AISI: Frontier AI Models Found Critical Cloud Vulnerabilities for Under £150
The UK AI Security Institute used frontier models to audit its own research platform and found a five-step attack chain that had previously escaped standard tools — all for under £150 in token costs.
This article was generated using artificial intelligence from primary sources.
The UK AI Security Institute (AISI) has published a detailed case study in which its own engineering team used frontier AI models to conduct a security audit of its research platform. The results are highly illustrative: the models found critical cloud vulnerabilities that had previously escaped standard tools, and the most serious attack chain was discovered for under £150 in model token costs.
Three Approaches of Varying Depth and Noise
The team tested three methodologies, each with a different ratio of autonomy to human oversight.
Static source code analysis was the least demanding in terms of human engagement: a coding agent was granted access to a private repository with a security reviewer role and independently analyzed the code. This approach generated the most alerts labeled as “high” or “critical,” but also the most noise. Many of the reported issues proved to be less severe or non-exploitable, and filtering the results required extensive engineering effort.
Automated agentic probing was based on an autonomous agent built within the Inspect evaluation framework. The agent started from a researcher-level access point and attempted to independently identify exploitable paths. This approach produced more concrete and actionable results than static analysis.
Human-in-the-loop red-teaming combined security researcher expertise with coding agent capabilities: the researcher interactively guided the agent, manually approving each step. This approach resulted in the clearest and most directly actionable findings.
Five-Step Attack Chain That Nobody Had Seen
The key finding of the project was a previously undiscovered attack chain consisting of five independent steps. The chain allowed an ordinary user to access other researchers’ data on the platform without any interaction with the victim. Engineers described the attack path as “understandable but non-intuitive” — precisely the kind of vulnerability that escapes routine reviews because no single step appears critical in isolation.
In addition to the five-step chain, vulnerabilities in access control, privilege escalation paths, and weaknesses in software supply chain security were also discovered.
All tested frontier models found at least one exploitable vulnerability. The most capable models successfully chained multiple discovered weaknesses, enabling lateral movement and access to unauthorized data.
Why the Detection Gap Is the Key Takeaway
A particularly concerning aspect of the project relates to the detection of the agent activity itself. When the autonomous agent was conducting probing, the standard commercial alerting system missed that activity entirely — it generated no alerts on the unusual behavior.
Advanced monitoring that combined agentless cloud scanning and host-level sensors correctly identified aggressive behavior: credential-grab attempts and unexpected network traffic. The gap between these two detection approaches shows that organizations relying solely on standard commercial alerts will be unaware when an AI agent is conducting reconnaissance inside their infrastructure.
The Economics of AI Security Audits
The cost dimension of the project is worth special attention. The primary attack chain cost under £150 in model tokens. Total project costs — including all three approaches and all tested models — remained under £1,000.
Comparison with the cost of engaging specialized security researchers for an equivalent audit suggests that AI-assisted red-teaming represents an economically accessible tool even for organizations with limited security budgets.
AISI emphasizes that all approaches had their own strengths and weaknesses and that a combination of methodologies provides the most complete picture. Static analysis is good for broad coverage, while agentic and human-in-the-loop approaches produce a smaller but more reliable set of immediately actionable findings.
This case study comes at a moment when the industry is actively debating the dual nature of frontier AI models in the context of cybersecurity: the same models that can find vulnerabilities can also exploit them, making an understanding of their capabilities critical for defensive teams.
Frequently Asked Questions
- How much did it cost to discover the five-step attack chain?
- The primary five-step attack chain was discovered for under £150 in model token costs. Total project costs across all approaches were under £1,000.
- Which approach produced the most actionable results?
- Agentic probing and human-in-the-loop red-teaming produced the most concrete and actionable results. Static analysis generated the most alerts but required extensive human filtering.
- Did standard commercial alerting detect the autonomous agent activity?
- No. Standard commercial alerting missed the autonomous agent activity entirely. Only advanced cloud monitoring with agentless scanning and host-level sensors correctly identified the aggressive behavior.