New research from Cato Networks, shared exclusively with CyberScoop, demonstrates that an AI agent paired with a purpose-built technical harness can execute complete attack chains with minimal human direction. Across six simulated scenarios, the agent achieved domain administrator privileges and Active Directory access, sometimes in as little as 40 minutes.
The research paired OpenAI’s ChatGPT 5.5 and GPT 5.5-Cyber models with Cato Networks’ own tooling. The agent started with limited resources: an external Kali Linux attack host, a target’s public IP address, and a set of low-level domain credentials acquired through simulated phishing. It received no information about the target’s server type, operating system, internal network topology, or available attack paths.
What the Agent Did
From those starting conditions, the agent probed for additional intelligence, identified the target as a Microsoft Exchange server, mapped internal network topology, escalated privileges, and achieved domain admin access. It completed all stages of the attack autonomously.
“What was most surprising is that first we saw that it was capable of doing accelerated reasoning and attack, and interacting and doing all this by itself, like doing all of the stages of the attacks,” Guy Waizel, a tech evangelist at Cato Networks and one of the research authors, told CyberScoop.
The most successful scenarios occurred when the model received appropriate operational context from the technical harness. “It does support that it’s not just about the frontier model,” Waizel said. “We found that [our harness] really helps the reasoning” of the LLM.
The Harness, Not the Model
The research’s central finding reframes the AI cybersecurity debate. Policymakers and security experts have focused on the spread of more powerful frontier models. Cato Networks’ work suggests the technical infrastructure wrapping those models, what the industry calls a “harness,” determines operational effectiveness more than the underlying model itself.
Waizel noted that while the research used OpenAI models, other models would likely achieve similar results. As TechCrunch reported on July 14, the capabilities of models like GPT 5.5 are likely to be available in open-source form within a year.
Enterprise defenders are already building their own harnesses. Eric Doerr, chief product officer at Tenable, told CyberScoop that the company’s internal harness, called “Hexa,” benchmarks new commercial LLMs against consistent security tasks. “One of the first things we do when we get a [new] model is say ‘Well, let’s run it through Hexa and see what we learn,’” Doerr said.
Dan Rapp, chief AI and data officer at Proofpoint, described their harness “Satori” as critical infrastructure for keeping agentic AI on track. “You have raw intelligence, raw reasoning power, but to get these systems to perform the way you want to, both context engineering and the harness engineering are essential to actually get the systems to perform well,” Rapp told CyberScoop.
John Hopper, vice president of product engineering at SpecterOps, reinforced the point: “What it always boils down to is how effective you are with the tool calling… bringing in data, enriching the context.”
Why Harness Engineering Changes the Threat Model
The Trump administration has established a federal clearinghouse for AI-discovered vulnerabilities, and European groups are coordinating globally on AI cyber threats. Both efforts focus primarily on model capabilities.
Cato Networks’ research suggests that focus may be misplaced. If harness engineering is what transforms a general-purpose LLM into an effective autonomous attacker, then restricting model access addresses only part of the problem. Enterprise defenders and attackers alike are building infrastructure that makes any sufficiently capable model dangerous when properly directed.
For security teams evaluating their own agent deployments, the takeaway is concrete: invest in the orchestration layer. The model powering an autonomous agent matters less than the tooling, context, and operational framework surrounding it.