Skip to content
AI Security Wire

Published

- 4 min read

By

Check Point 2026: AI Crosses from Assistant to Attack Operator

img of Check Point 2026: AI Crosses from Assistant to Attack Operator

For years, the framing was ‘AI helps attackers move faster.’ That framing is now out of date. The 2026 Check Point Research AI Security Report, published this week, makes the case for something more significant: AI isn’t helping attackers anymore. In many operations, AI is doing the attacking.

The report covers October 2025 through June 2026, drawing on telemetry from Check Point’s global customer base alongside documented threat campaigns. The headline finding is a named incident that makes the abstract concrete.

A Single Operator, Nine Government Agencies

A threat actor breached nine Mexican government agencies using two AI tools in tandem: Claude Code for network infiltration and exploration, and GPT-4.1 for data analysis and follow-on tasking. Across 34 attack sessions, the AI agents executed 5,317 distinct commands. The human operator directed the campaign at a high level. The AI executed it.

This is not a hypothetical scenario from a red team exercise. It is documented active exploitation. The operator did not need to write exploits, craft lateral movement scripts, or manually analyze network data. The AI did all of that.

Check Point also documents VoidLink, a command-and-control framework produced almost entirely via AI-assisted code generation. The C2 framework ran to 88,000 lines of malicious code and was completed in under one week. That kind of output would have required a skilled team working for months just five years ago.

The Enterprise Exposure Numbers

The telemetry from enterprise environments is just as concerning. Between 87 and 93 percent of organizations experienced at least one high-risk AI interaction every month over an eight-month window. The rate of high-risk GenAI interactions doubled year-over-year, from roughly 1 in 50 to 1 in 25. Business services hit nearly 6 percent, about 1 in 17 interactions.

The average organization now runs 10 distinct AI applications per month. Many of those applications are unsanctioned, meaning security teams have no visibility into what data is being processed, what prompts are being sent, or what outputs are being acted on. That shadow AI problem is now a core enterprise attack surface.

Prompt Injection on a Steep Curve

Prompt injection detections, the technique of embedding malicious instructions in content that an AI agent will process, rose roughly fivefold between March and May 2026. By May, they were approaching 1 percent of all observed prompts.

That sounds modest until you consider the scale. At millions of AI interactions per day across large enterprises, 1 percent is a substantial volume of active injection attempts. The sharp rate-of-change over two months suggests ongoing optimization of attack tooling, not random experimentation.

The Deepfake and Voice Fraud Picture

The identity forgery ecosystem is maturing faster than detection capability. Check Point reports that trained observers correctly identified AI-generated faces only 41 percent of the time. The general public managed around 30 percent. The FBI attributes over $250 million in losses to voice-enabled AI fraud.

Scattered Spider is named in connection with breaches at Marks and Spencer and Jaguar Land Rover during this period. ShinyHunters is linked to Salesforce customer targeting via AI-assisted phone campaigns. Both groups are running voice agents at scale for vishing and one-time password theft, not just for target research.

Phishing-as-a-Service kits now embed jailbreaked LLMs as a standard feature.

The Speed Problem

One of the quieter findings is the most operationally significant: exploits for newly disclosed vulnerabilities are now being produced within hours of public disclosure. Several government authorities have responded by mandating remediation timelines as short as 12 hours for critical internet-facing systems.

No security team patches at that speed through manual workflows. The remediation cycle is now a competition between attacker automation and defender automation, and most organizations are running the defender side manually.

Lotem Finkelstein, VP at Check Point Research, put it plainly: the expertise barrier separating capable attackers from the rest is disappearing. What used to require a skilled red team can now be delegated to an AI agent with a rough set of objectives and a target.

What This Means for Defenders

The report does not come with a neat prescription, but the logical implications are clear. Visibility into AI application usage is now as important as visibility into endpoints. Behavioral monitoring for what AI agents actually do, not just what prompts they receive, is the gap in most current detection stacks. And the window between vulnerability disclosure and active exploitation is no longer measured in days.

The shift from assistant to operator is not a future scenario to prepare for. It is the current operating environment.

References

Frequently Asked Questions

What is the main finding of the Check Point AI Security Report 2026?
Check Point Research documents that AI has shifted from a planning aid to the primary executor of attacks, running autonomous attack chains with minimal human oversight. The report coins this the shift from 'assistant' to 'operator' and backs it with named campaigns, including a breach of nine Mexican government agencies using Claude Code and GPT-4.1 that generated 5,317 AI-executed commands across 34 sessions.
How common are high-risk AI interactions in enterprise environments?
Between October 2025 and May 2026, 87 to 93 percent of organizations experienced at least one high-risk AI interaction per month. The rate of high-risk GenAI interactions doubled year-over-year, from 2 percent to 4 percent of all AI interactions. Business services had the highest exposure at nearly 6 percent.
What should security teams do in response to this report?
The report emphasizes three priorities: establish visibility into which AI applications employees actually use (average is now 10 per month, many unsanctioned), deploy behavioral monitoring for AI agent actions rather than just prompt filtering, and shorten vulnerability remediation timelines since exploits are now produced within hours of public disclosure.