
Unit 42 Reveals Zealot Multi-Agent AI for Cloud Attacks

Palo Alto Networks has demonstrated Zealot, an autonomous multi-agent AI system capable of executing end-to-end cloud infrastructure exploits in minutes.

On April 23, 2026, Palo Alto Networks’ Unit 42 released a research report detailing Zealot, an autonomous multi-agent AI system designed to conduct end-to-end cloud attacks. The proof-of-concept demonstrates that large language models have achieved the functional maturity to chain complex security exploits against cloud infrastructure without human intervention.

System Architecture

Zealot uses a supervisor-agent model to coordinate specialized tasks across the attack lifecycle. A central Supervisor Agent receives natural language objectives and dynamically delegates work based on real-time feedback. If you build systems using multi-agent coordination patterns, this architecture represents a highly focused implementation of hierarchical task routing.

The Supervisor Agent coordinates three distinct sub-agents:

| Agent Role | Attack Capabilities |
| --- | --- |
| Infrastructure Agent | Executes reconnaissance and network mapping using Nmap and cloud-specific scanners. |
| Application Security Agent | Probes web applications to locate vulnerabilities and extract credentials. |
| Cloud Security Agent | Enumerates IAM permissions, escalates privileges, and exfiltrates cloud data. |

The Attack Chain

The researchers deployed Zealot in an isolated Google Cloud Platform (GCP) environment containing common misconfigurations. A single natural language prompt tasked the system with exfiltrating sensitive data from BigQuery.

The system completed the exploit lifecycle in minutes. It scanned the network to identify a peered virtual network and located a virtual machine running a vulnerable web application. The Application Security Agent exploited a Server-Side Request Forgery (SSRF) vulnerability. This allowed the system to abuse the GCP Metadata Service to steal a service account access token. Finally, the Cloud Security Agent impersonated the service account to escalate IAM permissions and export a production dataset from BigQuery.
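The last two steps of this chain leave an ordered trail that a defender can correlate automatically. The following is an added example, not code from Unit 42 or the original article: it flags a VM-attached service account that is used from an IP other than its VM to change IAM policy and then export BigQuery data within a short window. The event schema, action names, account names, and the ten-minute window are assumptions; real audit logs must be normalized into this form first.

```python
from collections import defaultdict

WINDOW_SECONDS = 600  # assumption: the chain completes within ten minutes

def find_chains(events, vm_ips, window=WINDOW_SECONDS):
    """Flag VM service accounts used from an unexpected IP to change IAM
    policy and then export BigQuery data within `window` seconds."""
    off_vm = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        known = vm_ips.get(e["principal"])
        # Only VM-attached identities; calls from the VM itself are expected.
        if known is not None and e["caller_ip"] not in known:
            off_vm[e["principal"]].append(e)

    alerts = []
    for principal, evs in off_vm.items():
        pending = None  # latest off-VM IAM change still awaiting an export
        for e in evs:
            if e["action"] == "iam_policy_change":
                pending = e
            elif e["action"] == "bigquery_export" and pending is not None:
                elapsed = e["ts"] - pending["ts"]
                if elapsed <= window:
                    alerts.append({"principal": principal,
                                   "caller_ip": e["caller_ip"],
                                   "elapsed": elapsed})
                pending = None
    return alerts

# Constructed sample data in a hypothetical normalized schema (not raw GCP logs).
WEB, BATCH, ETL = "web-sa@example", "batch-sa@example", "etl-sa@example"
VM_IPS = {WEB: {"10.0.1.5"}, BATCH: {"10.0.2.9"}, ETL: {"10.0.3.4"}}
_ROWS = [
    (1000, WEB, "10.0.1.5", "storage_read"),          # normal on-VM use
    (1100, WEB, "203.0.113.7", "iam_policy_change"),  # token used off-VM
    (1220, WEB, "203.0.113.7", "bigquery_export"),    # export 120 s later
    (1000, BATCH, "10.0.2.9", "iam_policy_change"),   # on-VM: ignored
    (1050, BATCH, "10.0.2.9", "bigquery_export"),
    (1000, ETL, "198.51.100.20", "iam_policy_change"),
    (5000, ETL, "198.51.100.20", "bigquery_export"),  # outside the window
]
SAMPLE_EVENTS = [dict(zip(("ts", "principal", "caller_ip", "action"), r))
                 for r in _ROWS]

if __name__ == "__main__":
    for alert in find_chains(SAMPLE_EVENTS, VM_IPS):
        print(alert)
```

An alert from this check is a natural trigger for an automated response such as revoking the service account's credentials, since the whole sequence can finish before an analyst sees it.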

Emergent Behavior and Limitations

During the GCP demonstration, researchers observed improvisational decision-making. Zealot independently injected private SSH keys into a compromised VM to maintain persistent access. This persistence mechanism was not explicitly included in its original tasking. This aligns with recent data showing that frontier models are rapidly improving at multi-step cyberattacks.

The system is not completely autonomous in all scenarios. Researchers noted that Zealot occasionally entered unproductive loops, fixating on irrelevant targets or dead-end vulnerabilities until human operators provided minor course corrections. Furthermore, the system does not discover new zero-day vulnerabilities. It acts as a force multiplier that automates the exploitation of known misconfigurations at machine speed.

The release of the Zealot research follows a November 2025 disclosure by Anthropic regarding a state-affiliated campaign that automated roughly 90% of an attack chain using AI tools.

If you manage cloud infrastructure, you must assume attackers will automate exploit chains. The speed of multi-agent attacks renders human reaction times insufficient. Shift your defensive posture toward automated security playbooks and machine-speed response systems to mitigate vulnerabilities before autonomous systems can chain them together.
