Cybersecurity researchers flag agentic AI supply-chain probing pattern across six vendors
SAN FRANCISCO — A coordinated technical brief published Thursday by six leading enterprise cybersecurity vendors describes a distinct pattern of agentic AI-driven probing of enterprise supply-chain dependencies that the firms’ researchers say has emerged over the past forty-five days and now constitutes a defined operational signature. The brief, the first multi-vendor publication of its kind, was released by Mandiant, CrowdStrike, Wiz, SentinelOne, Sophos and the relatively newer entrant Pillar Security under the framework of the Cybersecurity Industry Coordination Center.
The pattern, described in technical detail across the brief’s forty-six pages, involves the use of agentic AI scaffolds — wrappers that allow large language models to operate autonomously across multi-step reconnaissance and exploitation workflows — to enumerate, characterize and probe the software-supply-chain dependencies of selected target organizations. The researchers identified roughly 1,400 distinct probing campaigns across the past forty-five days that fit the pattern, with the activity concentrated against organizations in healthcare, financial services, government contracting and energy infrastructure.
“The signature is distinct enough that we are now confident this is the same activity profile being conducted from multiple infrastructure sources,” said Charles Carmakal, chief technology officer at Mandiant, in a Thursday-afternoon briefing held jointly by the six vendors. “What is most notable is not the existence of agentic AI in offensive operations — that has been discussed for two years — but the consistency and the scale of what we are now seeing.”
The technical brief stops short of attributing the activity to a specific actor or set of actors. Several researchers said in the briefing that the agentic scaffolds being used appeared to be variants of publicly available open-source frameworks rather than bespoke implementations, and that the underlying language models being driven by those scaffolds were a mix of commercial API access and what the researchers described as “locally hosted open-weight models of recent vintage.” The brief does not name specific models.
The operational profile, as the brief describes it, follows a relatively consistent multi-stage pattern. The probing campaigns begin with reconnaissance of publicly available software-bill-of-materials data, vulnerability databases and security advisories. The agentic systems then move into automated characterization of the target’s specific supply-chain footprint, attempting to identify dependencies with known unpatched vulnerabilities or with limited public security disclosure. A subset of campaigns escalates to active probing, typically through low-rate authenticated requests that would not trigger standard intrusion-detection thresholds.
What separates the pattern from earlier generations of automated probing, the researchers said, is the apparent ability of the agentic systems to construct novel hypotheses about likely supply-chain dependencies based on indirect signals — including the target organization’s job postings, vendor case studies, and procurement records that are accessible through public-facing sources. The brief describes this capability as “inferred dependency mapping” and characterizes it as the most operationally significant new technique surfaced by the campaign.
“In prior years, automated probing was very repetitive — it would hit the same wells repeatedly,” said Tara Wisniewski, executive vice president at Sophos. “What we are now seeing is something closer to research-grade reasoning about a target’s likely infrastructure, conducted at machine speed and on a scale that means the probing reaches organizations that would not previously have been in the operational scope of even a sophisticated threat actor.”
The brief recommends a defined set of defensive measures, including the use of supply-chain dependency obfuscation tools, the application of rate-limiting policies more aggressively against authenticated traffic, and the deployment of canary credentials and decoy dependency listings. The recommendations are framed as “good practices that the threat profile has now made meaningful” rather than as novel techniques.
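The low-rate authenticated probing described above and two of the brief's recommendations, decoy dependency listings and rate policy applied to authenticated traffic, as an added detection example that is not from the brief or any of the six vendors. The registry access log, the decoy package names, the principal identifiers and the thresholds are all constructed for illustration.

```python
# Added example, not the brief's code: detections over constructed registry access logs.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: names published only in the decoy dependency listing; no real build resolves them.
DECOY_PACKAGES = {"acme-hl7-bridge-internal", "acme-billing-legacy-shim"}

def parse_log(text):
    """Constructed line format: ISO timestamp, authenticated principal, package, HTTP status."""
    records = []
    for line in text.strip().splitlines():
        ts, principal, package, status = line.split()
        records.append((datetime.fromisoformat(ts), principal, package, int(status)))
    return records

def decoy_hits(records):
    """High-confidence alert: a decoy package has no legitimate consumer, so any fetch is suspect."""
    return sorted({(p, pkg) for _, p, pkg, _ in records if pkg in DECOY_PACKAGES})

def low_rate_enumerators(records, per_minute_cap=10, min_distinct=20):
    """Flag principals that never exceed the per-minute cap (so a threshold alarm stays
    silent) yet touch many distinct packages: breadth without repeats looks like
    enumeration, not a build resolving its pinned dependencies."""
    by_principal = defaultdict(list)
    for ts, p, pkg, _ in records:
        by_principal[p].append((ts, pkg))
    flagged = {}
    for p, events in by_principal.items():
        per_minute = defaultdict(int)
        for ts, _ in events:
            per_minute[ts.replace(second=0, microsecond=0)] += 1
        peak, distinct = max(per_minute.values()), len({pkg for _, pkg in events})
        if peak <= per_minute_cap and distinct >= min_distinct:
            flagged[p] = {"distinct": distinct, "requests": len(events), "peak_per_minute": peak}
    return flagged

def build_sample_log():
    """Constructed log: a CI job re-fetching 3 pinned packages in bursts, and one
    token fetching a new package every two minutes, then one decoy name."""
    t0 = datetime.fromisoformat("2025-06-01T10:00:00+00:00")
    lines = [f"{(t0 + timedelta(seconds=10 * i)).isoformat()} svc-build-01 pkg-{i % 3} 200"
             for i in range(30)]
    lines += [f"{(t0 + timedelta(minutes=2 * i)).isoformat()} tok-7f3a dep-{i:02d} 200"
              for i in range(24)]
    lines.append(f"{(t0 + timedelta(minutes=50)).isoformat()} tok-7f3a acme-hl7-bridge-internal 404")
    return "\n".join(lines)

if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print("decoy hits:", decoy_hits(recs))
    print("low-rate enumerators:", low_rate_enumerators(recs))
```

The CI principal peaks at six requests a minute and is never flagged, while the probing token peaks at one request a minute and is flagged on breadth alone, which is the gap a per-minute threshold leaves open.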
The Cybersecurity and Infrastructure Security Agency, asked about the brief, issued a brief acknowledgment Thursday afternoon noting that the agency had been “in active consultation” with the six vendors over the past several weeks and that an advisory note would be issued through the agency’s National Cyber Awareness System on Friday. The note is expected to include the specific indicators of compromise that the brief describes, as well as recommendations for federal civilian executive-branch agencies.
The publication has implications for the broader regulatory debate that has been accelerating around frontier AI capabilities. A senior official at the National Security Council, contacted Thursday afternoon, said the brief was “fully consistent with the trajectory” the administration had identified in its earlier characterization of agentic AI risks but added that the multi-vendor publication “puts numbers on a phenomenon that had previously been described in more general terms.” The official declined to comment on whether the brief would inform administration positions on the proposed Treasury rulemaking on AI training clusters that had been released earlier the same day.
Within the industry, the brief has prompted renewed discussion about the implications of the rapid commoditization of agentic AI scaffolds. Several of the publishing vendors noted in the briefing that the open-source ecosystem around agentic frameworks had matured rapidly over the past six months, with multiple well-documented projects on public code-hosting platforms providing functional implementations that can be adapted to offensive use without requiring extensive technical sophistication.
A senior researcher at one of the publishing vendors, speaking on background, said the most striking aspect of the past forty-five days had been the apparent democratization of capability that the agentic frameworks have enabled. “What we have seen in this window is operations that historically would have required a state-level capability now being executed by what appear to be small actor groups operating from commodity infrastructure,” the researcher said. “We do not have attribution beyond that, but the capability democratization is significant.”
The publication has also prompted discussion about the role of the model providers themselves. Anthropic, OpenAI, Google DeepMind, Microsoft and Meta — the signatories to the May 8 voluntary framework — have all incorporated abuse-monitoring frameworks into their commercial API offerings. Several of the publishing cybersecurity vendors indicated in Thursday’s briefing that they were in active consultation with the model providers about the technical signatures of the agentic probing campaigns, and that some of the campaigns being driven from commercial APIs had been identified and terminated by the providers themselves. The proportion that had been so identified, the vendors said, was meaningful but not exhaustive.
The brief is the first formal publication from the Cybersecurity Industry Coordination Center, an industry body that was established in late 2024 to facilitate joint technical publications across competing vendors in cases where the threat profile justifies coordinated disclosure. The center’s executive director, in a statement issued Thursday morning, said the publication “represents the model” for how the industry would respond to threat profiles of this character going forward.
Updated technical signatures are expected to be released on a rolling basis through the coordination center’s secure feed.
Note: This article was partially constructed using data from an LLM.