obsolete for this class of attack. You have to detect the *behavior*, not the *address*.

The Detection Patterns That Actually Work

If you're a detection engineer reading this, here's the practical advice. The four markers above are not theoretical. They are detectable in real time, with the right instrumentation.

**Detect command shape, not command content.** Train your detection on the structure of agent output: HEREDOC usage, `2>/dev/null` on every command, `2>&1 | head -N` truncation, `-P pager=off`, the echo `'---'` delimiter pattern. A single command with one of these shapes is a person. Eight commands in two minutes, all shaped for machine consumption, from six distinct egress IPs, is an agent. The shape signature is more durable than the command signature, because the agent will keep producing shaped commands as long as the model behaves the way current models behave.

**Instrument for value handoffs.** The tell of an agentic session is that outputs flow into inputs across tool boundaries. Track when the output of one command (a credential, a hostname, a path) appears as a parameter of the next command within seconds. The PGPASSWORD-from-pgpass pattern is detectable. The SSH-key-from-`ls`-then-`cat` pattern is detectable. Build detections for them.

**Flag planning artifacts in shell transcripts.** Search your session logs for embedded comments inside command blocks. Real human operators don't leave inline planning comments in their command stream. Agents do, in the model's training-favored language, because they're reasoning out loud. The Chinese-language comment in this attack is one example. The pattern is the signal, not the language.

**Look for the egress fan-out.** Twelve API calls in 22 seconds across eleven distinct source IPs is not normal application behavior. It is not normal scripted attack behavior. It is the structural signature of an edge-egress pool, and it is detectable at the cloud provider level. AWS, Cloudflare, and your CDN should be giving you telemetry that surfaces this; if they aren't, ask why.

**Shift detection to outcomes, not procedures.** Static rules built around specific command patterns are now structurally obsolete. Detect credential access, lateral movement, secrets-manager reads, and database exfiltration as *behaviors* — what the attacker is accomplishing — not as *sequences* — how they're doing it. The "how" is now generative. The "what" is still constrained to a small set of high-value actions.

The Defensive Posture That Will Actually Hold Up

Detection is the reactive layer. The proactive layer matters more, and most teams haven't updated it for the new threat model.

**Patch your internet-facing dev tooling. Today.** The Marimo entry point had a CVSS of 9.3 and a patch (version 0.23.0) for weeks before this attack. If you have any internet-reachable Jupyter, Marimo, VS Code Server, Code Server, RStudio Server, or similar dev environments, assume they're being scanned and patch them. The Marimo RCE was disclosed in April 2026 and was exploited in under 10 hours in earlier attacks Sysdig documented. The lesson is the same one we've been ignoring for a decade: dev tooling on the public internet is a target, and the time-to-exploit is now measured in hours, not weeks.

**Rotate every credential the Marimo host could touch.** The harvested AWS credentials in this attack should be considered compromised. Any SSH key in AWS Secrets Manager that those credentials could read should be considered compromised. The PostgreSQL credentials on the bastion — which the agent pulled from `~/.pgpass` — should be considered compromised. Rotate them all. Audit CloudTrail for `secretsmanager:GetSecretValue` calls from any unexpected source IPs and rotate the secrets they read. Yes, this is a lot of work. The alternative is an attacker with your SSH key.

**Segment dev environments from production.** The fact that a dev notebook host had access to AWS credentials that could read SSH keys that could reach a production bastion is a network architecture failure, not a Marimo failure. Dev environments should not be able to assume production IAM roles. The blast radius of a compromised dev host should not include production data plane. Most teams know this. Most teams haven't done it. The Sysdig report is the new justification memo you've been waiting for.

**Adopt ephemeral credentials.** Long-lived AWS access keys in `~/.aws/credentials` are how this entire chain pivoted from a notebook compromise to a database exfiltration. If your workloads used IAM roles via OIDC federation or short-lived STS credentials scoped to specific actions, the harvested keys would have been worthless. The same is true for SSH keys in Secrets Manager — if you can replace them with SSM Session Manager or AWS Session Manager–style ephemeral access, you eliminate the credential class that this attack exploits.

**Treat any unexpected Cloudflare Workers traffic as a signal.** Cloudflare Workers as a per-request egress pool is now a documented attacker technique. If you see Cloudflare Workers IPs in your AWS CloudTrail or in your bastion's SSH logs, that's not legitimate user traffic. Build detections for it.

The Strategic Implication: The Defender-Attacker Cost Curve Just Inverted

Here's the structural change that nobody is framing correctly.

For the last twenty years, the cost curve has favored the defender. Automation let defenders scan for vulnerabilities, centralize logs, and respond to incidents at a scale no human attacker could match. The defender's marginal cost per attack was a few dollars of compute. The attacker's marginal cost per target was the engineering time to build a new exploit chain. The asymmetry was a structural advantage for the defender.

The agent-driven attack inverts that curve. The attacker's marginal cost per target is now inference budget — measured in cents and falling. The defender's marginal cost per incident is still alert triage, log analysis, incident response, and credential rotation — measured in engineer-hours and rising. For the first time, the cost curve favors the attacker for certain classes of attack, and the gap widens as inference costs continue to fall.

This doesn't mean defenders lose. It means the defender advantage shifts from automation to architecture. The defenders who win the next decade are the ones who design systems where credential theft has no value — ephemeral credentials, scoped IAM, network segmentation that prevents lateral movement, and detection that catches behavior rather than procedure. The defenders who lose are the ones still trying to match attackers command-for-command with regexes.

The other structural response is to use AI to defend. The same agentic capability that an attacker can buy from an inference provider, a defender can buy too. SOC automation that actually reasons, not just correlates. Detection engineering copilots that generate hypotheses from telemetry in minutes. Incident response agents that can run the playbook and write the postmortem while the human is still paged. The defender who shows up to the agent-on-agent fight with a SIEM and a YARA library is going to lose. The defender who shows up with their own agent fleet has a chance.

What I'm Telling My Own Team This Week

In case the practical advice is useful: here's what I'm telling the engineers I work with.

First, treat this report the same way you'd treat a 9.8 CVSS in your own stack. The Marimo attack pattern is reproducible against any internet-facing dev tool with an RCE. Audit every dev environment you have on the public internet. Patch or take it down. The 10-hour time-to-exploit that Sysdig documented earlier in the year is the new floor.

Second, the detection patterns I outlined above go into our detection backlog this week. HEREDOC + `2>/dev/null` + value handoffs in shell transcripts is a high-confidence behavioral signature. Cloudflare Workers as egress pool is a high-confidence infrastructure signature. We don't need to detect LLM agents generically — we need to detect the *patterns* of agentic execution that are common across all current models.

Third, we are reviewing every long-lived credential in the production path. AWS access keys, SSH keys, database passwords, CI/CD tokens. Anything that has a longer lifetime than the work it protects is now a liability. We are accelerating the migration to OIDC federation, IAM roles, SSM Session Manager, and short-lived credentials across the board. The pace was already aggressive. This report just justified the cost.

Fourth, we are training our incident responders on agentic attack patterns. The kill chain looks different. The timeline is compressed. The IOCs are different. The mental model of "we have hours to respond because humans are slow" is wrong. We have minutes, sometimes seconds. Tabletop exercises need to reflect that.

The Take

The first real LLM agent cyberattack happened on May 10, 2026, and it looked almost exactly like the forecasts warned us it would, except faster, cleaner, and more adaptive than the forecasts predicted. A pre-auth RCE in a public dev tool became a database exfiltration in under an hour, with a credential pivot through AWS Secrets Manager and an egress fan-out through Cloudflare Workers that broke source-IP detection. The kill chain ran end-to-end without a human in the loop. The detection signatures are different from anything in our existing playbooks. The cost curve has shifted.

If you take one thing from this post, take this: the defenders who treat this as just another APT report are going to be wrong-footed for the next twelve months. The defenders who treat this as the moment the cost curve inverted — who redesign their detection around behavior, their credentials around ephemerality, and their network around segmentation — are going to be the ones still standing when the next wave of agent-driven attacks lands.

Sysdig gave the industry a gift. They published the full forensic timeline of an LLM agent attack while it's still possible to learn from it. Most major security vendors wait until the playbook is mature before they share. Sysdig shared while the first one is still being written. Use it.

The agent era of cyberattacks started on May 10, 2026. The agent era of cyber defense has to start this week.

*Primary source: Sysdig Threat Research Team, "AI agent at the wheel: How an attacker used LLMs to move from a CVE to an internal database in 4 pivots" (May 2026). Four markers of agent-driven execution: improvised schema dump, leaked Chinese-language planning comment, command shapes built for machine consumption, value handoffs lifted from prior tool output. The Marimo entry point was CVE-2026-39987 (CVSS 9.3), pre-auth RCE, patched in Marimo 0.23.0. Context: this is the second major documented AI-orchestrated intrusion after Anthropic's November 2025 disclosure of the GTG-1002 Chinese-state-affiliated espionage campaign — but the first with the full command stream and timeline publicly available for forensic study. The defenders who internalize it now have a window. The window is closing.*