The Delegation Bump: How Cybercriminals Are Weaponizing Agentic AI
This is a div block with a Webflow interaction that will be triggered when the heading is in the view.
“Do what you do best and outsource the rest.”
Nearly three decades after the founder of modern management theory coined that line, cybercriminals are putting it into practice. They’re delegating and enjoying a real efficacy and efficiency bump because of it. But they’re not delegating to teams. Or even to humans. They’re delegating to AI agents.
That delegation has reshaped how attacks are built and run. Agentic systems now plan, adapt, and execute attacks without waiting for human direction. Human cybercriminals still set attack goals. Yet decisions that once required coordination or review now happen continuously and autonomously. Crucially, many of those decisions take place during setup, before an attack is ever launched or detected.
For defenders, the impact of this shift is dramatic. Key attack milestones now occur before alerts surface or before incidents are logged. And by the time defenders recognize that an attack is underway, it is often moving at a pace that is difficult to slow, let alone stop – leaving ex post facto remediation as the only option.
In this blog, we’ll examine how attackers delegate reconnaissance, phishing, and malware operations to agentic AI, how this delegation reshapes the attack lifecycle, and why prevention needs to shift towards the same autonomous pace.
Delegating Reconnaissance: Where Attacks Take Shape
Reconnaissance used to be a one-time step. Attackers would quietly scan the landscape, find a foothold, then leverage the results to move forward to their next phase. Agentic AI shifts reconnaissance into high gear and makes it never-ending.
Today, attacker agentic AI systems collect signals continuously - scanning your infrastructure as it evolves, mapping identities as they change, identifying emerging and existing exposures, feeding those results into the setup process, and pivoting in real-time.
What’s more, agentic AI-powered exploration and setup run as one uninterrupted process. That means that as reconnaissance unfolds, infrastructure adapts with it. Domains are registered, hosts are provisioned, certificates are issued, and fallback paths are prepared. Cybercriminal agentic AI systems collect data and build the environment needed to act on it nearly simultaneously.
This environment becomes the attacker’s springboard. Its components determine how the system will reach its targets, how it will adjust along the way, and how long it can stay active. And luckily for defenders, those infrastructure choices are identifiable. We call them Indicators of Pre-Attack (IoPAs) and they show us what the attacker is building, what it’s built to do, and where it’s likely to go next.
Adaptive Phishing Powered by Autonomous Infrastructure
Phishing is being delegated to agentic AI, too. These systems handle the full stack of phishing - registering domains, issuing certificates, rotating assets, and refining campaign lures. Each part of phishing infrastructure is adapted as conditions change, all without human input.
And it works. According to Microsoft, Phishing campaigns built with agentic AI are achieving staggering click-through rates of 54% and above, compared to just 12% for manually created attacks. Setup times have dropped from hours or days to just minutes. Given this, it’s no surprise that over 82% of recent phishing emails were created with AI.
But agentic AI-powered phishing, too, leaves breadcrumbs. Even when the message evolves, the setup leaves a trail. Domain registrations still follow familiar naming logic. Certificates and kits continue to reuse infrastructure patterns. These IoPAs surface before any user clicks. They show which personas are being targeted, which brands are being impersonated, and how the attacker plans to reach the inbox.
When Malware Runs on Its Own
Malware operations no longer comprise isolated payloads that are dropped into the target environment. They, too, are delegated by cybercriminals to agentic AI systems that manage where malware is placed, when it activates, and how it stays operational once deployed. These systems choose delivery vectors, test responses, and adjust their tactics – all without human direction.
Agentic AI-powered payloads are so effective because they observe the environment first. They check for installed software, services, or endpoint monitoring tools. They can delay execution until business hours, if relevant, or wait for specific ports to open or watch for traffic between known internal assets. And they self-correct – if the initial payload does not execute, a backup loader can autonomously kick in. All of this, too, requires infrastructure. Agentic AI defines IP ranges, staging servers, and command-and-control routes as part of setup. These decisions create patterns – IoPAs that show how the system is being built to run.
In late 2025, Anthropic detected the first documented large-scale cyberattack that was executed without significant human intervention. The attack was a cyber espionage campaign carried out by a Chinese state-sponsored group, and targeted some 30 organizations. The attackers manipulated Claude Code so it could execute around 90% of the attack’s tactical work independently - reconnaissance, vulnerability discovery, credential harvesting, lateral movement, and data extraction. The AI code accomplished this at speeds that would have been impossible for human operators - executing thousands of requests per second across multiple simultaneous intrusions.
Where Delegation Leaves the Door Open
Delegation to agentic AI changes both how attacks are carried out and where defenders need to act. Traditional detection relies on Indicators of Compromise (IoCs), which surface only after execution. But agentic AI makes that timeline obsolete. The systems it runs define infrastructure early and make operational decisions long before payloads move.
That’s what makes Indicators of Pre-Attack (IoPAs) so critical. IoPAs reveal the structure behind agentic AI-powered automation - what attackers are putting in place, which systems they’re preparing to target, and how that capability will behave once activated. They offer an early look at what’s coming, and a way to stop attacks before they even get started.
Attackers are delegating to agentic AI to plan, stage, and adapt without pause. Defenders need to outsource, too. Pre-attack prevention is the only sustainable way to meet automation with automation - and to disrupt what’s being built before it can launch.
Talk to us to find out how Malanta’s pre-attack prevention can help you disrupt agentic AI attacks before they launch.
