Session Description
[Please refer to this link for detailed technical documentation, architecture diagrams: [https://keen-harmonica-78a.notion.site/Breach-on-Autopilot-Technical-Deep-Dive-352d19e62e02802f99b8d72376af1bc8?source=copy_link]

General Information
- Title: Breach on Autopilot: From AI-Planned Kill-Chains to Automated Atomic Execution
- Category: Artificial Intelligence (AI) Hacking / Enterprise Security
- Keywords: Autonomous Red Teaming, LLM Reasoning, MITRE ATT&CK, Atomic Red Team, Air-gapped Security, Offensive AI
- Project Documentation: [Breach on Autopilot: Technical Deep Dive](https://www.notion.so/Breach-on-Autopilot-Technical-Deep-Dive-352d19e62e02802f99b8d72376af1bc8?pvs=21) (click)
- Moving Beyond the AI Buzzword: Building an Autonomous Offensive Pipeline
Modern attackers execute coordinated, multi-stage kill-chains, yet many offensive tools remain fragmented. This session introduces an in-house automated offensive framework that bridges the gap between asset intelligence (Blue Hunter) and autonomous execution (Red Hunter).
We will demonstrate a unified "Blue-to-Red" workflow where AI doesn't just generate text, but acts as a strategic operative. We introduce the AI Dependency Logic, a tiered model allowing users to scale from manual validation to full autonomy. In "High Autonomy" mode, the framework performs Auto-Resolution—analyzing execution failures to self-correct payloads—and Intelligent Pathfinding to navigate restricted environments via automated credential injection and alternative maneuvers.

Key Technical Highlights:
- Strategic Pivot: A seamless interface to transition from Blue Hunter’s adversary mapping and CVE prioritization to Red Hunter’s tactical execution.
- Stealth Agent Generation: AI-driven defense evasion that dynamically applies obfuscation and anti-analysis measures based on the target's EDR posture.
- Air-Gapped Resilience: A fully offline architecture utilizing local LLMs and serialized MITRE ATT&CK/Atomic Red Team caches for high-security environments.
- Tactical Analytics: Transforming raw execution logs into a localized MITRE ATT&CK Coverage Matrix to identify explicit detection gaps.
Join us to see how AI moves beyond the buzzwords into a self-healing, reproducible offensive pipeline that helps IT teams reclaim their time and focus on strategic defense.


Speakers Introduction
Jooho Yeo (Researcher, PIOLINK) & Yeonju Baek (Developer & Researcher, PIOLINK)
We are a team from PIOLINK, a cybersecurity company based in South Korea.
First, let me introduce Jooho Yeo. Jooho is a researcher specializing in AI-driven Attack Surface Management. He is the mastermind behind Blue Hunter, where he focuses on transforming raw OSINT data into strategic attack narratives using LLMs. He’s the one who teaches our AI how to 'think' like a strategist.
And I am Yeonju Baek. I am a developer and researcher focused on offensive automation. My role is leading the development of Red Hunter, the execution engine of this framework. My work is about operationalizing the MITRE ATT&CK framework and Atomic Red Team payloads into seamless pipelines that work even in the most restricted, air-gapped environments.
Together, we’ve built a bridge between AI-generated intelligence and real-world offensive execution.

---

PART 1: Blue Hunter – AI Strategic Reasoning

Meet Blue Hunter, our AI-driven strategic brain. It ingests OSINT data—DNS, certificates, tech-stacks—and processes it through a Chain-of-Thought prompting strategy. Instead of just listing vulnerabilities, it reasons: 'If this service is EOL and this port is open, what is the probability of a successful lateral movement?' It generates an actual 'Operation Log' that describes a full, environment-specific narrative.

This narrative isn't just text. Our engine algorithmically maps these identified weaknesses to specific MITRE ATT&CK TIDs. It bridges the gap between high-level AI intent and low-level system commands. This ensures that every move the AI plans is grounded in proven threat actor tradecraft.

---

PART 2: Red Hunter – Automated Execution

Once the plan is ready, Red Hunter takes over. It’s an automated execution engine that supports both agentless and agent-based operations. It features a Dynamic Parser that takes Atomic Red Team YAMLs and injects target-specific parameters like IPs and credentials. It doesn't just run a script; it orchestrates an operation.

Execution in complex networks requires persistence. Red Hunter uses an RPC bridge to Metasploit, allowing us to handle session upgrades and post-exploitation modules programmatically. We’re moving away from manual console typing to a fully automated session handling loop.

---

PART 3: Engineering for Isolation

Here is the core technical challenge: How do you do this in a zero-trust, air-gapped environment? We built a localized intelligence system. We serialized the entire MITRE tree and Atomic repositories into a local cache. No GitHub, no cloud APIs. The AI searches a pre-computed vector database stored right on the local disk.

---

PART 4: Impact & Metrics

To bridge the gap with the Blue Team, we generate a Coverage Matrix. This visualizes exactly which TIDs passed, failed, or were partially blocked. It highlights the 'Detection Gaps' in the target's environment. We’re not just providing a list of bugs; we’re providing a roadmap for better defense.

In conclusion, Blue Hunter plans, and Red Hunter executes. By automating the OODA loop, we reduced manual data integration from hours to minutes. Our next step is a fully self-evolving framework. Security is no longer a battle of tools; it’s a battle of data-driven strategy.