AI-assisted tooling makes specific intrusion phases faster and more precise. Reconnaissance is more systematic. Credential enumeration is more targeted. Lateral movement decisions (which path to take and which assets to prioritize) are increasingly guided by behavioral analysis of observed network data rather than slow manual trial and error.
This is documented in real campaigns. In July 2025, Ukraine’s national CERT (CERT-UA) disclosed LAMEHUG, the first publicly documented malware to integrate a large language model directly into its attack flow [3]. Attributed with moderate confidence to APT28 (Fancy Bear), LAMEHUG used an LLM to dynamically generate system reconnaissance commands, including hardware enumeration, process listing, and network connection mapping, without any hardcoded instructions. Signature-based detection and traditional intrusion prevention systems were structurally blind to it because there was no static pattern to match [3].
What AI does not change is the dependency structure that every intrusion still runs on. Whether the attacker uses AI tooling or not, they need to map the environment, discover workable credentials, understand what assets are present, and find a viable path to their target. Every step requires the attacker to read and trust environmental signals: network topology, directory structures, service availability, file artifacts, credential stores.
Sophisticated attackers, even those augmented by AI agents, still trust the environment they see. That is exactly what Fidelis Deception® exploits.
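The contrast drawn above, as an added illustration (not Fidelis product code and not from the original article): a detector keyed on exact command strings finds nothing when the reconnaissance commands are generated on the fly, while a tripwire on decoy artifacts fires regardless of how the commands were worded. The log format, signature list, decoy account and decoy path are all hypothetical and constructed for this example.

```python
import re

# Hypothetical static signatures: exact command strings from an older sample.
SIGNATURES = {"systeminfo", "tasklist /v", "netstat -ano"}

# Hypothetical decoys planted for this example; nothing legitimate uses them.
DECOY_ACCOUNTS = {"svc-backup-adm"}
DECOY_PATHS = {r"c:\shares\finance\passwords.xlsx"}

# Constructed key=value telemetry, not taken from any real campaign.
SAMPLE_LOG = r'''
ts=10:01:02 host=ws12 type=proc cmd="powershell Get-CimInstance Win32_Processor"
ts=10:01:05 host=ws12 type=proc cmd="powershell Get-Process | Sort-Object CPU"
ts=10:01:09 host=ws12 type=proc cmd="powershell Get-NetTCPConnection -State Established"
ts=10:03:40 host=ws12 type=file path="C:\Shares\Finance\passwords.xlsx"
ts=10:04:11 host=ws12 type=auth user="svc-backup-adm" result=failure
ts=10:05:00 host=ws30 type=auth user="jdoe" result=success
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse(log):
    """Turn each key=value line into a dict of fields."""
    return [{k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
            for line in log.strip().splitlines()]


def signature_hits(events):
    """Process events whose command line exactly matches a known string."""
    return [e for e in events
            if e["type"] == "proc" and e["cmd"].lower() in SIGNATURES]


def decoy_hits(events):
    """Events that touch a decoy file or try a decoy account, any outcome."""
    hits = []
    for e in events:
        if e["type"] == "file" and e["path"].lower() in DECOY_PATHS:
            hits.append(e)
        elif e["type"] == "auth" and e["user"].lower() in DECOY_ACCOUNTS:
            hits.append(e)
    return hits


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("signature hits:", signature_hits(events))
    for e in decoy_hits(events):
        print("decoy touched:", e["ts"], e["host"], e.get("path") or e.get("user"))
```

The decoy check alerts on a failed login as well as a successful one, because any use of a planted credential means something read it from the environment.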
