Sysdig's AI ransomware report puts Loris Degioanni's runtime bet to the test

JADEPUFFER was human-directed, but Sysdig says an AI agent handled reconnaissance, credential hunting, encryption and the ransom note.

By ยท Published

Why it matters

JADEPUFFER turns agentic security from a vendor pitch into an operating problem: attackers can use AI to compress the middle of an intrusion, forcing defenders to prove they can respond at the same pace.

AI agent performing ransomware attack (Hand-drawn editorial illustration in the spirit of a New Yorker cover)

Loris Degioanni's Sysdig has documented JADEPUFFER, a ransomware-style database extortion operation that Sysdig says used an AI agent to execute much of the intrusion chain, giving the cloud-security founder's runtime thesis a sharper and less theoretical adversary.

Sysdig published the underlying technical report on July 1, and Forbes amplified the finding on July 10 as evidence that cheaper agentic models are changing ransomware economics. The careful reading is narrower and more useful: JADEPUFFER does not prove that autonomous AI attackers are choosing targets on their own. It shows that a human-directed operation can hand off expensive keyboard work to an agent.

That distinction is central to the story. TechCrunch reported that Sysdig's Michael Clark clarified that a human still chose the victim, provisioned infrastructure and supplied some credentials. Sysdig also could not identify the specific model running the agent and had no visibility into the system prompt or configuration. Those gaps matter because they limit what defenders can infer from this case.

The reason this report lands squarely in Degioanni's lane is his history. Sysdig says Degioanni founded Sysdig in 2013 to give developers and defenders system-call-level visibility into cloud and container environments. Before that, he co-created Wireshark, built the open-source sysdig troubleshooting tool, and created Falco, the open-source container runtime security project. His career has been organized around one premise: when infrastructure gets abstracted away, defenders need a deeper view of what is actually running.

JADEPUFFER is a live test of that premise. RuntimeWire reported on July 4 that Sysdig's report sharpened Degioanni's runtime argument: attackers can chain familiar cloud flaws without a human operator walking every step. The latest wave of coverage broadens the point from one incident to a market question. If AI agents can perform the slow middle of an intrusion, security vendors built around dashboard review and ticket queues are defending at the wrong tempo.

What Sysdig says JADEPUFFER did

According to Sysdig's July 1 report, JADEPUFFER exploited an exposed Langflow instance using CVE-2025-3248, then used Python-based payloads to move through reconnaissance, credential and secret harvesting, internal discovery, database access and extortion.

The vulnerability itself was already known. The National Vulnerability Database describes CVE-2025-3248 as an unauthenticated code-injection flaw affecting Langflow versions before 1.3.0 that allows arbitrary code execution.

Sysdig says the agent searched the host for API keys, cloud credentials and other secrets. The report says the agent accessed the application's backing database, probed internal services and object storage, and established persistence on the initial host.

The production target, Sysdig says, included a separate internet-facing server running MySQL. TechCrunch reported that the credentials used to access that database were not harvested by the agent itself; someone obtained them separately and supplied them to the operation.

Once in the database, the agent encrypted over 1,300 configuration records and wrote a ransom note that included a Bitcoin address, according to TechCrunch and Sysdig. The operational signature that made Sysdig call this agentic was not the novelty of the techniques. It was the behavior around them. Sysdig says the payloads contained natural-language reasoning, target prioritization and explanatory comments that looked like LLM-generated code. TechCrunch noted the agent fixed a failed login in 31 seconds while narrating its reasoning in code comments.

The business case for AI-assisted extortion

Ransomware already operates like a labor market. Access brokers find footholds. Operators triage networks. Specialists steal credentials, escalate privileges, exfiltrate data, encrypt systems and negotiate payment. AI agents compress some of that work into software that can be run cheaply, repeatedly and with less specialized human labor.

That does not eliminate human bottlenecks. JADEPUFFER still required target selection, infrastructure and at least some externally supplied credentials. It also left a noisy trail, including self-narrating payloads and code comments that helped Sysdig reconstruct the attack. Those artifacts may be a temporary defender advantage. Future operators can ask models to produce less verbose payloads, strip comments and randomize execution patterns.

For founders building security products, the case is a warning about where value shifts. The attacker does not need a new exploit if the agent can combine known flaws, exposed services, default credentials and cloud secrets faster than a human team can investigate alerts. Langflow became the front door because AI application servers often sit near provider keys, cloud credentials and internal services. The more teams deploy agent frameworks quickly, the more those frameworks become high-value ingress points.

Sysdig is using that same argument on the product side. On May 6, Sysdig announced Headless Cloud Security, a version of its cloud-native application protection platform designed to run inside AI coding agents rather than only through a dashboard. The product pitch tracks the JADEPUFFER lesson: if attackers are delegating execution to agents, defenders will try to delegate investigation, prioritization and response to agents as well. In that announcement, Degioanni argued that teams need measurable security outcomes rather than another dashboard.

Sysdig's timing is not accidental

Sysdig is making the JADEPUFFER disclosure during a leadership reset and a crowded cloud-security cycle. Sysdig named Hatem Naguib as CEO on June 16, saying the former Barracuda CEO joined after leading security and infrastructure businesses through earlier platform shifts. Degioanni remains founder, CTO and part of Sysdig's Office of the CEO.

Sysdig's last verified financing in the available public record remains its December 15, 2021 Series G: $350 million led by Permira's growth fund at a $2.5 billion valuation, bringing total funding to $744 million. That round included Guggenheim Investments, Accel, Bain Capital Ventures, DFJ Growth, Glynn Capital, Goldman Sachs, Insight Partners, Next47, Premji Invest & Associates and Third Point Ventures. No newer verified funding round was found in the reviewed sources.

The market around Sysdig has moved since that raise. Cloud security buyers are being sold agentless graphs, runtime sensors, AI investigation tools and code-to-cloud posture management by companies including Wiz, Orca Security, Palo Alto Networks, CrowdStrike, Aqua Security and Upwind. Sysdig's counter-position is to argue that runtime truth matters more as machines write and execute more of the operational work on both sides of the intrusion.

JADEPUFFER gives Sysdig a timely proof point, though it should be treated as one incident, not a settled category. The victim is undisclosed. The ransom amount is undisclosed. The model is unidentified. The prompt and configuration are unknown. Sysdig says it captured what it assesses to be the first documented case of agentic ransomware, and the public evidence supports the narrower claim that an AI agent automated meaningful parts of a real extortion chain.

That narrower claim is enough. Attackers do not need full autonomy to improve their margins. They need tools that turn one skilled operator into several semi-skilled campaigns, or that let a less capable operator perform the mid-stage work of a better one. JADEPUFFER shows that the labor substitution phase of AI-enabled cybercrime has begun, and it puts pressure on every cloud-security founder selling speed to define exactly which seconds their product can save.

Reader comments

Conversation for this story loads after sign-in.