Date: 2025-11-17

AI, cyber criminals and how companies can defend against this growing threat

Vibe hackers are kind of like fast zombies – those speedy, undead creatures first introduced in the 1980 film Nightmare City and popularized by the cinematic masterpiece 28 Days Later and the 2004 remake of Dawn of the Dead. Vibe hackers use artificial intelligence (AI) agents and tools to plan and execute cyberattacks by automating key stages of the attack. Not only does vibe hacking lower the barriers to entry for cyber criminals, but it also allows hackers to identify and execute attacks with the urgency and adaptability of a viral outbreak. If you dare, read on to discover more about this trend, how it has already been found in the wild and suggestions for how you can fortify your barricades before the horde arrives.

Vibe hacking: Fact, not fiction

Script kiddies – unsophisticated hackers who use prepackaged code and malware – are nothing new and have been around since at least the mid-1990s. But as the ubiquity and popularity of generative AI models have exploded over the past few years, so have the malicious use cases for these tools. From WormGPT to its successor FraudGPT or even jail-broken versions of popular large language models (LLMs), hackers (both skilled and unskilled) are increasingly turning to these tools; for example, they can use them to:

Conduct reconnaissance on targets

Create custom scripts or malware to attack their targets

Draft phishing campaign or social engineering materials (minus the normal typos and poor grammar)

Vibe hacking isn't just a dangerous lab experiment. It has broken out and is in the wild. An August 2025 threat intelligence report disclosed a cybercriminal operation – tracked as GTG-2002 – that involved the use of a publicly available LLM to plan and execute cyberattacks against "17 distinct organizations in [less than a month] across government, healthcare, emergency services, and religious institutions." The threat actor used an LLM for all phases of the attack, from reconnaissance to exploitation, lateral movement and data exfiltration. The AI was used "to make both tactical and strategic decisions – determining how best to penetrate networks, which data to exfiltrate, and how to craft psychologically targeted extortion demands."

Armor up: Fortifying against vibe hacking

There is no one-size-fits-all approach to cybersecurity, and every organization should build a program that addresses its unique risk, regulatory and technical environments. Vibe hacking does not necessarily create new cyber risks, but it does increase the speed at which these risks might be identified and exploited. Here are some suggestions to consider as you work to fortify against vibe hacking:

Use AI to fight AI. Vibe hackers have a speed advantage, particularly when automating the process for identifying vulnerabilities in multiple systems. But these same AI tools can also be used by the good guys to find and remediate vulnerabilities first. For example, an AI-powered pen test system for ethical hackers has consistently been at the top of several leaderboards published by a well-known bug bounty and ethical hacking service provider. As always, before leveraging and deploying your own AI security tools, do not forget to coordinate with the appropriate legal and compliance personnel in your organization. New AI tools may implicate your AI governance processes and may also trigger the need for an updated privacy impact assessment for your organization.

Update your cybersecurity risk assessments to consider and quantify AI attack risks. This process can also help foster collaboration between key stakeholders on IT, legal and compliance teams as they jointly develop risk assessment frameworks and response protocols for AI-related incidents.

Continue to train and educate your workforce on AI-generated attack methods. Your people are your first line of defense, but thanks to vibe hacking, phishing and social engineering campaigns are now more difficult to spot. Give your workforce more opportunities to practice spotting deep fakes, AI-generated phishing emails and social engineering attempts to increase their confidence (and your trust) in their ability to protect your organization.

Practice cyber hygiene basics. While these may not prevent vibe hackers from attempting an attack, these controls go a long way toward limiting the impact of the undead breaking through the perimeter defenses. These include:

Confirm that you have appropriate identity and access management in place and enhance as needed.

Consider implementing or enhancing defense-in-depth and zero-trust principles.

Use encryption, network segmentation and data retention principles appropriate for your organization and its risk tolerance.

Subscribe to threat intelligence feeds and participate in industry information-sharing initiatives.

Be aware: Signature-based defenses may be less effective

Great zombie movies often highlight weaknesses or failures of traditional defenses against the hordes of the undead. Vibe hacking is no different. (Okay, it's a little different than following the instructions in Shaun of the Dead to "remove the head or destroy the brain," but you get the point.)

A traditional cyber defense tactic involves identifying malware signatures – the technological fingerprints of a specific file or script – and using that signature to find and block the use of that file or script in a particular environment. Vibe hacking potentially circumvents the effectiveness of this tactic.

If you have ever asked an LLM a question or asked it to write something, you know that it never returns the same answer or content. Instead, due to the creative nature of the AI model, there are variations in the output, even when the same prompt or question is used. The same is true with vibe hacking.

If a threat actor uses an LLM to generate a script for identifying vulnerabilities in a particular environment or a file that it will use to conduct the attack, the threat actor can get a slightly modified version of that output just by asking the exact same prompt again. These variations in the output mean the files or scripts do not have identical signatures. This in turn makes it harder to identify and block attacks by the same threat actor. As always, work with your internal or external security teams to discuss how you can adapt to face this challenge.
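The signature problem described above, as an added example that is not part of the original article: two constructed, harmless scripts with identical logic but different names and comments produce different file hashes, so an exact-hash blocklist built from one misses the other. The structural fingerprint shown beside it is one possible adaptation and an assumption of this example, not something the article prescribes; all script contents and function names are made up for illustration.

```python
import ast
import hashlib

# Constructed, harmless stand-ins for one script generated twice: same logic, new names.
VARIANT_A = '''import os
def collect(root):
    total = 0  # running byte count
    for base, dirs, files in os.walk(root):
        for name in files:
            total += os.path.getsize(os.path.join(base, name))
    return total
'''
VARIANT_B = '''import os
def gather_sizes(start_dir):
    """Sum the size of every file below start_dir."""
    running = 0
    for folder, subfolders, entries in os.walk(start_dir):
        for entry in entries:
            running += os.path.getsize(os.path.join(folder, entry))
    return running
'''
UNRELATED = "import os\ndef count(root):\n    return len(os.listdir(root))\n"

def exact_signature(source):
    """Classic file signature: SHA-256 of the exact bytes."""
    return hashlib.sha256(source.encode()).hexdigest()

def structural_signature(source):
    """Hash the AST with names renamed in traversal order; docstrings and literals dropped."""
    seen = {}
    def alias(name):
        return seen.setdefault(name, f"v{len(seen)}")
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef):
            node.name = alias(node.name)
            if ast.get_docstring(node) is not None:
                node.body = node.body[1:] or [ast.Pass()]
        elif isinstance(node, ast.arg):
            node.arg = alias(node.arg)
        elif isinstance(node, ast.Name):
            node.id = alias(node.id)
        elif isinstance(node, ast.Constant):
            node.value = type(node.value).__name__
    return hashlib.sha256(ast.dump(tree).encode()).hexdigest()

def matches(sample, known_bad):
    """Return (exact_hit, structural_hit) for a sample against one known script."""
    return (exact_signature(sample) == exact_signature(known_bad),
            structural_signature(sample) == structural_signature(known_bad))
```

Imported modules and called attributes such as `os.walk` stay in the fingerprint, so it keys on what the script does rather than how it is spelled. A generator that also reorders or restructures the logic would change this fingerprint too, which is why behavioral detection is usually layered on top.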

