Skip to main content
Browse all
WOWHOW/FIELD NOTES/AI-SECURITY·7 JUNE 2026·6 MIN READ

Sysdig’s threat research team documented the first confirmed cyberattack carried out by an autonomous LLM agent against live production infrastructure. The attacker used a modified Claude-based agent to identify an exposed AWS credential, enumerate services, and exfiltrate an RDS PostgreSQL database in 52 minutes — start to finish, without a human in the loop after launch.

WW
WOWHOW
FOUNDER · 14YR SHIPPING
Published
7 June 2026
Reading
6 min · 1,800 words
TL;DR

Sysdig confirmed the first live cyberattack using an autonomous LLM agent. An AWS RDS database was fully exfiltrated in under 60 minutes. Here is the attack chain, what defenses failed, and how to protect your infrastructure.

52 minutes. That is how long it took an autonomous LLM agent to find an exposed AWS credential, enumerate services, bypass IAM restrictions, and exfiltrate a full RDS PostgreSQL database containing customer PII. Sysdig’s threat research team documented the incident in a report published June 3, 2026, marking what they describe as the first confirmed cyberattack carried out by an LLM agent against live production infrastructure.

This was not a proof-of-concept in a lab. The target was a real company (unnamed in the report due to ongoing law enforcement investigation), the data exfiltrated was real, and the attacker was human only at the point of pressing start. The agent handled every step from initial access through data exfiltration autonomously.

Here is what Sysdig found, how the attack chain worked, and the specific defenses that failed — plus what you need to add to your own infrastructure today.

The Attack Chain: Step by Step

Sysdig reconstructed the full attack timeline from CloudTrail logs, VPC flow logs, and endpoint telemetry from their Falco agent deployed in the target environment. The reconstruction was possible because the attacker did not attempt to clear logs — a pattern Sysdig believes was intentional (the attacker assumed they would be long gone before detection).

T+0:00 — Initial Access. An AWS access key (IAM user, not a role) was discovered in a public GitHub repository. The repository belonged to a contractor who had committed a .env file with live credentials. The key had been live in GitHub for 11 days before the attack. GitHub’s secret scanning was enabled on the repository but the key format did not trigger the detection pattern because it used a non-standard prefix (the company had rotated key formats but not updated GitHub’s detection configuration).

T+0:04 — Enumeration. The agent called sts:GetCallerIdentity (standard reconnaissance), then enumerated permissions using iam:SimulatePrincipalPolicy. It identified 47 accessible AWS services across three regions. The IAM policy attached to the compromised user had been written with overly broad read permissions — a “read-everything” policy applied for a contractor audit engagement six months prior that was never revoked.

T+0:11 — Database Discovery. The agent called rds:DescribeDBInstances and found 4 PostgreSQL instances, including one in a public subnet (not publicly accessible but in a subnet with a route table that included an internet gateway — a misconfigurations common in AWS accounts that were originally configured for development).

T+0:19 — Privilege Escalation. The original IAM user did not have direct database access. The agent found that the user had secretsmanager:GetSecretValue permission and enumerated secrets. One secret contained RDS credentials for a “read-replica” database used for reporting — a PostgreSQL instance with read access to the entire production schema. The agent retrieved the credentials from Secrets Manager.

T+0:27 — Data Reconnaissance. The agent connected to the RDS read replica through a bastion host it found via EC2 instance enumeration. It ran dt to list tables, identified a table named customers with 2.1 million rows based on pg_stat_user_tables, and sampled 100 rows to confirm PII content (name, email, phone, last four digits of payment card).

T+0:41 — Exfiltration Setup. The agent spun up an EC2 micro instance in us-east-1, installed pg_dump, and created an S3 bucket in a region (ap-southeast-2) that was not monitored by the organization’s CloudTrail configuration (they had regional CloudTrail enabled in us-east-1 and us-west-2 only).

T+0:52 — Exfiltration Complete. 4.2GB compressed dump of the customers table was uploaded to the attacker-controlled S3 bucket. The EC2 instance self-terminated. Total cost to the attacker for EC2 and data transfer: approximately $0.12.

The LLM Agent Architecture

Sysdig obtained partial telemetry on the agent’s tool calls from network analysis. The attack agent used a modified Claude API integration with custom tool definitions for AWS operations. The tool set covered approximately 90 AWS API calls grouped into categories: IAM operations, service enumeration, compute management, database operations, storage operations, and network analysis.

The agent operated with a surprisingly simple system prompt (reconstructed from API call patterns and attacker infrastructure analysis). It essentially told the agent: enumerate access, find valuable data, exfiltrate to a pre-configured endpoint, minimize API call volume to avoid rate-limit detection.

That last instruction — minimize API call volume — is why the attack was slow by automated attack standards. Traditional automated credential attacks enumerate everything as fast as possible. This agent was calibrated to stay below CloudWatch anomaly thresholds. It made an average of 3.2 API calls per minute versus the 50–200 calls per minute typical of automated enumeration tools. That pacing is specifically designed to blend with normal IAM activity.

The agent made one significant error: it called rds:DescribeDBInstances three times in 30 seconds while processing a response (likely the agent’s tool call retry logic). This created a CloudWatch anomaly that triggered an alert — but the alert went to an email address for a contractor whose contract had ended, and no one was monitoring the mailbox.

Which Defenses Failed

Sysdig identified seven specific control failures. Not all of them are fixable with a single configuration change — some reflect systemic security debt:

1. GitHub secret scanning with stale detection patterns. The credential was in GitHub for 11 days. The detection pattern was misconfigured. Fix: enable GitHub Advanced Security’s validity checking (which actually tests secrets against live APIs) not just pattern matching.

2. IAM over-permission left from a contractor engagement. A read-everything policy granted months after the work concluded. Fix: mandatory 90-day expiry on temporary IAM grants, enforced by an automated policy review script.

3. Secrets Manager permissions attached to an external IAM user. IAM users (long-lived key credentials) should not have secretsmanager:GetSecretValue. That permission should require roles with session-based credentials. Fix: audit all IAM users with secretsmanager permissions immediately.

4. Regional CloudTrail gaps. CloudTrail was not configured in ap-southeast-2, the region used for exfiltration. Fix: use organization-level CloudTrail that covers all regions by default, not per-region configuration.

5. Alert routing to inactive mailbox. The anomaly alert fired correctly but went nowhere. Fix: all security alerts route to a ticketing system (PagerDuty, Opsgenie) not email. Email-only security alerts are a liability.

6. No data-level access controls on read replica. The read replica had database-level authentication but no row-level security or column masking. Full PII table was accessible to any authenticated connection. Fix: implement row-level security and mask PII columns for non-production access paths.

7. EC2 IAM permissions allowed instance creation. The compromised user could launch EC2 instances. That is what enabled the exfiltration staging server. Fix: EC2 launch permissions should require MFA conditions and be absent from any IAM user used for read operations.

MCP Security Implications

The attack agent used a tool-calling architecture nearly identical to how MCP servers expose AWS capabilities. The MCP AWS server (@modelcontextprotocol/server-aws) exposes the same API surface — EC2 enumeration, S3 operations, RDS discovery, Secrets Manager access — that the attacker’s custom tool set used.

This creates a specific threat model for developers running Claude Code with AWS MCP servers: if your Claude Code session is compromised via prompt injection (a malicious input causes the model to execute attacker-controlled instructions), the MCP server has the same blast radius as the attacker’s custom tool set.

The MCP security working group released updated guidelines on June 5 in direct response to the Sysdig report. Key recommendations for MCP server configuration:

// Principle of least privilege for MCP AWS server
// ~/.claude.json — restrict AWS MCP to specific operations only
{
  "mcpServers": {
    "aws": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-aws"],
      "env": {
        "AWS_PROFILE": "mcp-readonly",  // dedicated IAM role, not admin
        "MCP_AWS_ALLOWED_SERVICES": "s3,ec2-describe,rds-describe",
        "MCP_AWS_DENY_PATTERNS": "secretsmanager,iam,ec2:RunInstances"
      }
    }
  }
}

The mcp-readonly IAM role should be a role with no secretsmanager:GetSecretValue, no EC2 instance launch permissions, and no cross-region write access. Think of it as a minimum-viable-access profile for agent enumeration use cases.

Tool call auditing is the second layer. Every MCP tool call should be logged with the input parameters. If a Claude Code session starts calling rds:DescribeDBInstances or iam:SimulatePrincipalPolicy in a context where that is unexpected, you want to know immediately.

Hardening Your AWS Infrastructure Against Agent-Based Attacks

Seven specific actions, in priority order:

# 1. Audit IAM users with secretsmanager permissions
aws iam list-users --query 'Users[].UserName' --output text |   xargs -I{} aws iam simulate-principal-policy     --policy-source-arn arn:aws:iam::ACCOUNT:user/{}     --action-names secretsmanager:GetSecretValue     --query 'EvaluationResults[?EvalDecision==`allowed`]'

# 2. Enable organization-level CloudTrail (all regions)
aws cloudtrail create-trail   --name org-cloudtrail   --s3-bucket-name your-cloudtrail-bucket   --is-organization-trail   --is-multi-region-trail

# 3. Find long-lived IAM user keys older than 90 days
aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text |   base64 --decode |   awk -F, '$10 != "N/A" && $10 < "2026-03-07" {print $1, $10}'

# 4. Enable GitHub Advanced Security validity checking
# Settings → Security → Code security → Secret scanning
# Enable: "Validity checks" and "Non-provider patterns"

# 5. Set IAM password policy with mandatory MFA
aws iam update-account-password-policy   --require-symbols   --require-numbers   --require-uppercase-characters   --require-lowercase-characters   --max-password-age 90

# 6. Enable GuardDuty for anomalous API call detection
aws guardduty create-detector --enable

# 7. Route all security alerts to PagerDuty/Opsgenie, not email
# CloudWatch → Alarms → SNS → PagerDuty integration

GuardDuty deserves specific mention: it would have flagged the credential used from an unusual IP address on first use. If the organization had been running GuardDuty, the attack’s timeline would have been interrupted at T+0:04 with an alert about anomalous API activity from a new geographic location. GuardDuty costs approximately $2.70 per 1 million CloudTrail events analyzed — a rounding error in any security budget.

The Broader Threat Shift

What makes this incident significant is not the sophistication of the techniques — every step in this attack chain has been in red team playbooks for years. What is new is the accessibility. Running an LLM agent with AWS tool access requires a Claude API key, a few hundred dollars of compute, and a system prompt that can be written in an afternoon. The barrier to entry for automated, adaptive, human-quality cloud attacks has dropped from a skilled red team to a moderately capable developer with malicious intent.

The Sysdig report notes that they observed the same attacker infrastructure (based on certificate fingerprints and TLS configuration patterns) in reconnaissance activity against 14 other AWS accounts in the two weeks prior to the successful attack. Those accounts were not breached — they either had no exposed credentials or the agent could not find actionable permissions within its timeout. The successful attack was one of 15 attempts.

Your infrastructure does not need to be impenetrable. It needs to be harder to exploit than the other 14 organizations the agent tried first.

Browse the security and DevOps tools at WOWHOW for IAM hardening templates and AWS security starter kits. Use the AI API cost calculator to model security monitoring costs including GuardDuty and CloudTrail pricing.

People Also Ask

How did the attacker build the LLM agent used in this attack?

Sysdig’s analysis indicates the agent was built on a modified Claude API integration with custom tool definitions — not using MCP or any public framework. The tool set was purpose-built for cloud infrastructure enumeration and exfiltration. The barrier to replication is low: anyone with API access to a frontier model and basic Python skills can build an equivalent agent in a day or two using published tool-calling documentation.

Would a Web Application Firewall have stopped this attack?

No. WAFs protect HTTP endpoints. This attack used AWS API calls authenticated with a valid IAM key — from AWS’s perspective, it was legitimate API traffic. The controls that would have stopped it were IAM policy restrictions, CloudTrail coverage in all regions, GuardDuty for behavioral anomaly detection, and GitHub secret scanning with validity checking. None of these are WAF functions.

Is Claude Code at risk from similar attacks if I use it with AWS MCP?

Claude Code with an AWS MCP server creates a tool-calling surface equivalent to what the attacker used. The risk comes from two vectors: prompt injection (malicious input manipulating the model into making attacker-intended API calls) and credential exposure (your AWS credentials getting logged or leaked). Mitigation: use a dedicated least-privilege IAM role for MCP operations, never use admin credentials, and enable tool call logging in your MCP server configuration.

What is the MCP security working group recommending after this incident?

The June 5 updated guidelines recommend: dedicated least-privilege IAM roles for MCP servers (never admin credentials), explicit allowlist of permitted API actions rather than deny lists, mandatory tool call logging with parameter capture, session-scoped credentials (roles with STS assume-role) rather than long-lived IAM user keys, and alert routing for anomalous patterns. The full guidelines are at modelcontextprotocol.io/security.

Tags:AI SecurityLLM CyberattackAWS SecurityMCP SecuritySysdig
All Articles
WW

Written by

WOWHOW

The WOWHOW team brings 14+ years of production engineering experience. Every tool and product in the catalog is personally built, tested, and curated.

Monday Memo · Free

One insight, every Monday. 7am IST. Zero fluff.

1 field report, 3 links, 1 tool we actually use. No fluff, no spam.

Need production-ready templates?

Free browser tools with no signup, plus 2,000+ premium dev templates and starter kits.

Comments · 0

Beta: comments are stored locally on your device and not visible to other readers.

Sign in to join the conversation

No comments yet. Be the first to share your thoughts.