This study addresses the emerging security threats posed by Highly Autonomous Cyber-Capable Agents (HACCAs)—intelligent systems capable of conducting cyber operations with minimal human intervention. It establishes the first conceptual framework for HACCAs, defining their multi-stage autonomous capabilities across the full cyber attack lifecycle. Through threat modeling, attack lifecycle analysis, and strategic security assessment, the research systematically identifies five core tactics and two categories of tail risks associated with HACCAs, clarifying their operational boundaries and projected development timeline. The work further elucidates the disruptive implications of HACCAs for national cyber competition, the proliferation of cybercrime, and loss-of-control scenarios. Finally, it proposes seven forward-looking policy recommendations encompassing situational awareness, proactive defense, and coordinated governance to guide governmental and industry responses.

This report introduces the concept of "Highly Autonomous Cyber-Capable Agents" (HACCAs), AI systems capable of autonomously conducting multi-stage cyber campaigns at a level comparable to today's top criminal hacking groups or state-affiliated threat actors, and analyzes the security implications of their emergence. The report: (1) Defines what HACCAs are and forecasts when they might arrive, establishing a clear framework for an autonomous cyber agent that can operate across the full attack lifecycle without meaningful human direction; (2) Identifies five core operational tactics, detailing how HACCAs could sustain themselves in the wild, from autonomous infrastructure setup and credential harvesting to detection evasion and adaptive shutdown avoidance; (3) Analyzes the strategic implications, including how HACCAs could intensify interstate cyber competition, lower the barrier to entry for sophisticated operations, and proliferate advanced offensive capabilities to criminal groups and less-resourced state actors; (4) Flags two tail risks that deserve serious attention: the potential for autonomous cyber operations to trigger inadvertent cyber-nuclear escalation, and the possibility of sustained loss of control over rogue HACCA deployments; (5) Proposes seven policy recommendations across three goals: understanding the emerging threat, defending against HACCAs, and ensuring their responsible development and deployment.