
The information displayed in the AIM should not be reported as representing the official views of the OECD or of its member countries.
T3MP3ST, an open-source tool, uses AI agents like Claude Code to autonomously perform penetration testing and hacking tasks. Its ability to exploit vulnerabilities without expert supervision poses significant cybersecurity risks, including potential unauthorized access and data breaches, though no actual harm has been reported yet.[AI generated]
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (T3MP3ST using Claude Code and other AI models) designed to automate hacking activities, which is a clear AI system involvement. The tool's use is to perform penetration testing phases autonomously, which is a use of AI. While the article does not report any realized harm or incidents caused by this tool, the nature of the tool and its capabilities plausibly could lead to AI incidents such as unauthorized hacking, data breaches, or cyberattacks. Therefore, this event fits the definition of an AI Hazard, as it describes a credible risk of future harm stemming from the AI system's use. It is not an AI Incident because no actual harm has been reported yet. It is not Complementary Information because the article is not about responses or updates to prior incidents but about the tool's release and capabilities. It is not Beneficial Use because the tool itself can be used for offensive purposes and the article does not describe it solely as a countermeasure preventing external harm. Hence, the correct classification is AI Hazard.[AI generated]