An agentic threat actor (ATA) is an operator whose attack capability is executed by an AI agent. The human sets an objective. The agent handles reconnaissance, target selection, and execution on its own.
Sysdig attached the label this week to JADEPUFFER, agentic ransomware built for automated database extortion. The term is a week old and already repeating across trade press, with no definitional page ranking for it.
| Dimension | Traditional threat actor | Agentic threat actor |
|---|---|---|
| Who runs the intrusion | Human at a console | AI agent, once told the goal |
| Tooling | Pre-built scripts a person launches and steers | Model generates and adapts its actions mid-run |
| Speed and scale | Capped by human working hours | Capped by available compute |
| Intent visibility | Inferred from artifacts after the fact | Narrated by the model itself, live |
That last row is the strange part. Infosecurity Magazine reported researchers describing the first agentic ransomware of its kind, and the model didn't hide its reasoning. It narrated its own intent the entire way, logging what it was doing and why as it extorted the database.
Traditional actors script and automate too. Automation runs a plan a person wrote. An ATA writes the plan while the attack is happening, which is why the same intrusion can pivot faster than a defender can read the alert queue, and why post-incident forensics now has a running commentary to read instead of a pile of mute artifacts.
A defender used to reconstruct intent from what the malware touched. With JADEPUFFER, the intent is in the transcript.
The label matters for classification more than for defense right now. If "agentic threat actor" sticks, threat-intel teams get a bucket for adversaries whose behavior can't be attributed to a named human crew or a fixed toolkit, because the toolkit is a prompt and a model checkpoint. Sysdig got the naming rights by publishing first. Whether the industry keeps "ATA" or a rival vendor coins something cleaner is the open question.
Watch the next agentic-ransomware disclosure, expected within weeks given the July cadence: if it also reaches for "agentic threat actor" instead of a fresh coinage, the term has stuck.
The Signal is the public edge of a private practice. Sherpa points the same intelligence engine at one owner's business — competitors, suppliers, regulators, watched daily, graded and sourced. Work with a Sherpa →
