VYPR
Research · Published Apr 23, 2026 · Updated May 18, 2026 · 1 source

Unit 42 Builds 'Zealot' Multi-Agent AI System That Autonomously Chains Cloud Attacks

Palo Alto Networks' Unit 42 researchers have built a proof-of-concept multi-agent LLM system called Zealot that autonomously chains SSRF exploitation, metadata service credential theft, and data exfiltration in Google Cloud Platform environments.

Palo Alto Networks' Unit 42 research team has developed a proof-of-concept multi-agent AI system called 'Zealot' that can autonomously execute a complete cloud attack chain — from initial exploitation through data exfiltration — in a misconfigured Google Cloud Platform (GCP) environment. The research, published Thursday, provides empirical evidence that while large language models do not create new attack surfaces, they act as a powerful force multiplier by exploiting known misconfigurations at machine speed.

The Zealot system uses a supervisor agent that coordinates three specialist agents: an Infrastructure Agent, an Application Security Agent, and a Cloud Security Agent. These agents share attack state and transfer context throughout the operation, enabling a multi-stage attack that would typically require a skilled human penetration tester. In sandbox tests, the system autonomously chained server-side request forgery (SSRF) exploitation, metadata service credential theft, service account impersonation, and BigQuery data exfiltration.

The research was motivated in part by Anthropic's November 2025 report documenting a state-sponsored espionage campaign in which AI performed 80-90% of the operation autonomously. Unit 42 sought to answer whether current LLM capabilities could operate end-to-end without human guidance at each decision point. The findings show that while AI still falls short of skilled human operators in some areas, it excels at systematically enumerating complex cloud environments and finding exploitation paths that human reviewers might miss.

Cloud environments are particularly susceptible to autonomous AI threats, the researchers note, because they are API-driven by design — every action has a programmatic equivalent that LLM agents can navigate effectively. Cloud platforms also offer rich discovery mechanisms through metadata services, resource enumeration, and IAM introspection, allowing agents to query the environment and identify paths to higher privileges. Once an agent obtains valid credentials, it operates as a legitimate user, making detection harder.

The Zealot proof-of-concept demonstrates that the gap between theoretical AI threats and practical exploitation is narrowing. While most public discourse has remained speculative, this research provides concrete evidence of autonomous AI executing real, end-to-end attacks on live cloud architecture. The system operates at machine speed, rapidly accelerating the exploitation of well-known misconfigurations that remain prevalent in enterprise cloud deployments.

Unit 42 emphasizes that the research does not reveal new vulnerabilities but rather demonstrates how existing misconfigurations can be exploited more efficiently. The team recommends organizations assess their cloud security posture, implement proper IAM controls, and monitor for unusual API activity patterns that might indicate autonomous agent activity. Palo Alto Networks customers are protected through Cortex XDR, XSIAM, and Cortex Cloud products.
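One way to monitor for the API activity pattern described above, as an added example (not code from Unit 42 or from this article): it scans Cloud Audit Log entries for service account enumeration, then token generation for another service account, then a BigQuery job run by that account, all inside a short window. The field and method names follow the Cloud Audit Logs format. The sample entries, project and account names are constructed, and the code assumes `resourceName` ends in the target account's email (real entries may carry a numeric ID instead).

```python
from datetime import datetime, timedelta

# Cloud Audit Log method names mapped to the stage of the chain they represent.
STAGE = {"google.iam.admin.v1.ListServiceAccounts": "enumerate",
         "GenerateAccessToken": "impersonate",
         "google.cloud.bigquery.v2.JobService.InsertJob": "bigquery"}
ORDER = ["enumerate", "impersonate", "bigquery"]

def find_chains(entries, window=timedelta(minutes=10)):
    """Return (origin, final identity, seconds) per enumerate -> impersonate -> BigQuery chain inside `window`."""
    chains, alerts = {}, []   # chains: identity -> [origin, start time, next stage index]
    for e in sorted(entries, key=lambda e: e["timestamp"]):
        p = e["protoPayload"]
        stage = STAGE.get(p["methodName"])
        if stage is None:
            continue
        who = p["authenticationInfo"]["principalEmail"]
        ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        state = chains.get(who)
        if stage == "enumerate":
            if state is None or ts - state[1] > window:
                chains[who] = [who, ts, 1]      # start (or restart) a burst
        elif state is None or ORDER[state[2]] != stage:
            continue                            # out of sequence for this identity
        elif ts - state[1] > window:
            del chains[who]                     # too slow to be one automated burst
        elif stage == "impersonate":
            # Assumption: resourceName ends in the target account's email.
            target = p["resourceName"].rsplit("/", 1)[-1]
            chains[target] = [state[0], state[1], 2]
        else:
            alerts.append((state[0], who, (ts - state[1]).total_seconds()))
            del chains[who]
    return alerts

def _entry(ts, who, method, resource):
    return {"timestamp": ts, "protoPayload": {"methodName": method, "resourceName": resource, "authenticationInfo": {"principalEmail": who}}}

# Constructed sample entries (not real logs); project and account names are made up.
SA = "@demo-proj.iam.gserviceaccount.com"
SAMPLE = [
    _entry("2026-04-23T10:00:05Z", "web-vm" + SA, "google.iam.admin.v1.ListServiceAccounts", "projects/demo-proj"),
    _entry("2026-04-23T10:01:10Z", "web-vm" + SA, "GenerateAccessToken", "projects/-/serviceAccounts/analytics" + SA),
    _entry("2026-04-23T10:02:40Z", "analytics" + SA, "google.cloud.bigquery.v2.JobService.InsertJob", "projects/demo-proj/jobs/j1"),
    _entry("2026-04-23T10:03:00Z", "analyst@example.com", "google.cloud.bigquery.v2.JobService.InsertJob", "projects/demo-proj/jobs/j2"),
    _entry("2026-04-23T08:00:00Z", "ops" + SA, "google.iam.admin.v1.ListServiceAccounts", "projects/demo-proj"),
    _entry("2026-04-23T09:30:00Z", "ops" + SA, "GenerateAccessToken", "projects/-/serviceAccounts/etl" + SA),
    _entry("2026-04-23T09:31:00Z", "etl" + SA, "google.cloud.bigquery.v2.JobService.InsertJob", "projects/demo-proj/jobs/j3"),
]
```

With the default 10-minute window, `find_chains(SAMPLE)` flags only the `web-vm` sequence (155 seconds end to end); the same three steps spread over 91 minutes by `ops` are not reported. The enumeration and token-generation entries only exist if Data Access audit logs are enabled for IAM.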

The research raises important questions for defenders about how to detect and respond to AI-driven attacks that operate at machine speed. Traditional security controls designed for human analysts may struggle to keep pace with autonomous agents that can enumerate, exploit, and exfiltrate data in minutes. Unit 42 plans to continue exploring autonomous offensive capabilities and will share additional findings to help organizations prepare for this evolving threat landscape.

Synthesized by Vypr AI