Skyhawk AI Red Team seizes AWS organisation in seconds

Skyhawk Security said its AI Red Team took control of a company's full AWS organisation during an autonomous attack simulation that began with low-level access in a production cloud environment.

The research, focused on a financial services company, tested whether an AI-driven attacker could move from a low-privilege role to control of a production AWS organisation. Skyhawk said the simulation completed that escalation in seconds.

The exercise did not depend on a software flaw, an obvious misconfiguration, or unusually broad permissions. Instead, the route to control relied on a sequence of legitimate roles, permissions, and settings that had been intentionally configured and were individually valid.

That finding points to a gap in many established cloud security approaches, which often focus on broken settings or excessive access. Skyhawk said the target environment had followed accepted security practices and was using a cloud-native application protection platform.

A conventional graph view of the customer's environment did not reveal a viable attack route. Static attack graph analysis also failed to show a path from low privilege to organisation-wide control, giving the security team confidence that the environment was secure, according to Skyhawk.

Skyhawk's adversarial model reached a different conclusion. The company said the AI system could reason across identities, permissions, and service boundaries, then chain those legitimate elements together until it obtained full organisational access.

IAM focus

The research comes as identity and access management remains central to cloud intrusions. Skyhawk cited industry data showing IAM is the initial access vector in more than 70% of cloud attacks and is involved in about 83% overall.

Against that backdrop, Skyhawk argued the case shows the limits of IAM rightsizing alone. If an attacker can combine approved permissions in an unexpected sequence, a cloud estate may still be exposed even after a business reduces access and removes known weaknesses.

Skyhawk said the attack did not require building or running a frontier AI model. It argued that this makes the result more serious because it suggests the method is within reach of more conventional attackers using agentic AI tools.

Once that level of access is obtained in a production cloud environment, the consequences can be severe. Control of an AWS organisation can give an intruder reach across multiple accounts and services, creating risks of operational disruption, data loss, and wider compromise within a business.

Chen Burshan, Chief Executive Officer at Skyhawk Security, said the findings challenge the assumptions behind much of current cloud defence.

"For years, cloud security has centered on finding what is broken. This case shows that in the era of AI Autonomous Attacks, that model is no longer sufficient. The company we worked with during this research was doing a great job. Nothing in their environment was broken," Burshan said.

Burshan added that the simulation succeeded despite strong existing controls.

"Their security team had done the work and they were part of a leading CNAPP's 'zero critical findings club,' but our AI Red Team was still able to get full organization control. The risk lived in a chain of legitimate capabilities an Agentic AI-enabled attacker would utilize. To defend against AI Autonomous Attacks and prevent breaches, defenders must simulate what an attacker can actually do, build controls around the full attack and stop the attacker at AI speed," he said.

Dynamic problem

Skyhawk's broader argument is that cloud defence is shifting from a static configuration exercise to a dynamic contest over how approved components can be combined. In that view, the key issue is no longer only whether a setting is wrong, but whether an attacker can use several correct settings to achieve an unintended result.

Rob Strechay, Principal at Smuget Consulting, said that shift is forcing a rethink in security operations.

"Agentic AI is changing cybersecurity from a static configuration problem into a dynamic systems problem," Strechay said.

He said existing investment in vulnerability management and misconfiguration reduction may not be enough against AI-led adversaries.

"Organisations have invested heavily in identifying vulnerabilities and reducing misconfigurations, but AI-powered adversaries can reason across identities, permissions and cloud services in ways traditional tools were never designed to anticipate. The next phase of cloud security will be defined by continuously validating how an autonomous attacker could exploit legitimate capabilities before they become a business risk," he said.