A RAND Corporation study published June 25 finds that AI coding agents can now autonomously solve the offensive-cybersecurity exercises that, a year ago, required trained human operators. In an April 2026 experiment, an agent running Anthropic's Claude Code cleared every challenge the researchers set. Total API cost: under $20. Total time: under an hour. No human operator in the loop.
The exercises in question are capture-the-flag (CTF) challenges, a long-standing format in offensive-security training and competition where participants break into simulated systems to retrieve hidden strings. Solving harder tiers has traditionally demanded the patient, multi-step reasoning that only practiced offensive-security operators were thought to bring to the table. RAND's new report is the clearest published measurement yet of how quickly that barrier has collapsed, and the think tank is now arguing that the risk benchmarks underpinning modern cyber defense were built for a world that no longer exists.
The shift from 2025 to 2026 is the heart of the finding. A year ago, RAND's first study tested humans working with chatbot-style AI assistants and found the lift was statistically insignificant: participants generally struggled even with AI in the loop, and almost none succeeded on the harder challenge tiers. The new study does not rerun those human-plus-chatbot pairings against the same challenges. It measures what an autonomous agent can do on its own. The difference, in RAND's framing, is between a tool that advises a human and a tool that executes, and that distinction is doing most of the work in their conclusion that the offense side of the field has crossed a threshold.
Help Net Security's coverage of the report cites Claude and Codex-style agent systems as the practical reference point for the category. Practitioner-side reporting from Include Security has been tracking a similar arc through CTF competitions in 2026, with agents posting competitive scores on challenges that were designed for trained humans.
RAND's argument about defense is the part that travels beyond the benchmark. The think tank's position is that risk-assessment frameworks built around periodic, offense-only evaluations are now inadequate, because they assume the attacker is a skilled operator and the test moment is stable. Both assumptions are wrong, in RAND's reading: the attacker can now be a non-expert directing an autonomous agent, and the relevant capability is moving faster than any annual benchmark can track. The report calls for continuous, defender-in-the-loop measurement, with test environments that include active defenders rather than static targets.
That is also where the legitimate criticism lives. RAND's number is one benchmark suite, run by one research team, against one model family at one point in time. The harder CTF tiers in the 2025 study were already difficult for human-plus-chatbot pairings, so a clean sweep by an agent is a real jump on that benchmark; but the ceiling of what an agent can do in a constrained exercise, against a static target with a known win condition, is not the same question as what a real attacker can do against a defended enterprise. RAND's own writeup notes that defender uplift, the question of whether AI agents also make blue teams meaningfully better, is not measured here. The takeaway is asymmetry: the offense side of the ledger just got cheaper, while the defense side of the ledger is still being measured the old way.
What to watch next is whether the next round of agent models widens the gap further, and whether the policy conversation moves from whether to regulate offensive AI tools to how to certify the defender side. RAND's data point is the easiest one to falsify and the hardest one to wave away: one study, one benchmark suite, one model family, and every challenge solved.