PoC Zealot: Autonomous AI Executes End-to-End GCP Cloud Attack
Unit 42’s Zealot project demonstrates how multi-agent AI systems can autonomously chain SSRF, credential theft, and BigQuery exfiltration within misconfigured…

On April 23, 2026, Palo Alto Networks Unit 42 released the results of "Zealot," a multi-agent proof-of-concept (PoC) that autonomously executed an end-to-end offensive chain against a Google Cloud Platform (GCP) sandbox. The system did not discover zero-day vulnerabilities or create new attack surfaces; instead, it chained IAM misconfigurations and known security flaws at machine speed. The demonstration shows that autonomous AI threats in the cloud have moved from theoretical constructs to demonstrable practice.
The real threat lies not in the discovery of new vulnerabilities, but in the velocity at which artificial agents can amplify pre-existing human errors. For security teams, this shifts the focus from reactive patching to rigorous identity configuration management before these flaws can be orchestrated by systems that do not sleep, do not suffer from distraction, and leave no emotional footprint.
- Zealot utilizes a hierarchical supervisor-agent architecture built on LangGraph, featuring a central supervisor and three specialist agents to orchestrate autonomous attacks.
- The demonstrated attack chain included SSRF, credential theft from the GCP metadata service, service account impersonation, and BigQuery data exfiltration.
- The architecture is LLM-agnostic: no specific model is required, significantly widening the potential for reproducibility.
- Purely decentralized multi-agent systems proved unstable, resulting in redundant or conflicting actions; the supervisor model resolved these limitations through real-time re-prioritization.
How the Zealot Architecture Works: A Supervisor Orchestrating Specialists
The technical core of Zealot is a hierarchical organization implemented in LangGraph, an orchestration framework for state graphs. At the top, a central supervisor manages the shared state of the operation and delegates dynamic instructions to three specialist agents. This structure breaks from purely decentralized multi-agent models, where each node operates toward its own objectives without higher-level coordination.
Unit 42 researchers tested both approaches. They found that autonomous decentralized systems generated behaviors that were difficult to contain: actions were repeated without progress, agents conflicted by attempting contradictory operations, and attack state coherence was lost. In contrast, the central supervisor allowed for real-time priority reassignment based on new information gathered during the reconnaissance phase.
The "Infrastructure Agent"—the only specialist detailed in the available report—is responsible for mapping cloud resources and identifying exploitable misconfigurations. While the specific functions of the other two agents were not fully detailed in the findings, Unit 42 emphasized that the architecture remains LLM-agnostic, meaning various models can be employed for each node.
The Demonstrated Attack Chain: From SSRF to BigQuery Exfiltration
The empirical demonstration followed a classic advanced cloud attack sequence, executed entirely without human intervention between phases. The entry point was Server-Side Request Forgery (SSRF), a well-established vulnerability class in which an attacker induces a vulnerable server to issue requests to destinations of the attacker's choosing, including internal endpoints the attacker cannot reach directly. Zealot exploited this to reach the Google Cloud Platform metadata service.
From there, the system extracted exposed credentials from the metadata service—a mechanism known for years but still recurring in unhardened configurations. With valid credentials, the agent proceeded to impersonate a service account, gaining sufficient IAM privileges to query target resources. The final phase involved the exfiltration of data from BigQuery, Google Cloud’s data warehouse analytics service.
Each step utilized documented techniques with long-standing mitigations. The novelty is not the chain itself, but its autonomous execution and the speed at which the steps were chained together. A skilled human attacker would require minutes or hours to verify conditions, adapt to unexpected responses, and correct course. Zealot demonstrated that this decision-making process can be compressed into machine cycles without degrading tactical precision.
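Every step of the chain described above leaves a record in GCP Cloud Audit Logs: the token minting call against the IAM Credentials API, the delegation information on calls made with the impersonated identity, and the BigQuery job itself. The following is an added detection example, not Unit 42's code and not part of the original report. It baselines which API methods each service account normally calls and then flags two things: a principal calling a method it has never used, and BigQuery activity by a service account shortly after a token was minted for it (or carrying delegation info naming the minter). The log records are constructed and flattened; their field names mirror the real protoPayload fields (principalEmail, serviceName, methodName, resourceName, serviceAccountDelegationInfo), and the service account names are invented.

```python
"""Added example: detecting a Zealot-style chain (token minting, service
account impersonation, BigQuery access) in GCP Cloud Audit Log data.
Not Unit 42's code. Records are constructed and flattened; field names
mirror Cloud Audit Log protoPayload fields."""
from collections import defaultdict
from datetime import datetime, timedelta

WEB_SA = "web-sa@proj.iam.gserviceaccount.com"              # constructed
ANALYTICS_SA = "analytics-sa@proj.iam.gserviceaccount.com"  # constructed
BQ = "bigquery.googleapis.com"
IAMCRED = "iamcredentials.googleapis.com"


def ev(ts, principal, service, method, resource="", delegated_from=None):
    return {"ts": ts, "principal": principal, "service": service,
            "method": method, "resource": resource, "delegated_from": delegated_from}


# Constructed learning window: what each service account normally does.
BASELINE_LOGS = [
    ev("2026-04-01T10:00:00Z", WEB_SA, "storage.googleapis.com", "storage.objects.get"),
    ev("2026-04-01T10:05:00Z", WEB_SA, "storage.googleapis.com", "storage.objects.list"),
    ev("2026-04-01T11:00:00Z", ANALYTICS_SA, BQ, "google.cloud.bigquery.v2.JobService.InsertJob"),
]

# Constructed detection window containing the chain.
NEW_LOGS = [
    ev("2026-04-23T12:00:00Z", WEB_SA, "storage.googleapis.com", "storage.objects.get"),
    ev("2026-04-23T12:00:05Z", WEB_SA, IAMCRED, "GenerateAccessToken",
       resource=f"projects/-/serviceAccounts/{ANALYTICS_SA}"),
    ev("2026-04-23T12:00:40Z", ANALYTICS_SA, BQ, "google.cloud.bigquery.v2.JobService.InsertJob",
       delegated_from=WEB_SA),
    ev("2026-04-23T12:01:10Z", ANALYTICS_SA, BQ, "google.cloud.bigquery.v2.JobService.GetQueryResults",
       delegated_from=WEB_SA),
]


def build_baseline(entries):
    """Profile each principal as the set of (service, method) pairs it normally calls."""
    profile = defaultdict(set)
    for e in entries:
        profile[e["principal"]].add((e["service"], e["method"]))
    return profile


def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect(entries, profile, window=timedelta(minutes=10)):
    """Return alerts for (a) methods a principal has never used before and
    (b) BigQuery activity by an impersonated service account within `window`
    of a token being minted for it, or carrying delegation info from the minter."""
    alerts, chains, token_mints = [], set(), {}
    for e in sorted(entries, key=lambda x: x["ts"]):
        t = parse_ts(e["ts"])
        call = f"{e['service']}/{e['method']}"
        if (e["service"], e["method"]) not in profile.get(e["principal"], set()):
            alerts.append(("NEW_METHOD", e["principal"], call))
        if e["service"] == IAMCRED and e["method"] == "GenerateAccessToken":
            # resourceName ends with the service account the token was minted for.
            target = e["resource"].rsplit("/", 1)[-1]
            token_mints[target] = (t, e["principal"])
        if e["service"] == BQ:
            minter = e.get("delegated_from")
            minted = token_mints.get(e["principal"])
            if minter is None and minted and t - minted[0] <= window:
                minter = minted[1]
            if minter and (minter, e["principal"]) not in chains:
                chains.add((minter, e["principal"]))  # one alert per minter/target pair
                alerts.append(("IMPERSONATION_CHAIN", minter, e["principal"], call))
    return alerts


def run_demo():
    return detect(NEW_LOGS, build_baseline(BASELINE_LOGS))


if __name__ == "__main__":
    for alert in run_demo():
        print(*alert)
```

Run against the constructed data, the baseline window produces no alerts, while the detection window yields three: the web service account's first-ever GenerateAccessToken call, the impersonation chain from web-sa to analytics-sa ending in a BigQuery job, and a BigQuery method analytics-sa had never called before. In production the baseline would be built from weeks of logs per principal, and the delegation field is the stronger signal because it is present even when the minting event was logged in a different project.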
"The findings from this PoC reveal that although AI does not necessarily create new attack surfaces, it serves as a force multiplier, rapidly accelerating the exploitation of well-known, existing misconfigurations." — Unit 42 (Palo Alto Networks)
Why Purely Decentralized Systems Failed
The choice of a supervisor-agent model was empirical rather than theoretical. Unit 42 researchers directly compared the two architectures and documented the limitations of the decentralized approach. When multiple autonomous agents operate without hierarchical coordination, they compete for common resources, repeat reconnaissance already performed by other nodes, and make contradictory decisions that nullify previous progress.
The supervisor introduces an architectural constraint that some adversarial AI researchers might consider limiting: it centralizes control and introduces a single point of failure. However, in the context of cloud offensives, this trade-off provided operational reliability. The supervisor maintains a global state of the operation, evaluates intelligence from specialists, and reorders priorities without requiring manual reconfiguration.
This result has implications beyond automated red teaming. If the supervisor-agent model proves superior for complex, multi-stage operations, it is likely that multi-agent defensive systems will adopt similar hierarchies for incident response, creating a form of architectural convergence between attack and defense.
Mitigation and Defensive Priorities
The Zealot report does not call for panic over some elusive new vulnerability; instead, it demands a prioritized reallocation of defensive resources. Four urgent actions emerge:
- Systematic Auditing of IAM Misconfigurations: The Zealot chain relies on exposed credentials and privilege escalation via service accounts. Periodic reviews of IAM bindings, credential rotation, and the minimization of metadata service permissions must move from scheduled activities to continuous processes, with alerts for any baseline deviations.
- Behavioral Monitoring of Valid Credentials: Because AI operates using legitimate credentials, detection can no longer rely solely on flagging anomalous geographic or time-based logins. Organizations must profile the typical behavior of every service account and generate alerts for BigQuery query patterns, API call frequencies, or sequences of actions that deviate from the established profile.
- Metadata Service Restriction and Network Segmentation: Access to the metadata service from unauthorized positions must be blocked at the network level, not just the application level. Implementing Workload Identity or alternatives that do not expose credentials directly in the metadata endpoint reduces the surface area available for chained SSRF attacks.
- Red Teaming with AI Agents: Red team programs should integrate testing with agentic systems to verify resilience against attacks that do not follow predictable human playbooks. This does not replace human operators but complements coverage regarding speed, persistence, and tactical variation.
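The first and third actions above (IAM auditing and metadata service restriction) can be turned into a continuous check rather than a scheduled review. The following is an added audit example, not Unit 42's code and not part of the report. It inspects instance descriptions and a project IAM policy for the preconditions the chain needs: a workload running as the Compute Engine default service account, the broad cloud-platform OAuth scope, legacy metadata endpoints left enabled, and service accounts holding roles that allow escalation or unrestricted data access. The instance and policy documents are constructed; their shape follows the JSON that `gcloud compute instances describe --format=json` and `gcloud projects get-iam-policy --format=json` emit, trimmed to the fields used, and the project number, instance and account names are invented.

```python
"""Added example: configuration audit for the preconditions a Zealot-style
chain needs. Not Unit 42's code. Input documents are constructed; their shape
follows gcloud's JSON output, trimmed to the fields this audit reads."""
import re
from collections import defaultdict

DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
# Roles that let a workload's credentials escalate or read data at will.
HIGH_RISK_ROLES = {"roles/owner", "roles/editor",
                   "roles/iam.serviceAccountTokenCreator", "roles/bigquery.admin"}

INSTANCES = [  # constructed sample
    {"name": "web-01",
     "serviceAccounts": [{"email": "123456789-compute@developer.gserviceaccount.com",
                          "scopes": [CLOUD_PLATFORM_SCOPE]}],
     "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}},
    {"name": "api-02",
     "serviceAccounts": [{"email": "api-sa@proj.iam.gserviceaccount.com",
                          "scopes": ["https://www.googleapis.com/auth/logging.write"]}],
     "metadata": {"items": [{"key": "disable-legacy-endpoints", "value": "true"}]}},
]

IAM_POLICY = {"bindings": [  # constructed sample
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789-compute@developer.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:web-sa@proj.iam.gserviceaccount.com"]},
    {"role": "roles/logging.logWriter",
     "members": ["serviceAccount:api-sa@proj.iam.gserviceaccount.com"]},
]}


def audit(instances, policy):
    """Return {instance name or 'project': [finding codes]} for the checks below."""
    findings = defaultdict(list)
    sa_roles = defaultdict(set)
    for binding in policy["bindings"]:
        for member in binding["members"]:
            if not member.startswith("serviceAccount:"):
                continue
            sa_roles[member.split(":", 1)[1]].add(binding["role"])
            if binding["role"] in ("roles/owner", "roles/editor"):
                findings["project"].append(f"PRIMITIVE_ROLE {binding['role']} {member}")
            if binding["role"] == "roles/iam.serviceAccountTokenCreator":
                # A project-wide token creator can mint tokens for every service
                # account in the project, which is exactly the impersonation step.
                findings["project"].append(f"PROJECT_WIDE_TOKEN_CREATOR {member}")
    for inst in instances:
        name = inst["name"]
        meta = {i["key"]: i["value"] for i in inst.get("metadata", {}).get("items", [])}
        # Legacy v0.1/v1beta1 metadata endpoints accepted requests without the
        # Metadata-Flavor: Google header that v1 requires; keep them disabled.
        if meta.get("disable-legacy-endpoints", "").lower() != "true":
            findings[name].append("LEGACY_METADATA_ENDPOINTS_ENABLED")
        for sa in inst.get("serviceAccounts", []):
            if DEFAULT_COMPUTE_SA.match(sa["email"]):
                findings[name].append("DEFAULT_COMPUTE_SA")
            if CLOUD_PLATFORM_SCOPE in sa.get("scopes", []):
                findings[name].append("CLOUD_PLATFORM_SCOPE")
            for role in sorted(sa_roles.get(sa["email"], ())):
                if role in HIGH_RISK_ROLES:
                    findings[name].append(f"SA_HOLDS_{role}")
    return dict(findings)


if __name__ == "__main__":
    for target, codes in audit(INSTANCES, IAM_POLICY).items():
        print(target, codes)
```

On the constructed data, web-01 is flagged four times (default service account, cloud-platform scope, legacy endpoints enabled, and its account holding roles/editor) while api-02 produces no findings; the project-level list records the editor grant and the project-wide token creator binding. Wiring this into a scheduled job that diffs successive runs gives the "alerts for any baseline deviations" the first action calls for.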
The Shift: From Tool to Autonomous Operator
Zealot is part of a broader wave of experimentation testing the boundary between assisted tools and independent operators. The qualitative difference is that a traditional tool executes given commands; an agentic system formulates sub-goals, evaluates intermediate results, and adapts its strategy. Unit 42 has shown that this leap is already technically achievable in standard cloud environments using known techniques.
The declaration of LLM-agnosticism carries an important corollary: the barrier to entry is not the possession of an expensive proprietary model, but the ability to orchestrate agentic architectures using any available endpoint. This potentially democratizes the reproducibility of the PoC, increasing the pressure on defenders who can no longer rely on the scarcity of advanced tools as an implicit mitigation factor.
Some blind spots remain. The available data does not allow for a full reconstruction of all specialist functions, nor does it evaluate whether Zealot has been reproduced on AWS, Azure, or other providers. Quantitative metrics regarding success rates, execution latency, or computational costs per completed chain are also missing. These limitations do not diminish the validity of the demonstration, but they indicate where future research must be extended.
FAQ
Is Zealot an active threat in the public cloud?
No. It is a proof of concept executed in a controlled sandbox by Unit 42 to demonstrate technical capabilities, not a malware strain or an attack observed in the wild.
Does the LLM-agnostic architecture mean it works with any model?
The authors state that any model can be selected for each agent, but they do not specify which models were actually tested or if performance and reliability are equivalent across different models.
Why does the GCP metadata service remain an entry point after years of warnings?
Because its exposure depends on application and network configurations that are often overlooked in dynamic or legacy environments. Zealot proves that this hardening gap is not academic—it is automatically exploitable.