AI 'Harness' Technology Crucial for Enabling Sophisticated Cyberattacks, Research Shows
New research from Cato Networks demonstrates that AI models, when paired with specialized 'harness' tools, can execute complex cyberattack chains autonomously and rapidly.

While the development of increasingly powerful large language models (LLMs) from major AI companies garners significant public attention, a crucial component enabling their offensive capabilities in cybersecurity is often overlooked: the 'harness.' These custom technology platforms, developed by enterprises, are designed to control LLM behavior, mitigate risks, and integrate them with IT systems for reliable, large-scale operation. New research exclusively shared with CyberScoop by Cato Networks highlights the potent synergy between advanced LLMs and these harnesses.
Cato Networks researchers paired OpenAI's ChatGPT 5.5 and GPT 5.5-Cyber models with their proprietary harness tool to test the AI's ability to conduct end-to-end cyberattack chains with minimal human intervention. Across six distinct simulated scenarios, the AI-powered system successfully achieved complete attack chains, including obtaining domain administrator privileges and Active Directory access. In some instances, these complex operations were completed in as little as 40 minutes, underscoring the accelerated pace of AI-driven cyber threats.
"What was most surprising is that first we saw that it was capable of doing accelerated reasoning and attack, and interacting and doing all this by itself, like doing all of the stages of the attacks," stated Guy Weisel, a tech evangelist at Cato Networks and co-author of the research. Critically, the most effective attack scenarios occurred when the LLM was provided with appropriate operational context and guidance from Cato Networks' technical harness. This suggests that the harness technology is not merely a facilitator but a key enabler of the AI's advanced reasoning and attack execution capabilities.
The research team provided the AI agent with a limited set of resources, including an external Kali Linux attack host, the target's public IP address, and basic low-level domain credentials acquired through a simulated phishing campaign. The AI was not given explicit details about the target's internal network topology, server types, or operating system versions. Instead, it had to autonomously probe for this critical information, identify further vulnerabilities, and establish attack paths, demonstrating a significant degree of independent operational capability.
While Cato Networks utilized OpenAI models for their research, Weisel believes that other LLMs would likely yield similar results. The rapid pace of AI development suggests that such capabilities, currently demonstrated by proprietary models, could become widely available, potentially even open-source, within a year. This trend indicates a broader industry shift where enterprises are actively building and deploying their own AI infrastructure to steer LLM workflows for specific tasks.
Beyond offensive applications, the concept of AI harnesses is also being leveraged for defensive purposes. Companies like Tenable are developing tools such as "Hexa" to integrate various commercial LLMs into their security stack, ensuring consistent performance and the ability to protect sensitive assets. Eric Doerr, chief product officer at Tenable, explained that their harness allows them to benchmark new models and identify their strengths and weaknesses, freeing up the LLM to focus on tasks like finding vulnerable code and mapping attack pathways.
Proofpoint's chief AI and data officer, Dan Rapp, echoed the importance of harness engineering, describing their tool, "Satori," as critical for keeping their AI agents on track while allowing human oversight. He emphasized that while frontier models provide raw intelligence and reasoning power, "context engineering – the content provided ensuring that its accurate and relevant – and the harness engineering are essential to actually get the systems to perform well." This highlights the growing realization that the infrastructure surrounding AI models is as vital as the models themselves for achieving desired outcomes.
The findings from Cato Networks and insights from other industry leaders underscore a significant trend: the focus is shifting from solely the power of frontier AI models to the sophisticated infrastructure, or 'harnesses,' that control and direct them. As this technology matures, it is poised to become increasingly important for both offensive and defensive cybersecurity operations, potentially reshaping the threat landscape and the strategies employed by defenders and attackers alike.