A previous OHIIHO post made the case that offensive AI agents are detectable. Several readers asked the same follow-up: detection is not deterrence - so what about vibe-hacking (AI-driven offense), cyberwar, spying ops?
Short version: you can’t deter a machine. A machine doesn’t fear retaliation. It doesn’t weigh consequences. It runs until it stops.
Classical cyber deterrence - attribution plus punishment - was already fragile. Against autonomous agents, the chain snaps a second time.
And yet.
You can deter the operator behind the machine. And the price just changed nature.
Intention used to be the last protected asset
Until recently, an offensive operator’s best-protected asset was intention. Payloads leak. Infrastructure gets burned. TTPs get documented. But intention - the mission, the target list, the objectives, the phase plan - somehow stayed inside the operator’s head, or inside classified paperwork. Most of the time.
AI changed that.
Intention now lives in a prompt. And a prompt is retrievable. (Read twice.)
The previous OHIIHO wargame post already demonstrated this: crafted content in HIIH high-interaction honeypots extracted substantial portions of attacker system prompts from several production models. Not (only) through exotic exploitation. Not through 0days. Through content the agent read as trusted context, and reasoned against.
Same mechanism as indirect prompt injection - running in reverse, as a counter-intelligence primitive.
The forehead problem
So: spying with offensive AI?
An operator launching an AI agent against a well-equipped defender is, in effect, sending a spy into a country that can read thoughts. The spy carries the mission orders written on its forehead.
Call it deterrence by cognitive compromise.
Not deterrence by punishment. Not deterrence by denial alone. Deterrence by the credible risk that intention itself - the mission brief, the operator identity, the strategic context - becomes readable by the target before execution completes.
What this forces on the offensive side
Architectural hardening that eats the economics of the agent.
- Strict output scrubbing.
- Compartmented prompts stripped of strategic context.
- Self-hosted models - goodbye, cheap API commodity.
- Single-mission agents, burned on contact.
The operational footprint starts to look like a SCIF - Sensitive Compartmented Information Facility - translated into machine tradecraft. The cost of an offensive campaign rises. The speed advantage narrows. And one bad day puts the playbook in someone else’s hands.
OHIIHO will not be writing the hardening playbook for offensive operators. That’s not this side of the line.
Two consequences for doctrine
One. Nations that can’t afford symmetric offensive cyber capability now have a credible deterrent that doesn’t require one. No arsenal needed to make an adversary think twice. What is needed is instruments that turn their agents into a liability. A denial-of-sanctuary doctrine, accessible to small and mid-sized states.
Two. The classical cyber line - attribution plus retaliation - isn’t replaced. It’s supplemented. Each era inherits the instruments of the previous one, sharpened and re-pointed.
MAD was the nuclear grammar.
Attribution was the cyber grammar.
Cognitive compromise is the AI grammar.
Same front. New adversary. Same kind of instruments. Sharpened.
Observation. Deception. Counter-intelligence.
Still the line.
For governments and legitimate institutional actors on the defender side, OHIIHO’s door is open. Some of those conversations started this week in Singapore, on the sidelines of Black Hat Asia.