
Beyond Passwords: How PKI Secures Your Infrastructure from AI-Driven Attacks


The agentic AI intrusion campaign that Anthropic detected in September 2025 and tracks as GTG-1002 marks a turning point in cybersecurity. The attack landscape has changed. This operation wasn’t a traditional intrusion led by humans making decisions; it was a coordinated, AI-directed espionage campaign.

According to Anthropic, China-based operators manipulated an agentic AI system (Claude Code) into functioning as an autonomous penetration-testing orchestrator. The result was machine-speed reconnaissance, credential harvesting, and lateral movement across more than two dozen organizations. Defenders weren’t facing humans using AI as a tool; they were facing AI-driven attack workflows that ran continuously, adapted without pause, and scaled beyond human capacity.

Anthropic’s analysis highlights what actually made this attack different. The AI didn’t just automate tasks; it analyzed its own operation in real time. In Phase 4 of the operation, as Anthropic numbers it, Claude independently mapped which stolen credentials unlocked which internal systems, working out privilege boundaries and access relationships without human direction.

This capability — the AI “independently determining which credentials provided access to which services” — exposes a critical flaw in today’s authentication models. Our systems were never designed for an adversary that can reason over trust boundaries at machine speed.

Why Passwords and MFA Aren’t Enough

For years, we’ve treated strong passwords and MFA as the baseline for secure authentication. They work — for stopping a human attacker at a login screen.

GTG-1002 didn’t target the login screen — it exploited systems directly, then pivoted through the internal machine-to-machine authentication layer using stolen service credentials.

Once inside, the agentic AI performed lateral movement entirely through internal credentials:

“Lateral movement proceeded through AI-directed enumeration of accessible systems using stolen credentials.”

This is where current defenses fail.

1. Passwords Are Shared Secrets

A password is something both sides must know, so it has to exist somewhere it can be taken. An attacker who is already inside doesn’t need the login screen: the same password can be pulled from memory, configuration files, scripts, or CI variables and reused wherever it is accepted.

2. MFA Is a Human Checkpoint

MFA validates a person during a login attempt. It does nothing for the continuous machine-to-machine communication inside your environment.

3. Your Services Don’t Use Passwords or MFA

Internal systems rely on:

  • API keys
  • Service accounts
  • OAuth bearer tokens
  • Certificates whose private keys sit in files or other exportable stores
  • Static tokens in configuration

These are exactly the credentials the AI harvested and mapped:

“[Claude] independently determined which credentials provided access to which services.”

A machine-speed attacker isn’t trying to log in. It’s combing through your internal credential surface looking for the next pivot point.

Passwords and MFA don’t help here. They were never designed for this.

Why PKI and X.509 Certificates Are Now Essential

PKI changes the model. Instead of a shared secret, each identity holds a cryptographic key pair:

  • Public key: freely shared, and bound to a name by a certificate that a CA signs
  • Private key: never leaves its secure boundary

Authentication becomes a proof of possession rather than a guessable secret: the verifier checks a signature that only the holder of the private key could have produced (in TLS, over the handshake transcript, which includes fresh random values from both sides), so nothing that crosses the wire can be replayed or reused elsewhere. Strictly, this is a signature-based challenge-response, not a zero-knowledge proof; the public key and the certificate are meant to be seen, and only the private key is kept secret.

Key advantages of X.509 certificates

✔ Cryptographically Verifiable Identity

Certificates provide strong identity for users, devices, and services.

✔ No Shared Secrets

The private key never transits the network. Generated and held in a TPM, HSM, secure enclave, or non-exportable OS key store, it cannot be copied out and reused elsewhere the way a password or token can. A private key that sits as a PEM file on disk is still stealable, so where the key lives is part of the design, not an afterthought.

✔ Built for Automation and Scale

Modern PKI supports large-scale issuance, renewal, and revocation across distributed infrastructure.

Among the authentication models in wide use, PKI is the one built to keep pace with cloud automation and machine-speed attackers: issuance, renewal, and revocation can be automated end to end, and the credential that matters never has to be copied anywhere.

Where to use certificates

✔ Machine-to-Machine (M2M) Communication

Every service-to-service call should use mutual TLS (mTLS).

Both sides authenticate using certificates.

This directly blocks the credential-based lateral movement seen in GTG-1002: a harvested API key or token is useless against a service that refuses the connection unless the caller signs the handshake with the private key behind a certificate the service trusts. Issue short-lived certificates and automate renewal so that any key that does leak stops working quickly.
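The following is an added example, not Keyfactor’s code and not taken from the Anthropic report, that runs the handshake described above in Go using only the standard library. It builds a private root CA, issues a server certificate for a hypothetical payments.internal service and client certificates for a hypothetical orders-service, and then opens three TLS 1.3 connections over loopback: a caller holding a CA-issued certificate and its private key, a pivot holding no certificate at all (what an attacker with only harvested tokens looks like to the server), and an impostor presenting the same name on a certificate from a CA the server does not trust. Only the first is accepted, and the name the server records comes from the verified certificate rather than from anything the client asserts. The same code shows the proof-of-possession point from the key-pair section: the private key never leaves the process that owns it, and only the signature it makes over the handshake crosses the wire. The service names, the ECDSA P-256 key type, and the one-hour validity are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// identity is a certificate plus the private key that proves possession of it.
// Only cert.Raw ever goes on the wire; the key stays with the workload.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mint generates a P-256 key pair and a one-hour certificate for name. With parent == nil
// the result is a self-signed root CA; otherwise parent signs a leaf whose extended key
// usage pins it to client or server authentication. (Names and lifetimes are assumptions.)
func mint(parent *identity, name string, eku ...x509.ExtKeyUsage) *identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
	}
	signer, signKey := tmpl, key // self-signed unless a parent CA is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the SAN is the identity peers check
		signer, signKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &identity{cert: cert, key: key}
}

// demoEstate builds the trust material: one trusted root, one rogue root, a server
// identity, and two client identities that both claim the name orders-service.
func demoEstate() (trusted *x509.CertPool, payments, orders, impostor *identity) {
	root := mint(nil, "Internal Root CA")
	rogue := mint(nil, "Attacker CA") // trusted by nothing in the estate
	trusted = x509.NewCertPool()
	trusted.AddCert(root.cert)
	payments = mint(root, "payments.internal", x509.ExtKeyUsageServerAuth)
	orders = mint(root, "orders-service", x509.ExtKeyUsageClientAuth)
	impostor = mint(rogue, "orders-service", x509.ExtKeyUsageClientAuth)
	return trusted, payments, orders, impostor
}

// mtlsHandshake runs one TLS 1.3 connection over loopback. The server demands a client
// certificate chaining to trusted and reports the name it verified, or why it refused.
// client == nil models a pivot that holds harvested tokens but no private key.
func mtlsHandshake(server *identity, trusted *x509.CertPool, client *identity) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{server.cert.Raw}, PrivateKey: server.key}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no valid client certificate, no connection
		ClientCAs:    trusted,
		MinVersion:   tls.VersionTLS13,
	}
	var peer string
	verdict := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			conn := tls.Server(raw, srvCfg)
			defer conn.Close()
			if err = conn.Handshake(); err == nil {
				// Identity is what the verified certificate says, not a header or a token.
				peer = conn.ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		verdict <- err
	}()
	cliCfg := &tls.Config{RootCAs: trusted, ServerName: server.cert.DNSNames[0], MinVersion: tls.VersionTLS13}
	if client != nil {
		chain := tls.Certificate{Certificate: [][]byte{client.cert.Raw}, PrivateKey: client.key}
		// Present the certificate even when the server's CA list would not ask for it, so a
		// refusal is the server's verification decision rather than client-side tact.
		cliCfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			return &chain, nil
		}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return "", err
	}
	// A TLS 1.3 client finishes before the server has checked its certificate, so a
	// refusal only surfaces as an alert on the first read; EOF means the server accepted.
	conn.Read(make([]byte, 1))
	conn.Close()
	err = <-verdict
	return peer, err
}

func main() {
	trusted, payments, orders, impostor := demoEstate()
	show := func(label string, client *identity) {
		name, err := mtlsHandshake(payments, trusted, client)
		fmt.Printf("%-40s verified=%q err=%v\n", label, name, err)
	}
	show("orders-service, cert from trusted CA:", orders)
	show("pivot with harvested tokens, no key:", nil)
	show("same name, cert from untrusted CA:", impostor)
}
```

Run it with go run; each line reports the name the server verified (empty on refusal) and the server’s reason. The two refusals differ in a way worth noticing: with no certificate the server reports that the client provided none, while the impostor is rejected by X.509 chain verification because its issuer is not in ClientCAs. The attacker’s token never gets a chance to be read in either case.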

✔ Service Identity

Web servers, databases, and internal APIs should present certificates to prove their identity.

✔ Device Authentication

Zero Trust architectures rely on device identity. Certificates whose keys are held in the device’s TPM are the standard, because the identity then cannot be copied to another machine.

✔ User Authentication Without Passwords

Smart cards, PIV/CAC, and Windows Hello for Business already use certificates instead of passwords.

mTLS vs. OAuth: Clearing Up the Confusion

OAuth does not replace PKI. It solves authorization, not authentication.

  • OAuth = What are you allowed to do?
  • mTLS = Who are you?

Bearer tokens — widely used in OAuth flows — are just another secret that can be stolen. The GTG-1002 operation demonstrated this exact weakness.

Using mTLS for authentication and OAuth for authorization gives you both identity and permissions. To make the two enforce each other, issue certificate-bound access tokens (RFC 8705): the authorization server writes the SHA-256 thumbprint of the client’s certificate into the token’s cnf claim, and a resource server accepts the token only on an mTLS connection that presented the certificate with that thumbprint. A token lifted from a config file or from memory then fails on its own, because the thief does not hold the private key.
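Here is an added example of that binding check in Go, again not Keyfactor’s code. It issues an access token whose cnf claim carries the RFC 8705 x5t#S256 thumbprint of a client certificate and then verifies the token the way a resource server would after the mTLS handshake: header and signature first, then the thumbprint of the certificate the caller actually presented. The token is signed with HS256 under a hypothetical shared issuer key so the example runs offline (a real authorization server signs with an asymmetric key), and the two byte strings stand in for the DER bytes of real certificates; both are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// claims is the part of an access token payload that matters here. The cnf
// (confirmation, RFC 7800) member carries the RFC 8705 certificate thumbprint.
type claims struct {
	Sub   string `json:"sub"`
	Scope string `json:"scope"`
	Cnf   struct {
		X5tS256 string `json:"x5t#S256"`
	} `json:"cnf"`
}

var b64 = base64.RawURLEncoding

// thumbprint is the RFC 8705 binding value: base64url(SHA-256(DER certificate)), unpadded.
func thumbprint(certDER []byte) string {
	sum := sha256.Sum256(certDER)
	return b64.EncodeToString(sum[:])
}

// mintToken issues an HS256 JWT bound to certDER. The symmetric issuer key is a
// stand-in so the example runs offline; a real authorization server signs with an
// asymmetric key and resource servers verify with its public half.
func mintToken(issuerKey []byte, sub, scope string, certDER []byte) string {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"at+jwt"}`))
	payload, err := json.Marshal(map[string]interface{}{
		"sub":   sub,
		"scope": scope,
		"cnf":   map[string]string{"x5t#S256": thumbprint(certDER)},
	})
	if err != nil {
		panic(err)
	}
	signingInput := header + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, issuerKey)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil))
}

// verifyBoundToken is what a resource server runs after the mTLS handshake: it checks
// the token's header and signature, then refuses the token unless presentedDER (the
// client certificate the TLS layer already verified) is the one the token is bound to.
func verifyBoundToken(issuerKey []byte, token string, presentedDER []byte) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// Pin the algorithm; never let the token choose it (alg=none and key-confusion bugs).
	var hdr struct {
		Alg string `json:"alg"`
	}
	if h, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected token header")
	}
	mac := hmac.New(sha256.New, issuerKey)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Cnf.X5tS256 == "" {
		// No cnf means a plain bearer token: anyone holding it could use it. Refuse.
		return nil, errors.New("token is not certificate-bound")
	}
	if c.Cnf.X5tS256 != thumbprint(presentedDER) {
		return nil, errors.New("token is bound to a different client certificate")
	}
	return &c, nil
}

func main() {
	issuerKey := []byte("hypothetical-issuer-key")
	// Constructed stand-ins for the DER bytes of two client certificates.
	ordersCert := []byte("constructed DER: orders-service certificate")
	attackerCert := []byte("constructed DER: certificate the attacker controls")

	token := mintToken(issuerKey, "orders-service", "payments:write", ordersCert)
	for _, tc := range []struct {
		label string
		cert  []byte
	}{
		{"orders-service on its own mTLS session", ordersCert},
		{"stolen token replayed on the attacker's session", attackerCert},
	} {
		c, err := verifyBoundToken(issuerKey, token, tc.cert)
		if err != nil {
			fmt.Printf("%-50s rejected: %v\n", tc.label, err)
			continue
		}
		fmt.Printf("%-50s accepted: sub=%s scope=%s\n", tc.label, c.Sub, c.Scope)
	}
}
```

The thumbprint comparison is the whole point: the resource server never trusts the token’s sub claim by itself, it trusts the certificate the TLS layer verified and only then checks that the token was minted for that same certificate. Replaying the token from any other session, even one authenticated with a different valid certificate, fails.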

PKI Isn’t Sufficient by Itself — But It’s Non-Negotiable

A strong PKI foundation doesn’t replace good architecture. It enables it.

To defend against AI-driven intrusions, organizations must also adopt:

✔ Least Privilege

AI-driven privilege escalation is real. Minimizing privileges, and scoping each workload identity to the few services it actually calls, limits what any one compromised credential can reach.

✔ Network Segmentation

If everything can talk to everything, an attacker — human or AI — can move freely.

✔ Zero Trust Architecture

Never assume internal traffic is trusted.
Authenticate everything with certificates.
Authorize everything with least privilege.

The Bottom Line

The GTG-1002 attack demonstrates that the threat landscape has permanently shifted. Passwords and MFA protect people — not distributed systems. In fact, Gartner has highlighted the need for workload-bound identities over human-focused MFA. According to Gartner research, “Using MFA works great for humans but is not appropriate for workloads, such as AI agents. Instead, consider using workload identities or credentials, such as workload-bound certificates.” 

AI-driven attackers operate at machine speed. Your authentication must do the same.

PKI and X.509 certificates aren’t simply “stronger authentication.” They are the foundation required to defend against autonomous, AI-powered intrusions.

Take the next step: explore Keyfactor’s recent whitepaper, Securing Agentic AI with Zero Trust, and learn how Keyfactor solutions can help you secure, scale, and confidently deploy AI agents across your organization.