auto/attack

What is agentic red teaming?

Agentic red teaming is red teaming carried out by AI agents that plan, act, and adapt on their own — software that pursues a security objective, such as reaching Domain Admin, by choosing its own moves and chaining them, rather than following a fixed script or a person’s keystrokes. The agent decides what to try next from what it finds, the way a human red teamer would.

Two different things are called agentic red teaming

The term is used two ways, and the difference is the target. One is red teaming of AI — probing a model or an autonomous agent for jailbreaks, prompt injection, and unsafe actions (often with AI agents doing the probing). The other, the sense used here, is red teaming by AI against a network — autonomous software as the attacker. This guide is about the second: an agent that runs the offensive engagement itself.

How an agentic red team works

An agentic system runs a loop. It looks at what the network exposes, decides the most promising move, carries it out, and folds the result back into what it knows. A cracked ticket becomes a credential; that credential opens a host; the host holds a password reused somewhere better. Each finding changes the next decision, so the agent finds its own route to the objective instead of being handed one.

That loop is what separates an agent from a tool. It is AI penetration testing applied to a whole engagement — not one clever step, but a chain of them, chosen as the network gives them up.

Agentic red teaming vs a human red team

A human red team is a small group of specialists who work an engagement for a fixed block of days. An agentic red team is software: it runs whenever you deploy it, works many paths at once, and doesn’t tire or run out of hours. It brings the same judgment — pick an objective, find a route, chain what it discovers — at machine speed. What a human team does over weeks, an agent works through in minutes.

Agentic red teaming vs scripted automation

Automated penetration testing runs a fixed playbook: the same steps in the same order, stopping at the edge of the script. An agentic system decides instead of replaying — it reads what each result gives back and picks the next move, the way an intruder improvises.

How AutoAttack does it

AutoAttack is an autonomous adversary — agentic red teaming in practice. You deploy it as a single container inside your network, set the objective in plain English, and it works out the route, chains what it finds, and proves each step with captured evidence. The broader idea is autonomous penetration testing; the agent is what carries it out.

On hardened GOAD — the standard Active Directory proving ground — it reached Domain Admin across all three domains in a 0:51 median over ten independent runs. See the benchmark, or deploy it against your own network.

Deploy on your network