The reconnaissance phase of an intrusion used to be a slow, manual grind. Two or three operators would spend a week mapping an organisation’s externally exposed surface, harvesting employee names from LinkedIn, identifying tech-stack signals from job ads, and matching CVEs to detected products. In 2026, that work is being automated by attackers in the same way defenders are automating SOC triage, with locally-hosted LLM agents wired into off-the-shelf scanners.
This is a practitioner-level look at what those pipelines actually do, why they’re cheap to build, and what defenders can still see when an AI agent is doing the looking instead of a human.
What the agent stack looks like
The setup is unromantic. A local quantised model (Llama 3 70B, Mistral, Qwen, running on a single GPU box) gets wired into LangChain or AutoGen, given access to a small toolbelt of standard recon utilities (subdomain enumeration, certificate transparency lookups, BuiltWith and Wappalyzer-style fingerprinting, GitHub dorking, LinkedIn scraping), and pointed at a target organisation.
The agent reasons about the result of each tool call, decides what to look for next, and produces a structured report. What used to be a week of tedious correlation becomes thirty minutes of compute. The output is roughly the quality of an okay junior penetration tester. That’s enough.
What the AI is actually good at
The agents are surprisingly strong at three specific tasks. First, joining unstructured intel, given a list of employees from LinkedIn, a list of email patterns from breached datasets, and a job ad mentioning “Okta administrator,” the model produces a credible target list in seconds. Second, generating phishing pretexts that match the company’s actual jargon, scraped from their blog and case studies. Third, prioritising which exposed asset is the softest entry point, by reasoning about the tech stack and known CVE history.
What they’re still bad at is actually exploiting things. Code generation for novel exploits is unreliable. Fingerprinting the difference between a vulnerable and a patched version remains noisy. The agents do the recon and the social engineering. Humans (or scripts the human wrote) still drive the exploitation phase.
What defenders see now that they didn’t before
The defender-side signal looks different from a human-driven recon campaign. Three things stand out.
Burst patterns. AI-driven recon doesn’t pace itself. A human attacker spreads queries across days to avoid scan detection. An agent fires hundreds of subdomain queries, certificate-transparency lookups, and GitHub searches in minutes. If you can correlate across data sources (your authoritative DNS resolver logs, CT-log monitoring, your internal CSP report endpoints), the burst is visible.
Tool-shaped traffic. Many of the open-source recon tools the agents use (Subfinder, Amass, GoBuster, ffuf) have distinctive request signatures, user agents, header ordering, query patterns. They were noisy before; agents make them noisier. WAF rules that flag known recon-tool fingerprints catch a meaningful share of the AI-agent traffic for free.
Pretext-mismatch in phishing. The phishing emails are better than they were two years ago, but the email-authentication fundamentals (SPF, DKIM, DMARC) catch the impersonation layer regardless of how good the body copy is. Internal training that focuses on “did the email come from a properly authenticated sender” instead of “was the wording suspicious” is more effective in 2026, not less.
Three controls that still pay rent
Attack-surface management is the obvious one. If the agent can find a forgotten dev subdomain in five minutes, you should be finding it weekly. Continuous external attack-surface tools (the open-source ones plus the commercial layer) are no longer optional.
GitHub secret scanning is the second. AI agents are excellent at dorking, querying GitHub for specific patterns (“our-domain.com” + “api_key”) at scale. If you don’t have org-wide secret scanning enabled and a process for revoking found secrets in under twenty-four hours, the agent finds them faster than you do.
The third is unglamorous: reduce the number of public job ads that name specific products. Attackers love a job ad that says “must have CrowdStrike, Okta, and Workday experience.” That’s three pieces of free recon data. Generic descriptions cost nothing and yield nothing useful to an agent.
The defender’s own AI pipeline
The good news, if you can call it that, is the same agent stack works in reverse. Defenders can run the same recon pipeline against their own organisation, on a weekly cadence, and feed the output into ticketing. Most of the asset-exposure issues we’ve found in the last six months would have surfaced in the agent’s first run. Whether your security programme uses an AI agent or not, the attackers do, so the gap between what they see and what you see should be measured in days, not quarters.
