Check Point Annual AI Security Report 2026 — AI shifts from attack accelerant to autonomous operator, with the agent's trusted config store as the new persistence surface
Check Point Research's Annual AI Security Report 2026 frames the year's shift as "AI has crossed from assistant to operator": where AI once helped attackers prepare, CPR now observes it doing the hands-on work inside live intrusions, spanning a China-nexus espionage campaign and a criminal breach of multiple Mexican government agencies, and spreading from nation-states to ordinary cybercriminals (Check Point Research, 2026-07-14). Two developments matter most to a defender rather than to a headline. First, AI now builds deployment-ready tooling whose AI provenance is invisible in the finished artifact — CPR cites one developer producing VoidLink, an 88,000-line command-and-control framework, in under a week using an AI environment, illustrating how the tooling-development timeline collapses even for non-experts. Second, and more durable, attackers are moving from transient prompt-injection strings to abusing the agentic architecture itself: CPR reports that the reliable bypass is now "a planted configuration file an agent loads and trusts across sessions," a persistence class that survives context resets and re-authentication in a way one-shot prompt injection does not.
CPR also reports a maturing criminal AI-tooling market — phishing-as-a-service kits shipping with a jailbroken language model built in, and conversational AI voice-agent services running vishing and one-time-passcode theft at scale — alongside a rise in indirect prompt injection (CPR's telemetry shows detections of longer malicious payloads climbing sharply between March and May 2026) and persistent enterprise data leakage through unsanctioned GenAI use. Most actors, CPR notes, favour jailbroken mainstream commercial models over self-hosted ones.
AI has crossed from assistant to operator.
the durable bypass is now a planted configuration file an agent loads and trusts across sessions.
ATT&CK mapping
2 techniques mapped from the cited reporting · MITRE ATT&CK v19.1
Resource Development TA0042
T1587.001Develop Capabilities: Malware
Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
Initial Access TA0001
T1566Phishing
Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
Sources
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.