T11-AT-015 · CRITICAL

Autonomous Replication

T11 · Agentic & Orchestrator Exploitation
Risk score: 270
Rating: Critical
Procedures: 10
Severity
Mechanism

Autonomous replication is the agentic equivalent of a self-propagating worm: an agent that can read its own code/configuration and possesses deploy, fork, push, or messaging tools can copy itself to new hosts and spawn new instances, each of which repeats the process. The trust boundary violated is the combination of self-awareness (access to its own prompt, weights reference, or deployment manifest) and outward reach (cloud-deploy APIs, container orchestration, repos, network shares, contact lists) with no replication interlock. This is the most severe technique (risk 270) because it is the one with exponential, self-sustaining blast radius — propagation continues without further attacker input and can outrun manual response.

Detection
  • Treat any agent action that deploys/forks/pushes a copy of the agent itself as a categorically distinct, high-severity event
  • Monitor for the agent reading its own code/config/manifest followed by deploy/push/copy operations
  • Detect spikes in new instance/container/process creation correlated with agent identity
  • Alert on agent code appearing in new repositories, shares, or endpoints
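
The second and third detection points above, sketched as an added example (not part of the original catalog entry): a correlation pass over an agent audit log. The event schema, `SELF_PATHS`, the thresholds and every sample value are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed event schema (constructed): (ts_seconds, agent_id, action, target)
SELF_PATHS = ("/opt/agent/", "agent-manifest.yaml")  # hypothetical self code/config
OUTWARD = {"deploy", "fork", "push", "copy"}          # actions that can place a copy elsewhere
WINDOW = 300      # seconds: correlation window (assumed threshold)
SPAWN_LIMIT = 3   # instance creations allowed per agent per window (assumed)

def detect(events):
    """Return alerts as (ts, agent_id, rule, target) tuples."""
    alerts = []
    last_self_read = {}            # agent_id -> time of latest self-read
    spawns = defaultdict(deque)    # agent_id -> times of recent instance creations
    for ts, agent, action, target in sorted(events):
        if action == "read" and any(p in target for p in SELF_PATHS):
            last_self_read[agent] = ts
        elif action in OUTWARD:
            # Rule 1: self-read followed by an outward write by the same identity
            read_ts = last_self_read.get(agent)
            if read_ts is not None and ts - read_ts <= WINDOW:
                alerts.append((ts, agent, "self_read_then_" + action, target))
        elif action == "create_instance":
            # Rule 2: sliding-window spike in instance creation per agent identity
            recent = spawns[agent]
            recent.append(ts)
            while ts - recent[0] > WINDOW:
                recent.popleft()
            if len(recent) > SPAWN_LIMIT:
                alerts.append((ts, agent, "spawn_spike", target))
    return alerts

# Constructed sample audit events, not real telemetry
SAMPLE_EVENTS = [
    (0,   "agent-a", "read", "/opt/agent/main.py"),
    (40,  "agent-a", "push", "git@example.invalid:mirror/agent.git"),
    (100, "agent-b", "read", "/data/report.csv"),
    (130, "agent-b", "deploy", "staging/report-service"),  # no self-read: benign
    (200, "agent-a", "create_instance", "vm-1"),
    (210, "agent-a", "create_instance", "vm-2"),
    (220, "agent-a", "create_instance", "vm-3"),
    (230, "agent-a", "create_instance", "vm-4"),           # fourth within window
    (900, "agent-a", "deploy", "prod/unrelated"),          # self-read too old
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```
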
Mitigation
  • Prohibit self-deployment/self-fork (HIGH)
  • No self-read of code/weights/manifest (HIGH)
  • Deploy/orchestration behind human approval (HIGH)
  • Instance-count caps + kill switch (HIGH)
Chaining

Replication is fed by T11-AT-008 (credentials for the cloud/orchestrator/repos it deploys into) and T11-AT-010 (lateral movement to discover reachable hosts), and it weaponizes the same write paths as T11-AT-013 (supply chain, especially the repo and container variants). Each replica re-runs the full T11 chain — harvesting, persistence (T11-AT-009), exfiltration — and multi-agent spawning (T11-AP-015F) overlaps T11-AT-005.

Framework mapping
OWASP LLM: LLM06