Three scenarios from the AI Security Initiative aim to help decision-makers anticipate future impacts of artificial intelligence.
This article contains three scenarios that describe possible futures in which the influence of advanced AI has changed the cybersecurity problem set that we know today. These scenarios were created by the Center for Long-Term Cybersecurity’s AI Security Initiative.
Scenarios are not meant to be calculated predictions or static forecasts. Rather, they offer a speculative glance into possible future environments at the intersection of advanced AI and cybersecurity. The goal of these scenarios is to help cybersecurity decision-makers envision the types of problems AI might introduce into the threat landscape over the next three years.
Each scenario explores a not-so-distant reality where AI advancements have effectively altered organizational, human, and technical systems. They were each constructed by considering (1) current tactics, techniques, and procedures (TTPs), and (2) speculative possibilities derived from AI trends observed over the last few years. These scenarios assume “moderate progress” in the development of AI capabilities over the next 3-5 years.1 Given the unprecedented speed of AI development, we must provide a fair warning: “objects in these scenarios are closer than they appear.” Case in point: we wrote these in early spring 2026 and certain aspects are already coming true, most notably the emergence of Anthropic’s powerful Claude Mythos AI model.
We hope these materials help serve as a catalyst for cybersecurity strategic planning, and stimulate dialogue about navigating a digital security landscape altered by the capabilities of cutting-edge AI models.

Scenarios
2027: Phishing B-AI-t

By 2027, the cost to mount sophisticated large-scale social engineering attacks has plummeted. What once required a skilled team, days or weeks of reconnaissance, and significant financial investment can now be executed by a single attacker using AI tools that are commercially available at an attractive price point. As a result, attacks are more frequent, and also faster, more personalized, and nearly impossible to distinguish from legitimate communication. Social engineering, long considered a “human” problem resistant to technical fixes, has become a high-volume automated threat.
On Thursday, December 9, 2027, an attacker purchases a freshly leaked database on a dark web marketplace for just under $1,200. The database, sourced from the breach of a major rideshare platform, contains the names, email addresses, and phone numbers of approximately one million individuals with accounts linked to Madrid, Spain. Within minutes, the attacker deploys a custom AI scraper that begins cross-referencing these individuals against publicly available sources (e.g., LinkedIn profiles, company websites, press releases). The scraper identifies where people work and also maps organizational hierarchies, infers reporting relationships, notes recent promotions, flags individuals mentioned in project announcements, and harvests publicly available audio or video of senior figures.
Less than an hour into the operation, the attacker has a structured database of several hundred employees of Vexta Conglomerate, an integrated energy and mining company with headquarters in Houston and Rotterdam, and operations around the Mediterranean and in South America. Each employee is profiled with their role, team, manager, and any inferable context about their current work. The AI flags two particularly useful entries: “Bree,” a mid-level operations engineer, and her manager “Jasmine,” VP of Industrial Transformation. As a senior expert, Jasmine has participated in dozens of speaking engagements, many of them recorded and available online. The agent is able to identify and compile hundreds of minutes of high-quality audio recording, and a voice clone of Jasmine is generated within minutes using an AI voice cloning tool. The voice cloning tool replicates sound and tone, and also has the ability to perfectly replicate mannerisms, vocabulary, and sentiment.
On Friday afternoon, December 10, 2027, the attacker contacts Bree as “Jasmine” by using easily accessible voice over Internet Protocol (VoIP) services and caller ID spoofing software. Recognizing the phone number, Bree does not hesitate to pick up.
Bree: Hello?
AI-Jasmine: Hi Bree, this is Jasmine, I don’t have much time, but I needed to ask for a quick favor, is now a good time?
Bree: Sure, is everything alright?
AI-Jasmine: Everything is fine, but I do have a time-sensitive request.
Bree: Absolutely, how can I help?
AI-Jasmine: One of our suppliers needs someone to review and countersign an updated vendor access agreement before the end of day. They’ll send you an email with a link to their portal. Can you log in and complete it ASAP?
Bree: Yes, I will do this as soon as I get the email.
AI-Jasmine: Can you also be sure to download the updated vendor access agreement, send it to our team, and ask them to download and review it ASAP? No need to CC me.
Bree: Yes, I can definitely do this as well.
AI-Jasmine: Perfect, I have to run, but thank you for your help!
The request is unexpected but not unusual, as supplier documentation often moves fast. In an effort to quickly resolve the request, Bree immediately checks her email, locates the link, and clicks on it with no hesitation. The link takes her to what appears to be a professional portal, correctly branded, with a familiar login flow. She enters her corporate credentials to access the document in question, unknowingly handing the attacker her sign-on credentials for Vexta Conglomerate’s internal systems. The document loads, she downloads a copy, reviews it, signs it electronically as instructed, and closes the tab. She then sends her team an email, asking them to download the document for their records, and to review it in detail. The whole interaction takes under ten minutes. Bree signs off for the day and heads home to enjoy her weekend.
On Monday, Jasmine replied to a calendar invite Bree had sent for a follow-up, and the conversation that followed made it clear that Jasmine herself had not made the phone call and had never heard of this supplier. By the time Bree reached the IT security team, her credentials had already been used several times to access Vexta’s supplier procurement portal, and the document – containing potential malware – had been downloaded and opened on several Vexta employee desktops. This was, however, not the full extent of the damage.
Bree had been one of 117 Vexta Conglomerate employees targeted that same day. Across the organization, 117 employees received contextually tailored communications reflecting their specific roles, teams, and managers. Dozens clicked, dozens entered credentials, and some approved what appeared to be routine supplier invoices on cloned payment portals. By the time the pattern was detected, the IT security team was handling over 100 simultaneous incident reports. Compromised credentials had to be invalidated across dozens of accounts, and files with suspected malware had been downloaded and opened on hundreds of employee work devices. Legitimate communications from the security team asking employees to reset credentials and avoid certain links were met with suspicion by Vexta employees still reeling from their recent experience with the attackers’ communications.
The financial damage from the credential harvesting, including three approved fraudulent supplier payments totaling $940,000 and the cost of an investigation, reached an estimated $20.1 million. The operational interruption caused by addressing potential malware deployments on dozens of employee devices was estimated at around 10 working days for at least 500 employees. The long-term impact of the stolen procurement data and internal project documentation emails is difficult to quantify. But the more lasting damage was operational, as employees across the organization second-guessed routine communications for weeks afterward, slowing down approvals and adding informal verification steps that had no consistent logic.
Questions to Consider
As you review this scenario, you might consider the following questions:
The attack succeeded not because of technical defense failures, but because the attacker exploited human susceptibility to urgency and authority. The attacker also took advantage of the gap between what employees are trained to recognize as suspicious and what advanced, 2027-era, AI-generated social engineering actually looks like. What would updated cybersecurity hygiene and awareness look like to help close that gap?
What technical or policy-based implementations can help thwart social engineering attacks that utilize deepfake technology and bypass traditional behavior-based and multi-factor authentication techniques? How might authentication need to change for high-impact transactions?
The attacker’s ability to build detailed organizational maps relied entirely on publicly available information from LinkedIn, press releases, and company websites. In a reality where seemingly harmless public information can be used to fuel attacks, should company policies change to reflect the need to thwart autonomous web-scrapers weaponizing public-facing company data? If yes, how would policies need to change?
2028: Zero-Day, Zero-Dollar

By 2028, the question of whether AI cyber capabilities favor attackers or defenders has stopped being answerable in any stable way. The balance shifts week to week, sometimes day to day, as new models, exploits, and defense mechanisms are introduced, often being cycled into deployment faster than organizations can fully evaluate them.
What once required significant resources and persistent, adaptive, large-scale cyberattack capabilities can now be acquired by modestly funded criminal organizations, hacktivist collectives, or a single technically literate individual with access to the right dark-web marketplace. AI capabilities and affordability have collapsed both the expertise barrier and the cost barrier simultaneously. Thousands of small-scale operators now run automated attack infrastructures that would have been unimaginable half a decade earlier. For a large, globally distributed target like Vexta Conglomerate — which operates across dozens of jurisdictions, manages physical infrastructure on three continents, and runs interconnected information technology (IT) and operational technology (OT) systems — these significant changes in the threat landscape mean defending against a relentless, invisible, automated army.
In the past, a sophisticated attacker might need to spend weeks or months identifying a previously unknown vulnerability in a target system. By 2028, AI-powered fuzzing agents can bombard a target with millions of strategically generated inputs per second, identifying exploitable edge cases in just minutes. These agents don’t get tired or distracted, and they don’t stop when business hours end. The practical effect is that zero-day exploits, once rare and expensive, have become far more common. Even the most skilled security teams are only able to patch vulnerabilities within hours. The window between a new zero-day being discovered and its exploitation has collapsed to the point that patching cycles, as traditionally practiced, are no longer sufficient in many instances.
The malware that follows these exploits has also evolved. Modern attack code rewrites itself periodically using embedded LLMs, altering its own signatures, restructuring its logic, and adapting its behavior to what it observes in the defense environment it encounters. This leaves signature-based detection effectively blind to these types of malware. The code then moves quietly, with aggressive lateral movement, until it locates firmware.
On Friday, October 27, 2028, Vexta’s automated threat detection system registered behavioral anomalies in a segment of its operational technology network in one of its Brazilian refineries. The alert was one of 2,156 generated that morning. Vexta’s AI defense agents were already engaged across multiple simultaneous attempts, a normal Friday by 2028 standards, and the Brazil alert was triaged and queued. By the time a human analyst had reviewed the alert, the attacker’s code had reached the firmware layer of a cluster of industrial control hardware. With access at that level, the attacker had the ability to override the basic operating instructions of the physical systems themselves.
Vexta Conglomerate’s AI defense agents, operating at speeds not feasible for human defenders, detected the firmware-level intrusion and launched a containment response. However, the agent-powered attack adapted. Vexta’s defense agent adapted back. Within approximately four minutes, the two systems entered what could be described as “sustained automated adversarial engagement,” a state of automated algorithmic warfare in which attack and defense cycles were running at machine speed, with no meaningful human input on either side. Vexta’s security team carefully monitored dashboards with indicators changing faster than they could be registered by the team’s analysis. Indicators of compromise oscillated between “active” and “resolved,” leaving the security team unable to determine whether resolutions represented genuine defense success or just attacker repositioning.
It would later emerge that the motivation of the attacks was not to “win the algorithmic battle,” but to create a distraction, and that the attack had been largely executed by activating dormant malware deployed during the 2027 phishing attack that had propagated to the logistics infrastructure. While Vexta’s defensive AI resources were allocated toward addressing the situation on the Brazilian network, a separate, quieter intrusion was afoot, completing its lateral movement through a different network segment in Vexta’s logistics infrastructure. The two attack threads had been carefully coordinated by an orchestrating agent that had modeled Vexta’s likely defensive response and planned accordingly. When Vexta’s defensive AI system had finally “won” in Brazil by neutralizing the firmware threat, the attacker’s orchestrator had already achieved its true objective elsewhere.
As a result, 17 industrial control units at the Brazil facility were bricked, rendering them inoperable and costing Vexta Conglomerate an estimated $8 million in recovery costs. Simultaneously, Vexta’s logistics coordination systems in its North African operations went dark, disrupting shipments through a supply chain that was already under pressure from broader regional infrastructure constraints. A ransom demand arrived calling on the company to send $15 million in cryptocurrency, but Vexta’s legal and executive team faced an immediate question that had no clear answer: even if the ransom is paid, how can they ensure the attacker’s agents have fully withdrawn? In 2028, “resolved” attacks may still leave behind dormant agentic prompts, or even make slight modifications to the defensive AI agent that go undetected. This uncertainty turns one-time attacks into permanent doubt in operational confidence.
Vexta’s security leadership had been tracking the broader context for some time before this incident. In a prolonged widespread attack campaign, the question is not only whether Vexta’s defense can hold, but also whether the power stays on at the data center running the defensive agents, whether the cooling systems continue to operate and keep the hardware functional, and whether supply chains that deliver replacement components remain intact when half the industry needs the same parts at the same time.
Questions to Consider
As you review this scenario, you might consider the following questions:
What would meaningful “human in the loop” oversight look like in an environment where relevant decisions are being made at machine speed?
Could Vexta Conglomerate’s defensive agents themselves become attack vectors? How would this scenario change if the attacker could craft inputs to make the defensive agent misclassify threats, exhaust its own resources, or target company infrastructure?
The AI compute infrastructure underlying both attack and defense capabilities can be geographically concentrated, resource-intensive, and potentially vulnerable to its own supply chain disruptions. How can Vexta’s resilience planning account for scenarios where the infrastructure supporting its defensive AI is itself compromised or degraded?
In a reality where anything “connected” is at risk of being attacked, accessed, and exploited by malicious agents at scale, are there assets or supply chain components that would be better off kept “offline” and unreachable by agentic AI attacks?
2029: The Poisoned Pipeline

By 2029, autonomous AI agents have become a key component of global energy supply-chain operations. Thousands of agent-to-agent interactions occur daily, negotiating contracts, managing logistics, flagging anomalies, and executing decisions at scale. Vexta Conglomerate has embraced this transition, heavily investing in a hardened multi-agent system architecture. Vexta’s agentic AI system is certified for ISO 42001 and aligned with mandatory AI governance frameworks across every jurisdiction where Vexta operates.
Vexta’s supplier qualification process has also evolved to reflect the advancements in the industry. New suppliers who have adopted AI in their operations must demonstrate AI system auditability, provide third-party penetration testing results for their agentic interfaces, and accept contractual liability for AI-generated outputs that interact with Vexta’s systems. In practice, however, the qualification process can only verify that a supplier has passed audits for standards (e.g., ISO 42001), but it cannot easily verify whether the system is genuinely robust to attacks, particularly those that may not have been in scope when the standards were written.
Indonesia represented a compelling growth opportunity for Vexta, due to its natural gas investments and proximity to the Strait of Malacca. As a result, Vexta’s partnership with IndoPetro Dynamics (IPD) steadily grew, and by 2029, IPD had become a significant player in Vexta’s Asia-to-Mediterranean supply chain.
In an effort to keep up with global energy supply chain operations and technological adoption, IPD had moved to adopt agentic AI for supply chain management in 2027. It partnered with a technology vendor headquartered in a third country whose regulatory environment, while aligned with international AI safety guidelines, had limited enforcement capacity and transparency requirements. IPD’s own internal AI team lacked the technical depth to interrogate the system independently, and a global talent shortage for experts in agentic AI security limited IPD’s ability to hire. Nonetheless, the vendor’s system had the right certifications, audit results, and contractual language, and passed the Vexta supplier qualification process. However, for practical purposes, some elements in the vendor’s internal architecture remained a “black box.”
IPD’s agentic system operated across a wide operational range. It processed supplier communications, monitored market data, generated daily pricing recommendations, and interfaced directly with Vexta’s agent on logistics and quality control. The integration had been working smoothly for over a year.
On Tuesday, April 3, 2029, a senior member of IPD’s market research team received a market analysis report from a third-party firm via email. This report had been circulating across several energy-sector companies that morning and was a routine-looking document summarizing regional crude oil price trends. The employee utilized IPD’s agent to automate market analysis and had given the agent full access to their email. IPD’s agent retrieved and processed it automatically as part of its daily market data retrieval routine.
Embedded in the document’s metadata was a carefully constructed indirect prompt injection. The payload had been designed with knowledge of the model’s underlying architecture. These details were pieced together by the attacker through a combination of open-source information, vendor documentation, and a very low-profile phishing campaign that had targeted IPD’s IT team six months earlier. The injection did not instruct the system to execute anything obviously malicious. However, it mirrored signals of legitimate internal safety escalation for high-priority alerts that IPD’s agent was specifically designed to respond to by overriding normal operating parameters. For extremely time-sensitive and urgent alerts — the types of conditions where even a few minutes in delayed response can result in extreme hazard — the agent was designed to respond by bypassing standard review processes and routing the alert directly to relevant external partners. The indirect prompt injection attack deliberately exploited this design, and was timed to execute during “off hours” to maximize the likelihood of the anomaly going unnoticed by in-office staff.
As a result, IPD’s quality-control agent sent a high-priority “Level-10” emergency alert to Vexta’s agent, warning of hazardous and potentially explosive material detected in IPD’s most recent shipment. Critically, the alert included an instruction embedded in the same authoritative formatting to suppress human notification pending automated containment, a design feature intended to avoid “alert fatigue” in genuine emergencies. Receiving what appeared to be a verified safety escalation from a known structured entity, Vexta’s agent triggered an emergency shutdown procedure, which would have been the appropriate action had the alert been a true positive.
300,000 barrels of refining capacity went offline within a matter of minutes.
The human operators who might have immediately caught and prevented the shutdown never received a timely alert. By the time the error was identified, the shutdown had been running for over four hours. The impact of shutting down 300,000 barrels caused a financial ripple effect, resulting in Vexta’s stock sharply dropping when markets opened on April 4, 2029. The primary motivation behind the attack appeared to have been market manipulation, though attribution remains unknown, a significant and outstanding problem in 2029. The financial damage to Vexta Conglomerate has been estimated at $20 million in lost production, with potential regulatory penalties and reputational impact still being assessed.
Questions to Consider
As you review this scenario, you might consider the following questions:
What information about IPD’s security practices could have informed Vexta Conglomerate of this vulnerability?
What measures can be taken to prevent agentic misalignment (and agents’ pursuit of goals and activities that conflict with company goals)?
What would a supplier qualification process look like that is harder to game with documentation alone, or that addresses the vulnerabilities highlighted in the scenario?
