Living off the AI: The Next Evolution of Attacker Tradecraft

Living off the AI isn’t a hypothetical but a natural continuation of the tradecraft we’ve all been defending against, now mapped onto assistants, agents, and MCP.

For years, defenders have battled “living off the land” attacks—where adversaries progress using the tools already present on compromised systems (PowerShell, WMI, and the like). Then came “living off the cloud,” as threat actors hid in plain sight behind ubiquitous cloud services for malware delivery and data exfiltration. We’re now entering the next phase: living off the AI.

Organizations are rapidly adopting AI assistants, agents, and the emerging Model Context Protocol (MCP) ecosystem to stay competitive. Attackers have noticed. Let’s look at how different MCPs and AI agents can be targeted and how, in practice, enterprise AI becomes part of the attacker’s playbook. (MCP is an open source framework for LLMs and AI agents to securely connect with ...