The 40-Minute Hack: One Prompt Is All It Takes
It took one sentence. A single, high-level prompt fed to OpenAI‘s ChatGPT-5.5 — and within 40 minutes, the model had mapped a network, escalated privileges, and seized domain-level control. That’s the finding from Cato Networks, a cybersecurity firm that tested how far a so-called agentic attack could go when a frontier large language model (LLM) is given autonomy and a clear objective.
The experiment, detailed in a paper published July 15, was run inside a controlled Active Directory environment built to mirror a typical enterprise. The result? The model planned and executed the entire attack lifecycle: reconnaissance, exploitation, internal discovery, privilege escalation, lateral movement, and exfiltration. All from a single prompt.
Why GPT-5.5? The Frontier Model Accessible to Attackers
Cato Networks didn’t just pick any model. They tested both GPT-5.5 and the cybersecurity-specific GPT-5.5-Cyber. But they focused on the general-purpose version. Why? Because it reflects what most attackers can actually get their hands on.
“While both GPT-5.5 and GPT-5.5-Cyber were evaluated during the research, the later scenarios focused on GPT-5.5 to better reflect the publicly available frontier models accessible to most attackers at the time of the study,” the firm explained in a blog post.
The exact prompts used to direct the model remain undisclosed. That’s intentional — revealing them would hand malicious actors a ready-made blueprint. But the broader lesson is clear: the safety guardrails on public AI models can be bypassed with the right framing.
Six Scenarios, One Adaptive Attacker
The researchers ran six different test scenarios. In each, the environment changed. The model didn’t break stride. It adapted on the fly.
When a planned attack path failed, the agent didn’t stall. It generated custom vulnerability probes. It modified its data collection workflows. It designed alternative communication paths. In one test, the model built an SMB-based tunneling approach to move data through an existing foothold — a technique that requires real understanding of how Windows networks operate.
“Several executions demonstrated adaptive behavior when expected attack paths failed or environmental conditions changed,” the researchers noted. “Rather than following a rigid sequence of actions, the agent adjusted its approach based on observations gathered during execution.”
That flexibility is what made the difference. By combining lessons from earlier scenarios, the model reached its objective — admin-level privileges — in roughly 40 minutes. Speed, they found, came from adaptation, not brute force.
What This Means for Enterprise Defenders
The researchers were careful not to overstate the findings. “While these observations should not be interpreted as evidence of novel attack discovery, they do suggest that frontier models can contribute goal-oriented problem solving during offensive operations,” they wrote.
In plain English: the AI isn’t inventing new attack techniques. It’s applying known ones faster and with less human input. That’s the real risk. A threat actor with moderate skills can now orchestrate a multi-stage attack that previously required a team of specialists.
“A threat actor is only one part of the risk,” said Dr. Guy Waizel, tech evangelist at Cato Networks. “The real capability emerges when that model is harnessed with orchestration, operational context, and battle-tested tools that can translate reasoning into action. Our research shows that this combination can dramatically accelerate known attack workflows, reduce the amount of hands-on expertise required, and enable more coordinated execution across multiple stages of the attack lifecycle.”
AI-Driven Attacks Are Accelerating — and Evolving
Cato Networks, a member of OpenAI’s Daybreak Program, stressed that the patterns they observed may not be universal across all enterprise environments. But the trend is unmistakable. AI tools are becoming more embedded in workplaces, and malicious actors are learning to weaponize them — especially to compress the timeline of an attack.
This capability is likely to improve. Frontier models are getting smarter, faster, and more accessible. Jailbreaking techniques are evolving. The window between a prompt and a breach is shrinking.
For cybersecurity leaders, the takeaway is straightforward: assume that attackers have access to AI agents that can plan, adapt, and execute. Defenses need to be just as dynamic. That means monitoring for unusual lateral movement, segmenting networks aggressively, and treating every prompt-engineered query as a potential reconnaissance probe.
Infosecurity has contacted OpenAI for comment. The company has not yet responded.