Highly Autonomous Cyber-Capable Agents: Anticipating Capabilities, Tactics, and Strategic Implications

This report introduces the concept of"Highly Autonomous Cyber-Capable Agents"(HACCAs), AI systems capable of autonomously conducting multi-stage cyber campaigns at a level comparable to today's top criminal hacking groups or state-affiliated threat actors, and analyzes the security implications of their emergence. The report: (1) Defines what HACCAs are and forecasts when they might arrive, establishing a clear framework for an autonomous cyber agent that can operate across the full attack lifecycle without meaningful human direction; (2) Identifies five core operational tactics, detailing how HACCAs could sustain themselves in the wild, from autonomous infrastructure setup and credential harvesting to detection evasion and adaptive shutdown avoidance; (3) Analyzes the strategic implications, including how HACCAs could intensify interstate cyber competition, lower the barrier to entry for sophisticated operations, and proliferate advanced offensive capabilities to criminal groups and less-resourced state actors; (4) Flags two tail risks that deserve serious attention: the potential for autonomous cyber operations to trigger inadvertent cyber-nuclear escalation, and the possibility of sustained loss of control over rogue HACCA deployments; (5) Proposes seven policy recommendations across three goals: understanding the emerging threat, defending against HACCAs, and ensuring their responsible development and deployment.