How Security Chaos Engineering Disrupts Adversaries in Real Time

In an age where cyber attackers have become more agile, persistent, sophisticated, and empowered by Artificial Intelligence (AI), defenders must go beyond traditional detection and prevention. Purely protective security models are losing effectiveness. In pursuit of a proactive model, one approach has emerged: security chaos engineering. It does not just lead to hardened systems; it can also actively disrupt and deceive attackers in the middle of their operations.

By intentionally injecting controlled failures or disinformation into production-like environments, defenders can observe attacker behavior, test the resilience of security controls, and frustrate adversarial campaigns in real time.

Two of the most important frameworks shaping modern cyber defense are MITRE ATT&CK (https://attack.mitre.org/) and MITRE Engage (https://engage.mitre.org/). Together, they provide defenders with a common language for understanding adversary tactics and a practical roadmap for implementing active defense strategies. This can transform intelligence about attacker behavior into actionable, measurable security outcomes. The convergence of these frameworks with security chaos engineering adds some valuable structure when building actionable and measurable programs.

What is MITRE ATT&CK?

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is an open, globally adopted framework developed by MITRE (https://www.mitre.org/) to systematically catalog and describe the observable tactics and techniques used by cyber adversaries. The ATT&CK matrix provides a detailed map of real-world attacker behaviors throughout the lifecycle of an intrusion, empowering defenders to identify, detect, and mitigate threats more effectively. By aligning security controls, threat hunting, and incident response to ATT&CK’s structured taxonomy, organizations can close defensive gaps, benchmark their capabilities, and respond proactively to the latest adversary tactics.

What is MITRE Engage?

MITRE Engage is a knowledge base and planning framework focused on adversary engagement, deception, and active defense. Building upon concepts from MITRE Shield, Engage provides structured guidance, practical playbooks, and real-world examples to help defenders go beyond detection and actively disrupt, mislead, and study adversaries. Engage helps security teams plan, implement, and measure deception operations using techniques such as decoys, disinformation, and dynamic environmental changes. This bridges the gap between understanding attacker Tactics, Techniques, and Procedures (TTPs) and taking deliberate actions to shape, slow, or frustrate adversary campaigns.

What is Security Chaos Engineering?

Security chaos engineering is the disciplined practice of simulating security failures and adversarial conditions in running production environments to uncover weaknesses and test resilience before adversaries do. Its value lies in being the closest thing to a real incident. Tabletop Exercises (TTXs) and penetration tests always carry constraints and rules of engagement that distance them from real-world attacks, where the adversary accepts no such constraints. Security chaos engineering extends the principles of chaos engineering, popularized by Netflix (https://netflixtechblog.com/chaos-engineering-upgraded-878d341f15fa), to the security domain. It inherits the same discipline: a stated hypothesis, a bounded blast radius, and an abort condition, so that the experiment stays controlled even when the adversary it emulates is not.

Instead of waiting for real attacks to reveal flaws, defenders can use automation to introduce “security chaos experiments” (e.g. shutting down servers from active pools, disabling detection rules, injecting fake credentials, modifying DNS behavior) to understand how systems and teams respond under pressure.

The Real-World Value of this Convergence

When paired with security chaos engineering, the combined use of ATT&CK and Engage opens up a new level of proactive, resilient cyber defense strategy. ATT&CK gives defenders a comprehensive map of real-world adversary behaviors, empowering teams to identify detection gaps and simulate realistic attacker TTPs during chaos engineering experiments. MITRE Engage extends this by transforming that threat intelligence into actionable deception and active defense practices, in essence providing structured playbooks for engaging, disrupting, and misdirecting adversaries. By leveraging both frameworks within a security chaos engineering program, organizations not only validate their detection and response capabilities under real attack conditions, but also test and mature their ability to deceive, delay, and study adversaries in production-like environments. This fusion shifts defenders from reactive posture to one of continuous learning and adaptive control, turning every attack simulation into an opportunity for operational hardening and adversary engagement.

Here are some security chaos engineering techniques to consider as this becomes part of a proactive cybersecurity strategy:

Temporal Deception – Manipulating Time to Confuse Adversaries

Temporal deception involves distorting how adversaries perceive time in a system (e.g. injecting false timestamps, delaying responses, or introducing inconsistent event sequences). By disrupting an attacker’s perception of time, defenders can introduce doubt and delay operations.

Example: Temporal Deception through Delayed Credential Validation in Deception Environments

Consider a deception-rich enterprise network in which temporal deception is implemented by intentionally delaying credential validation responses on honeypot systems. When an attacker uses harvested credentials to authenticate against a decoy Active Directory (AD) service or an exposed RDP server designed as a trap, the system introduces variable delays in login response times, irrespective of the result (success or failure). That independence matters: if the delay varied with the outcome, the jitter itself would become a timing oracle confirming which accounts are valid, the opposite of the intent. These delays mimic overloaded systems or network congestion and disrupt an attacker’s internal timing model of the environment. This is particularly effective when attackers use automated tooling that depends on timing signals (e.g. Kerberos brute-forcing or timing-based account validation), and it randomly slows any automated process the attacker expects to complete within a given time frame.

By altering expected response intervals, defenders can inject doubt about the reliability of activities such as reconnaissance and credential validity. Furthermore, the delayed responses provide defenders with crucial dwell time for detection and the tracking of lateral movement. This subtle manipulation of time not only frustrates attackers but also forces them to second-guess whether their tools are functioning correctly or if they’ve stumbled into a monitored and/or deceptive environment.
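As an added illustration (not code from the original article), the following Python sketch shows the two properties a decoy login service needs for this to work: the delay is drawn before the outcome is known, so it can never leak which accounts are valid, and every attempt is logged so the dwell time the delay buys can be turned into a detection. The decoy account names, passwords, delay bounds, and source addresses are constructed for the example.

```python
import hashlib
import hmac
import random
import time
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed decoy accounts (hypothetical names and passwords). They exist
# only on the honeypot, so any use of them is hostile by definition.
DECOY_USERS: Dict[str, str] = {
    "svc_backup": hashlib.sha256(b"Winter2024!").hexdigest(),
    "da_admin": hashlib.sha256(b"P@ssw0rd").hexdigest(),
}
NO_SUCH_USER = "0" * 64   # dummy digest so unknown users take the same code path


@dataclass
class DecoyAuthService:
    """Decoy login endpoint: every response is delayed by a random amount
    drawn independently of whether the credentials matched."""
    min_delay: float = 1.5
    max_delay: float = 6.0
    rng: random.Random = field(default_factory=random.Random)
    sleep: Callable[[float], None] = time.sleep   # injectable for tests
    clock: Callable[[], float] = time.time
    events: List[dict] = field(default_factory=list)

    def _credentials_match(self, user: str, password: str) -> bool:
        expected = DECOY_USERS.get(user, NO_SUCH_USER)
        candidate = hashlib.sha256(password.encode()).hexdigest()
        # Constant-time compare: the only timing signal the attacker gets is
        # the one we deliberately inject in login().
        return hmac.compare_digest(expected, candidate)

    def login(self, user: str, password: str, src_ip: str) -> Tuple[bool, float]:
        # Draw the delay BEFORE evaluating the credentials. If it depended on
        # the outcome, the jitter would become a valid-account oracle.
        delay = self.rng.uniform(self.min_delay, self.max_delay)
        ok = self._credentials_match(user, password)
        self.sleep(delay)
        self.events.append({"ts": self.clock(), "src": src_ip, "user": user,
                            "ok": ok, "delay": round(delay, 3)})
        return ok, delay


def sources_over_threshold(events: List[dict], window: float,
                           limit: int) -> Dict[str, int]:
    """Spend the dwell time the delays buy: report any source that exceeds
    `limit` attempts inside a sliding window of `window` seconds."""
    by_src: Dict[str, List[float]] = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e["ts"])
    flagged: Dict[str, int] = {}
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > limit:
                flagged[src] = end - start + 1
    return flagged


def demo() -> Dict[str, int]:
    """Deterministic run: fake clock, no real sleeping, fixed seed."""
    fake_now = [1_700_000_000.0]

    def fake_sleep(seconds: float) -> None:
        fake_now[0] += seconds

    svc = DecoyAuthService(rng=random.Random(7), sleep=fake_sleep,
                           clock=lambda: fake_now[0])
    # Constructed credential spray from one source against the decoy.
    spray = [("svc_backup", "Summer2023!"), ("svc_backup", "Winter2024!"),
             ("da_admin", "admin"), ("da_admin", "P@ssw0rd"),
             ("backup", "backup"), ("root", "toor")]
    for user, pwd in spray:
        svc.login(user, pwd, "198.51.100.23")
    svc.login("svc_backup", "x", "203.0.113.9")   # one stray attempt elsewhere
    return sources_over_threshold(svc.events, window=60.0, limit=4)


if __name__ == "__main__":
    print(demo())
```

The threshold detector is deliberately simple; in practice the same event stream would be forwarded to the SIEM, where the decoy account names alone are a high-fidelity indicator. The point of the sliding window is that six attempts spread over twenty seconds of injected delay are still six attempts, and the attacker has spent that time inside a monitored system.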

As an example of some of the ATT&CK TTPs and Engage mappings that can be used when modeling this example of temporal deception, the following support the desired defensive disruption:

MITRE ATT&CK Mapping

  • T1110 – Brute Force – many brute force tools rely on timing-based validation. By introducing delays, defenders interfere with the attacker’s success rate and timing models.
  • T1556 – Modify Authentication Process – typically this is seen as an adversary tactic. But defenders can also leverage this by modifying authentication behavior in decoy environments to manipulate attacker perception.
  • T1078 – Valid Accounts – delaying responses to login attempts involving potentially compromised credentials can delay attacker progression and reveal account usage patterns.

MITRE Engage Mapping

  • Elicit > Reassure > Artifact Diversity – deploying decoy credentials or artifacts to create a convincing and varied environment for the adversary. Temporal manipulation of login attempts involving decoy credentials helps track adversary interactions and delay their movement.
  • Elicit > Reassure > Burn-In – exercising the decoy ahead of time so that it accumulates the logs, history, and cached state a lived-in system would carry; this is what makes slow or noisy responses read as congestion rather than as a trap.
  • Affect > Disrupt > Software Manipulation – modifying system or application software to alter attacker experience, disrupt automation, or degrade malicious tooling. Introducing time delays and inconsistent system responses create false environmental cues, leading attackers to make incorrect decisions. Also introducing artificial latency into authentication routines or system responses slows down the attack lifecycle and adds noise to attacker automation.
  • Affect > Disrupt | Direct > Network Manipulation – changing or interfering with network traffic, services, or routing to disrupt attacker operations. Also influencing or steering attacker decision-making and movement in the environment.
  • Affect > Disrupt > Isolation – segregating attacker interactions or dynamically altering access to increase confusion and contain threats.
  • Expose > Detect > Lures | Network Analysis – baiting the adversary with the decoy authentication services, then logging and analyzing the resulting traffic for intelligence and response purposes.
  • Expose > Collect > API Monitoring | Network Monitoring | System Activity Monitoring – extended interaction windows (due to delayed responses) give defenders more opportunity to monitor adversary behavior within the decoy environment.

Honey Timing and Time-Based Traps

Time-bound honeypots such as fake cron jobs, scheduled updates, or bogus backup routines can serve as deceptive traps. Interaction with these elements reveals unauthorized probing or access attempts. The very existence of these traps implies that any entity interacting with them (excluding the creators of course) needs to be treated as hostile and investigated.

Example: Deceptive Backup Scripts as Time-Based Traps in Cloud Environments

Defenders can deploy a bogus scheduled backup script named “nightly-db-backup.sh” on a decoy cloud instance. A convincing cron entry (e.g. in /etc/cron.d/backup_job) makes it appear to run daily at 04:00. The script can contain clear-text references to fake database credentials, S3 storage paths, and mock sensitive data exports. It works as a timing-based honeypot that exists to attract unauthorized access attempts during off-hours, when legitimate activity is minimal.

Any attempt to execute this script triggers hidden canary tokens that act as an alerting system, for example an HTTP request to a receiving web server configured to log and alert on any interaction with that token. The receiver captures timestamps, so interactions outside the bogus scheduled execution window stand out immediately. Defenders can then not only detect the unauthorized access but also track subsequent movements using the metadata captured with the callback (at minimum the source address and time).

This approach demonstrates how time-based decoy elements, especially those aligned with off-hour routines, can effectively expose stealthy adversaries who are mimicking typical system administrator behavior.
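To make the schedule check concrete, here is an added Python example (not from the original article) for the canary receiver side: it parses constructed access-log lines from the web server that receives the callbacks, recognizes hits on the canary path, and separates the expected 04:00 execution from everything else. The token path component, the query parameters the decoy script is assumed to send, and the log lines themselves are all constructed for the example.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# The decoy's cron entry claims 04:00 daily. Real executions by cron are the
# only hits that should ever land inside this window.
DECOY_SCHEDULE = "0 4 * * *"
SCHEDULE_TOLERANCE = timedelta(minutes=2)
CANARY_TOKEN_ID = "9f1a"   # hypothetical token path component

# Hypothetical last line of nightly-db-backup.sh (assumption, not from the article):
#   curl -s "https://canary.example.net/c/9f1a?h=$(hostname)&u=$(id -un)"
# The receiver's access log is what we parse below (combined log format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def _field_matches(spec: str, value: int) -> bool:
    """Cron field: '*', 'a', 'a,b', 'a-b' or '*/n' (enough for the decoy entry)."""
    for part in spec.split(","):
        if part == "*":
            return True
        if part.startswith("*/"):
            if value % int(part[2:]) == 0:
                return True
        elif "-" in part:
            lo, hi = map(int, part.split("-"))
            if lo <= value <= hi:
                return True
        elif int(part) == value:
            return True
    return False


def cron_matches(expr: str, when: datetime) -> bool:
    minute, hour, dom, month, dow = expr.split()
    return (_field_matches(minute, when.minute) and _field_matches(hour, when.hour)
            and _field_matches(dom, when.day) and _field_matches(month, when.month)
            and _field_matches(dow, when.isoweekday() % 7))   # cron: 0 = Sunday


def within_schedule(when: datetime, expr: str, tolerance: timedelta) -> bool:
    """True if some minute within +/- tolerance of `when` matches the cron expr."""
    probe = when.replace(second=0, microsecond=0) - tolerance
    end = when + tolerance
    while probe <= end:
        if cron_matches(expr, probe):
            return True
        probe += timedelta(minutes=1)
    return False


def parse_canary_hit(line: str) -> Optional[Dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["path"])
    if not parts.path.endswith("/" + CANARY_TOKEN_ID):
        return None
    q = parse_qs(parts.query)
    when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"when": when, "src": m["src"], "ua": m["ua"],
            "host": q.get("h", ["?"])[0], "user": q.get("u", ["?"])[0]}


def triage(lines: List[str]) -> List[Dict]:
    """Return canary hits outside the bait schedule. Each one is hostile by
    construction: nothing but the fake cron entry should ever run the script."""
    out = []
    for line in lines:
        hit = parse_canary_hit(line)
        if hit is None:
            continue
        hit["scheduled"] = within_schedule(hit["when"], DECOY_SCHEDULE, SCHEDULE_TOLERANCE)
        if not hit["scheduled"]:
            out.append(hit)
    return out


# Constructed sample of the canary receiver's access log.
SAMPLE_LOG = [
    '10.0.4.12 - - [14/Mar/2025:04:00:02 +0000] "GET /c/9f1a?h=db-prod-02&u=root HTTP/1.1" 200 0 "-" "curl/8.5.0"',
    '10.0.4.12 - - [14/Mar/2025:14:37:51 +0000] "GET /c/9f1a?h=db-prod-02&u=www-data HTTP/1.1" 200 0 "-" "curl/8.5.0"',
    '10.0.4.12 - - [15/Mar/2025:04:00:01 +0000] "GET /c/9f1a?h=db-prod-02&u=root HTTP/1.1" 200 0 "-" "kube-probe/1.29"',
    '10.0.4.12 - - [15/Mar/2025:04:05:30 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.29"',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f'{hit["when"].isoformat()} {hit["host"]} user={hit["user"]} src={hit["src"]}')
```

Two practical notes. An attacker who reads the script sees the callback URL, so in a real deployment the canary request is better disguised as the "upload" step the backup would naturally perform. And the in-window hits are still worth recording: a missing 04:00 hit means the decoy instance itself is down or the cron entry was tampered with, which is a signal in its own right.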

As an example of some of the ATT&CK TTPs and Engage mappings that can be used when modeling this example of time based decoys, the following support the desired defensive disruption:

MITRE ATT&CK Mapping

  • T1059 – Command and Scripting Interpreter – the attacker manually executes some script using bash or another shell interpreter.
  • T1083 – File and Directory Discovery – the attacker browses system files and cron directories to identify valuable scripts.
  • T1070.004 – Indicator Removal: File Deletion – often attackers attempt to clean up after interacting with trap files.
  • T1562.001 – Impair Defenses: Disable or Modify Tools – attempting to disable cron monitoring or logging after detection is common.

MITRE Engage Mapping

  • Elicit > Reassure > Artifact Diversity – deploying decoy credentials or artifacts to create a convincing and varied environment for the adversary.
  • Affect > Disrupt > Software Manipulation – modifying system or application software to alter attacker experience, disrupt automation, or degrade malicious tooling.
  • Affect > Disrupt > Isolation – segregating attacker interactions or dynamically altering access to increase confusion and contain threats.
  • Expose > Detect > Lures – placing the bait script and its fake credentials where an intruder will find them, then logging and analyzing every interaction for intelligence and response purposes.

Randomized Friction

Randomized friction aims at increasing an attacker’s work factor, in turn increasing the operational cost for the adversary. Introducing unpredictability in system responses (e.g. intermittent latency, randomized errors, inconsistent firewall behavior) forces attackers to adapt continually, degrading their efficiency and increasing the likelihood of detection.

Example: Randomized Edge Behavior in Cloud Perimeter Defense

Imagine a blue/red team exercise within a large cloud-native enterprise. The security team deploys randomized friction on a network segment believed to be under passive reconnaissance by red team actors. The strategy can include intermittent firewall rule randomization, so that attempts to reach specific HTTP-based resources are met with occasional timeouts, 403 errors, misdirected HTTP redirects, or, sometimes, a genuine response.

When the red team conducts external reconnaissance and tries to enumerate target resources, they experience inconsistent results. One of their primary objectives is to remain undetected. Some ports appear filtered one moment and open the next. API responses alternate between errors, basic authentication challenges, and other missing-element challenges (e.g. a required HTTP request header reported absent). This forces red team actors to waste time revalidating findings, rewriting tooling, and second-guessing whether their scans were flawed or detection had occurred.

Crucially, during this period, defenders are capturing every probe and fingerprinting attempt. The friction-induced inefficiencies increase attack dwell time and the volume of telemetry, making detection and attribution easier. Eventually, frustrated by the lack of consistent results, the red team escalates their approach. This ends their attempt at stealth and triggers active detection systems.

This experiment degrades attacker efficiency, increases their operational cost, and expands the defenders’ window for early detection and response, all without disrupting legitimate operations. That last property is not automatic: the friction must be keyed to traffic the edge cannot positively attribute (unauthenticated sources, scanner fingerprints, probes of paths that do not exist), and anything carrying a valid identity, such as partner ranges, monitors, or authenticated sessions, must always receive a truthful answer. It takes effort on the defending side to set this up, but the outcome is well worth it.
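The following Python policy is an added example (not from the original article or any named product) of how that safety property can be encoded at an HTTP edge: friction is applied only once a request has earned it, and identified traffic is exempt by construction. The outcome weights, known paths, scanner markers and addresses are assumptions for the example.

```python
import random
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Outcome mix for probes that earn friction. Weights are an assumption; keep
# "pass" rare enough to be useless as a signal, but never zero, so the
# attacker cannot simply invert the results.
FRICTION_MIX: List[Tuple[str, float]] = [
    ("timeout", 0.35),        # never answer; the scanner burns its own deadline
    ("403", 0.25),
    ("redirect", 0.15),       # 302 toward a monitored decoy path
    ("401-challenge", 0.15),  # demand credentials the resource never needed
    ("pass", 0.10),           # occasionally truthful
]

# Constructed: paths that legitimately exist on this edge. Browser noise such
# as /robots.txt and /favicon.ico is listed so it does not count as probing.
KNOWN_PATHS: Set[str] = {"/", "/api/v1/orders", "/api/v1/health", "/login",
                         "/robots.txt", "/favicon.ico"}
SCANNER_UA_MARKERS = ("nmap", "masscan", "nikto", "zgrab", "python-requests",
                      "go-http-client")


@dataclass(frozen=True)
class Request:
    src: str
    path: str
    user_agent: str
    authenticated: bool = False   # valid session cookie or mTLS client identity


@dataclass
class FrictionPolicy:
    rng: random.Random = field(default_factory=random.Random)
    trusted_sources: Set[str] = field(default_factory=set)   # partners, monitors
    recon_threshold: int = 3          # unknown-path probes before friction applies
    probe_counts: Dict[str, int] = field(default_factory=dict)
    decisions: List[dict] = field(default_factory=list)

    def _record_probe(self, req: Request) -> None:
        if req.path not in KNOWN_PATHS:
            self.probe_counts[req.src] = self.probe_counts.get(req.src, 0) + 1

    def _is_recon(self, req: Request) -> bool:
        ua = req.user_agent.lower()
        return (any(m in ua for m in SCANNER_UA_MARKERS)
                or self.probe_counts.get(req.src, 0) >= self.recon_threshold)

    def decide(self, req: Request) -> str:
        # Invariant that makes this safe in production: anything positively
        # identified as legitimate is answered truthfully, every time.
        if req.authenticated or req.src in self.trusted_sources:
            outcome = "pass"
        else:
            self._record_probe(req)
            if self._is_recon(req):
                names, weights = zip(*FRICTION_MIX)
                outcome = self.rng.choices(names, weights=weights, k=1)[0]
            else:
                outcome = "pass"
        # Every decision is logged: the scan itself becomes telemetry.
        self.decisions.append({"src": req.src, "path": req.path,
                               "ua": req.user_agent, "outcome": outcome})
        return outcome


def attacker_view(policy: FrictionPolicy, src: str, ua: str,
                  paths: List[str], rounds: int) -> Dict[str, Set[str]]:
    """What an unauthenticated scanner sees if it re-checks each path `rounds` times."""
    seen: Dict[str, Set[str]] = {p: set() for p in paths}
    for _ in range(rounds):
        for p in paths:
            seen[p].add(policy.decide(Request(src, p, ua)))
    return seen


if __name__ == "__main__":
    pol = FrictionPolicy(trusted_sources={"192.0.2.10"})
    view = attacker_view(pol, "203.0.113.7", "Nmap Scripting Engine",
                         ["/admin", "/.env", "/api/v1/orders"], rounds=10)
    for path, outcomes in view.items():
        print(path, sorted(outcomes))
```

The scanner never learns which of the three paths actually exists, because even the real one answers from the same distribution. Meanwhile `decisions` holds one record per probe, attributed to a source, which is the telemetry the text describes.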

As an example of some of the ATT&CK TTPs and Engage mappings that can be used when modeling this example of randomized friction, the following support the desired defensive disruption:

MITRE ATT&CK Mapping

  • T1595 – Active Scanning – adversaries conducting external enumeration are directly impacted by inconsistent firewall responses.
  • T1046 – Network Service Discovery – random port behavior disrupts service mapping efforts by the attacker.
  • T1583.006 – Acquire Infrastructure: Web Services – attackers using disposable cloud infrastructure for scanning may burn more resources due to retries and inefficiencies.

MITRE Engage Mapping

  • Elicit > Reassure > Artifact Diversity – deploying decoy credentials or artifacts to create a convincing and varied environment for the adversary.
  • Elicit > Reassure > Burn-In – exercising decoy systems ahead of time so they accumulate the artifacts (logs, history, cached state) a lived-in system would have, keeping the deception credible under scrutiny.
  • Affect > Disrupt > Software Manipulation – modifying system or application software to alter attacker experience, disrupt automation, or degrade malicious tooling.
  • Affect > Disrupt > Network Manipulation – changing or interfering with network traffic, services, or routing to disrupt attacker operations.
  • Affect > Disrupt > Isolation – segregating attacker interactions or dynamically altering access to increase confusion and contain threats.
  • Expose > Detect > Network Analysis – observing, logging, and analyzing adversary actions for intelligence and response purposes.

Ambiguity Engineering

Ambiguity engineering aims to obscure the adversary’s mental model. It is the deliberate obfuscation of system state, architecture, and behavior. When attackers cannot build accurate models of the target environments, their actions become riskier and more error-prone. Tactics include using ephemeral resources, shifting IP addresses, inconsistent responses, and mimicking failure states.

Example: Ephemeral Infrastructure and Shifting Network States in Zero Trust Architectures

A SaaS provider operating in a zero trust environment can implement ambiguity engineering as part of its cloud perimeter defense strategy. In this setup, let’s consider a containerized ecosystem that leverages Kubernetes-based orchestration. This platform can utilize elements such as ephemeral IPs and DNS mappings, rotating them at certain intervals. These container hosted backend services would be accessible only via authenticated service mesh gateways, but appear (to external entities) to intermittently exist, fail, or timeout, depending on timing and access credentials.

Consider the external attacker’s experience against a target such as this. They would be looking for initial access followed by lateral movement and service enumeration inside the target environment. What they would encounter are API endpoints that resolve one moment and vanish the next. Port scans would deliver inconsistent results across iterations. Even successful service calls could return varying error codes depending on timing and the identity of the caller. When the attacker tries to correlate observed behaviors into a coherent attack path, they continually hit dead ends.

This environment is not broken; it is intentionally engineered for ambiguity. The ephemeral nature of resources, combined with deliberate mimicry of common failure states, prevents attackers from forming a reliable mental model of system behavior. Frustrated and misled, their attack chain slows, their errors increase, and their risk of detection rises. Meanwhile, defenders capture behavioral fingerprints from the failed attempts and gather telemetry that informs future threat hunting and active protection.

As an example of some of the ATT&CK TTPs and Engage mappings that can be used when modeling this example of ambiguity engineering, the following support the desired defensive disruption:

MITRE ATT&CK Mapping

  • T1046 – Network Service Discovery – scanning results are rendered unreliable by ephemeral network surfaces and dynamic service allocation.
  • T1590 – Gather Victim Network Information – environmental ambiguity disrupts adversary reconnaissance and target mapping.
  • T1001.003 – Data Obfuscation: Protocol or Service Impersonation – false failure states and protocol behavior can mimic broken or legacy services, confusing attackers.

MITRE Engage Mapping

  • Elicit > Reassure > Artifact Diversity – deploying decoy credentials or artifacts to create a convincing and varied environment for the adversary.
  • Elicit > Reassure > Burn-In – exercising decoy systems ahead of time so they accumulate the artifacts (logs, history, cached state) a lived-in system would have, keeping the deception credible under scrutiny.
  • Affect > Disrupt > Software Manipulation – modifying system or application software to alter attacker experience, disrupt automation, or degrade malicious tooling.
  • Affect > Disrupt > Network Manipulation – changing or interfering with network traffic, services, or routing to disrupt attacker operations.
  • Affect > Disrupt > Isolation – segregating attacker interactions or dynamically altering access to increase confusion and contain threats.
  • Expose > Detect > Network Analysis – observing, logging, and analyzing adversary actions for intelligence and response purposes.
  • Affect > Direct > Network Manipulation – steering adversary traffic and movement toward the ephemeral surfaces and decoys defenders want them to engage with.

Disinformation Campaigns and False Flag Operations

Just as nation-states use disinformation to mislead public opinion, defenders can plant false narratives within ecosystems. Examples include fake internal threat intel feeds, decoy sensitive documents, or impersonated attacker TTPs designed to confuse attribution.

False flag operations are where an environment mimics behaviors of known APTs. The goal is to get one attack group to think another group is at play within a given target environment. This can redirect adversaries’ assumptions and deceive real actors at an operational stage.

Example: False Flag TTP Implantation to Disrupt Attribution

Consider a long-term red vs. blue engagement inside a critical infrastructure simulation network. The blue team defenders implement a false flag operation by deliberately injecting decoy threat actor behavior into their environment. This can include elements such as:

  • Simulated PowerShell command sequences that mimic APT29 (https://attack.mitre.org/groups/G0016/) based on known MITRE ATT&CK chains.
  • Fake threat intel logs placed in internal ticketing systems referring to OilRig or APT34 (https://attack.mitre.org/groups/G0049/) activity.
  • Decoy documents labeled as “internal SOC escalation notes” with embedded references to Cobalt Strike Beacon callbacks allegedly originating from Eastern European IPs.

All of these artifacts can be placed in decoy systems, honeypots, and threat emulation zones designed to be probed or breached. The red team, tasked with emulating an external APT, stumbles upon these elements during lateral movement and begins adjusting its operations based on the perceived threat context, incorrectly assuming that a separate advanced threat actor is, or was, already in the environment.

This seeded disinformation can slow the red team’s operations, divert their recon priorities, and lead them to take defensive measures that burn time and resources (e.g. avoiding fake IOCs and misattributed persistence mechanisms). On the defense side, telemetry confirms which indicators were accessed and how the attackers reacted to the disinformation. This can become very predictive of what a real attack group would do. Ultimately, defenders can control the narrative within an engagement of this sort by manipulating perception.

As an example of some of the ATT&CK TTPs and Engage mappings that can be used when modeling this example of disinformation, the following support the desired defensive disruption:

MITRE ATT&CK Mapping

  • T1005 – Data from Local System – adversaries collect misleading internal documents and logs during lateral movement.
  • T1204.002 – User Execution: Malicious File – decoy files mimicking malware behavior or containing false IOCs can trigger adversary toolchains or analysis pipelines.
  • T1070.001 – Indicator Removal: Clear Windows Event Logs – adversaries may attempt to clean up logs that include misleading breadcrumbs, thereby reinforcing the deception.

MITRE Engage Mapping

  • Elicit > Reassure > Artifact Diversity – deploying decoy credentials or artifacts to create a convincing and varied environment for the adversary.
  • Elicit > Reassure > Burn-In – exercising decoy systems ahead of time so they accumulate the artifacts (logs, history, cached state) a lived-in system would have, keeping the deception credible under scrutiny.
  • Affect > Disrupt > Software Manipulation – modifying system or application software to alter attacker experience, disrupt automation, or degrade malicious tooling.
  • Affect > Disrupt > Network Manipulation – changing or interfering with network traffic, services, or routing to disrupt attacker operations.
  • Affect > Disrupt > Isolation – segregating attacker interactions or dynamically altering access to increase confusion and contain threats.
  • Affect > Direct > Network Manipulation – steering adversary movement toward the decoy systems and threat emulation zones where the false flag artifacts are planted.
  • Expose > Detect > Network Analysis – observing, logging, and analyzing adversary actions for intelligence and response purposes.

Real-World Examples of Security Chaos Engineering

One of the most compelling real-world examples of this chaos based approach comes from UnitedHealth Group (UHG). As one of the largest healthcare enterprises in the United States, UHG faced the dual challenge of maintaining critical infrastructure uptime while ensuring robust cyber defense. Rather than relying solely on traditional security audits or simulations, UHG pioneered the use of chaos engineering for security.

UHG

UHG’s security team developed an internal tool called ChaoSlingr (no longer maintained, located at https://github.com/Optum/ChaoSlingr). This was a platform designed to inject security-relevant failure scenarios into production environments. It included features like degrading DNS resolution, introducing latency across east-west traffic zones, and simulating misconfigurations. The goal wasn’t just to test resilience; it was to validate that security operations mechanisms (e.g. logging, alerting, response) would still function under duress. In effect, UHG weaponized unpredictability, making the environment hostile not just to operational errors, but to adversaries who depend on stability and visibility.

DataDog

This philosophy is gaining traction. Forward-thinking vendors like Datadog have begun formalizing Security Chaos Engineering practices and providing frameworks that organizations can adopt regardless of scale. In its blog post “Chaos Engineering for Security”, Datadog (https://www.datadoghq.com/blog/chaos-engineering-for-security/) outlines practical attack-simulation experiments defenders can run to proactively assess resilience. These include:

  • Simulating authentication service degradation to observe how cascading failures are handled in authentication and/or Single Sign-On (SSO) systems.
  • Injecting packet loss to measure how network inconsistencies are handled.
  • Disrupting DNS resolution.
  • Testing how incident response tooling behaves under conditions of network instability.

By combining production-grade telemetry with intentional fault injection, teams gain insights that traditional red teaming and pen testing can’t always surface. This is accentuated when considering systemic blind spots and cascading failure effects.

What ties UHG’s pioneering work and Datadog’s vendor-backed framework together is a shift in mindset. The shift is from static defense to adaptive resilience. Instead of assuming everything will go right, security teams embrace the idea that failure is inevitable. As such, they engineer their defenses to be antifragile. But more importantly, they objectively and fearlessly test those defenses and adjust when original designs were simply not good enough.

Security chaos engineering isn’t about breaking things recklessly. It’s about learning before the adversary forces you to. For defenders seeking an edge, unpredictability might just be the most reliable ally.

From Fragility to Adversary Friction

Security chaos engineering has matured from a resilience validation tool to a method of influencing and disrupting adversary operations. By incorporating techniques such as temporal deception, ambiguity engineering, and the use of disinformation, defenders can force attackers into a reactive posture. Moreover, defenders can delay offensive objectives targeted at them and increase their attackers’ cost of operations. This strategic use of chaos allows defenders not just to protect an ecosystem but to shape adversary behavior itself. This is how security chaos engineering disrupts adversaries in real time.

Decentralized Agentic AI: Understanding Agent Communication and Security

In the agentic space of Artificial Intelligence (AI), much recent development has centered on building agents. The value of well-built and/or purpose-built agents can be immense. These are generally autonomous, stand-alone pieces of software that can perform a multitude of functions. This is powerful on its own; it becomes more powerful still when agents are decentralized and communicate with one another, which is also where the security questions begin.

An Application Security (AppSec) parallel I consider when looking at some of these is the use of a single dedicated HTTP client that performs specific attacks, for instance the Slowloris attack.

For those who don’t know, the Slowloris attack is a type of Denial of Service (DoS) attack that targets web servers by sending incomplete HTTP requests. Each connection is kept alive by periodically sending small bits of data, so the attack opens many connections and holds them open as long as possible. The web server has allocated resources to each connection and waits for the request to complete, so its capacity for new connections is exhausted. This is a powerful attack, one that is a good fit for a stand-alone agent.
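The connection-holding behavior described above is exactly what a server must be able to shed. The following Python simulation is an added example, not code from the original article or from any named project: it models a front-end that tracks connections which have not yet delivered a complete header block and closes them by a deadline measured from when the connection opened, not from the last byte received, which is the idle timer Slowloris is designed to keep resetting. It also caps half-open connections per source. The deadline, cap, addresses, and traffic pattern are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

HEADER_DEADLINE = 10.0    # seconds a client may take to finish its request headers
PER_SOURCE_CAP = 20       # concurrent half-open connections allowed per source


@dataclass
class Conn:
    cid: int
    src: str
    opened: float
    buf: bytes = b""
    headers_done: bool = False


@dataclass
class SlowlorisGuard:
    """Tracks connections without a complete header block and closes the ones
    that drag past the deadline, no matter how much keep-alive trickle they send."""
    conns: Dict[int, Conn] = field(default_factory=dict)
    per_source: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    closed: List[dict] = field(default_factory=list)
    _next: int = 0

    def open(self, src: str, now: float) -> int:
        """Accept a new connection, or refuse it (-1) when the source is at its cap."""
        if self.per_source[src] >= PER_SOURCE_CAP:
            self.closed.append({"src": src, "reason": "per-source-cap", "at": now})
            return -1
        self._next += 1
        self.conns[self._next] = Conn(self._next, src, now)
        self.per_source[src] += 1
        return self._next

    def feed(self, cid: int, data: bytes) -> None:
        """Bytes arrived; a blank line ends the header block and releases the
        connection to the application. Arrival does NOT extend the deadline."""
        c = self.conns[cid]
        c.buf += data
        if b"\r\n\r\n" in c.buf:
            c.headers_done = True

    def reap(self, now: float) -> List[int]:
        victims = [cid for cid, c in self.conns.items()
                   if not c.headers_done and now - c.opened > HEADER_DEADLINE]
        for cid in victims:
            c = self.conns.pop(cid)
            self.per_source[c.src] -= 1
            self.closed.append({"src": c.src, "reason": "header-timeout", "at": now})
        return victims


def simulate() -> dict:
    g = SlowlorisGuard()
    # Legitimate browser: the whole header block arrives within a fraction of a second.
    legit = g.open("192.0.2.44", 0.0)
    g.feed(legit, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n")
    # Constructed attacker fleet: 25 connections that each trickle one bogus
    # header line every few seconds and never send the terminating blank line.
    attempts = [g.open("203.0.113.66", 0.5) for _ in range(25)]
    accepted = [cid for cid in attempts if cid != -1]
    for t in (3.0, 6.0, 9.0):
        for cid in accepted:
            g.feed(cid, b"X-a: b\r\n")     # keeps an idle timer happy; not this one
    reaped = g.reap(11.0)
    return {"accepted": len(accepted), "capped": len(attempts) - len(accepted),
            "reaped": len(reaped), "legit_open": legit in g.conns}


if __name__ == "__main__":
    print(simulate())
```

Real servers expose the same two controls under different names (for example a request-header read timeout and a per-client connection limit); the simulation shows why the timer has to run from connection open rather than from last activity.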

But consider the exponential power of having a fleet of agents simultaneously performing a Slowloris attack. The point of resource exhaustion on the target can be reached on a much quicker timeline. This pushes the agentic model into a decentralized one that must allow communication across all of the agents in a fleet. This collaborative approach can facilitate advanced capabilities like dynamically reacting to protective changes on the target. The focal point here is how agents communicate effectively and securely to coordinate actions and share knowledge. This is what allows a fleet of agents to adapt dynamically to changes in a given environment.

How AI Agents Communicate

AI agents in decentralized systems typically employ Peer-to-Peer (P2P) communication methods. Common techniques include:

  • Swarm intelligence communication – inspired by biological systems (e.g. ants or bees), agents communicate through indirect methods like pheromone trails (ants lay down pheromones and other ants follow these trails) or shared states stored in distributed ledgers. This enables dynamic self-organization and emergent behavior.
  • Direct message passing – agents exchange messages directly through established communication channels. Messages may contain commands, data updates, or task statuses.
  • Broadcasting and multicasting – agents disseminate information broadly or to selected groups. Broadcasting is useful for global updates, while multicasting targets a subset of agents based on network segments, roles or geographic proximity.
  • Publish/Subscribe (Pub/Sub) – agents publish messages to specific topics, and interested agents subscribe to receive updates relevant to their interests or roles. This allows strategic and efficient filtering and targeted communication.

Communication Protocols and Standards

Generally speaking, to make disparate agents understand each other they have to speak the same language. To standardize and optimize communications, decentralized AI agents often leverage:

  • Agent Communication Language (ACL) – formal languages, such as the Foundation for Intelligent Physical Agents (FIPA) ACL, standardize message formats and by doing so enhance interoperability. These types of ACLs enable agents to exchange messages beyond simple data transfers. FIPA ACL specifications can be found here: http://www.fipa.org/repository/aclreps.php3, and a great introduction can be found here: https://smythos.com/developers/agent-development/fipa-agent-communication-language/
  • MQTT, AMQP, and ZeroMQ – these lightweight messaging protocols ensure efficient, scalable communication with minimal overhead.
  • Blockchain and Distributed Ledgers – distributed ledgers provide immutable, secure shared states enabling trustworthy decentralized consensus among agents.

Security in Agent-to-Agent Communication

Security in these decentralized models remains paramount. This is especially so when agents operate autonomously but communicate in order to impact functionality and/or direction.

Risks and Threats

  • Spoofing attacks – malicious entities mimic legitimate agents to disseminate false information or impact functionality in some unintended manner. Countermeasures bind every message to a verifiable agent identity (a certificate, or a signature over the message) and reject anything unsigned or signed by a key the swarm does not know.
  • Man-in-the-Middle (MitM) attacks – intermediaries intercept and alter communications between agents. Countermeasures include mutual Transport Layer Security (mTLS) between agents, with ephemeral key exchanges so that sessions have Perfect Forward Secrecy (PFS), plus message-level signatures and sequence numbers so that a relay or broker in the path can neither alter nor replay content.
  • Sybil attacks – attackers create numerous fake identities to skew consensus in environments where that matters. This is particularly dangerous in systems relying on peer validation or swarm consensus. A notable real-world example is the Sybil activity documented on the Tor network, where single operators ran large numbers of relays to gain a disproportionate share of the network, in some cases in order to deanonymize users (https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/winter). In decentralized AI, such attacks can lead to disinformation propagation, consensus manipulation, and compromised decision-making. Countermeasures make identities costly or accountable (Proof-of-Work, Proof-of-Stake staking, or certificates issued by a trusted authority) and weight votes by earned trust rather than by head count.
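As an added illustration of these three risks (this is example code, not code from the original post or from any agent framework), here is a small Python message bus that authenticates every envelope before fanning it out to topic subscribers, which also puts the publish/subscribe model from above into practice. Agent identities, keys and the sample messages are constructed for the example; per-agent HMAC secrets stand in for the asymmetric signatures a real deployment would use.

```python
import hashlib
import hmac
import json
import time

# Constructed key registry for the example. In production each agent would hold
# its own asymmetric key pair (e.g. Ed25519) and the bus would store only public
# keys; per-agent HMAC secrets are used here so the example needs no third-party
# library, and the verification flow is the same.
AGENT_KEYS = {
    "sensor-01": b"constructed-secret-for-sensor-01",
    "sensor-02": b"constructed-secret-for-sensor-02",
}
MAX_SKEW_SECONDS = 30  # reject messages whose timestamp is further than this from our clock


def canonical(body: dict) -> bytes:
    """Deterministic serialization so signer and verifier MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(agent_id, key, seq, topic, payload, now):
    """Envelope whose tag covers identity, sequence number, timestamp, topic and payload."""
    body = {"agent": agent_id, "seq": seq, "ts": now, "topic": topic, "payload": payload}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": tag}


class VerifyingBus:
    """Publish/subscribe bus that authenticates every envelope before fan-out."""

    def __init__(self, keys, now=time.time):
        self.keys = keys
        self.now = now
        self.last_seq = {}      # agent -> highest sequence number accepted
        self.subscribers = {}   # topic -> list of handlers
        self.rejected = []      # (reason, envelope), kept for audit

    def subscribe(self, topic, handler):
        self.subscribers.setdefault(topic, []).append(handler)

    def publish(self, env):
        reason = self._verify(env)
        if reason:
            self.rejected.append((reason, env))
            return False
        self.last_seq[env["agent"]] = env["seq"]
        for handler in self.subscribers.get(env["topic"], []):
            handler(env)
        return True

    def _verify(self, env):
        key = self.keys.get(env.get("agent"))
        if key is None:
            return "unknown-agent"  # spoofed or unregistered identity
        body = {k: v for k, v in env.items() if k != "sig"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, env.get("sig", "")):
            return "bad-signature"  # forged key, or content altered in transit
        if abs(self.now() - env["ts"]) > MAX_SKEW_SECONDS:
            return "stale"          # delayed, or replayed from an old capture
        if env["seq"] <= self.last_seq.get(env["agent"], 0):
            return "replay"         # sequence number already consumed
        return None


def exercise_bus():
    """Drive the bus with one good message and five hostile ones (all constructed)."""
    clock = [1_000_000.0]
    bus = VerifyingBus(AGENT_KEYS, now=lambda: clock[0])
    received = []
    bus.subscribe("alerts", lambda env: received.append(env["payload"]))

    good = sign_message("sensor-01", AGENT_KEYS["sensor-01"], 1, "alerts", {"ioc": "10.0.0.7"}, clock[0])
    outcomes = [bus.publish(good), bus.publish(good)]                         # accepted, then replayed
    forged = sign_message("sensor-01", b"attacker-guess", 2, "alerts", {"ioc": "evil"}, clock[0])
    outcomes.append(bus.publish(forged))                                       # spoofed sensor-01
    tampered = {**good, "payload": {"ioc": "1.2.3.4"}}                          # MitM edits the payload
    outcomes.append(bus.publish(tampered))
    ghost = sign_message("sensor-99", b"whatever", 1, "alerts", {}, clock[0])  # unregistered agent
    outcomes.append(bus.publish(ghost))
    clock[0] += 60                                                             # time passes
    late = sign_message("sensor-02", AGENT_KEYS["sensor-02"], 1, "alerts", {"ioc": "old"}, clock[0] - 120)
    outcomes.append(bus.publish(late))                                         # valid key, stale clock
    return outcomes, received, [reason for reason, _ in bus.rejected]
```

The replay and staleness checks matter as much as the signature: a correctly signed "host is clean" message captured yesterday is exactly what a MitM would want to re-inject. The skew window should be tuned to the swarm's real clock drift, and with asymmetric keys the bus would hold only public keys, so compromising the bus would not let an attacker mint messages.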

Securing Communication with Swarm Algorithms

Swarm algorithms pose unique challenges from a security perspective. This area is a great opportunity to showcase how security can add business value. Ensuring a safe functional ecosystem for decentralized agents is a prime example of security enabling a business. Key security practices include:

  • Cryptographic techniques – encryption, digital signatures, and secure key exchanges authenticate agents and protect message integrity.
  • Consensus protocols – secure consensus algorithms (e.g. Byzantine Fault Tolerance, Proof-of-Stake, federated consensus) ensure resilient collective decision-making as long as faulty or malicious agents stay below the protocol's tolerance bound (classic BFT tolerates fewer than one third of participants being Byzantine).
  • Redundancy and verification – agents verify received information through redundant checks and majority voting to mitigate disinformation and potential manipulation.
  • Reputation systems – trust mechanisms identify and isolate malicious agents through reputation scoring.
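To show why trust-weighted voting blunts a Sybil flood where raw head count does not, here is an added Python example (not from the original post): established agents carry earned trust, fresh identities start with almost none, and the swarm's verdict is the trust-weighted majority, with reputation adjusted after each round. The agent names, starting reputations, reward and penalty values and the vote pattern are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed parameters: newcomers start with almost no weight, known-good agents
# with a high one; weight moves with each round's agreement or disagreement.
NEW_AGENT_REPUTATION = 0.05
ESTABLISHED_REPUTATION = 0.8
QUARANTINE_THRESHOLD = 0.02
REWARD = 0.05
PENALTY = 0.10


@dataclass
class Swarm:
    reputation: dict = field(default_factory=dict)   # agent -> trust weight in [0, 1]
    quarantined: set = field(default_factory=set)    # agents whose votes are ignored

    def join(self, agent_id, reputation=NEW_AGENT_REPUTATION):
        """Register an identity; unknown voters are admitted at the newcomer weight."""
        self.reputation.setdefault(agent_id, reputation)

    def decide(self, votes):
        """votes: agent -> verdict. Returns the trust-weighted majority and the tallies."""
        tally = {}
        for agent, verdict in votes.items():
            if agent in self.quarantined:
                continue
            self.join(agent)
            tally[verdict] = tally.get(verdict, 0.0) + self.reputation[agent]
        outcome = max(tally, key=tally.get)
        self._update(votes, outcome)
        return outcome, tally

    def _update(self, votes, outcome):
        """Agreement with the outcome earns trust; dissent costs more than agreement earns."""
        for agent, verdict in votes.items():
            if agent in self.quarantined:
                continue
            r = self.reputation[agent]
            r = min(1.0, r + REWARD) if verdict == outcome else max(0.0, r - PENALTY)
            self.reputation[agent] = r
            if r < QUARANTINE_THRESHOLD:
                self.quarantined.add(agent)


def unweighted_majority(votes):
    """What a naive one-identity-one-vote scheme would conclude."""
    counts = {}
    for verdict in votes.values():
        counts[verdict] = counts.get(verdict, 0) + 1
    return max(counts, key=counts.get)


def sybil_flood():
    """Five established agents say 'benign'; fifty freshly minted identities say 'malicious'."""
    swarm = Swarm()
    for i in range(5):
        swarm.join(f"agent-{i}", ESTABLISHED_REPUTATION)
    votes = {f"agent-{i}": "benign" for i in range(5)}
    votes.update({f"sybil-{i}": "malicious" for i in range(50)})
    naive = unweighted_majority(votes)
    outcome, tally = swarm.decide(votes)
    return naive, outcome, tally, swarm


def newcomer_earns_trust(rounds=10):
    """A legitimate new agent that keeps agreeing with the swarm gains weight slowly."""
    swarm = Swarm()
    for i in range(3):
        swarm.join(f"agent-{i}", ESTABLISHED_REPUTATION)
    swarm.join("new-agent")
    for _ in range(rounds):
        votes = {f"agent-{i}": "benign" for i in range(3)}
        votes["new-agent"] = "benign"
        swarm.decide(votes)
    return swarm.reputation["new-agent"]
```

Reputation alone is not a Sybil defence: an attacker who agrees with the swarm for enough rounds earns the same weight as a real peer and can then defect, and enough cheap identities can still outweigh a small honest core. It works when paired with the cost-of-identity measures listed above (stake, proof-of-work, certificates) and a cap on how fast newcomers can gain weight.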

Swarm Technology in Action: Examples

  • Ant Colony Optimization (ACO) – in ACO, artificial agents mimic the foraging behavior of ants by laying down and following digital pheromone trails. These trails help agents converge on optimal paths towards solutions. Security can be enhanced by requiring that every pheromone deposit be digitally signed, so that only trusted agents can raise or lower the weight of a path and an intruder cannot steer the colony towards a route of its choosing. An example application is in network routing, where ACO has been applied to dynamically reroute packets in response to network congestion or attacks (http://www.giannidicaro.com/antnet.html).
  • Particle Swarm Optimization (PSO) – inspired by flocking birds and schools of fish, PSO agents adjust their positions based on personal experience and the experiences of their neighbors. In secure PSO implementations, neighborhood communication is authenticated using Public-Key Infrastructure (PKI). In this model only trusted participants exchange data. PSO has also been successfully applied to Intrusion Detection Systems (IDS). In this context, multiple agents collaboratively optimize detection thresholds based on machine learning models. For instance, PSO can be used to tune neural networks in Wireless Sensor Network IDS ecosystems, demonstrating enhanced detection performance through agent cooperation (https://www.ijisae.org/index.php/IJISAE/article/view/4726).

Defensive Applications of Agentic AI

While a lot of focus is placed on offensive potential, decentralized agentic AI can also be a formidable defensive asset. Fleets of AI agents can be deployed to monitor networks, analyze anomalies, and collaboratively identify and isolate threats in real-time. Notable potential applications include:

  • Autonomous threat detection agents that monitor logs and traffic for indicators of compromise.
  • Adaptive honeypots that dynamically evolve their behavior based on attacker interaction.
  • Distributed patching agents that respond to zero-day threats by propagating fixes in as close to real time as possible.
  • Coordinated deception agents that generate synthetic attack surfaces to mislead adversaries.

Governance and Control of Autonomous Agents

Decentralized agents must be properly governed to prevent unintended behavior. Governance strategies include policy-based decision engines, audit trails for agent activity, and restricted operational boundaries to limit risk and/or damage. Explainable AI (XAI) principles (https://www.ibm.com/think/topics/explainable-ai) and observability frameworks also play a role in ensuring transparency and trust in autonomous actions.
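An added Python sketch (not from the original post) of the policy-based decision engine, operational boundaries and audit trail described here: each action an agent proposes is checked against a per-role allowlist, a protected-asset list and a blast-radius limit above which the action is escalated to a human, and every decision is appended to a hash-chained log so that later tampering is detectable. Roles, limits, agent names and target names are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"         # within the agent's autonomous bounds
    DENY = "deny"           # outside policy, never executed
    ESCALATE = "escalate"   # paused until a human approves


# Constructed policy for the example: what each role may do, which assets are off
# limits to autonomous action, and how many targets one action may touch on its own.
ROLE_ALLOWLIST = {
    "ids-agent": {"add_waf_rule", "quarantine_host"},
    "patch-agent": {"deploy_patch"},
}
PROTECTED_TARGETS = {"dc01", "payments-db"}
AUTO_APPROVE_LIMITS = {"quarantine_host": 3, "deploy_patch": 10, "add_waf_rule": 50}
GENESIS = "0" * 64


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class PolicyEngine:
    audit: list = field(default_factory=list)

    def evaluate(self, agent, role, action, targets):
        verdict, reason = self._decide(role, action, targets)
        self._record(agent, action, targets, verdict, reason)
        return verdict, reason

    def _decide(self, role, action, targets):
        if action not in ROLE_ALLOWLIST.get(role, set()):
            return Verdict.DENY, f"role {role} may not {action}"
        hit = PROTECTED_TARGETS.intersection(targets)
        if hit:
            return Verdict.DENY, f"protected target(s) {sorted(hit)} require a human"
        limit = AUTO_APPROVE_LIMITS[action]
        if len(targets) > limit:
            return Verdict.ESCALATE, f"{len(targets)} targets exceed autonomous limit {limit}"
        return Verdict.ALLOW, "within autonomous bounds"

    def _record(self, agent, action, targets, verdict, reason):
        """Append a hash-chained audit entry; each entry's hash covers the previous hash."""
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        entry = {"agent": agent, "action": action, "targets": sorted(targets),
                 "verdict": verdict.value, "reason": reason, "prev": prev}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)

    def audit_intact(self):
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = GENESIS
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def exercise_policy():
    """Four constructed proposals, then an after-the-fact edit of the audit log."""
    engine = PolicyEngine()
    proposals = [
        ("ids-7", "ids-agent", "quarantine_host", ["web-03"]),                                 # allow
        ("ids-7", "ids-agent", "quarantine_host", ["web-01", "web-02", "web-03", "web-04"]),  # escalate
        ("ids-7", "ids-agent", "quarantine_host", ["dc01"]),                                   # deny
        ("patch-2", "patch-agent", "quarantine_host", ["web-03"]),                             # deny
    ]
    verdicts = [engine.evaluate(*p)[0].value for p in proposals]
    intact_before = engine.audit_intact()
    engine.audit[1]["verdict"] = "allow"   # someone rewrites history after the fact
    return verdicts, intact_before, engine.audit_intact()
```

The limit check is the piece that keeps a misfiring defensive agent from turning into a self-inflicted denial of service: one host can be quarantined on the agent's own authority, a whole subnet cannot. In a real deployment the audit log would be written to append-only storage outside the agents' reach, since a chain the agent can rewrite end to end proves nothing.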

Future Outlook

For cybersecurity leadership, the relevance of decentralized agentic AI lies in its potential to both defend and attack at scale. Just as attackers can weaponize fleets of autonomous agents for coordinated campaigns or reconnaissance, defenders can deploy agent networks for threat hunting, deception, and adaptive response. Understanding this paradigm is critical to preparing for the next evolution of machine-driven cyber warfare.

Decentralized agentic AI will increasingly integrate with mainstream platforms such as Kubernetes, edge computing infrastructure, and IoT ecosystems. The rise of regulatory scrutiny over autonomous systems will necessitate controls around agent explainability and ethical behavior. Large Language Models (LLMs) may also emerge as meta-agents that orchestrate fleets of smaller specialized agents, blending cognitive reasoning with tactical execution.

Conclusion

Decentralized agentic AI represents an ocean of opportunity via scalable, autonomous system design. Effective and secure communication between agents is foundational to their accuracy, robustness, adaptability, and resilience. By adopting strong cryptographic techniques, reputation mechanisms, and resilient consensus algorithms, these ecosystems can achieve secure, efficient collaboration, unlocking the full potential of decentralized AI. Decentralized Agentic AI: Understanding Agent Communication.

Why Decentralized Agentic AI is the Future of Cyber Warfare

Agentic Artificial Intelligence (AI) (What Is Agentic AI?) is becoming a powerful force in cybersecurity and modern warfare. These AI systems consist of autonomous agents with minimal human oversight. They perceive, decide, and act independently to achieve specific goals. Both defenders and attackers now wield unprecedented digital power. These agents can write code, hunt threats, and execute complex operations. One analyst called agentic AI a “huge force multiplier” for cybersecurity teams (Agentic AI is both boon and bane for security pros). At the same time, attackers can use it to craft phishing lures and create advanced malware. This dual-use nature makes agentic AI a double-edged sword in cybersecurity.  That’s why decentralized agentic AI is the future of cyber warfare.

In the military domain, the consequences are even more severe. Cheap AI-powered drone swarms could threaten advanced weapons and shift the global balance of power. Decentralized, autonomous agents are transforming cyber and kinetic warfare. This emerging ecosystem evolves faster than we can control it. Experts predict attackers will exploit vulnerabilities in half the time it takes today.

What is Agentic AI?

Agentic AI refers to AI systems that can act as independent agents, pursuing goals through sequences of actions in a given environment. A traditional model produces an output and stops; an agentic system keeps acting until the goal is met. These systems often consist of multiple specialized agents working together. Each agent might handle a subtask (e.g. monitoring logs, scanning for vulnerabilities, or controlling a drone). Together they orchestrate complex workflows to achieve an overall objective. In other words, agentic AI extends generative or analytical AI models by giving them a type of freedom. This latitude enables the capacity to make decisions and take actions without constant human prompts.

A key feature is that agentic AI can maintain long-term goals and react to real-time conditions. An agent might continuously monitor a web application’s state. It reasons about potential threats in real time. The agent can take actions like updating a Web Application Firewall (WAF) dynamically. Agents use reinforcement learning and planning algorithms to choose optimal responses. They often integrate Large Language Models (LLMs) for perception and reasoning. Other Machine Learning (ML) models may also support their decision-making. Agents are not static systems. They are designed to learn from experience and adapt over time. Agentic AI takes things further by coordinating groups of agents through custom integrations. This gives the agents greater contextual awareness and the ability to act in concert.

Varying agentic architectures exist. The design of the architecture must be tailored to the problem being solved. Some are hierarchical with a “conductor” agent overseeing multiple subordinate agents. This vertical design can be effective for linear workflows, but it introduces a single point of control that could become a bottleneck. Other architectures are more horizontal, with agents working as peers in a distributed fashion. In such a decentralized design, there is no single leader. Disparate agents collaborate or even compete, sharing information and dividing tasks among themselves. This latter approach is often slower to converge on a solution than a tightly managed hierarchy. But, it introduces major advantages in its ability to scale as well as its level of resilience and adaptability.

Decentralized Agents and Swarm Intelligence

Decentralization makes agentic AI very powerful because it removes the reliance on any central coordinator. Moreover, it enables swarm intelligence. Swarm intelligence draws inspiration from ant colonies and bee hives. It drives how simple agents follow rules and interact with each other (Military Drone Swarm Intelligence Explained). In a decentralized AI system, each agent makes decisions based on the combination of its own observations and signals from its peers. In this mode of operation there is no waiting for commands from a top-down, central controller. Each individual agent is not capable of anything earth shattering. But numerous agents working in unison can solve problems no single agent could handle alone.

Swarm AI

Swarm AI has been introduced into the cybersecurity space to leverage the swarm concept. It involves deploying autonomous agents across an ecosystem in a mesh formation, where each agent (or node) can process data and share relevant insights peer-to-peer (What is Swarm AI and How Can It Advance Cybersecurity?). A key benefit to this technology is the real-time collective learning and response. If one agent detects a threat, it can immediately broadcast that to its peers. This allows the entire swarm to adapt in almost real-time. This stands in contrast to traditional centralized systems that might suffer lag or single points of failure in communication.

Some of the advantages of decentralized swarms include:

  • No single point of failure – agents can act individually or collectively with no central server. This makes for a robust system. If one node fails, others quickly adjust and continue operations. The notion of self-healing becomes real and there is resilience to attacks or failure within swarms.
  • Scalability and coverage – a swarm can expand past the boundaries of traditional networks, with each agent handling local data. This scales naturally, with a swarm being able to dynamically add more agents to increase coverage and/or processing power.
  • Real-Time responsiveness – each agent reacts to local conditions as it encounters them, without needing approval from a central brain. For example, a device-level agent can quarantine a malware outbreak on a single host, while simultaneously informing others to be on the alert.
  • Adaptability and learning – decentralized agents share observations to collectively refine their larger strategies. The swarm as a whole can continuously adapt and learn by distributing new knowledge to all swarm members. If one agent discovers a novel attack vector, all agents can update their detection models in concert.
  • Privacy and trust – by processing data locally agents can limit what gets shared with swarm peers. This decentralized approach can protect sensitive data better than centralizing all raw data. Developers use blockchain-based communication to let agents trust each other’s signals without revealing private data. A project called Naoris Protocol, for instance, employs a blockchain-backed swarm of cybersecurity agents to share threat intelligence across organizations securely in a decentralized mesh.

Cyber attacks often start from many points and spread across systems, like in botnets or Distributed Denial of Service (DDoS) attacks. Deploying a distributed defense matches this structure and makes strategic sense. Compounding the effectiveness factor, the lack of a central command makes a decentralized system harder to predict or defeat. Adversaries cannot simply “cut the head off the snake” as there is no head at all. This was illustrated in a U.S. Department of Defense (DoD) test where a swarm of 103 Perdix micro-drones was launched from fighter jets. The drones organized themselves via a swarm pattern, reforming their flight trajectories on the fly without any single drone leading (Meet the future weapon of mass destruction, the drone swarm). In essence, this is a parallel to a decentralized swarm that contributes to a collective intelligence that can outperform a monolithic AI agent on complex, enterprise level problems.

Defensive Applications of Decentralized Agentic AI

Decentralized agentic AI offers powerful new defensive capabilities in cybersecurity. Security teams can deploy swarms of intelligent agents to act as always-on, adaptive sensors operating at varying parts of a network. These autonomous defenders can monitor systems continuously, do so at different levels (e.g. endpoints, network, industrial devices, etc), detect threats faster than humans, and even coordinate automated responses across an enterprise. All of that can take place without requiring human direction.

Intrusion Detection

One interesting use case is real-time intrusion detection. But this model of operation can also include responses. Instead of a single security solution inspecting traffic, imagine a fleet of lightweight AI agents on every endpoint and subnet, all collaborating in close to real time. Each agent analyzes local events (e.g. network packets, login attempts, file changes, etc) and shares alerts or anomalies with the entire swarm. This makes possible a distributed Intrusion Detection System (IDS) where suspicious activity is detected and acted upon in seconds.

Swarm-based IDS agents can identify abnormal conditions and propagate relevant data to peers, who then collectively decide on responses and/or countermeasures. For example, if one agent detects a brute-force attack against an API key carried in a request header, peer agents could automatically adjust their Web Application Firewall (WAF) rules across disparate cloud hosting providers. All of that can take place faster than the traditional path of shipping logs to a SIEM and analyzing them afterwards. The shared view also catches what a single node cannot: an attacker who spreads attempts thinly across many hosts stays below any one host's threshold but not below the swarm's combined count.
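Here is an added Python example (not from the original post or any vendor product) of the distributed brute-force detection just described, run over constructed log lines. Each edge agent keeps a sliding-window count of authentication failures per (source IP, API key) pair and can read its peers' counters, which stands in for gossiping per-window counts; no single region sees enough failures to trip its own threshold, but the merged view does, and the detecting agent pushes a block to every peer (the stand-in for a WAF deny rule). The log format, thresholds, region names, key ids and addresses are all constructed.

```python
import re
from collections import defaultdict

# Constructed log format for the example (not any vendor's):
#   <epoch seconds> <status> <source ip> key=<api key id> <path>
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<status>\d{3}) (?P<src>[\d.]+) key=(?P<key>\S+) (?P<path>\S+)$")

WINDOW = 60           # seconds of history each counter keeps
LOCAL_THRESHOLD = 5   # failures one agent must see on its own before acting
SWARM_THRESHOLD = 8   # failures across all peers within the window


class EdgeAgent:
    """One agent per region; `peers` is the shared roster every agent joins."""

    def __init__(self, name, peers):
        self.name = name
        self.peers = peers
        peers.append(self)
        self.failures = defaultdict(list)   # (src ip, key id) -> failure timestamps
        self.blocked = set()                # stands in for the local WAF deny list
        self.alerts_sent = []

    def recent(self, who, ts):
        return [t for t in self.failures[who] if ts - t <= WINDOW]

    def observe(self, line):
        """Feed one local log line; returns (local count, swarm count) or None."""
        m = LOG_RE.match(line)
        if not m or m["status"] not in ("401", "403"):
            return None
        ts, who = int(m["ts"]), (m["src"], m["key"])
        self.failures[who] = self.recent(who, ts) + [ts]
        local = len(self.failures[who])
        # Reading peers' counters directly stands in for gossiping per-window counts.
        swarm_total = sum(len(p.recent(who, ts)) for p in self.peers)
        if local >= LOCAL_THRESHOLD or swarm_total >= SWARM_THRESHOLD:
            self.raise_block(who, local, swarm_total)
        return local, swarm_total

    def raise_block(self, who, local, swarm_total):
        if who in self.blocked:
            return                          # a peer already handled this one
        self.alerts_sent.append((who, local, swarm_total))
        for p in self.peers:
            p.apply_block(who)

    def apply_block(self, who):
        self.blocked.add(who)               # a real agent would push a WAF rule here


# Constructed traffic: one attacker spraying a stolen key id across three regions,
# three failures per region, never enough for any one region's own threshold.
SAMPLE_LOG = [
    ("us-east",  "1000 401 203.0.113.9 key=ak_7f3 /v1/orders"),
    ("eu-west",  "1001 401 203.0.113.9 key=ak_7f3 /v1/orders"),
    ("ap-south", "1002 401 203.0.113.9 key=ak_7f3 /v1/orders"),
    ("us-east",  "1003 403 203.0.113.9 key=ak_7f3 /v1/users"),
    ("eu-west",  "1004 401 203.0.113.9 key=ak_7f3 /v1/orders"),
    ("ap-south", "1005 401 203.0.113.9 key=ak_7f3 /v1/orders"),
    ("us-east",  "1006 200 198.51.100.4 key=ak_ok1 /v1/orders"),   # legitimate traffic
    ("us-east",  "1007 401 203.0.113.9 key=ak_7f3 /v1/orders"),
    ("eu-west",  "1008 401 203.0.113.9 key=ak_7f3 /v1/orders"),    # eighth failure swarm-wide
    ("ap-south", "1009 401 203.0.113.9 key=ak_7f3 /v1/orders"),
]


def run_swarm_ids():
    """Replay the constructed log through three agents and return them for inspection."""
    peers = []
    agents = {name: EdgeAgent(name, peers) for name in ("us-east", "eu-west", "ap-south")}
    for region, line in SAMPLE_LOG:
        agents[region].observe(line)
    return agents
```

The block propagates once, from the agent that crossed the swarm threshold, and later agents that would also cross it see the key already blocked and stay quiet, which is what keeps a fleet from generating one alert per host for the same attacker. In a real swarm the peer counters would arrive as signed gossip messages rather than by reading shared memory, so that a compromised node could not inflate counts and trigger blocks against legitimate keys.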

Threat Hunting

Another area of interest is autonomous threat hunting. Agentic AI “hunters” can proactively sweep through logs, user behavior, and system telemetry 24/7 in search of hidden indicators or signals. These agents can also use ML to find patterns humans might miss across large volumes of data. Because they operate in parallel across the environment, they can cover a huge range of hypotheses quickly. If one agent uncovers a signal (e.g. unusual privilege escalation), it can enlist others to follow in pursuit and cover much ground in divide and conquer style.

This type of adaptive hunting has the potential to catch advanced threats that evade signature-based tools (Agentic AI: How It Works and 7 Real-World Use Cases). It also reduces fatigue on human analysts by filtering out false positives and handling routine tasks. In fact, autonomous agent platforms are surfacing that automate alert triage and Security Operations Center (SOC) routines that were once manual. This frees up human analysts to focus on confirmed alerts and/or incidents (Agentic AI and the Cyber Arms Race).

Incident Response

Crucially, decentralized defense agents can also coordinate active responses to incidents. These are more akin to real time countermeasures than the traditional incident response world of playbooks and system recovery. As an example, North Atlantic Treaty Organization (NATO) researchers have outlined an architecture for Autonomous Intelligent Cyber Defense Agents (AICA) (https://ccdcoe.org/uploads/2018/11/Towards_NATO_AICA.pdf). These would essentially be cyber hunter-killer agents deployed in military networks.

According to a NATO report, friendly cyber agents will work in swarms to detect cyber-attacks, devise countermeasures, and adapt their response. The vision is that these defensive swarms would stealthily patrol networks, find and fight nefarious activity in real-time without waiting for human instructions. NATO experts argue that only collective intelligence from swarms of agents would be effective against a sophisticated, coordinated cyberattack, especially in a military setting. Notably, the NATO study warns that “without active autonomous agents, a NATO C4ISR network will not survive an encounter with a determined, technically sophisticated enemy”.

Beyond theory, there is evidence of defensive agentic AI in practice:

  • Copilot agents – there have been demonstrations where agents autonomously talk to disparate security products (e.g. SIEM, endpoint, identity systems) to identify vulnerabilities and compromised assets in an enterprise environment (https://www.microsoft.com/en-us/security/blog/2025/03/24/microsoft-unveils-microsoft-security-copilot-agents-and-new-protections-for-ai/). Essentially, each agent is specialized (one might watch identity systems, another cloud configs, etc.) and the Copilot orchestrates their findings. This is an example of multiple agents coordinating to improve a defensive posture.
  • Autonomous penetration testing – running red team agents is a defensive tactic to find weaknesses before real adversaries do. Agentic AI can simulate realistic multi-stage attacks against an organization’s own systems continuously. Unlike human-led pen-tests that happen periodically, autonomous agents can hammer away at defenses continuously. By employing such agentic “attack” bots in a controlled way, defenders can expose weaknesses and harden their systems faster. This is decentralization at another level, instead of one small team of human red-teamers, one can have hundreds of relentless AI agents probing environments in parallel.
  • Security orchestration – Agentic AI is also improving how SOCs function internally. Agents can automate the handling of incidents and related steps (e.g. opening tickets, documenting steps, sending communications, etc). For instance, one agent detects a malware outbreak and isolates impacted hosts, then signals another agent to gather forensic data or notify admins. This kind of automation at scale means incidents get contained and resolved with minimal human delay.

Ultimately, decentralized agentic AI gives defenders the possibility of speed, scale, and adaptability that traditional tools simply cannot match. By distributing intelligent agents throughout networks and systems, living, intelligent, cooperative defensive mechanisms are possible. These mechanisms come with the promise of observability and action everywhere at once. Early results are promising, but defenders must also prepare for the flip side as attackers have access to the same technology.

Offensive Implications: Decentralized AI as a Threat

Unfortunately, the power of decentralized agentic AI makes it a double-edged sword. The same capabilities that benefit defenders can be harnessed by malicious actors to create more sophisticated and more resilient cyber attacks. This is the beginning of an era in which AI-driven threats operate in a decentralized, swarm-like manner, and such threats will overwhelm defenses built around a single choke point.

Malware

One area of concern is that of swarm malware. This is essentially a network of AI-powered malicious agents that collaborate like a team of attackers, without a central command server (Swarm Malware: How AI-Powered Attacks Are Redefining Cyber Warfare). Traditional botnets usually rely on a Command-and-Control (C2) server and follow pre-programmed instructions. In contrast, a swarm malware attack involves adaptable independent malware instances that communicate peer-to-peer, make intelligent decisions (e.g. reinforcement learning), can act in polymorphic form, and even self-modify to evade detection.

For example, one infiltrated agent might quietly map out a network’s topology and hunt for points of ingress; if it finds something of interest, it can signal the rest of the swarm which then converge to exploit that target. All the while another subset of bots work to disable security logging. All of this can happen very rapidly. We have already encountered this level of sophistication with some Advanced Persistent Threat (APT) cases; this simply exaggerates the threat due to the distributed nature, possible speed of attack, and the necessary level of coordination.

Some of the features of AI-driven swarm attacks that make them especially interesting are:

  • Peer-to-Peer coordination – swarm bots communicate over decentralized channels like encrypted P2P networks, blockchain transactions, or anonymous networks (e.g. Tor). This means there is no single C2 server for defenders to find and take down; the instructions are coming from within the swarm itself. For example, agents can publish and read commands on a blockchain, which is very hard to block. If defenders find and remove some agents, the remaining ones detect the change and reroute communications. They might switch to DNS or SSH tunneling to adapt and maintain swarm cohesion.
  • Autonomous decision making – each malicious agent can generally mimic thinking for itself using AI algorithms. Reinforcement learning allows the malware to improve across multiple iterations, learning what techniques work or don’t work against a specific set of targets. The agents don’t need to wait for instructions; they can be coded to evolve their attack strategies in real-time. They might even go polymorphic, mutating their payloads on the fly to avoid antivirus detection. This autonomy makes them unpredictable and pattern matching becomes of less utility in these scenarios. A swarm can also exhibit emergent attack behaviors that its creators may not have explicitly programmed.
  • Specialization and multi-vector attacks – just as defenders can use specialized agents, attackers can assign roles to different AI agents in a swarm. For example, an agent can be programmed to perform reconnaissance, another one can be focused on exploit execution, there can be evasion focused agents to cover tracks, and there can be mutation agents to ensure a pattern is never exposed. Working together, these agents can create a problematic scenario for defenders. This can become overwhelming for most environments in their current state. It’s the digital equivalent of a wolf pack hunting prey, some distract the sentries, others go in for the kill.

Evasion

Realistically, decentralized malicious swarms are hard to detect and contain. Traditional security tools that look for centralized C2 traffic or known malware signatures struggle against a shape-shifting, adaptively communicating swarm. Law enforcement finds it difficult to shut down infrastructure when the “infrastructure” is a non-static hive of agents coordinating over standard protocols. Instead of noisy obvious attacks, AI agents enable stealthy penetration of a specific target. For instance, an agentic malware could infiltrate an enterprise. Then it can patiently analyze the internal network to find the most valuable data or the keys to escalate privileges. Cooperating AI agents can now do in hours what once took skilled hackers weeks of manual effort. These agents don’t take sick days or face personal issues, enabling nonstop operations.

There is already an uptick in AI-enhanced cyber attacks, with real breaches getting assistance from AI. For example, the 2022 Activision breach began with a series of convincing phishing texts, reportedly AI-generated, that tricked an employee. These stand to become more problematic over time. Imagine phishing emails not just written by AI, but orchestrated by an agent that monitors social media in real time. Autonomous agents with access to public APIs can learn a target's patterns and schedule messages for the moments when the target is checking email.

Cyber Arms Race

Strategically, nation-state APTs are also eyeing agentic AI to enhance their campaigns. Given this, the “cyber arms race” is a very real concern. If one nation develops powerful cyber agent capabilities, others will follow suit, and in some cases the technology even gets shared. The race is accelerating the co-development of attack and defense in cyberspace: attack agents get better, so defensive agents retrain to adapt, prompting attackers to create even more advanced techniques, and so on. This dynamic could also lower the barrier to entry, so that nation-state backing matters less and successful decentralized attacks become possible for many more groups than today.

Currently, the most devastating cyber weapons (e.g. Stuxnet) are within reach of only a few well-resourced actors. This is due to the expertise and effort required to use them. Agentic AI might democratize the necessary skillset. Moderately capable AI attack agents will soon spread widely, allowing smaller groups or less advanced nations to cause greater impact. Autonomous agents could perform the laborious steps of a kill-chain (e.g. reconnaissance, vulnerability discovery, etc) far faster and at scale. This lets even a small team mount sophisticated attacks.

Asymmetric Cyber Warfare

Asymmetric cyber warfare is fast becoming part of reality. This is where large powers not only have to fend off other nation-states, but also highly capable cyber swarms launched by hacktivists, terrorist groups, or cybercrime groups. Just as nuclear technology eventually spread beyond the initial superpowers (with profound geopolitical effects), agentic AI tech will not stay confined to the “good guys.” This software will spread, and its development will be decentralized globally. This could possibly compress the timeline of nefarious agentic AI proliferation, meaning defensive measures will likely lag behind the threat.

Unpredictability

A big worry is the unpredictability and speed of AI-driven attacks. The worry is the real possibility of accidental escalation. Autonomous cyber operations happen at machine speed. If a swarm of AI agents targets critical infrastructure, the target might struggle to attribute the source of the attack. This potentially causes confusion or misdirected retaliation. In military scenarios, there’s concern that an AI may take an action that crosses a threshold without explicit human checks and balances, simply because the AI deems such action optimal. This lack of transparency and control is a new kind of risk, an AI-ignited flash conflict. Clearly, the offensive implications of decentralized agentic AI demand that we invest just as heavily in countermeasures and kill switches as we do in the agentic technology itself.

Agentic AI in Military Operations

The influence of agentic AI extends beyond the realm of cybersecurity. It is poised to impact military operations as well. Decentralized AI agents are becoming critical in both the digital domain (espionage, cyber attacks, cyber defense) and the physical domain (autonomous drones, robotic swarms, battlefield management).

Military Kinetic Operations

The most visible application of agentic AI is in autonomous drone swarms and robotic systems on the battlefield. Militaries worldwide are developing swarms of unmanned systems (aerial drones, ground robots, naval drones). These swarms can perform missions collaboratively with minimal direct human control. Decentralized AI is the brains behind these swarms, enabling them to adapt to battlefield conditions, make split-second decisions, and coordinate maneuvers in cohesive form.

Defense contractor Thales recently demonstrated a system called COHESION for drone swarms with high autonomy (Thales demonstrates its capacity to deploy drone swarms with unparalleled levels of autonomy using AI). In tests, swarms of drones were able to carry out missions even under conditions where Global Positioning System (GPS) and other communications were jammed. This success was only possible because the drones could perceive their local environment, share information amongst each other, and collaboratively adjust tactics without needing continuous human commands. The drones identified targets, analyzed enemy movements, and reprioritized their objectives on the fly. In doing so they effectively accelerated the military Observe, Orient, Decide, Act (OODA) loop for faster decision-making in combat situations.

Importantly, these swarm systems aim to reduce the cognitive load on human operators. Theoretically, one operator can supervise an entire swarm rather than manually flying a single drone. This force multiplication means militaries can deploy dozens or hundreds of assets with the manpower that typically controls one.

The strategic implications of drone swarms are enormous. Advanced militaries have invested in expensive platforms (e.g. aircraft carriers, stealth jets, etc). These investments assume they won’t face swarms of inexpensive kamikaze drones capable of overwhelming the defenses they have acquired. That assumption is no longer safe. Insurgent groups, hacktivist groups, and mid-tier nations can afford low-cost drones that can have explosives attached to them. With AI swarm technology, these typically underwhelming forces could coordinate an attack where dozens of drones simultaneously dive onto a warship or a tank battalion, overwhelming its defense systems.

In April 2025, a U.S. CENTCOM commander stated that drones are among the top threats faced by forces, and swarms are an even bigger concern than individual UAVs (https://cuashub.com/en/content/centcom-colonel-discusses-the-challenge-of-adapting-to-the-drone-threat/). Imagine, a swarm of drones that cost $1,000 USD could potentially destroy a warship that cost $1 BN USD. To respond, entities such as the U.S. DoD are not only seeking anti-swarm defenses (like directed-energy weapons), but also building swarms of their own. As of 2020, the DoD had multiple programs and contracts explicitly focused on AI-coordinated drone swarms, recognizing that whoever masters swarming gains a tactical edge.

Military Logistics

Beyond battlefield drone operations, multi-agent AI is improving military logistics and planning. Agentic AI can effectively coordinate supply convoys, allocate tasks to autonomous robotic vehicles, and manage battlefield communications dynamically. This last point is important because agents could have visibility into areas where humans may not. In strategic planning, the U.S. DoD is exploring agentic AI to support war-gaming and operational planning. The implications are grand, as agents can synthesize vast amounts of intelligence and generate decision options much faster than human staff alone (AI’s New Frontier in War Planning: How AI Agents Can Revolutionize Military Decision-Making).

An agentic AI could become a powerful advisor, analyzing geopolitical data, battlefield intel, and logistics in parallel to propose optimal strategies. By integrating such AI into command centers, commanders might get decision options in minutes that would take weeks via manual planning. This speeds up the command decision cycle, which is crucial in fast-moving conflicts. Agentic AI can become the next big thing in maintaining or gaining decision superiority: the ability to observe, decide, and act faster than the adversary.

Agentic AI and decentralization are driving a new era of warfare, one in which swarms of autonomous agents, whether in cyberspace or the physical world, confront and engage each other. Warfighters may increasingly find themselves orchestrating AI teammates while countering enemy AI. This new era comes with many challenges around trust, rules of engagement, and control, but militaries cannot ignore these technologies now.

Challenges and Safeguards

While the potential of decentralized agentic AI is immense, it does come with significant challenges, risks, and ethical considerations:

  • Reliability and control – by design, agentic AI reduces direct human control. This autonomy means agents might make mistakes or take unexpected actions. For example, a defensive agent could mistakenly shut down a critical server thinking it contains malware, creating a self-inflicted denial of service. In military use, the stakes are higher – what if a drone swarm interprets a civilian convoy as hostile due to faulty signals? Ensuring robust guardrails is essential. Industry recommendations include configurable risk thresholds: when a proposed action crosses one, the AI must pause and obtain human approval before proceeding.
  • Accountability and ethics – when an autonomous agent causes damage, who is responsible? This is a dicey issue. Legal and ethical frameworks lag behind in this area. We currently treat software as a tool under human responsibility, but truly autonomous agents blur that line. In military scenarios, deploying lethal autonomous agents raises obvious ethical questions. International discussions have begun around potential treaties, or at least guidelines, for lethal autonomous weapons, often focusing on keeping meaningful human control. Meanwhile, organizations using agentic AI for security must implement governance policies that can be enforced.
  • Security of the agents themselves – ironically, the AI agents we deploy for defense could become targets of attack. We already see the parallel today: products that are supposed to protect an environment are themselves broken into. Adversaries will try to trick or subvert defensive AI agents. Multi-agent systems also introduce new elements of attack surface. If agents communicate peer-to-peer, could an attacker inject a rogue agent into the swarm to feed false information or disrupt coordination? Researchers have noted the possibility of poisoning attacks on cooperative multi-agent systems, where manipulating one agent’s behavior can degrade the performance of the whole team (One4All: Manipulate one agent to poison the cooperative multi-agent reinforcement learning). Strong inter-agent authentication, consensus protocols for decisions, and systemic isolation (so one compromised node doesn’t doom the rest) are active areas of research to ensure trust in decentralized AI networks.
  • Data privacy and abuse – decentralized agents often need broad access to data (e.g. endpoint data, log files, etc) to be effective. Without proper controls, this raises privacy concerns. Imagine an agent that scans employee communications to detect insider threats; it could inadvertently violate privacy laws or company policies if not carefully configured. Agents should be designed for on-device processing, so that raw data stays local and only alerts leave the source. The abuse potential of agentic AI is high. Researchers and vendors have a responsibility to ensure that advances in agentic AI come with corresponding improvements in security and access control.
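The first and third bullets describe three concrete safeguards: authenticated inter-agent messages, a consensus (quorum) requirement before acting, and a risk threshold at which the swarm pauses for human approval. The following Python sketch is an added example of how those controls compose in a defensive agent's decision path; it is not code from the article or from any vendor. The agent names, shared keys, risk scores, quorum size and approval threshold are all constructed for the illustration, and a real deployment would load the policy from configuration and distribute keys through a proper key-management service rather than hard-coding them.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Hypothetical risk scores per action; a real policy would come from configuration.
RISK = {"alert": 0.1, "quarantine_file": 0.4, "isolate_host": 0.6, "shutdown_server": 0.9}
APPROVAL_THRESHOLD = 0.8   # actions at or above this pause for a human (assumed value)
QUORUM = 3                 # distinct authenticated agents needed to act (assumed value)


class AgentKeyring:
    """Per-agent shared secrets; each vote carries an HMAC so rogue nodes are dropped."""

    def __init__(self, keys):
        self.keys = dict(keys)   # agent_id -> secret bytes (constructed for the demo)

    def _mac(self, agent_id, payload):
        body = json.dumps(payload, sort_keys=True).encode()
        return hmac.new(self.keys[agent_id], body, hashlib.sha256).hexdigest()

    def sign(self, agent_id, payload):
        return {"agent": agent_id, "payload": payload, "mac": self._mac(agent_id, payload)}

    def verify(self, msg):
        if msg.get("agent") not in self.keys:
            return False
        expected = self._mac(msg["agent"], msg["payload"])
        return hmac.compare_digest(expected, msg.get("mac", ""))


@dataclass
class Decision:
    status: str   # "executed", "pending_human" or "rejected"
    action: str
    target: str
    reason: str


def decide(keyring, votes, quorum=QUORUM, threshold=APPROVAL_THRESHOLD):
    """Run authentication, quorum and risk-gate checks over proposed-action votes."""
    # Control 1: keep only authenticated votes, and only one vote per agent,
    # so a forged or replayed message cannot inflate the tally.
    valid = {}
    for v in votes:
        if keyring.verify(v) and v["agent"] not in valid:
            valid[v["agent"]] = v["payload"]
    if not valid:
        return Decision("rejected", "", "", "no authenticated votes")

    # Control 2: the proposed (action, target) must be backed by a quorum of agents.
    tally = {}
    for p in valid.values():
        key = (p["action"], p["target"])
        tally[key] = tally.get(key, 0) + 1
    (action, target), n = max(tally.items(), key=lambda kv: kv[1])
    if n < quorum:
        return Decision("rejected", action, target, f"quorum not met ({n}/{quorum})")

    # Control 3: high-risk actions pause for human approval instead of executing.
    risk = RISK.get(action, 1.0)   # unknown actions are treated as maximum risk
    if risk >= threshold:
        return Decision("pending_human", action, target, f"risk {risk} >= {threshold}")
    return Decision("executed", action, target, f"quorum {n}/{quorum}, risk {risk}")


def run_demo():
    """Constructed scenarios; returns {name: Decision} for inspection."""
    keyring = AgentKeyring({"a1": b"k1", "a2": b"k2", "a3": b"k3", "a4": b"k4"})
    rogue = AgentKeyring({"a4": b"wrong-key"})   # a node impersonating a4 without its key
    isolate = {"action": "isolate_host", "target": "host-7"}
    shutdown = {"action": "shutdown_server", "target": "db-1"}
    return {
        # three honest agents agree on a medium-risk action: executes
        "quorum_ok": decide(keyring, [keyring.sign(a, isolate) for a in ("a1", "a2", "a3")]),
        # one honest vote, a replay of that same vote, and a forged vote: rejected
        "forged_and_replayed": decide(keyring, [keyring.sign("a1", isolate),
                                                keyring.sign("a1", isolate),
                                                rogue.sign("a4", isolate)]),
        # quorum met, but the action is destructive: waits for a human
        "needs_human": decide(keyring, [keyring.sign(a, shutdown) for a in ("a1", "a2", "a4")]),
    }


if __name__ == "__main__":
    for name, d in run_demo().items():
        print(f"{name:22s} {d.status:14s} {d.action}:{d.target}  ({d.reason})")
```

The "pending_human" branch is the configurable threshold from the first bullet: the agent does not silently drop the action, it records it for a person to approve or deny. Dropping unauthenticated votes and counting each agent once is the minimal defence against the rogue-node and replay concerns raised in the third bullet; a production system would add nonces or sequence numbers so that an old, genuinely signed vote cannot be replayed later.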

Despite these challenges, the trajectory is clear. Decentralized agentic AI will play an ever-growing role in cybersecurity and military theaters. To harness its benefits while managing risks, collaboration between AI researchers, cybersecurity experts, and policymakers is vital. Efforts like the Cloud Security Alliance (CSA) guidelines on agentic AI threat modeling (Agentic AI Threat Modeling Framework: MAESTRO) are steps in the right direction. Organizations adopting agentic AI should start small, with supervised deployments (e.g. agents that make recommendations, not final actions). This makes it possible to introduce controls incrementally and build trust in, and understanding of, the agents’ behavior. We cannot afford to repeat the traditional cybersecurity mistake of treating security as an afterthought to deployment. Over time, as confidence and safety mechanisms improve, we can transition more decision authority to these agents.

Conclusion

Decentralized agentic AI represents a major advancement for both cybersecurity and military operations. By empowering networks of autonomous agents to act in concert, we gain systems that are faster, more scalable, and more resilient than traditional centralized approaches. In cyber defense, this means security that can operate at machine speed across an entire organization, swarming to address threats the moment they arise. In warfare, it means smaller, smarter forces wielding swarms of potentially lethal drones or algorithms that can outmaneuver larger traditional forces. The offensive implications are equally powerful. Well-coordinated AI agents can mount sophisticated attacks that challenge even the best defenses, forcing a rethinking of how we position and secure critical assets.

Ultimately, agentic AI is a classic red / blue dichotomy. It will be a force for both offense and defense. As cybersecurity professionals, our task is to stay ahead of the curve as best we can. Innovations in defensive agentic AI may make this possible. Attackers are innovating on the offense, and we must put proper and equally powerful safeguards in place. Decentralization is a force multiplier, hard stop. It makes AI systems more powerful by leveraging the strength of many. But it also requires giving up some direct control. With robust design, continuous oversight, and a commitment to ethical use, we can embrace decentralized agentic AI to create more secure and resilient systems. The age of autonomous agents is exciting, and it is here: decentralized agentic AI is the future of cyber warfare. How we navigate its opportunities and risks will define the security landscape of the coming decades.