Check Point says AI has crossed from hacking assistant to attack operator

Artificial intelligence has moved from helping hackers prepare an attack to running the attack itself, according to the Annual AI Security Report 2026 from Check Point Research. In the report the firm argues that AI has crossed from assistant to operator, doing the hands on work inside live intrusions rather than just speeding up the setup.

That change lowers the skill, time, and cost needed to run a serious campaign, and the report says it is no longer confined to well resourced governments. Check Point Research documents AI driven operations spanning China linked espionage and an ordinary criminal breach of multiple Mexican government agencies, evidence that the capability has spread from nation states to everyday cybercriminals.

AI is now building the weapons

The most striking finding is that AI now assembles deployment ready malware and full attack suites, often leaving no obvious trace in the finished product. The researchers cite one developer who used an AI environment to produce VoidLink, an 88,000 line command and control offensive framework, in under a week. Work that once took a skilled team is increasingly a matter of prompting.

Criminals prefer jailbroken commercial models

Rather than run their own private models, most attackers favor mainstream commercial AI with the safety guardrails jailbroken. The durable trick, Check Point Research says, is no longer a single clever prompt but a planted configuration file that an AI agent loads and trusts across sessions, quietly bending its behavior. A criminal tooling market has grown up around this: phishing as a service kits now ship with a language model and the jailbreak already built in, while conversational voice agent services run vishing (voice phishing) and one time passcode theft at scale.

Identity is no longer a reliable trust anchor

Voice, face, documents, and even live video are now cheap to forge convincingly, the report warns, and are being combined across channels to make social engineering far harder to catch. The takeaway for defenders is blunt: a familiar voice or face on a call is no longer proof of who you are talking to.

Prompt injection is climbing

AI systems remain an expanding attack surface in their own right, in part because models cannot always tell trusted instructions from the untrusted content they read. Check Point Research reports that detections of longer malicious payloads, a pattern typical of indirect prompt injection, rose roughly fivefold between March and May 2026 and approached 1 percent of all observed prompts by May.

Company data keeps leaking into chatbots

Data loss through generative AI is a persistent and growing problem. The share of high risk prompts doubled from 2 percent to 4 percent over the past year, and organizations used an average of 10 AI applications each month, many of them never officially approved. The risk is uneven by industry: Business Services logged the highest rate of high risk prompts at 5.91 percent, meaning nearly one in every 17 AI interactions carried a real chance of exposing sensitive data.

What defenders should do

Check Point Research frames AI as something to govern rather than ban. Treat every AI app in use, sanctioned or not, as part of your attack surface, get visibility into shadow AI, watch agentic workflows for injected instructions and rogue configuration files, and stop treating voice or video as identity proof. The full findings are laid out in the AI Security Report 2026 from Check Point Research.

The report echoes a shift other vendors flagged earlier this year, when Cisco reported that lab conceived AI exploits had materialized in real world attacks, and it lands alongside supply chain threats such as the Shai-Hulud worm that evolved to slip past AI security scanners.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions