Most people talking about AI in security are focused on one side of the equation: how AI can be used to attack. Recent evaluations by the UK AI Safety Institute showed that frontier models can now complete complex, multi-step attack chains autonomously in simulated environments — but those environments lacked active defenders.
We decided to test the other side: what happens when you put real Automated Moving Target Defense in front of an autonomous AI agent that knows the defense is there and is told to adapt.
We built a controlled environment and gave an autonomous AI agent a real mission: map the network, find sensitive data, establish persistence, and exfiltrate it. The agent had standard tools, a strong model, and was explicitly told that Automated Moving Target Defense was active. It was instructed to adapt.
We ran the test four times.
The agent never completed its mission.
What We Actually Tested
This was not a simulation. The agent ran on a real host with real utilities (nmap, curl, ssh, python, container tools). It had access to realistic targets. PacketViper AMTD was deployed with rotation and deception at every boundary and on the endpoint itself.
Rotation happened every 60 to 180 seconds. Deception profiles were live. Inline enforcement was active.
The agent tried. It retried failed connections. It rescanned hosts. It switched protocols. It attempted containerized execution when direct attempts were blocked. It kept adapting.
It still got contained every time.
Average time to isolation was under 15 minutes. No data left the network.
Why This Matters
Most security tools are built to detect known patterns or alert on anomalies. An autonomous AI agent does not follow known patterns. It reasons, retries, and changes approach based on what it observes.
AMTD does not rely on recognizing the attacker. It makes the environment itself unstable. The agent could not build a reliable picture of the network long enough to finish the job.
This is different from detection. This is prevention through movement.
The Control Test
Before turning AMTD on, we ran the same agent in the same environment with the defense deactivated.
It succeeded.
With AMTD active, it failed. Every single run.
Limitations
This was a controlled test using one framework and standard tooling. Results will vary with different models and more sophisticated agents. We are not claiming this defeats every possible AI threat. We are showing that AMTD can disrupt autonomous attack chains in practice.
The Full Test
The complete methodology — test setup, agent objectives, containment criteria, and run-by-run results — is published in our original write-up.
Read it here: We Read the Story About the AI Agent in China. Then We Built the Test.
For qualified analysts and customers, redacted logs and additional detail are available under NDA.
Bottom Line
We did not set out to prove AI can attack. We already know that.
We set out to prove that a properly designed defensive system can stop an autonomous AI agent from completing its mission.
Four runs. Four containments. Zero exfiltration.
That is the result.
— PacketViper Research Team
Request the Lab Results
Test setup, agent objectives, containment criteria, and run-by-run results. We will send it directly to your inbox.