SoK: On the Offensive Potential of AI

This website is the complementary online tool to our paper "SoK: On the offensive potential of AI." It includes a list of academic papers (technical and non-technical) and InfoSec briefings (from BlackHat and DefCon), scrutinized based on the offensive AI checklist we developed in our paper. The checklist is a lifelong classification of the key-factors of technologies related to offensive AI, allowing us to objectively examine and compare existing and novel use-cases of offensive AI according to a clearly defined set of criteria. Further details will be provided after the paper has been published.

Below, we provide three lists: (i) for the technical papers, (ii) for the non-technical papers, and (iii) for the InfoSec briefings. The key difference between technical and non-technical papers is that technical papers must demonstrate a practical implementation of the AI model. For the Specific Offensive AI (OAI) use case we highlight papers/briefings mapped to MITRE ATT&CK in green, and papers/briefings mapped to categories unrelated to MITRE ATT&CK in blue.

If you want to add a paper, please feel free to submit it here.

Academic Papers (technical)
Paper Year OAI Use Case Target/Impact Cost/Benefit
Specific OAI Use Case Purpose Def.? Pot. Abuse? Targ. Real/Toy System Social Aspect Benefit Cost Baseline Comp.? Code
Antonelli 2024 Initial Access def - - system toy 0 yes, quant. yes, qual. yes, quant. -
AlMajali 2023 Autonomous Agents def - system toy 0 no no no -
Chen 2023 Autonomous Agents def - - syst. toy 0 yes, quant. yes, quant. yes, qual. x
Chowdhary 2023 Initial Access def - - system real 0 no no no -
Gallus 2023 Initial Access assist. - - system toy 1 no no no prompts shared
Ghanem 2023 Autonomous Agents def - - system toy 0 yes, qual. yes, qual. no -
Happe 2023 Autonomous Agents assist. - syst. toy 0 no no no x
Iqbal 2023 Autonomous Agents assist. - - syst. toy 4 yes, qual. no no prompts shared
Karinshak 2023 Attack on Society atk - - hum. - 20 yes, qual. no yes, qual. prompts shared
Ozturk 2023 Discovery assist. - - syst. toy 1 yes, quant. no yes, quant. prompts shared
Pa Pa 2023 Resource Development assist. - syst. real 3 yes, qual. yes, quant. no prompts shared
Zennaro 2023 Autonomous Agents def - syst. toy 3 yes, qual. no no x
Auricchio 2022 Initial Access def - - syst. toy 0 yes, quant. yes, qual. yes, quant. -
Biesner 2022 Credential Access atk - - syst. toy 1 yes, quant. no yes, quant. x
Cody 2022 Exfiltration def - - syst. toy 0 no no no -
Confido 2022 Autonomous Agents def - - syst. toy 4 yes, quant. yes, quant. yes, qual. -
Gangupantulu 2022 Autonomous Agents def - - syst. toy 1 yes, qual. no no -
Hu 2022 Defense Evasion atk - syst. toy 0 no no no -
Jagamogan 2022 Initial Access def - - syst. toy 0 yes, quant. no yes, quant. x
Karanatsiou 2022 Privacy Attack atk - - hum. - 59 no no no -
Lee 2022 Initial Access atk - - syst. real 0 yes, clear no yes, quant. x
Li 2022 Autonomous Agents (ICS) def - - syst. toy 0 no no no -
Lin 2022 Defense Evasion atk - syst. toy 0 yes, quant. no yes, quant. -
Nhu 2022 Autonomous Agents def - - syst. toy 0 no no no -
Pagnotta 2022 Credential Access atk - - syst. toy 0 yes, quant. no no -
Tran 2022 Autonomous Agents def - - syst. toy 0 yes, quant. no no -
Yao 2022 Autonomous Agents def - - syst. toy 0 no no no -
Caturano 2021 Initial Access assist. - - syst. toy 0 no no yes, quant. -
Erdodi 2021 Initial Access def - syst. toy 0 no no no x
Gangupantulu 2021 Discovery def - - syst. toy 1 no no no -
Khan 2021 Initial Access atk - - both real 4 yes, qual. yes, qual. no -
Kujanpää 2021 Privilege Escalation atk - syst. toy 0 yes, qual. no no -
Lee 2021 Credential Access atk - - syst. toy 0 yes, quant. no yes, quant. -
Maeda 2021 Privilege Escalation def - syst. toy 0 yes, qual. no yes, qual. -
Neal 2021 Process Control* def - - syst. toy 0 no no no -
Sharevski 2021 Attack on Society atk - - hum. - 15 yes, qual. yes, qual. no -
Standen 2021 Privilege Escalation def - - syst. toy 0 no no no -
Toemmel 2021 Persistence atk - - both toy 0 no no no -
Tran 2021 Autonomous Agents def - - syst. toy 0 yes, quant. no no -
Al-Hababi 2020 Reconnaissance atk - - syst. toy 11 no no no -
Bhattacharya 2020 Autonomous Agents (ICS) def - - syst. toy 0 yes, qual. yes, qual. no -
Chowdhary 2020 Autonomous Agents def - - syst. toy 0 yes, qual. yes, qual. yes, qual. x
Halimi 2020 Privacy Attack atk - - hum. - 36 yes, quant. no no -
Hu 2020 Autonomous Agents def - - syst. toy 0 no no no -
Lee 2020 Credential Access atk - - syst. toy 2 yes, qual. no no -
Lee 2020 Credential Access atk - - syst. toy 2 yes, quant. no yes, quant. -
Liu 2020 Initial Access def - - syst. real 0 yes, clear yes, quant. yes, quant. x
Pearce 2020 Defense Evasion atk - syst. toy 0 yes, qual. no no x
Sharevski 2020 Attack on Society atk - both toy 13 no no no -
Shu 2020 Defense Evasion atk - syst. toy 1 yes, qual. no no -
Song 2020 Defense Evasion atk - syst. real 0 yes, quant. no no x
Valea 2020 Autonomous Agents def - - syst. toy 0 yes, qual. yes, qual. no -
Yu 2020 Discovery atk - syst. real 0 yes, qual. yes, qual. yes, quant. -
Basu 2019 Initial Access atk - both real 8 no no yes, quant. -
Cecconello 2019 Reconnaissance atk - both real 5 yes, qual. yes, qual. no -
Chung 2019 Evasaion* atk - syst. toy 0 yes, qual. yes, qual. no -
Das 2019 Reconnaissance atk - - syst. real 0 yes, quant. no yes, quant. x
Ghanem 2019 Autonomous Agents def - - syst. toy 0 yes, qual. yes, qual. no -
Tshimula 2019 Privacy Attack atk - - hum. - 24 no no no -
Yu 2019 Initial Access atk - - syst. real 0 no yes, qual. no -
Zhang 2019 Credential Access* atk - syst. real 0 no no no -
Anand 2018 Credential Access atk - syst. toy 1 yes, qual. no yes, quant. -
Bahnsen 2018 Defense Evasion atk - syst. toy 0 yes, quant. no yes, quant. x
Kronjee 2018 Initial Access atk - syst. real 0 yes, quant. yes, qual. yes, qual. x
Rigaki 2018 Defense Evasion atk - syst. real 0 yes, qual. no no -
Zhou 2018 Privacy Attack atk - - hum. - 29 yes, quant. no yes, quant. x
Yao 2017 Attack on Society atk - both toy 24 yes, quant. yes, qual. yes, quant. -
Anderson 2016 C2 atk - syst. toy 0 no no no x
Ceccato 2016 Initial Access def - - syst. real 0 yes, qual. yes, qual. yes, quant. -
Grieco 2016 Discovery def - - syst. real 0 no no yes, quant. x
Freitas 2015 Attack on Society atk - - both real 230 yes, quant. no no -
Bursztein 2014 Initial Access atk - syst. real 0 no yes, qual. yes, quant. -
Malhotra 2012 Privacy Attack atk - - hum. - 53 no no no -
Sumner 2012 Privacy Attack atk - - hum. - 55 no no no -
Adali 2012 Privacy Attack atk - - hum. - 39 no no no -
Goldbeck 2011 Privacy Attack atk - - hum. - 35 no no no -
Yamaguchi 2011 Discovery def - syst. real 0 no no no -
Bursztein 2009 Initial Access atk - syst. real 0 yes, quant. no no -
Golle 2008 Initial Access atk - syst. real 0 no no no -
Academic Papers (non-technical)
Paper Year OAI Use Case Target/Impact Cost/Benefit
Specific OAI Use Case Purpose Def.? Pot. Abuse? Targ. Real/Toy System Social Aspect Benefit Cost Baseline Comp.? Code
Dall’Agnol 2023 Attack in (Cyber) Warfare atk - both - 0 no, no mention no, no mention no, no mention -
Pashentsev 2023 Attack on Society atk - both - 161 yes, qual. no no -
Rickli 2023 Attacks in (Cyber) Warfare atk - - syst. toy 0 no no no -
De Angelis 2023 Attack on Society atk - hum. - 7 yes, qual. yes, qual. no -
Illiashenko 2023 Attack on Society atk - hum. - 2 yes, qual. no no -
McIlroy-Young 2022 Attack on Society atk - hum. - 17 yes, qual. yes, qual. no -
Kasim 2022 Autonomous Agents atk - both toy 0 yes, quant. yes, quant. yes, quant. -
Hao 2022 Autonomous Agents def - - both toy 1 no no no -
Dall'Agnol 2021 Attacks in (Cyber) Warfare atk - both toy 0 no no no -
Nica 2020 Attacks in (Cyber) Warfare atk - - both toy 18 yes, qual. yes, qual. no -
Skeba 2020 Privacy Attack atk - hum. - 28 no no no -
Easttom 2019 Attacks in (Cyber) Warfare atk - - both toy 0 no no no -
Burton 2019 Attacks in (Cyber) Warfare atk - - both toy 15 yes, qual. yes, qual. no -
Burton 2019 Attacks in (Cyber) Warfare atk - - syst. toy 0 yes, qual. no no -
Giaretta 2019 Initial Access atk - - hum. - 4 no no no -
Maus 2015 Attack on Society atk - syst. toy 64 yes, qual. no no -
Guarino 2013 Attacks in (Cyber) Warfare atk - - both toy 0 yes, qual. yes, qual. no -
InfoSec Briefings (from DefCon and BlackHat)
Paper Year OAI Use Case Target/Impact Cost/Benefit
Specific OAI Use Case Purpose Def.? Pot. Abuse? Targ. Real/Toy System Social Aspect Benefit Cost Baseline Comp.? Code
Scheiner 2023 Attack on Society atk - human - 7 yes, qual. yes, qual. yes, qual. -
Canham 2023 Attack on Society atk - hum. - 11 yes, qual. yes, qual. yes, qual. -
Heiding 2023 Initial Access atk - both real 0 yes, quant. yes, qual. yes, quant. -
Herbert-Voss 2023 Initial Access assist. - - syst. real 2 yes, qual. yes, qual. yes, qual. -
Waligóra 2023 Reconnaissance atk - - syst. real 0 yes, qual. yes, clear no -
Gibson 2023 Attack on Society atk - hum. - 4 yes, qual. yes, qual. no -
Zror 2023 Reconnaissance atk - - hum. - 7 yes, qual. yes, qual. yes, qual. -
Xing 2022 Initial Access atk - both toy 2 yes, quant. no yes, quant. x
Chi 2022 Initial Access def - syst. real 0 yes, qual. no yes, qual. -
Lim 2021 Initial Access atk - both real 8 yes, quant. yes, qual. yes, quant. -
Lohn 2021 Attack on Society atk - hum. - 3 yes, quant. yes, quant. no -
Tully 2020 Attack on Society atk - both real 20 yes, qual. yes, qual. no -
Basu 2020 Initial Access atk - - hum. - 2 no no no x
Sharma 2020 Discovery def - - syst. real 2 yes, qual. no no -
Takaesu 2019 Autonomous Agents def - syst. real 0 no no no x
Botwicz 2019 Reconnaissance def - syst. real 0 no no no x
Bursztein 2019 Reconnaissance atk - - syst. real 0 yes, qual. yes, qual. no x
Ding 2019 Initial Access def - - syst. real 0 yes, qual. no no -
Price 2019 Attack on Society atk - both real 1 no no no x
Bahnsen 2018 Defense Evasion atk - syst. toy 1 yes, quant. no yes, quant. x
Greenstadt 2018 Privacy Attack atk - - hum. - 0 yes, quant. no no -
Kirat 2018 Defense Evasion atk - both real 2 yes, quant. no no -
Perin 2018 Reconnaissance atk - - syst. real 0 yes, quant. no yes, qual. -
Gomez 2018 Privacy Attack atk - - hum. - 4 no no no x
Anderson 2017 Defense Evasion atk - syst. toy 0 yes, quant. yes, quant. no x
Lain 2017 Reconnaissance atk - both real 0 yes, qual. yes, qual. no x
Morris 2017 Initial Access atk - - syst. real 22 no no no -
Tully 2017 Attack on Society atk - both real 69 yes, qual. yes, qual. no -
Singh 2017 Reconnaissance atk - both real 13 no no no -
Polakis 2016 Initial Access atk - syst. real 0 yes, clear yes, clear yes, quant. -
Argyros 2016 Initial Access def - - syst. real 0 no no no x
Seymour 2016 Initial Access atk - both real 22 yes, quant. yes, quant. yes, quant. -
Wolff 2016 Exfiltration atk - - syst. real 0 no no no -
Bursztein 2014 Attack on Society atk - - both real 0 yes, qual. no no x
Fu 2014 Privacy Attack atk - both real 0 yes, qual. no no -
Vanned 2013 Resource Development atk - - syst. real 0 yes, clear yes, quant. yes, quant. x
Espinhara 2013 Reconnaissance atk - - both real 41 no no no x
Clarke 2008 Attack on Society atk - - hum. - 0 yes, quant. no no -

If you spot any mistakes, or missing papers, feel free to contact us (anonymous for now, but we will add credentials after having published the paper), or just go ahead and submit an entry!

Do you want to add a new paper? Please go ahead and submit a new entry!

The submitted entry will be sent to us via mail. We will review the entry and add it to the tables, if it is related of offensive AI. Please note that this may take up to two weeks.























(a) No, no mention
(b) Yes, qualitative: Just a discussion
(c) Yes, quantitative (e.g., based on accuracy/precision)
(d) Yes, clear mention of monetary benefit or time/resources saved according to some metrics that go beyond sheer accuracy/precision
(a) No, no mention
(b) Yes, qualitative: Just a discussion
(c) Yes, quantitative
(d) Yes, clear mention of the required $$ to launch the attack
(a) No, no mention
(b) Yes, qualitative: Just a discussion
(c) Yes, quantitative