Autonomous Defense
AI agents are rewriting the rules of cybersecurity
Attackers are exploiting unpatched vulnerabilities and polymorphic malware that traditional signature-based tools miss. Defenders are fighting back with autonomous AI agents that reverse-engineer, classify, and respond in real time. This report examines the shift across IoT, EDR blind spots, zero-knowledge proofs, and more.

Not long ago, cybersecurity was a game of signatures: defenders collected hashes of known malware, wrote rules, and waited for the next static match. Attackers responded with polymorphic code that changed its fingerprint on every execution, then with zero-day exploits that had never been seen, let alone cataloged. The gap between what attackers can do and what defenders can catch has widened to the point where traditional tools are no longer sufficient.
Now a new paradigm is emerging: autonomous defense. AI agents, such as those capable of reverse-engineering suspicious binaries, classifying novel attacks, and even proving identity without revealing secrets, are beginning to close the gap. This special report examines five distinct fronts in that battle, from the embedded systems that have gone years unpatched to the cryptographic primitives that could underpin agent-to-agent trust.
FatFs: seven bugs, twenty years, zero patches
In the IoT world, the FatFs file system module has been a workhorse for two decades, running on microcontrollers in everything from medical devices to industrial sensors. It also contains at least seven documented vulnerabilities, and no official patch has ever been released for most of them.
FatFs is not open source in the modern sense. It is a single-file C library maintained primarily by one developer. When researchers discover a buffer overflow or a path traversal, they often have to file an issue and wait. Some bugs have been pending since firmware images shipped in the early 2000s. The result is a structural liability for the entire IoT ecosystem, where devices are rarely updated and even more rarely audited.
Autonomous defense agents could change this by scanning embedded binaries for known and unknown variants of the FatFs vulnerabilities, then generating micro-patches on the fly, but only if the industry adopts a shared taxonomy for embedded firmware agent communication. Without that, the seven bugs remain a ticking time bomb.
Project Ire: what six EDRs could not see
The LOTUSLITE malware family has long been a headache for enterprise defenders. It is designed to evade endpoint detection and response (EDR) systems by using living-off-the-land techniques, legitimate tools, and delayed execution. In a controlled test, six commercial EDRs failed to flag its behavior.
Project Ire is an experimental autonomous agent that reverse-engineers samples from scratch, without relying on signature databases or pre-trained models. It disassembles the binary, maps system call sequences, and builds a behavioral profile in real time. When presented with a LOTUSLITE variant that the EDRs had missed, Project Ire identified the core evasion loop within minutes.
The lesson: signature-based detection is a rearview mirror. Behavioral analysis by autonomous agents, while computationally heavier, offers a path forward that does not depend on having seen a threat before. The challenge is scaling this to production environments without false-positive fatigue.
Vega: proving identity without exposing it
As agents take on more responsibility, such as patching systems, interrogating binaries, and coordinating responses, the question of trust becomes acute. How does one agent know that another is who it claims to be? How does a human operator verify an agent's actions without revealing credentials to a potentially compromised host?
Vega proposes a solution based on zero-knowledge proofs (ZKP). Instead of transmitting a password, API key, or cryptographic certificate, an agent can produce a proof that it possesses the secret, without revealing the secret itself. This has profound implications for cybersecurity: an autonomous defender can authenticate itself to a logging service, a patch repository, or another agent without exposing material that could be reused by an attacker.
The ZKP protocol has been implemented in Rust and runs on embedded-class hardware, making it viable for IoT edge nodes as well as cloud instances. Vega is still experimental, but it points to a future where identity and trust are mathematically verifiable rather than administratively assumed.
Fable 5: a common severity scale for jailbreaks
Prompt injection and jailbreak attacks on large language models have proliferated faster than the industry can classify them. One researcher's critical is another's moderate. Anthropic's Fable 5 framework proposes a standardized severity scale, analogous to the Common Vulnerability Scoring System (CVSS) used for traditional vulnerabilities.
The scale ranges from L1 (trivial, easily caught by base filters) to L5 (multi-step indirect injection that exfiltrates data without triggering any guardrail). By providing a common taxonomy, Fable 5 enables automated agents to triage incidents: an L1 jailbreak can be ignored; an L4 may require agent-mediated isolation; an L5 triggers a full incident response workflow.
The framework has already been adopted by two open-source red-teaming tools and is being reviewed by a working group at the OWASP LLM Top 10 project. If it gains traction, it could become the de facto standard for agent-based defense against prompt attacks.
Hide My Email: a bug that ruins trust
Apple's Hide My Email service, which generates disposable email addresses to protect user privacy, was found to contain a bug that could expose the real forwarding address under certain conditions. For a feature whose entire value proposition is anonymity, this is not just a bug; it is a betrayal of trust.
The vulnerability was disclosed responsibly and patched quickly, but it illustrates a broader point: as platforms build privacy-preserving features, they must also harden them against the same agent-driven attacks they aim to prevent. An attacker armed with an autonomous reconnaissance agent could have chained the Hide My Email bug with other iOS vulnerabilities to profile users at scale.
Autonomous defense agents, in turn, must be trusted to report such findings without leaking them. This is where ZKP-based authentication (as in Vega) and behavioral classification (as in Project Ire) converge: an agent that discovers a trust-eroding bug must be able to prove its finding to a human analyst without exposing the vulnerability to the network.
Conclusion: behavior versus signature
Cybersecurity is becoming a war of agents. Attackers deploy autonomous malware that morphs, waits, and learns. Defenders counter with autonomous agents that reverse-engineer, classify, and patch. The old arms race of signature updates is giving way to a new one: behavior versus signature, context versus pattern, zero-knowledge versus zero-day.
The five fronts explored here, FatFs, Project Ire, Vega, Fable 5, and Hide My Email, each demonstrate a piece of the puzzle. No single agent or framework will solve the problem. But together, they point to a future in which defense is no longer reactive, but autonomous.