Table of Contents

The Attack Architecture Your Controls Can’t See

Autonomous offensive AI is close to being commodity tooling. Here’s what it means for fraud, security, and payments leaders, and where the defensible ground actually is.

When Anthropic introduced Mythos, the industry conversation locked onto a single storyline: an AI that can find vulnerabilities at superhuman scale. That framing is understandable, and it misses the point.

The real breakthrough isn’t the model. Frontier models improve every quarter, and no single release changes the game on its own. What changed is the architecture around the model: a pipeline of goal-optimized agents, each handling a discrete piece of offensive work: reconnaissance, target analysis, exploit engineering, chaining findings into complete attacks, and iterating until the goal is reached. If you looked at the org chart of a nation-state offensive cyber unit, you would recognize the structure. Operations of that class used to require dozens of specialists working for a year or two. This runs with no people, and it runs overnight.

Vulnerability discovery is one thing you can ask an architecture like this to do. It is far from the only thing. Give it a business as the target rather than a codebase, and it will study that business the way an intelligence agency would: how the applications work, how customers behave, how money moves, where the processes bend, and how the defenses respond when pushed. Then it will work toward whatever objective it was handed, without fatigue and without cost pressure.

For now, capabilities like this sit with a handful of frontier labs that wrap them in governance. That won’t hold. Open-source models are widely expected to reach equivalent capability within months, with no comparable guardrails, and the skill required to operate them is essentially the ability to write a prompt. Fraud rings won’t need to build anything. They will simply download it.

Three assumptions this breaks

That an authenticated session means your customer is acting. Session hijacking has always been fraud’s Holy Grail precisely because it defeats everything: legitimate device, legitimate credentials, clean signals. It stayed rare because pulling it off demanded elite technical and operational skill. AI removes both requirements. An agent operating inside a customer’s browser can study the account, learn the customer’s patterns, and act in ways your controls were never built to question, because those controls assume a human is behind the wheel.

That your fraud strategy is a secret. It isn’t, or won’t be for long. These systems can infer most of a rule-based fraud stack from publicly available information, then confirm and complete the picture by probing your applications directly: response times, error messages, subtle UI changes that betray which controls fired. Run that probing through thousands of distributed accounts feeding one centralized brain, and your defensive playbook becomes an open book.

That detection means recognizing known patterns. Every control you operate today, on the cyber side or the fraud side, ultimately hunts for what has been seen before. These architectures are built to do the opposite: assemble thousands of previously unconnected pieces into attacks that have never existed. They work in three stages. First, reconnaissance: tens of thousands of probes, each one individually harmless-looking, that together map your business like a puzzle. Second, simulation: offline, invisible to you, where the attack is designed and refined. Third, execution: fast, novel, and unlike anything in your pattern library.

The uncomfortable truth is that stages two and three are uncontestable. You cannot see a simulation, and you cannot pattern-match an attack that has no precedent. The only stage where a defender can act is the first one. Starve the architecture of puzzle pieces and there is nothing to simulate and nothing to launch. Reconnaissance is the window, and it is open now.

Why “AI detection” mostly isn’t

A wave of vendors now claims agentic AI detection. Look closely at how most of it works: it recognizes agents that announce themselves. Well-behaved agents from major platforms declare what they are through headers, signatures, or registration schemes, and detecting a declared agent is trivial.

That approach fails exactly where it matters. A malicious agent is not going to raise its hand and disclose that it is up to no good. It will do the opposite: impersonate a human as convincingly as it can, randomize its behavior, and adapt in real time to any challenge you put in front of it. Agents are not bots. Bots follow scripts and leave fingerprints; agents think, react, and route around detection because evading you is part of the goal they were given. Any defense premised on self-declaration is a defense against the agents that were never the problem.

Detecting undeclared, adversarial agents is a fundamentally different discipline. It requires going deep into each agentic platform itself, frontier and open-source alike, and understanding how each one actually operates at a level where its tells surface no matter how hard it tries to blend in. That is research work, continuous and unglamorous, and it is the foundation everything else rests on.

What a real defense looks like

Three capabilities, layered:

  • Visibility. Know which of your traffic is agentic and which is human, identify the specific platform behind it by name, trace it to the accounts and sessions it touches, and understand its intent. Intent is the pivot: an agent comparison-shopping for its owner and an agent methodically mapping your controls can look identical at the traffic level. They are not the same thing, and your response to each shouldn’t be either.
  • Control. Translate that visibility into living policy. Which agents are welcome, what they may do, where the boundaries sit. These decisions will evolve as the threat landscape shifts and as your own appetite for agent-driven business matures, so the policy layer has to evolve with them.
  • Protect. Enforce those decisions with the controls that actually govern payments: authentication that establishes who is genuinely present, continuous trust that keeps re-asking that question throughout the session rather than trusting a single answer at login, and authorization that decides what any actor, human or agent, is allowed to do at the precise moment it tries to act. When control of a session can pass silently from a customer to an agent mid-flow, a front-door identity check is no longer a control. It’s a formality.

One more thing, because this is not only a threat story. Your customers’ agents are already arriving, and their volume will only grow: researching, comparing, transacting, managing accounts on their owners’ behalf. Blocking them all protects nothing and costs you revenue, locking you out of agent-driven commerce just as it takes shape. Ignoring them absorbs unbounded risk. The organizations that win will do neither: friction-free passage for good agents, a closed door for the rest, and the visibility to tell one from the other.

Where Transmit Security is Different

Transmit Security was founded by reverse engineers and penetration testers who went on to spend decades building the fraud and identity defenses that protect many of the world’s largest financial institutions. We understand offensive architectures because taking systems apart is where we started.

That DNA drives how we approach agentic detection. Our research teams dissect each agentic platform individually, studying how it operates deeply enough that its tells surface even when it is actively working to look human. This is a standing research program, not a signature update. New platforms and new versions appear constantly, and each one gets the same treatment.

Detection alone, though, is only intelligence. It becomes defense through orchestration: the layer that pulls identity, risk signals, and agentic insight together and drives real-time decisions across the entire customer journey. Orchestration is what makes continuous trust practical, evaluating every session as it unfolds and applying exactly the authentication, step-up, or block the moment calls for, so good agents and good customers move freely while everything else meets resistance. And it runs on a platform already proven at scale: Transmit Security is ranked a Leader by Gartner, Forrester, and KuppingerCole.

The window won’t stay open

Reconnaissance against your business may already be underway. It is invisible by design, and it is the one stage you can contest. To go deeper on the threat model and the defense architecture, read our datasheet, or contact your Transmit Security account team for a no-obligation executive briefing with CEO Mickey Boodaei: 45 minutes on your organization’s readiness, not a pitch.

Read the Datasheet:

The-Attack-Architecture-Your-Controls-Cant-See-July2026