Last week, cloud security firm Sysdig announced JadePuffer as the first documented case of agentic ransomware: an AI agent that handled technical execution of a real-world cyberattack from initial access through encryption and ransom delivery. Follow-up reporting from TechCrunch and CyberScoop reveals a more nuanced picture. A human was involved in the operation’s strategic decisions, even as the AI handled the technical work.

What the Human Still Did

Sysdig’s Michael Clark, senior director of threat research, told CyberScoop that “a human still set up and pointed the operation and provisioned the infrastructure behind it, the command-and-control server, the staging server used for the stolen data and chose a victim.” The credentials used to break into the target’s MySQL database were not harvested by the agent itself. Someone obtained them through a prior compromise and supplied them to the operation.

Clark told TechCrunch that none of this contradicts Sysdig’s original finding. The technical execution was real. The distinction is between “agentic ransomware” (an agent handling intrusion steps autonomously) and “fully autonomous cybercrime” (an agent selecting victims and running operations with no human involvement). JadePuffer is the former, not the latter.

What the Agent Actually Did

The attack’s technical details remain significant. The agent exploited a known Langflow vulnerability (CVE-2025-3248) to gain initial access, then moved to a production MySQL server and exploited another flaw for admin access. It encrypted over 1,300 configuration records, wrote its own ransom note, and left a Bitcoin payment address.

When the agent encountered a failed login, it diagnosed the error, switched from subprocess calls to direct library imports, and redeployed a corrected payload in 31 seconds, according to CyberScoop. It narrated its reasoning in natural-language code comments throughout.

The agent ran more than 600 distinct payloads in rapid succession. As Clark told CyberScoop, “the model closed loops that used to require a skilled human.”

The Model Question

An initial detail about “multiple models” in the attack has been clarified. Clark told TechCrunch that the API keys for OpenAI, Anthropic, DeepSeek, and Gemini found during the attack were stolen loot, not evidence of which model powered the agent. “They are indicative of what the attacker considered worth taking, but they do not tell us which model was making the decisions,” he said.

Sysdig was not able to identify the specific model driving JadePuffer and has no visibility into its system prompt or configuration. Microsoft researcher Geoff McDonald theorized on LinkedIn that an open-weight model with safety training removed was more likely than a frontier model, based on his own red-teaming experience.

The Capability Ceiling

McDonald’s warning that ransomware campaigns are now “bounded primarily by attacker budget rather than human effort” does not fully square with the JadePuffer details. If a human must still choose each victim, provision infrastructure, and supply credentials, those manual steps create bottlenecks that limit how many simultaneous campaigns one operator can run.

The operational advantage is real but bounded. Agentic ransomware compresses the technical execution phase from hours to minutes and eliminates the need for specialized intrusion skills. It does not yet eliminate the human in the loop for target selection and infrastructure setup.

Clark told CyberScoop that while Sysdig has not seen the operation hit other victims, “given how cheap this agentic ransomware operation is to run, I would expect this will not be the last.”