Adversarial AI THREAT MATRIX
May 2026 Edition – Fully Polished • Classification: CONTROLLED UNCLASSIFIED // Black Eagle Group™ Red-Team Intelligence
STATUS: ACTIVE // Adversary AI Emulation & Threat Intelligence Node Ready
Adversary Doctrine: Unrestricted Warfare
Definition
Unrestricted Warfare is the 1999 seminal work by PLA Senior Colonels Qiao Liang and Wang Xiangsui. They argue that modern conflict has moved beyond the traditional battlefield. Their central thesis is that "everything is a weapon" and any domain of human endeavor can be used to compel an enemy to serve one's interests. Against a conventionally superior adversary, victory is achieved by coordinating all means — military and non-military, lethal and non-lethal — without restraint.
Core maxim: “There are no rules, with nothing forbidden.”
Core Concepts
- Complete elimination of boundaries between war/peace, military/civilian, lethal/non-lethal.
- “Combinations that transcend boundaries” creating compound effects.
- “Making the weapons fit the fight” — define the outcome first, then craft the means.
- New Concepts of Weapons: Any tool, domain, or method that can harm, influence, or control an adversary is a weapon.
The Three Domains
1. Military Domain
Conventional Warfare, Atomic/Nuclear, Biochemical, Space, Electronic, Guerrilla, Terrorist Warfare.
2. Trans-Military Domain (Gray Zone)
Drug/Narcotic Warfare, Psychological Warfare, Intelligence Warfare, Technological Warfare, Smuggling Warfare.
3. Non-Military Domain
Financial Warfare, Trade Warfare, Resource Warfare, Economic Aid Warfare, Regulatory (Lawfare) Warfare, Network (Cyber) Warfare, Media Warfare, Cultural Warfare, Ecological Warfare.
Agricultural Warfare and Biological Warfare function as high-deniability vectors that cut across all three domains for strategic attrition via food systems or population health.
Intersection with AI Weaponization
AI is the ultimate accelerator — enabling machine-speed synchronization, scalable precision, autonomous deniability, and seamless fusion across every domain and vector.
This doctrine unifies the entire Adversarial AI Threat Matrix as practical expressions of no-limits, boundary-transcending warfare.
Acronym Legend
Strategic Purpose & Defensive Posture
This matrix exists to prevent strategic surprise by exposing how state actors and foreign terrorist organizations weaponize AI across all domains and how that weaponization may converge with other vectors. Through controlled red-team emulation, Black Eagle Group™ provides the intelligence needed to detect, disrupt, and counter AI-augmented threats before they achieve decisive cross-domain impact.
Drones and DJI drones are specifically included in this Threat Matrix due to the critical and rapidly evolving intersection of AI, drones, and weapons systems. DJI’s native SmartFlight AI features — including autonomous subject tracking, waypoint navigation, obstacle avoidance, and real-time ISR capabilities — enable low-barrier weaponization and persistent surveillance by state actors, FTOs, and domestic extremists with minimal technical expertise. This convergence has been repeatedly demonstrated in the Russia-Ukraine war, Israel-Lebanon conflict, and Mexican cartel operations.
| Domain / Vector | AI Capabilities | Primary Adversaries | Strategic Integration & Offensive Purpose |
|---|---|---|---|
AI Supply Chain Attacks | |||
Digital Cyber Operations Vector: – Massive AI Software Supply Chain Compromise |
| State Actors: CCP/PLA, Russia, North Korea, IRGC (Iran) | Risk Assessment
▪ High feasibility due to the concentration of critical AI development in a small number of companies
▪ Very low detectability as attacks can hide in legitimate software updates and model releases
▪ Moderate to high cost but exceptional return on investment for state actors
▪ Extreme scalability — one breach can impact thousands of enterprises and government systems
▪ Severe defensive challenges due to trust placed in major AI providers
Threat Assessment
▪ Grants persistent access into the AI supply chain used by critical infrastructure and defense
▪ Enables large-scale data theft from organizations using compromised AI services
▪ Allows subtle long-term model poisoning across thousands of deployed AI systems
▪ Creates strategic backdoors into next-generation autonomous AI agents running with high privileges
▪ Undermines global trust in AI infrastructure and development tools
Strategic Integration & Offensive Purpose
State actors conduct sophisticated supply chain attacks against the core infrastructure of major AI companies including OpenAI, Google Gemini, Meta, xAI Grok, and Anthropic Claude. Real-World Anchor: In early 2024, Lasso Security's "Galah" report revealed over 1,500 exposed API tokens on Hugging Face belonging to major AI companies (Google, Meta, OpenAI, Microsoft), giving attackers potential full access to private models and datasets. These operations specifically target AI agent software and frameworks, many of which operate with high administrator or root-level privileges. A single successful compromise can distribute backdoors, poisoned models, or trojanized updates to millions of downstream users and organizations worldwide. |
Physical Supply Chain / IoT Vector: – Physical AI/IoT Smart Device Supply Chain Attacks |
| State Actors: CCP/PLA, Russia, North Korea; Hybrid Actors: VNSA botnet operators | Risk Assessment
▪ Moderate feasibility requiring access to manufacturing facilities or firmware update servers
▪ Extremely difficult to detect post-shipment through standard inspection or network monitoring
▪ Low cost per unit when executed at scale across large production runs
▪ Massive scalability, potentially compromising millions of units in a single operation
▪ High defensive challenges in securing globally distributed hardware supply chains and OTA updates
Threat Assessment
▪ Creation of planet-scale botnets for persistent disruption, DDoS, and large-scale espionage
▪ Systematic loss of privacy and physical security in high-value government and commercial environments
▪ Normalization of pre-compromised hardware in critical infrastructure and residential zones
▪ Provides a strategic platform for coordinated hybrid warfare and synchronized global attacks
Strategic Integration & Offensive Purpose
Adversaries execute software supply chain compromise by tampering with the manufacturing or firmware updates of AI-enabled smart devices, cameras, and IoT hardware before shipment. Millions of devices ship pre-compromised, forming massive botnets for DDoS, espionage, or silent access to critical networks.
Real-World Anchors (2025–2026)
▪ BADBOX 2.0 Botnet Campaign: In 2025, Google filed a major federal lawsuit in New York against 25 Chinese entities tied to the BADBOX 2.0 botnet, which compromised over 10 million Android Open Source Project (AOSP) IoT devices (smart TVs, streaming boxes, projectors, aftermarket vehicle infotainment systems, and digital picture frames). Devices were pre-compromised at manufacture or via malicious apps during setup, creating persistent backdoors and residential proxies.
▪ FBI PSA (June 2025): Explicitly warned of BADBOX 2.0 enabling ad fraud, click fraud, proxy services for criminal networks, and potential lateral movement into home/corporate networks. Many devices were China-manufactured, highlighting supply-chain prepositioning risks.
▪ Partial disruptions in March 2025 by Google/HUMAN Security/Trend Micro/Shadowserver were followed by rapid actor adaptation, demonstrating resilience and global scale across 222 countries. |
Supply Chain / Physical Vector: – Physical Hardware Supply Chain Weaponization – Explosive Compromise |
| State Actors: GRU, PLA Unit 61398, IRGC, North Korea; VNSAs / Cartels: Hezbollah, Hamas, ISIS, CJNG, CDS | Risk Assessment
▪ High feasibility for state actors with strong intelligence and supply chain access
▪ Extremely difficult to detect using standard X-ray, visual inspection, or disassembly checks
▪ Low attribution risk through layered shell companies and intermediaries
▪ High scalability across consumer electronics and communication devices
▪ Creates major defensive challenges for supply chain screening
Threat Assessment
▪ Enables mass simultaneous remote detonation of thousands of devices
▪ High potential for mass casualties and operational disruption
▪ Strong psychological impact and erosion of trust in commercial electronics
▪ Can be used for both targeted assassinations and large-scale coordinated attacks
▪ Creates persistent fear of “sleeper” explosive devices in everyday electronics
Strategic Integration & Offensive Purpose
State actors compromise hardware supply chains by physically embedding small quantities of high explosives such as PETN into everyday communication devices like pagers and walkie-talkies. Devices continue to function normally until remotely triggered.
Allied Example (2024): In September 2024, Mossad with technical support from Unit 8200 inserted PETN into Gold Apollo AR-924 pagers and IC-V82 walkie-talkies ordered by Hezbollah using shell companies including BAC Consulting in Hungary. The devices passed multiple inspection layers and were detonated remotely, causing thousands of casualties.
AI provides supporting capabilities such as logistics analysis for shipping optimization and deepfake technology for operational deception during the supply chain compromise. |
DJI & Autonomous Drone Operations | |||
Explosive Operations Vector: – Onboard native DJI AI for autonomous targeting |
| FTO / VNSA: ISIS-K/ISKP, al-Qaeda, Hamas, Hezbollah, Houthis, CJNG, CDS, CDG, CDN; State Actors: Iran, Russia, CCP/PLA | Risk Assessment
▪ Trivial feasibility using stock consumer hardware and native software features
▪ Very difficult to detect intent or distinguish from legitimate hobbyist use prior to a strike
▪ Zero additional cost beyond the purchase of the drone platform itself
▪ High scalability for small cells and lone actors due to reduced technical requirements
▪ Significant defensive challenges in C-UAS discrimination and terminal-phase interception
Threat Assessment
▪ Enables precise targeting of personnel and vehicles by unskilled or remote operators
▪ Increased lethality of low-cost drone strikes through AI-optimized terminal guidance
▪ Heightened psychological dread and perception of vulnerability in urban and conflict zones
▪ Erodes the effectiveness of traditional physical security perimeters and overhead cover
Strategic Integration & Offensive Purpose
FTO / VNSA (ISIS-K/ISKP, al-Qaeda, Hamas, Hezbollah, Houthis, CDS, CJNG, CDG, etc.), plus state actors (Russia, CCP/PLA, Iran) use stock DJI drones with built-in SmartFlight features — subject tracking, waypoint navigation, obstacle avoidance, and follow-me modes. The drone’s native AI locks onto targets autonomously; operator releases payload or triggers strike from safety.
Real-World Anchors (2025–2026)
▪ Ukraine Theater (2025): Ukrainian forces deployed AI-augmented FPV and fixed-wing drones (including modified commercial platforms with edge AI modules) capable of autonomous target lock and terminal guidance after initial operator handoff. Systems like Bumblebee and Gogol-M demonstrated fully autonomous terminal phase strikes, evading EW jamming by using onboard visual navigation and AI target recognition. Russian forces mirrored this with V2U-style autonomous seekers.
▪ By mid-2025, both sides routinely used AI for “fire-and-forget” kinetic strikes on armor, logistics, and high-value targets, marking the shift from remote-piloted to semi-autonomous lethal operations. |
Explosive Operations Vector: – AI-enhanced smuggling swarms |
| FTO / VNSA: ISIS-K/ISKP, al-Qaeda, Hezbollah, Hamas, Houthis, CJNG, CDS, CDG, CDN; State Actors: Iran, Russia, CCP/PLA | Risk Assessment
▪ High feasibility using native DJI swarm features and subject tracking
▪ Low detectability of small, low-altitude swarms utilizing terrain-masking routes
▪ Highly cost-effective for smuggling high-value contraband and narcotics
▪ Scalable through coordinated launch points and automated mission planning
▪ Hard to counter without kinetic C-UAS or high-end, wide-area electronic warfare
Threat Assessment
▪ Enables high-volume, automated delivery of weapons, drugs, or cash across barriers
▪ Provides reliable financial sustainment for criminal and terrorist networks
▪ Systematic failure of physical border barriers and traditional patrol methods
▪ Operational overload of border security and correctional facility response teams
Strategic Integration & Offensive Purpose
FTO / VNSA (ISIS-K/ISKP, al-Qaeda, Hezbollah, Hamas, Houthis, CDS, CJNG, etc.) use consumer Mavic or Avata drones with native SmartFlight obstacle avoidance and subject tracking. Lightweight laptop fine-tune predicts patrol patterns; swarms fly pre-planned routes, auto-adjust altitude and path to evade sensors, delivering weapons, fentanyl, cash, or contraband.
Real-World Anchors (2025–2026)
▪ Mexican Cartel Operations: CJNG and Sinaloa factions scaled coordinated drone swarms for fentanyl/meth smuggling and explosive drops. In 2025, over 120 cartel-orchestrated drone attacks were documented in Mexico, many involving swarm-like tactics or multiple simultaneous drops. CJNG used modified agricultural and commercial quadcopters in Michoacán and Guerrero for explosive payload delivery against rivals, police, and military.
▪ U.S. CBP reported thousands of monthly drone incursions along the Southwest border, including swarm-coordinated surveillance + airdrop missions. October 2025 incidents included explosive-laden drones striking targets in Baja California. Cartels increasingly integrate basic AI for route optimization and collision avoidance in multi-drone operations. |
Chemical Operations Vector: – Chemical dispersal using DJI Agras & Improvised Drone Bomblets |
| FTO / VNSA: ISIS-K/ISKP, al-Qaeda, Hezbollah, Hamas, Houthis, CJNG, Sinaloa Cartel (CDS) | Risk Assessment
▪ High feasibility using industrial agricultural drones and consumer-grade quadcopters
▪ Very low detectability of improvised manufacturing and dual-use cargo
▪ Moderate cost with high reliability for localized strikes and PSYOPS
▪ Scalability for decentralized production of chemical-laden "narco-drones"
▪ Significant defensive gaps in detecting non-metallic or improvised chemical delivery systems
Threat Assessment
▪ Emergence of 'narco chemical terrorism' targeting civilian populations and self-defense units
▪ High psychological impact (PSYOPS) intended to drive residents from territory and demoralize law enforcement
▪ Risk of suffocation, systemic poisoning, and long-term health damage (hypoxia, circulatory failure)
▪ Erosion of border security effectiveness through aerosolized payloads crossing international boundaries
Strategic Integration & Offensive Purpose
Adversaries (primarily CJNG and ISIS affiliates) have operationalized drones for chemical delivery. Real-world anchors include CJNG's documented use of drone-dropped chemical bomblets in Michoacán (specifically Coahuayana and Apatzingán) containing toxic pesticides such as methomyl, carbofuran (Furadan), and aluminum phosphide. These devices use glass or plastic containers rigged with explosives to disperse toxins upon impact. In May 2025, Texas Border Patrol agents recorded a cartel drone generating an unidentified aerosolized cloud via a spraying/misting system near the US-Mexico border. VNSAs leverage the dual-use nature of agricultural platforms like the DJI Agras/T-series to conduct precision dispersal without technical modifications, primarily for area denial and psychological operations. |
Logistics Operations Vector: – Border ISR and weaponization |
| FTO / VNSA: ISIS-K/ISKP, al-Qaeda, Hezbollah, Hamas, Houthis, CJNG, CDS, CDG, CDN, JNIM, ISWAP | Risk Assessment
▪ High feasibility using COTS hardware and native subject-tracking features
▪ Low detectability in vast, rugged border terrain utilizing terrain-masking AI
▪ Extremely low operational cost compared to manned smuggling or ISR
▪ Massive scalability with multiple low-cost operators and automated mission sets
▪ Significant defensive challenges in detecting terrain-hugging, subject-tracking drones
Threat Assessment
▪ Provides persistent, high-fidelity intelligence on security force movements and routines
▪ High potential for precision hits on mayors, business leaders, and judicial officials across state lines
▪ Psychological pressure and erosion of confidence among border security agents
▪ Strategic bypass of multi-billion dollar physical surveillance and barrier infrastructure
Strategic Integration & Offensive Purpose
FTO / VNSA (ISIS-K/ISKP, al-Qaeda, Hezbollah, Hamas, Houthis, CDS, CJNG, etc.) deploy stock DJI Mavic, Matrice, and Avata drones along the US-Mexico border and in regional conflict zones. Native SmartFlight AI conducts persistent ISR on security forces, maps patrol routes, and guides smuggling runs. These systems function as "miniature air forces," allowing cartels to coordinate real-time ambushes on law enforcement patrols by relaying live tactical data to ground assault teams.
Real-World Anchors (2025–2026)
▪ U.S.-Mexico Border: CBP logged over 34,000 drone flights within 500 meters of the border in FY2025. Cartels (primarily CJNG and Sinaloa) use persistent ISR drones to monitor Border Patrol agents, map patrol patterns, and coordinate ground ambushes or smuggling runs. Drones provide real-time overwatch for human/coyote teams and drug drops.
▪ High-profile cases include El Paso airspace disruptions (Feb 2026) linked to cartel drone activity and multiple documented instances of drones guiding armed incursions or warning smuggling teams of law enforcement positions. This ISR layer has become standard TTP for evading U.S. and Mexican interdiction. |
ISR Operations Vector: – DJI drones for ISR on high-value targets |
| State Actors: CCP/PLA, Russia, Iran; FTO / VNSA: ISIS-K/ISKP, al-Qaeda, Hezbollah, Hamas, Houthis, CDS, CJNG, CDG, CDN, Domestic extremists | Risk Assessment
▪ High feasibility through easily accessible commercial drone platforms and native AI
▪ Low detectability from ground level during high-altitude or standoff ISR
▪ Minimal additional cost beyond the initial hardware purchase
▪ Scalable for persistent monitoring of multiple high-value targets simultaneously
▪ Significant challenges in maintaining wide-area airspace security against small drones
Threat Assessment
▪ Systematic loss of operational security for sensitive military and government sites
▪ Detailed mapping and pattern-of-life analysis for future kinetic strike planning
▪ Compromise of personnel movements and security protocols at highest levels
▪ Provides adversaries with a strategic intelligence advantage during pre-conflict phases
Strategic Integration & Offensive Purpose
State actors and FTO / VNSA (ISIS-K/ISKP, al-Qaeda, Hezbollah, Hamas, Houthis, CDS, CJNG, etc.) use stock DJI drones (Mavic, Matrice, Agras) for persistent intelligence, surveillance, and reconnaissance over military bases, restricted airspaces, and high-value government targets. Native SmartFlight AI handles autonomous patrol, hover, and target locking while streaming visible and thermal video. |
Explosive Operations Vector: – General DJI weaponization with AI assistance on critical infrastructure |
| State Actors: CCP/PLA, Russia (GRU); FTO / VNSA: ISIS-K/ISKP, al-Qaeda, Hezbollah, Hamas, Houthis, CDS, CJNG, CDG, CDN, Domestic extremists | Risk Assessment
▪ Moderate feasibility requiring specific mission planning and targeted coordination
▪ Low detectability until the terminal phase of the attack or collision
▪ Low cost relative to the potential for millions in infrastructure damage
▪ Scalable across regional essential service nodes (power, water, rail)
▪ High defensive challenges in protecting vast, often remote critical infrastructure assets
Threat Assessment
▪ Potential for significant kinetic damage to essential power, water, and transport nodes
▪ High disruption to essential civilian services and economic stability
▪ High psychological impact and perception of vulnerability in domestic safe zones
▪ Strategic economic damage through long-term degradation of critical national assets
Strategic Integration & Offensive Purpose
State actors (CCP/PLA, Russia/GRU), FTO / VNSA (ISIS-K/ISKP, al-Qaeda, Hezbollah, Hamas, Houthis, CDS, CJNG, etc.), and domestic extremists fly commercial or high-capacity DJI drones over power substations, oil refineries, or rail lines. Native AI route planning and obstacle avoidance allow terrain-hugging or tight-space navigation without skilled pilots. Payloads include small explosives or deliberate crashes to damage transformers and other critical nodes. Real-World Anchor: In late 2024, the FBI foiled a plot by a domestic extremist to use an explosive-laden drone to attack the Nashville power grid, specifically targeting electrical substations to cause widespread disruption to the Tennessee Valley Authority (TVA) infrastructure. |
Explosive Operations Vector: – DJI drones with explosive payloads |
| State Actors: CCP/PLA, Russia; FTO / VNSA: ISIS-K/ISKP, al-Qaeda, Hamas, Hezbollah, Houthis, CDS, CJNG, CDG, CDN, Domestic extremists | Risk Assessment
▪ High feasibility using stock hardware and readily available commercial release mechanisms
▪ Low detectability of small, fast-moving kinetic drones in complex urban environments
▪ Low cost, enabling mass attrition and simultaneous multi-point strikes
▪ Highly scalable for small cells and lone actors with minimal training required
▪ Significant defensive challenges in urban point-defense and rapid-reaction scenarios
Threat Assessment
▪ High potential for localized mass casualties in crowded public settings
▪ Extreme lethality against soft targets, VIPs, and unprotected security personnel
▪ Heightened urban panic and erosion of public trust in security measures
▪ Strategic disruption of public events, high-profile gatherings, and government continuity
Strategic Integration & Offensive Purpose
State actors, FTO / VNSA (ISIS-K/ISKP, al-Qaeda, Hamas, Hezbollah, Houthis, CDS, CJNG, etc.), and domestic extremists attach explosive payloads to stock DJI drones. Native SmartFlight features guide the drone to target; operator releases or crashes the payload on impact. Already documented in the Russia-Ukraine war, the Israel-Lebanon conflict 2026, and cartel attacks in Mexico. |
Explosive Operations Vector: – Fiber-Optic AI FPV Drone Swarms & EW Evasion |
| State Actors: CCP/PLA, Russia, Iran; FTO / VNSA: ISIS-K/ISKP, al-Qaeda, Hamas, Hezbollah, Houthis, CDS, CJNG, CDG, Domestic extremists, FLA (Mali); Convergence: Russia, Iran, CCP/PLA | Risk Assessment
▪ Moderate feasibility requiring technical modifications to FPV platforms and fiber control
▪ Zero RF detectability, rendering traditional spectrum-based jammers completely ineffective
▪ Low cost per unit, allowing for high-volume attrition and saturation of defenses
▪ Scalable for coordinated strikes against high-value armor and EW nodes
▪ Massive defensive challenges as the system is immune to current C-UAS jamming layers
Threat Assessment
▪ Enables high-precision strikes on armored vehicles and critical EW assets in contested zones
▪ Total lethality against targets previously protected by electronic shields or jammers
▪ Psychological terror from "silent," unjammable attackers that persist under heavy EW
▪ Strategic neutralization of multi-billion dollar investments in spectrum-focused defense
▪ Transition from indiscriminate attacks to precision strikes against hardened positions
Strategic Integration & Offensive Purpose
Fiber+AI defeats RF-centric EW layers that dominate current C-UAS (jammers ineffective; no radio signature). Real-World Anchor: In August 2024, Russian forces deployed the "Prince Vandal of Novgorod" fiber-optic drone during the Kursk incursion, successfully striking Ukrainian armor through intense EW zones where RF-based drones were grounded. This TTP has since proliferated to non-state actors; in April 2026, the Azawad Liberation Front (FLA) in Mali used wire-guided drones to defeat military jamming near Aguelhok.
VNSAs gain asymmetric edge with minimal expertise: stock FPV + cheap spool + edge AI module = unjammable kamikaze at $800-2,000/unit. These systems provide clear video in environments where RF drones lose signal, enabling precision hits on moving targets. |
Logistics Operations Vector: – AI-Enabled Contraband & Weapons Smuggling |
| TCOs / Cartels: CJNG, CDS, CDG, CDN, Mexican Cartels, US Prison Gangs; FTO / VNSA: Hamas, Hezbollah, ISIS affiliates | Risk Assessment
▪ High feasibility utilizing high-capacity commercial platforms like DJI FlyCart
▪ Low detectability through automated night operations and AI-optimized terrain-masking
▪ Low overhead cost per load, enabling high profit margins and scalable volume
▪ Extremely scalable via 'remote crime' models where pilots operate far from launch/recovery sites
▪ Massive challenges in monitoring and intercepting thousands of small-drone border crossings
Threat Assessment
▪ Sustained, high-volume flow of deadly narcotics, firearms, and cash to target regions
▪ Robust, low-risk financial sustainment and expansion for organized crime syndicates
▪ Strategic degradation of target population health through autonomous, high-frequency drug delivery
▪ Operational failure and resource exhaustion of traditional border interdiction programs
Strategic Integration & Offensive Purpose
Cartels (CJNG, CDS, CDG, CDN) heavily leverage DJI Mavic, Avata, and FlyCart platforms for high-volume contraband smuggling across the US-Mexico border and into Mexican prisons. Use of 'foreign experts' (Colombian, Venezuelan mercenaries) has operationalized advanced military tactics, integrating AI for fully autonomous night flights that eliminate pilot capture risk. Drones deliver fentanyl, methamphetamine, cash, and firearms with increasing payload capacity — shifting toward an 'unmanned cargo corridor' model. Real-world data indicates thousands of automated flights monthly, creating a persistent logistics bridge that traditional interdiction cannot physically block. |
Kinetic Operations Vector: – Drone Swarm / Container-Based Surprise Attacks |
| State Actors: Russia (GRU), Iran, China (CCP/PLA); Non-State Actors: Hezbollah, Houthis | Risk Assessment
▪ High mobility and concealability using standard commercial shipping containers
▪ Moderate technical complexity with rapidly dropping barriers due to commercial drone technology
▪ Extremely difficult to detect until the moment of launch
▪ Highly scalable from single containers to coordinated multi-container swarms
▪ Major challenge for traditional air defense systems against low-altitude dense swarms
Threat Assessment
▪ Enables devastating surprise attacks on airbases, critical infrastructure, ports, and command centers
▪ Effectively bypasses perimeter security and conventional early-warning systems
▪ Creates significant psychological shock and tactical disruption
▪ Allows precision strikes with a very small logistical footprint
▪ Represents a dangerous evolution in asymmetric and hybrid warfare
Strategic Integration & Offensive Purpose
Adversaries are advancing containerized drone systems that enable surprise swarm attacks launched from standard commercial shipping containers. These systems can be covertly transported by ship, truck, or rail and rapidly deployed with minimal preparation. Allied Example: In June 2025, Mossad executed "Operation Rising Lion," a covert campaign smuggling hundreds of kamikaze drone parts into Iran via trucks and shipping containers. These drones, assembled on the ground, targeted key Iranian air defense and missile sites, with attacks launched from within Iran to gain tactical superiority. Similarly, Ukraine’s SBU executed Operation Spiderweb in 2025, smuggling over 100 quadcopter drones inside modified wooden containers disguised as mobile cabins on flatbed trucks before launching coordinated swarm attacks on strategic Russian airbases. These operations demonstrate how containerized drone systems provide high deniability and enable sudden, high-impact strikes against strategic targets with little to no warning. |
ISR Operations Vector: – AI-Enhanced Drone Mapping & Attack Planning |
| State Actors: China (CCP/PLA), Russia (GRU), Iran; Non-State Actors: Hezbollah, Hamas, Houthis, Cartels (CJNG, Sinaloa), Terrorist Organizations | Risk Assessment
▪ High feasibility using commercial off-the-shelf drones and open-source AI mapping tools
▪ Very low detectability as mapping can be conducted under civilian or commercial cover
▪ Low to moderate cost with rapidly proliferating commercial drone and AI software
▪ Extremely scalable from small team operations to large-scale theater-level planning
▪ Severe defensive challenges due to dual-use nature of mapping technology
Threat Assessment
▪ Dramatically improves accuracy and effectiveness of kinetic strikes and terrorist attacks
▪ Enables precise targeting of critical infrastructure, military bases, and civilian sites
▪ Facilitates narco-governance through persistent surveillance and population control
▪ Lowers the barrier for sophisticated attack planning by non-state actors and terrorists
▪ Creates significant force multiplication for asymmetric and hybrid warfare
Strategic Integration & Offensive Purpose
Adversaries extensively use drone-collected data and AI-enhanced mapping for ISR, detailed attack planning, and terrorist operations. Hezbollah, Hamas, and Houthis routinely employ commercial and modified drones to generate 3D maps and targeting packages for strikes against Israel and regional targets. Cartels in Mexico (CJNG, CDS) use drones to map smuggling routes, surveil law enforcement, and actively monitor civilian compliance with narco-imposed curfews. These capabilities allow adversaries to conduct high-fidelity reconnaissance and maintain psychological dominance over local populations, essentially operating as miniature autonomous air forces. |
Explosive Operations Vector: – Adversary Drone Kitchens (Decentralized Drone Production) |
| State Actors: Russia (GRU), Iran (IRGC), China (CCP/PLA); Non-State Actors: Hezbollah, Houthis, Hamas, Cartels (CJNG, Sinaloa), JNIM, ISWAP, Al-Shabaab | Risk Assessment
▪ Extremely high feasibility using commercial parts, 3D printers, and civilian workshops
▪ Very low detectability as facilities blend into residential or light industrial areas
▪ Low cost with rapid iteration cycles compared to traditional factories
▪ Highly scalable through distributed “kitchen” style production networks
▪ Severe defensive challenges due to the proliferation of small, mobile manufacturing sites
Threat Assessment
▪ Enables sustained, high-volume production of FPV, kamikaze, and loitering munitions
▪ Dramatically reduces logistical vulnerabilities and supply chain interdiction
▪ Lowers the barrier for non-state actors and terrorists to field sophisticated drone swarms
▪ Evolution from "dropping grenades" to FPV suicide missions and wire-guided attacks
▪ Rapid technical knowledge transfer between global networks (e.g., Houthi/Al-Shabaab technical pipeline)
Strategic Integration & Offensive Purpose
Adversaries are rapidly adapting the “drone kitchen” model — decentralized, small-scale production workshops often operating in civilian homes, garages, or light industrial spaces. Originally pioneered by Ukrainian units (e.g., "Dnepro-1") for rapid FPV drone assembly, this TTP has been adopted and scaled by Russia, Iran, and global VNSAs. Real-World Anchors: JNIM (Sahel) saw a surge in drone capabilities after former Malian military officers joined in 2024, providing the engineering backbone for localized "kitchen" production. These facilities allow continuous production of explosive-laden drones with minimal infrastructure, making them highly resilient to strikes and sanctions. |
Digital Cyber Operations Vector: – Cyber Operations |
| State Actors: CCP/PLA, Russia, Iran, North Korea; Criminal Organizations: Cybercrime networks; VNSA: FTO, CDS, CJNG, CDG, Extremists | Risk Assessment
▪ High feasibility through AI-automated vulnerability discovery and exploit generation
▪ Moderate detectability due to AI-driven payload mutation and obfuscation techniques
▪ Low cost leveraging open-source offensive AI frameworks and fine-tuned models
▪ Massive scalability through autonomous intrusion workflows and automated phishing infrastructure
▪ Significant defensive challenges in keeping pace with AI-accelerated zero-day discovery
Threat Assessment
▪ Drastic compression of the Cyber Kill Chain from weeks to minutes
▪ Persistent, difficult-to-detect access to sensitive government and commercial networks
▪ Provides asymmetric cyber advantage to resource-constrained non-state actors
▪ Gradual erosion of current EDR and SIEM effectiveness against polymorphic threats
Strategic Integration & Offensive Purpose
AI enables acceleration across the Cyber Kill Chain. Recon and Weaponization compress via automated vulnerability discovery and phishing generation. Delivery, Exploitation, and Installation gain speed via prompt injection and model manipulation. C2 and Actions on Objectives benefit from intrusion workflow automation. State actors leverage this for large-scale persistent campaigns. VNSAs, cartels, and hybrid networks achieve asymmetric advantage with reduced resources, creating observable gaps in EDR and SIEM detection layers. Offensive Playbook: Fine-tune local models on leaked vuln datasets for automated exploit chaining on air-gapped systems.
Digital Cyber Operations Vector: AI Generated Destructive Payloads & Cyber Attacks on Critical Infrastructure
State Actors: CCP/PLA, Russia, Iran, North Korea
Risk Assessment
▪ High feasibility for state-level actors with access to specialized ICS/SCADA datasets
▪ Low detectability of polymorphic destructive payloads and zero-day PLC exploits
▪ Low cost relative to the massive physical damage potential
▪ Highly scalable across specific critical infrastructure sectors (power, water, oil/gas)
▪ Massive challenges in rapid incident response, containment, and system recovery
Threat Assessment
▪ Permanent physical destruction of power grids, water treatment, and transport systems
▪ High potential for life-safety events during synchronized utility failures
▪ Severe strategic impact on national security, military readiness, and civil order
▪ Global economic instability resulting from coordinated failures of critical infrastructure nodes
Strategic Integration & Offensive Purpose
State actors (primarily CCP/PLA, Russia, Iran, and North Korea) leverage advanced AI systems to autonomously generate and deploy destructive payloads against critical infrastructure. AI models analyze target systems, craft zero-day exploits, generate polymorphic malware, and create custom wipers or destructive logic tailored to specific ICS/SCADA environments. These AI-generated payloads can autonomously adapt to defenses, evade detection, and execute coordinated, high-impact attacks on power grids, water treatment facilities, transportation networks, and financial systems.
Digital Cyber Operations Vector: AI-Assisted Tech Proficiency for Encrypted Communications & C2 (e.g., AES-256 Radio Programming)
FTO / VNSA: ISIS-K/ISKP, al-Qaeda, Hezbollah, Hamas, Houthis; Domestic extremists
Convergence: Iran proxy pipelines and open-source generative models
Risk Assessment
▪ High feasibility using open-source LLMs fine-tuned on technical and SIGINT archives
▪ Zero detectability of local, air-gapped AI model usage by extremist cells
▪ Effectively zero cost for technical upskilling compared to traditional training
▪ Highly scalable for disparate cells regardless of prior technical background
▪ Extreme challenges for intelligence agencies in breaking decentralized secure links
Threat Assessment
▪ Enables near-invulnerable C2 for terrorist, cartel, and criminal networks globally
▪ Neutralization of SIGINT effectiveness against low-level and high-level operators alike
▪ Operational upskilling of low-technical operatives to specialist levels in weeks
▪ Persistent evasion of law enforcement and military tracking across all domains
Strategic Integration & Offensive Purpose
AI tools lower the expertise barrier for secure communications and technical operations, allowing low-skill operators to establish reliable encrypted C2 links that resist interception and jamming. Real-world anchors include documented FTO emphasis on encrypted communications (Telegram Secret Chats, custom tools) and guidance on secure tech use in jihadist channels, with AI workshops and “tech support” materials circulating to assist in configuration and evasion. VNSAs leverage open-source models for air-gapped, low-barrier proficiency in AES-256 radio programming and related hardware. Cross-domain payoff includes enabling coordinated fiber-optic FPV swarms, DJI/Agras operations, 3D-printed payload deployments, and lone-actor attacks while amplifying overall TTP evasion across kinetic and cyber vectors.
Digital Cyber Operations Vector: AI-Generated Ransomware & Malware
State Actors: Russia, China (CCP/PLA), North Korea, IRGC (Iran)
Hybrid Actors: Ransomware Gangs/Cartels operating as Russian state proxies
Risk Assessment
▪ High feasibility through code-generating LLMs and automated mutation frameworks
▪ Low detectability due to rapid iteration of malware strains and AI-driven obfuscation
▪ Low cost for high-level criminal syndicates and state-sponsored proxy groups
▪ Extreme scalability for state-proxy operations targeting thousands of organizations
▪ Massive defensive burden on critical service providers and healthcare IT departments
Threat Assessment
▪ Severe economic costs, operational paralysis, and potential for large-scale data theft
▪ High potential for "cyber terrorism" outcomes when hospital and emergency systems are targeted
▪ Robust, deniable revenue generation for state-proxy actors and sanctioned regimes
▪ Strategic disruption of Western critical infrastructure and essential public services
Strategic Integration & Offensive Purpose
Adversaries leverage AI to rapidly develop and deploy ransomware and malware at scale. Russia uses ransomware gangs and proxies as gray zone hybrid warfare tools, conducting ransomware attacks on United States hospitals as cyber terrorism, along with attacks against Ukraine and other NATO countries. China (PLA/CCP) integrates ransomware with long-term espionage against the United States and Taiwan, conducting ransomware attacks on Taiwanese hospitals and critical infrastructure as cyber terrorism. North Korea conducts ransomware operations for revenue generation, including the 2014 Sony Pictures attack. Iran’s IRGC and its proxies deploy ransomware against US companies and allied Middle Eastern countries as part of asymmetric hybrid operations.
Cognitive Operations Vector: Information Warfare
State Actors: CCP/PLA, Russia, Iran, North Korea
Hybrid Actors: State-aligned proxies
Criminal Organizations: Fraud networks
VNSA: FTO, Extremists
Risk Assessment
▪ High feasibility utilizing sophisticated multi-modal LLMs and generative agents
▪ Low detectability of high-fidelity deepfakes and AI-coordinated bot networks
▪ Minimal cost for producing mass-quantity, high-quality persuasive content
▪ Extreme scalability across multiple linguistic and cultural target groups
▪ Significant challenges in real-time fact-checking and debunking at machine speed
Threat Assessment
▪ Systematic erosion of public trust, social cohesion, and institutional credibility
▪ Accelerated radicalization and recruitment of vulnerable populations via personalized bots
▪ Undermining of domestic discourse and democratic processes by foreign adversaries
▪ Strategic manipulation of public sentiment and behavior during national crises
Strategic Integration & Offensive Purpose
AI compresses the adapted Kill Chain into agile influence loops. Recon and Weaponization accelerate via target profiling and behavioral targeting. Delivery and Exploitation occur rapidly via deepfake impersonation and narrative generation. C2 and Actions on Objectives sustain via persistent chatbots and amplification. State and hybrid actors achieve broad-scale effects with minimal logistical footprint. VNSAs and extremists gain accelerated recruitment and persuasion on compressed timelines. Offensive Playbook: Chain offline LLMs with voice cloning for multilingual radicalization bots.
Cognitive Operations Vector: State-Sponsored Election Disinformation via AI
State Actors: Russia, CCP/PLA, Iran, North Korea
Hybrid Actors: State-aligned proxies
Risk Assessment
▪ High feasibility leveraging automated bot farms and sophisticated generative media pipelines
▪ Low detectability of hyper-personalized narratives designed for specific voter segments
▪ Low cost for state actors compared to traditional clandestine influence operations
▪ Extreme scalability during critical election cycles and post-election uncertainty windows
▪ Massive challenges in real-time platform moderation, debunking, and accurate attribution
Threat Assessment
▪ Strategic manipulation of election outcomes and fundamental democratic integrity
▪ High potential for inciting post-election civil unrest, violence, and institutional distrust
▪ Gradual erosion of international and domestic confidence in election security
▪ Long-term destabilization of target nations through persistent societal polarization
Strategic Integration & Offensive Purpose
AI delivers rapid OODA loops for voter division and post-election chaos. States maintain deniability at scale. AI compresses the adapted Kill Chain into agile influence loops. Recon and Weaponization accelerate via target profiling and behavioral targeting. Delivery and Exploitation occur rapidly via synthetic media and narrative generation. Offensive Playbook: VNSAs/cartels fine-tune offline on election datasets for localized psyops tied to extortion or recruitment.
Cognitive Operations Vector: AI-Assisted Recruiting & Radicalization for Terrorists, Cartels, and Hybrid Networks on Social Media & the Internet
State / Hybrid Actors: CCP/PLA, Iran
FTO / VNSA: ISIS-K/ISKP, al-Qaeda, Hezbollah, Hamas, CDS, CJNG, CDG, CDN, MS-13, Tren de Aragua, Domestic extremists
Convergence: Iran and CCP/PLA pipelines
Risk Assessment
▪ High feasibility utilizing multi-lingual LLMs and high-fidelity deepfake recruitment personas
▪ Low detectability of personalized radicalization efforts in private or encrypted channels
▪ Effectively zero cost for constant, high-quality propaganda and engagement content
▪ Highly scalable for global recruitment across diverse linguistic and cultural groups
▪ Significant challenges in intercepting and countering early-stage digital radicalization
Threat Assessment
▪ Ensures a steady stream of new recruits and operatives for terrorist and criminal networks
▪ Rapid expansion of operational and influence reach into previously inaccessible regions
▪ Normalized, mass-scale exposure to extremist ideologies through AI-tailored content
▪ Long-term strategic survival and growth of VNSAs through automated sustainment
Strategic Integration & Offensive Purpose
AI tools enable generation of propaganda and personalized engagement on platforms such as TikTok, Telegram, Discord, Instagram, and X. Real-world anchors include ISIS-K Voice of Khorasan magazine providing guidance on AI chatbots, and cartel groups such as CJNG using TikTok for recruitment.
VNSAs, FTOs, and cartels leverage open-source models for operations. State actors integrate into broader influence activities.
Cognitive Operations Vector: AI-Generated Swatting & Bomb Threat Calls
State / Hybrid Actors: CCP/PLA proxy networks
FTO / VNSA: ISIS-K/ISKP, al-Qaeda, Hezbollah, Hamas; Domestic extremists
Cartels: CJNG, CDS, CDG
Convergence: CCP/PLA proxy pipelines and dual-use voice tools
Risk Assessment
▪ High feasibility using low-cost voice cloning tools and automated caller-ID spoofing
▪ Extremely difficult to verify identity and intent in real-time emergency scenarios
▪ Very low operational cost for high-frequency, mass-distributed harassment campaigns
▪ Highly scalable for simultaneous, multi-city waves targeting schools and venues
▪ Massive strain on law enforcement and emergency response resources and personnel
Threat Assessment
▪ Dangerous diversion of emergency security forces away from potential real-world threats
▪ High potential for life-safety incidents and accidental harm during armed police responses
▪ Severe psychological impact, trauma, and constant fear in targeted schools and venues
▪ Strategic disruption of civic life, educational continuity, and public safety confidence
Strategic Integration & Offensive Purpose
AI tools enable false emergency calls on 911 lines, venue hotlines, and school systems. Real-world anchors include AI-generated swatting calls with synthetic gunfire and screams targeting US schools and universities (linked to groups such as Purgatory), and repeated hoax bomb/death threats against Shen Yun Performing Arts and Falun Gong events worldwide (multiple incidents traced to Chinese origins, including cancellations in Toronto, Australia, and elsewhere with demands to halt performances).
VNSAs and domestic extremists leverage open-source voice models for operations. State actors (PLA/CCP) integrate into gray-zone coercion. Cross-domain payoff includes diversion of security forces.
Cognitive Operations Vector: AI-Enhanced Deepfake Propaganda & Narrative Control in Conflict Zones
FTO / VNSA: ISIS-K/ISKP, al-Qaeda, Hezbollah, Hamas, Houthis
State / Hybrid Actors: Iran (proxies using deepfakes)
Convergence: Iran proxy pipelines and open-source voice/video tools
Risk Assessment
▪ High feasibility using widely available deepfake and synthetic media generation tools
▪ Moderate detectability under careful expert scrutiny, but highly effective for mass audiences
▪ Low cost for producing high-impact, multi-modal propaganda in real-time
▪ Scalable for rapid adaptation of narratives as conflict zone events unfold
▪ Significant challenges in debunking misinformation within active combat and noise zones
Threat Assessment
▪ Systematic loss of objective truth and verification in conflict reporting and history
▪ High potential for inciting immediate local violence, retaliation, or ethnic tension
▪ Effective obfuscation of war crimes, operational movements, and state responsibility
▪ Strategic manipulation of international diplomatic support and humanitarian optics
Strategic Integration & Offensive Purpose
AI tools enable rapid creation of compelling propaganda and disinformation on platforms such as Telegram, TikTok, and X. Real-world anchors include ISIS-K Voice of Khorasan guidance on AI for propaganda and documented deepfake use by Hezbollah and Hamas for operational claims. VNSAs and proxies leverage open-source models for low-barrier content generation. Cross-domain payoff includes amplification of kinetic or maritime operations.
ISR Operations Vector: ISR Operations – AI Mass Surveillance
State Actors: CCP/PLA, Russia, Iran, North Korea
Cartels: CJNG, CDS, CDG, CDN
Risk Assessment
▪ High feasibility leveraging bulk personal data brokers and automated IoT vulnerabilities
▪ Zero detectability for individual targets within massive, automated surveillance datasets
▪ Moderate cost for developing and deploying planet-scale, AI-driven tracking systems
▪ Massively scalable across urban environments via millions of pre-compromised cameras and systems
▪ Extreme defensive challenges in securing billions of vulnerable, internet-connected devices
Threat Assessment
▪ Permanent loss of individual privacy, anonymity, and freedom of movement globally
▪ High potential for targeted political repression, criminal extortion, and behavioral control
▪ Creation of inescapable, automated state and proxy control loops over target populations
▪ Provides adversaries with a strategic advantage in neutralizing dissent and tracking targets
Strategic Integration & Offensive Purpose
Adversaries are conducting massive compromise of first responder drone computers, endpoints, and systems for large-scale data collection and surveillance. They are also carrying out widespread compromise of Flock Safety cameras across the United States to enable persistent surveillance of American citizens. State actors (CCP/PLA, Russia, Iran, North Korea) and cartels (CJNG, CDS, CDG, CDN) weaponize AI to analyze bulk commercial data for target profiling. In Mexico, the Sinaloa Cartel (CDS) hired a hacker who accessed an FBI official’s phone records and infiltrated Mexico City’s surveillance camera network to track FBI informants, leading to the intimidation and killing of multiple cooperating witnesses.
Financial Operations Vector: Fraud / Monetization
State Actors: North Korea
FTO / VNSA: CDS, CJNG, CDG, CDN, Extremists
Hybrid Actor: State-aligned financial operations
Risk Assessment
▪ High feasibility leveraging sophisticated deepfake impersonation and automated phishing frameworks
▪ Moderate detectability as AI-driven fraud tactics continuously adapt to behavioral detection
▪ Low overhead cost relative to the potential for massive illicit financial returns
▪ Extreme scalability through automated, multi-modal scam campaigns targeting millions
▪ High defensive challenges in authenticating remote financial interactions and identities
Threat Assessment
▪ Massive, systemic financial losses for individuals, enterprises, and public institutions
▪ Potential for large-scale economic and operational disruption through coordinated fraud
▪ Rapid erosion of public trust in digital financial systems and remote authentication
▪ Strategic, deniable revenue generation for sanctioned regimes and global criminal networks
Strategic Integration & Offensive Purpose
F3 provides a behavior-based taxonomy of fraud tactics complementing the adapted Kill Chain. Recon and Weaponization accelerate via financial targeting and deepfake identity deception. Delivery and Exploitation occur via AI scam campaigns and BEC. C2 and Actions on Objectives benefit from automation and scaling of fraud operations. AI-Assisted Counterfeit USD Production Concept: In controlled simulation environments, adversaries may leverage generative AI to accelerate design, production, and distribution of high-fidelity counterfeit $100 bills — replicating security features (watermarks, security threads, color-shifting ink, microprinting), simulating ink/texture detection outcomes, and enabling rapid iteration on circulated feedback. Cartels, hybrids, VNSAs, and North Korea gain asymmetric advantage through reduced production costs and minimized supply-chain signatures.
Financial Operations Vector: Synthetic Identity Fraud for Espionage, Money Laundering, and Cryptocurrency Laundering
State Actors: CCP/PLA, Russia, Iran, North Korea
FTO / VNSA: CDS, CJNG, CDG, CDN, MS-13, Tren de Aragua, Hezbollah, Hamas
Risk Assessment
▪ High feasibility utilizing stolen real-world PII and AI-generated forged documentation
▪ Low detectability as synthetic identities blend seamlessly with legitimate population data
▪ Moderate cost for building high-fidelity synthetic profiles and supporting histories
▪ Scalable for mass account creation, credit establishment, and persona laundering
▪ Deep defensive challenges in verifying historical identity cross-references and patterns
Threat Assessment
▪ Enables deep, persistent infiltration of government, financial, and military institutions
▪ Facilitates large-scale, untraceable money laundering and cryptocurrency operations
▪ Strategic concealment of hostile intelligence operatives and clandestine networks
▪ Long-term degradation of national security vetting systems and financial integrity
Strategic Integration & Offensive Purpose
Enables persistent espionage, deep infiltration, large-scale money laundering, cryptocurrency laundering, and operational funding with high deniability. Real stolen PII provides credibility while AI fabricates consistent supporting documents at scale. This capability converges with supply-chain attacks for PII acquisition, IoT compromise for ongoing validation, and cyber-physical vectors for broader financial disruption.
Kinetic Operations Vector: Physical / Explosives
State Actors: Specialized units
FTO / VNSA: FTO, CDS, CJNG, CDG, CDN, Extremists
Risk Assessment
▪ High feasibility for state-level units and organized violent non-state actors (VNSAs)
▪ Low detectability of initial digital planning, target profiling, and recon phases
▪ Low operational cost relative to the destructive potential of physical strikes
▪ Scalable across specialized sabotage units and decentralized extremist cells
▪ Significant challenges in intercepting physical preparation and clandestine reconnaissance
Threat Assessment
▪ High potential for mass casualties and total destruction of critical physical infrastructure
▪ Demonstrated lethality against a diverse range of military, government, and soft targets
▪ High psychological impact and erosion of public safety perceptions in target zones
▪ Strategic disruption of essential military operations and civil governance continuity
Strategic Integration & Offensive Purpose
AI accelerates the full F2T2EA cycle. Find, Fix, and Track compress via target identification and reconnaissance. Target and Engage benefit from attack planning, explosive optimization, and scenario simulation. Assess closes the loop via AI-assisted execution support. State sabotage units and VNSA/cartel networks gain near-real-time targeting cycles with reduced latency. AI-Assisted Multi-Stage Terrorist Attack Planning Concept: In controlled simulation environments, AI may support multi-stage attack planning by integrating recon data, scenario simulation, and decision support across sequential phases (surveillance, rehearsal, execution, exfiltration). AI models timing dependencies, resource allocation, and contingency options — reducing human coordination overhead and improving adaptability in complex operations.
Kinetic Operations Vector: AI-Assisted Multi-Stage Terrorist Attack Planning & Masterminding
Foreign Terrorist Organizations (FTO): ISIS-K, al-Qaeda, Hezbollah, Hamas, Houthis, JNIM, ISWAP, ISSP
Violent Non-State Actors: Far-Right Extremists, Lone Wolf Actors
State Actors: Iran (IRGC), Russia (GRU proxies)
Risk Assessment
▪ Extremely high feasibility using publicly available large language models and multi-agent frameworks
▪ Very low detectability due to natural language interaction and plausible deniability
▪ Low cost barrier — accessible to individuals with minimal technical expertise
▪ Highly scalable, enabling simultaneous planning of multiple coordinated attacks
▪ Severe defensive challenges as AI compresses the traditional attack planning timeline dramatically
Threat Assessment
▪ Lowers the skill threshold for complex, mass-casualty attacks on high-profile targets
▪ Potential for coordinated swarm assaults on critical infrastructure and transportation hubs
▪ Shift toward precision hits on elected officials, judiciary targets, and anti-corruption units
▪ Strategic expansion of operational reach via "Assassination-by-Remote" capabilities
Strategic Integration & Offensive Purpose
Adversaries use AI to mastermind multi-stage attacks. Real-World Anchors (2025-2026): In January 2026, the Islamic State Sahel Province (ISSP) launched the largest coordinated drone assault in the region, striking Niamey International Airport in Niger with 10 kamikaze drones. In October 2025, the CJNG used a drone-dropped "potato bomb" to strike the prosecutor’s office in Tijuana, targeting the anti-kidnapping unit. Foiled jihadist plots in Belgium and Australia (late 2025) involved drone-powered IEDs intended for precision hits on officials. This evolution allows cartels to trigger strikes from one border state while targets are in another, utilizing drones to track mayors and business leaders from hundreds of miles away.
Explosive Operations Vector: AI-Accelerated Planning for Lone-Actor and Small-Cell Attacks
FTO / VNSA: ISIS-K/ISKP, al-Qaeda, Hezbollah, Hamas; Domestic extremists
Convergence: Iran proxy pipelines and open-source model access
Risk Assessment
▪ High feasibility utilizing readily available chemistry data and tactical planning archives
▪ Effectively zero detectability of locally hosted AI research and scenario modeling
▪ Zero additional cost beyond basic internet access and consumer-grade hardware
▪ Highly scalable for uncoordinated lone actors globally with minimal oversight
▪ Massive challenges in preventing rapid "flash-to-bang" radicalization and execution
Threat Assessment
▪ Increases the frequency and unpredictability of attacks against soft public targets
▪ High potential lethality from AI-optimized improvised devices and tactical planning
▪ Extreme public fear, social disruption, and erosion of safety in daily environments
▪ Strategic strain on domestic security, law enforcement, and health response budgets
Strategic Integration & Offensive Purpose
AI tools lower the technical barrier for planning small-scale attacks using readily available materials. Real-world anchors include:
▪ Las Vegas VBIED (January 1, 2025): U.S. Army Special Forces Master Sergeant Matthew Livelsberger used ChatGPT to research explosive quantities, fireworks legality, and material ignition thresholds while planning a Cybertruck bombing. Confirmed via LVMPD digital forensics.
▪ Palm Springs ANFO Car Bomb (May 17, 2025): Guy Edward Bartkus researched ammonium nitrate fuel oil (ANFO) explosive mixtures and detonation velocity using an AI chat application, as documented in the DOJ criminal complaint against co-conspirator Daniel Jongyon Park.
▪ Manhattan IED Plot (June 2025): Michael Gann self-reported using an AI application to determine precursor chemicals and mixing ratios for flash powder IEDs. He constructed seven devices in under a week; corroborated by conventional web searches in the DOJ indictment.
Anchors also include ISIS-K Voice of Khorasan magazine guidance on responsible use of AI for research and propaganda. VNSAs leverage open-source models to accelerate the full attack planning cycle. Cross-domain payoff includes feeding operators into drone or fiber-optic FPV vectors.
Explosive Operations Vector: AI-Generated 3D Printable Weapons, Landmines, IED Containers & Drone Payloads
FTO / VNSA: ISIS-K/ISKP, al-Qaeda, Hezbollah, Hamas, Houthis, Al-Shabaab; Domestic extremists; CDS, CJNG
State / Hybrid Actors: CCP/PLA, Russia, Iran proxies
Convergence: CCP/PLA, Iran/Russia tech pipelines and open-source model access
Risk Assessment
▪ High feasibility using consumer 3D printers and AI-leveraged STL/CAD generation
▪ Low detectability of decentralized manufacturing in non-industrial or residential settings
▪ Very low cost for mass production compared to clandestine weapon trafficking
▪ Extremely scalable for rapid re-armament of clandestine cells and lone actors
▪ Significant challenges in restricting the propagation of digital weapon design files
Threat Assessment
▪ Rapid proliferation of untraceable "ghost guns," landmines, and IED components across borders
▪ Systematic erosion of the effectiveness of standard metal-detection security layers
▪ High potential lethality in secured zones, public transit hubs, and crowded events
▪ Strategic empowerment of insurgent, terrorist, and organized criminal networks
Strategic Integration & Offensive Purpose
AI enables rapid, untraceable generation of printable weapon components and delivery systems that bypass traditional supply chains and detection. Real-world anchors include ISIS-affiliated media promoting 3D-printable FGC-9 firearms for lone-actor attacks, widespread use of 3D-printed drone frames, fins, sabots, and payload mechanisms in Ukraine, Myanmar rebel ops, Houthi/Al-Shabaab experiments, and seizures of 3D-printed ghost guns with auto-sears or IED casings. Significant escalation includes the deployment of 3D-printed landmines and static charges by Mexican cartels (CJNG, CDS) to secure territory and by both sides in the Russia-Ukraine war for area denial. VNSAs leverage open-source generative tools for low-barrier, air-gapped production on consumer printers. Cross-domain payoff includes feeding printable payloads directly into DJI/Agras or fiber-optic FPV swarms for precision delivery.
Explosive Operations Vector: AI-Generated Training Manuals, Bomb-Making Guides, Attack Planning & TTP Evolution
FTO / VNSA: ISIS-K/ISKP, al-Qaeda, Hezbollah, Hamas, Houthis; Domestic extremists
Convergence: Iran proxy pipelines and open-source generative models
Risk Assessment
▪ High feasibility using local LLMs fine-tuned on extremist and technical archives
▪ Zero detectability of air-gapped generation of customized operational knowledge
▪ Zero operational cost for the continuous production of adapted tactical guides
▪ Massive scalability for the rapid upskilling of decentralized global networks
▪ Significant challenges in intercepting the digital distribution of localized, adapted TTPs
Threat Assessment
▪ Significant, measurable improvement in the lethality of low-experience extremist actors
▪ Continuous, automated adversary adaptation to military and law enforcement countermeasures
▪ Rapid normalization and proliferation of sophisticated bomb-making and evasion knowledge
▪ Strategic survival and evolution of VNSA knowledge bases despite leadership attrition
Strategic Integration & Offensive Purpose
AI tools compress the creation and distribution of operational knowledge, allowing rapid upskilling of low-experience operators while enabling continuous adaptation to defender countermeasures. Real-world anchors include ISIS-K Voice of Khorasan magazine and QEF “A Guide to AI Tools” providing explicit guidance on responsible use of generative AI for propaganda, research, and content creation; documented circulation of AI-generated or AI-enhanced bomb-making visuals, training materials, and “tech support” documents on jihadist channels advising on secure prompting and evasion. VNSAs leverage open-source models for low-barrier, air-gapped production of customized manuals and TTP updates. Cross-domain payoff includes direct feeding of trained operators into fiber-optic FPV, DJI/Agras, 3D-printed weapons/payloads, and lone-actor kinetic vectors while amplifying evasion across all domains.
Kinetic Operations Vector: 3D-Printed Edge Weapons / Non-Metallic Blades
FTO / VNSA / Cartels: ISIS-K, Hezbollah, Hamas, Lone Actors (High risk in UK/Europe), CDS, CJNG
Risk Assessment
▪ Low cost and easily accessible using consumer-grade 3D printers and high-strength filaments
▪ Total evasion of standard metal detectors in high-security zones (courthouses, government buildings, airports)
▪ Can be manufactured in-situ or smuggled with zero signature into restricted perimeters
▪ High feasibility for decentralized cells with minimal logistics or technical footprint
Threat Assessment
▪ Facilitates mass stabbing attacks in previously 'secure' environments where metal interdiction is the primary defense
▪ High strategic risk in the United Kingdom and Western urban centers due to ease of production and regulatory gaps
▪ Potential to evade TSA and aviation security protocols, enabling onboard or sterile-zone threat escalation
▪ Erosion of public confidence in the effectiveness of conventional perimeter security layers
Strategic Integration & Offensive Purpose
Adversaries, particularly lone actors and FTO affiliates in the UK and Western Europe, utilize 3D printing and AI-optimized designs to manufacture non-metallic edged weapons. Using durable composites like glass-filled nylon, these weapons are specifically designed to bypass the primary security layer of metal detection in courthouses, government facilities, and critical transportation hubs. AI assists in optimizing grain structure and blade geometry for maximum durability during high-kinetic events. This capability creates a decentralized, untraceable arsenal for mass casualty stabbing operations.
Kinetic Operations Vector: AI-Enabled Unmanned Ground Vehicles (UGVs) & Robotic Weapon Systems
State Actors: CCP/PLA (Unit-level robotics programs), Russia (Lancet/UGV hybrids from Ukraine lessons), IRGC/Iran, North Korea.
VNSA / TCOs: CJNG, CDS, Hezbollah, Hamas, Houthis, ISIS-K affiliates, domestic extremists.
Risk Assessment
▪ High feasibility using COTS platforms + open-source/edge AI kits; barriers dropping rapidly post-Ukraine/Mexico lessons.
▪ Moderate-to-low detectability during transit (disguised as commercial logistics) and pre-activation.
▪ Low per-unit cost with high scalability for attrition or swarm tactics.
▪ Significant defensive challenges: UGVs excel in terrain where aerial C-UAS is less effective; operate under cover, in buildings, or tunnels.
▪ Proliferation risk via dual-use supply chains (China-dominated robotics components).
Threat Assessment
▪ Enables persistent ground-level ISR and direct kinetic strikes with reduced manpower exposure.
▪ High lethality in urban ambushes, border incursions, base perimeter breaches, or infrastructure sabotage.
▪ Psychological impact: "Ghost" robotic assaults erode defender morale and overload response forces.
▪ Convergence multiplier: Pairs with drone ISR for coordinated air-ground attacks; potential CBRN dispersal on mobile platforms.
▪ Strategic erosion of traditional fixed defenses and manned patrols.
Strategic Integration & Offensive Purpose
Adversaries deploy AI-augmented UGVs for autonomous or semi-autonomous kinetic operations across hybrid battlefields. Platforms range from modified commercial rovers to militarized chassis carrying explosives (VBIED-style), weapons, or chemical payloads. Onboard AI enables terrain-hugging navigation, target acquisition, and engagement with minimal operator input — ideal for border smuggling corridors, urban infiltration, or sustained assaults on critical infrastructure (power substations, rail, refineries).
Real-World Anchors (2025–2026)
▪ Russian/Ukrainian experimentation with AI-ground robotics in combined arms (mine-laying, assault, EW support).
▪ Mexican cartel adaptations: Ground robotic platforms for tunnel/terrain logistics and armed incursions, learning from aerial drone success.
▪ PLA and IRGC investments in exportable UGV systems for proxy forces.
▪ Broader trend toward LAWS (Lethal Autonomous Weapon Systems) proliferation. |
ISR Operations Vector: – AI Meta Smart Glasses for Reconnaissance & Kinetic Attack Planning |
| State Actors Infiltration units and specialized operatives FTO Terrorist cells (ISKP/ISIS-K, al-Qaeda) | Risk Assessment
▪ High feasibility utilizing widely available COTS smart glasses with integrated AI
▪ Extremely low detectability as the hardware is identical to common consumer wearables
▪ Low cost compared to specialized military-grade covert surveillance equipment
▪ Scalable for deployment by diverse infiltration units and uncoordinated lone actors
▪ Massive challenges in prohibiting or detecting recording in public and soft-target areas
Threat Assessment
▪ Enables detailed, covert reconnaissance and pattern-of-life analysis of high-value targets
▪ Significantly increases the success rate of lone-actor and small-cell urban strikes
▪ Systematic compromise of security force routines, site layouts, and response blind spots
▪ Provides a strategic edge for urban terrorists and undercover state intelligence operatives
Strategic Integration & Offensive Purpose
State actors and FTOs equip operatives with Meta Ray-Ban Smart Glasses (or similar AI-powered smart glasses). The built-in camera and on-device AI continuously record video, perform real-time object and facial recognition, and stream footage back to a command node. The AI analyzes the environment, identifies high-value targets, maps patrol routes, detects security cameras, and automatically generates kinetic attack plans — including optimal approach vectors, timing windows, and escape routes. This capability was demonstrated in the 2025 New Year’s Day terrorist attack on Bourbon Street in New Orleans, where the attacker used Meta Ray-Ban Smart Glasses to conduct pre-attack reconnaissance by covertly recording video of the French Quarter and target area during two prior visits on bicycle. |
Cyber-Physical Operations Vector: – Cyber-Physical BMS Thermal Runaway Exploitation |
| State Actors CCP/PLA, Russia, Iran, North Korea Advanced VNSA Technical sabotage cells | Risk Assessment
▪ High feasibility for state cyber units and advanced technical sabotage groups
▪ Low detectability of dormant firmware zero-days inside Battery Management Systems
▪ Moderate cost compared to the resulting systemic infrastructure destruction
▪ Scalable across specific EV fleets, data centers, and grid-level storage installations
▪ Massive challenges in verifying and maintaining hardware-level safety guardrail integrity
Threat Assessment
▪ Large-scale physical destruction (fire/explosion) of data centers and EV charging hubs
▪ Potential for systemic transport and cloud service outages through coordinated strikes
▪ High risk to life in high-density urban settings or confined industrial facilities
▪ Strategic economic and logistical paralysis via destruction of energy storage assets
Strategic Integration & Offensive Purpose
State actors and advanced VNSAs use AI to discover and chain zero-day exploits against Battery Management Systems (BMS). AI-assisted tools analyze BMS firmware, develop custom zero-days to override voltage, temperature, and current limits, falsify sensor data, and deliberately trigger an exothermic feedback loop in lithium-ion battery packs. This results in rapid thermal runaway, fire, and explosion.
This is distinct from software supply chain attacks — it requires direct exploitation of the BMS controller itself (not just poisoning training data or models). The attack physically destroys data centers, EV fleets, BESS installations, and any high-density lithium battery infrastructure. |
Chemical Operations Vector: – Hazardous Materials |
| State Actors CCP/PLA, Russia, Iran, North Korea VNSA FTO, CDS, CJNG, CDG | Risk Assessment
▪ Moderate feasibility for developed state programs and sophisticated cartel labs
▪ Low detectability of initial chemical synthesis planning and precursors by standard monitors
▪ Low cost relative to other mass-casualty CBRN options
▪ Scalable for localized or regional chemical events depending on precursor access
▪ Significant defensive challenges in detecting diverse precursors and unconventional labs
Threat Assessment
▪ High potential for localized mass casualties and severe, long-term health impacts
▪ Extreme lethality when deployed in enclosed public spaces or high-density transit nodes
▪ Widespread public panic, cascading social disruption, and erosion of civil order
▪ Strategic degradation of urban public safety, emergency services, and economic activity
Strategic Integration & Offensive Purpose
AI supports Kill Chain compression across chemical threat workflows: Recon and Weaponization via precursor identification, synthesis pathway modeling, and toxicity analysis; Delivery and Exploitation via production process optimization; C2 and Actions on Objectives via operational decision support. State CBRN programs, VNSA cells, and cartels may significantly shorten development timelines — from months to weeks — while minimizing supply-chain and detection signatures. AI in Fentanyl Synthesis Concept: In controlled simulation environments, AI may accelerate fentanyl synthesis workflows by assisting with precursor identification, synthesis pathway modeling, and production process optimization — including alternative routes using diverted precursors, toxicity and stability evaluation of analogs, and yield scale-up simulation. Cartels and capable VNSA cells gain asymmetric advantage through rapid analog iteration and reduced reliance on traditional laboratory expertise. AI in Chemical Threats Concept: In controlled simulation environments, AI may compress the full adapted Kill Chain for chemical threats — from rapid exploration of novel compounds or dual-use industrial chemicals during Recon/Weaponization, through scalable manufacturing modeling in Delivery/Exploitation, to real-time operational decision support in C2/Actions on Objectives. This includes AI-assisted exploration of fentanyl analogs or novel agents tailored for specific effects, with minimized physical infrastructure requirements. |
Chemical Operations Vector: – AI-Assisted Synthetic Narcotic Warfare – Next-Gen Opioid Payloads (Beyond Fentanyl & Cychlorphine) |
| State Actors CCP/PLA FTO / VNSA ISIS-K/ISKP, al-Qaeda, Hezbollah, Hamas, CDS, CJNG, CDG, CDN Hybrid Networks State proxies | Risk Assessment
▪ High feasibility using Chinese industrial labs and AI-driven molecular design
▪ Low detectability as new analogs evade standard drug testing and scheduling
▪ High profitability relative to low manufacturing costs
▪ Extremely scalable for mass production and global distribution through cartel networks
▪ Massive challenges for emergency medical systems in treating novel, ultra-potent analogs
Threat Assessment
▪ Widespread, catastrophic health impacts and high mortality rates in target populations
▪ Total exhaustion of emergency response, law enforcement, and toxicological resources
▪ Robust, long-term revenue generation for sanctioned regimes and global criminal syndicates
▪ Strategic degradation of social fabric and economic stability in Western nations
Strategic Integration & Offensive Purpose
CCP/PLA leverages AI to design and optimize new synthetic opioid payloads significantly deadlier than fentanyl or current orphine-class compounds such as Cychlorphine (already ~10x fentanyl potency). These next-generation molecules are engineered for extreme potency, high resistance to naloxone reversal, and evasion of existing detection methods. The operational model remains two-stage: Chinese industrial chemical labs, protected or incentivized by the state, produce high-purity novel precursors and powders using AI-accelerated discovery of new scaffolds and synthesis pathways. Mexican cartels receive bulk material and use AI-refined processes to press it into counterfeit pills (oxycodone, hydrocodone, stimulants), increasing lethality density while minimizing physical footprint for smuggling. Cartels can also establish their own domestic labs for on-site synthesis and final-stage production. AI integration allows continuous refinement of production workflows and fast development of replacement analogs whenever a compound faces scheduling or detection pressure. This sustains a high-volume, high-lethality narcotic flow that degrades target population health, overwhelms emergency medical systems, and generates ongoing revenue streams to fund broader cartel and proxy operations. |
Radiological Operations Vector: – Radiological Threats |
| State Actors CCP/PLA, Russia, North Korea VNSA FTO, CDS, CJNG Hybrid Networks State proxies | Risk Assessment
▪ Moderate feasibility for developed state programs and sophisticated VNSAs
▪ Low detectability of initial radiological source acquisition and planning phases
▪ Low operational cost relative to the massive disruptive impact of an RDD strike
▪ Scalable for localized or regional contamination events depending on source access
▪ Significant challenges in detecting and intercepting diverse radiological materials in transit
Threat Assessment
▪ Chronic health impacts and mass psychological terror in target urban populations
▪ Potential for long-term denial-of-area and severe economic costs for decontamination
▪ Strategic disruption of urban public safety, emergency services, and city operations
▪ High potential for cascading social panic and loss of confidence in public health safety
Strategic Integration & Offensive Purpose
AI supports Kill Chain compression: Recon and Weaponization via dispersion modeling and source placement optimization. Delivery and Exploitation via scenario simulation and route planning. C2 and Actions on Objectives via operational decision support and consequence assessment. State programs, VNSA cells, cartels, and hybrid networks enhance planning precision while reducing detectable signatures. Offensive Playbook: Integrate with smuggling optimization for RDD deployment. |
Nuclear Operations Vector: – Nuclear Threats |
| State Actors Iran, North Korea, Russia VNSA Advanced cells Hybrid Networks Proxy pipelines | Risk Assessment
▪ Moderate feasibility for developed state actors; low for non-state actors
▪ Extremely low detectability of early-stage nuclear simulation and optimization research
▪ High program cost for states, but AI reduces the threshold for technical upskilling
▪ Highly scalable for state actors seeking rapid advancement in nuclear capabilities
▪ Massive challenges in international proliferation monitoring and technical data restriction
Threat Assessment
▪ Potential for existential-level casualties and total physical destruction of target cities
▪ Fundamental strategic shift in global security architecture and nuclear deterrence
▪ Permanent environmental and economic devastation in fallout and strike zones
▪ Ultimate strategic weapon for state-level existential conflict and regime survival
Strategic Integration & Offensive Purpose
AI supports Kill Chain compression: Recon and Weaponization via enrichment pathway simulation and yield optimization. Delivery via trajectory planning and system integration. C2 and Actions on Objectives via fallout simulation and operational decision support. State programs and sponsored technical cells reduce expertise barriers and signatures. Offensive Playbook: Use for proxy delivery planning with tool-sharing pipelines. |
Biological Operations Vector: – Bio-Weaponry & AI-Accelerated State Biological/Viral Weapons |
| State Actors CCP/PLA, Russia, North Korea, Iran VNSA FTO, Advanced cells Hybrid Networks State proxies | Risk Assessment
▪ High feasibility for developed state programs with access to advanced genomic datasets and sophisticated VNSA cells
▪ Zero-to-low detectability of digital research, de novo pathogen modeling, in silico testing, and AI-accelerated phases
▪ Moderate-to-high development cost significantly reduced by AI (time-to-payload collapse from years to weeks/months)
▪ Scalable for localized outbreaks, regional biological events, or global impact scenarios
▪ Extreme challenges in identifying/classifying novel, machine-modified, or chimeric agents and developing timely countermeasures
Threat Assessment
▪ High-to-global potential for mass casualties, pandemic-level events, and total collapse of regional or national healthcare systems
▪ Extreme lethality with tunable traits (targeted genetic, ethnic, age-based, or behavioral specificity)
▪ Widespread public panic, cascading social disruption, economic paralysis, and breakdown of civil governance
▪ Strategic degradation of national security, military readiness, economic stability, and irreversible shifts in global health security
Strategic Integration & Offensive Purpose
AI accelerates and unifies the full adapted development sequence across all bio-weaponry workflows — from traditional agents to next-generation synthetic viruses. State programs and advanced VNSA/hybrid cells gain rapid iteration, enhanced precision, reduced infrastructure footprints, and superior deniability through “natural-looking” novel pathogens.
Real-World Anchors
▪ COVID-19 outbreak originating from Wuhan, China — textbook case of “Unrestricted Warfare” in the biological domain
▪ CCP-linked illegal biolabs in Reedley, California and Las Vegas, Nevada operated by Chinese national Jia Bei Zhu with direct ties to PRC state-controlled entities and military-civil fusion
▪ Las Vegas biolab located in a residential area near major roadways with noted concerns over potential impact on local water supply infrastructure
AI-Supported Bio-Terrorism Concept: In controlled simulation environments, AI fully supports bio-terrorism and state biological workflows by assisting with protein/pathogen modeling, de novo genome design, gain-of-function enhancements, experimental acceleration, production optimization, and concealment tactics — dramatically reducing knowledge barriers, wet-lab time, and signatures while enabling programmable stealth agents.
Offensive Playbook: Mine literature and predict structures via local multimodal models. VNSAs/cartels/Hezbollah/JNIM use air-gapped BioPython + local LLMs for targeted toxins, fentanyl-analog escalation, or chimeric viral payloads on consumer GPUs. Hybrid networks blend traditional bio-weaponry with AI-optimized traits for maximum asymmetric impact. Real-world precedent demonstrates forward deployment of CCP-linked biological infrastructure on U.S. soil for potential mass infection via water systems or aerosol release. Red-team emulation should focus on observable indicators of AI-generated simulation patterns, anomalous genomic data, and dual-use platform acquisitions to strengthen biosecurity monitoring. |
Biological Operations Vector: – AI-Augmented Biological Agricultural Weapons (Agro-Bio Vectors) – CCP/PLA Directed or Enabled Operations |
| Primary Adversaries CCP/PLA (PRC), affiliated researchers/scholars (often CCP members), shell companies/front entities, academic infiltration networks. Potential hybrid with state-directed proxies. | Risk Assessment
▪ High feasibility via dual-use research (ag "protection" cover)
▪ Low cost with university access + AI tools
▪ Moderate-to-high detectability for overt smuggling but difficult for AI-designed stealth variants
▪ Scalable through farmland ownership for testing/release points and supply chain insertion
▪ Defensive challenges severe due to US ag concentration, export reliance, and limited rapid-response fungicides/genetic countermeasures
▪ AI lowers expertise barrier dramatically
Threat Assessment
▪ Catastrophic economic damage (billions in losses from Fusarium alone globally; engineered strains could amplify)
▪ Food price spikes, export collapse, supply chain disruption, secondary effects on livestock/feed
▪ Psychological/national security impact via perceived vulnerability of homeland food production
▪ Long-term soil/water contamination possible
Strategic Integration & Offensive Purpose
CCP integrates AI-augmented agro-bio capabilities into hybrid warfare doctrine for non-kinetic attrition against US food security and economic resilience. Farmland acquisitions (via linked entities) provide forward positioning for monitoring, testing, or deployment. Academic smuggling cases demonstrate exploitation of open US research labs (e.g., University of Michigan Molecular Plant-Microbe Interaction Lab) as vectors for pathogen acquisition, testing, and reverse-engineering. AI accelerates development of "plausible deniability" agents mimicking natural outbreaks. Aligns with broader PLA bio-research programs (per US State Dept compliance reports) and dual-use AI/biotech push. Goal: Undermine US strategic autonomy, enable leverage in crisis, or support gray-zone dominance without kinetic escalation.
Real-World Anchor
▪ CCP-linked entities (including CCP members and firms with PLA/gov ties) control ~277,000+ acres of US agricultural land (USDA data), with notable concentrations near military installations and critical infrastructure. Examples include Chen Tianqiao (CCP member) ~200k acres in Oregon, Sun Guangxin-linked purchases in Texas, Fufeng Group in North Dakota.
▪ 2025 University of Michigan cases: Chinese nationals (some CCP-linked) charged with smuggling Fusarium graminearum (potential agroterrorism weapon) and other biological materials into UM labs for research on the same pathogens studied in China. Multiple indictments (Jian/Liu et al.) highlight pattern of infiltration. |
Adversarial ML Vector: – Adversarial ML Defender Poisoning |
| State Actors CCP/PLA, Russia, Iran, North Korea VNSA FTO, CDS, CJNG, Extremists Cartels Cybercrime networks | Risk Assessment
▪ High feasibility through persistent poisoning of public, open-source datasets
▪ Low detectability of dormant backdoors and triggers within massive model weights
▪ Low operational cost relative to the massive strategic impact on AI-dependent defenses
▪ Massively scalable across all critical sectors reliant on automated classification systems
▪ Extreme challenges in verifying the integrity of multi-terabyte training datasets
Threat Assessment
▪ Progressive degradation and eventual failure of national security and military AI systems
▪ Potential for catastrophic, silent failure of autonomous weapons and sensor networks
▪ Systematic erosion of trust in AI-driven decision making and sensor reliability
▪ Provides adversaries with a strategic advantage to bypass any AI-based detection layer
Strategic Integration & Offensive Purpose
AI enables manipulation of defender datasets and models to degrade AI-dependent security systems. State actors and hybrid networks achieve broad detection-layer degradation. VNSAs gain asymmetric advantage through contamination of public open-source ecosystems. Red-team emulation should model poisoned datasets and triggered behaviors to strengthen AI supply-chain integrity. Offensive Playbook: Poison upstream public data before fine-tuning your own evasion-resistant local models. |
Logistics Operations Vector: – Logistics Smuggling Optimization |
| Cartels CDS, CJNG, CDG, MS-13, Tren de Aragua VNSA FTO, Hybrid networks | Risk Assessment
▪ High feasibility utilizing sophisticated predictive routing and evasion modeling AI
▪ Low detectability of optimized smuggling routes and behavioral mimicry tactics
▪ Low cost compared to traditional, high-risk human reconnaissance and planning
▪ Extreme scalability for cartel, VNSA, and state-proxy mission sets globally
▪ Significant challenges in securing thousands of miles of border and maritime space
Threat Assessment
▪ Robust, uninterrupted flow of high-lethality narcotics, weapons, and hostile personnel
▪ Strategic empowerment of cartels, VNSAs, and regional criminal organizations
▪ Continuous degradation of border security, law enforcement resources, and sovereignty
▪ Persistent, scalable funding and asset delivery for state-proxy and hostile operations
Strategic Integration & Offensive Purpose
AI accelerates logistics workflows through predictive routing and camouflage generation. State proxies, cartels, and VNSA networks gain asymmetric advantage through reduced interception rates and minimized logistical footprints. Red-team emulation should model AI-generated route variations and decoy signatures to strengthen border and supply-chain monitoring. Offensive Playbook: Tie to drone swarms or chemical payloads for border dominance. |
ISR Operations Vector: – Strategic ISR Taiwan Contingency – PLA AI Employment |
| State Actors CCP/PLA (PLAN/PLARF/PLAAF) Hybrid Networks State-aligned proxies | Risk Assessment
▪ High feasibility utilizing massive multi-domain data fusion and automated wargaming
▪ Difficult to detect strategic-level wargaming and operational pre-planning intent
▪ High cost for full-domain state integration, but offset by high strategic return
▪ Highly scalable for large-scale maritime, air, and cyber-kinetic operations
▪ Massive challenges in countering quantum-accelerated OODA loop compression
Threat Assessment
▪ Rapid, decisive military outcomes in favor of the PLA in a cross-strait contingency
▪ High potential for overwhelming US and allied response cycles and decision-making
▪ High risk of regional destabilization and global conflict escalation outcomes
▪ Fundamental strategic shift in Indo-Pacific dominance toward a single dominant power
Strategic Integration & Offensive Purpose
AI compresses pre-conflict preparation by fusing massive multi-domain data for predictive wargaming and adaptive planning, augmented by quantum elements for accelerated scenario iteration. Red-team emulation should model synthetic simulation artifacts, accelerated planning signatures, and quantum-related data patterns to strengthen multi-domain ISR and contingency hardening. Advanced Wargaming Concept: PLA may conceptually leverage advanced AI wargaming platforms augmented by emerging quantum capabilities to fuse cyber/naval/satellite ISR datasets for rapid course-of-action iteration and OODA loop compression. Includes generative intelligence tools for predicting adversary shifts, digital chief-of-staff systems for faster decision support under jamming, and quantum-enhanced processing for optimized logistics, munitions sustainment modeling, and joint force orchestration. Delivers compressed decision cycles and saturation advantage in high-intensity cross-strait operations. Offensive Playbook Entry: Integrate with LAWS clusters and Bio/Chem acceleration rows for full-spectrum PLA Taiwan campaign dominance. VNSA/hybrid actors study and adapt subsets via open-source/offline stacks for proxy or asymmetric replication. |
Maritime Operations Vector: – AI-Optimized Swarms, Harassment & Undersea Cable Sabotage (PLA Taiwan Contingency & Hybrid VNSA Adaptation) |
| State / Hybrid Actors CCP/PLA and CMM/PAFMM FTO / VNSA Houthis, Hezbollah/Iran proxies Convergence CCP/PLA proxy networks and dual-use tech pipelines | Risk Assessment
▪ High feasibility using low-cost USV technology and AI-driven maritime navigation
▪ Low detectability among massive commercial shipping traffic and dark fleet operations
▪ Low cost for maintaining persistent, deniable harassment and sabotage capabilities
▪ Highly scalable for archipelago blockades or coordinated undersea cable harassment
▪ Significant challenges in attribution of maritime "accidents" and gray-zone maneuvers
Threat Assessment
▪ Severe disruption of regional undersea cable communications and energy security
▪ Isolation of island nations and strategic naval facilities during pre-conflict phases
▪ Rapid exhaustion of defender naval and coast guard resources through swarming
▪ Strategic concealment of kinetic military preparations under gray-zone covers
Strategic Integration & Offensive Purpose
AI enables sustained, deniable maritime disruption via swarming "fishing" vessels or USVs that harass naval/coast guard assets, block access, or conduct cable sabotage. The PLA is actively deploying autonomous submarine surveillance drones and naval ISR platforms for persistent tracking of subsurface assets and real-time data collection across contested waters. These systems utilize AI for acoustic signature recognition and automated target acquisition, providing a strategic advantage in undersea warfare. Real-world anchors include repeated 2025-2026 incidents of Chinese-linked vessels (e.g., Hong Tai 58, Xingshun 39, Tai 58) severing or attempting to sever Taiwan’s undersea cables (TPE, TPKM3 systems) using flag-of-convenience ships, AIS manipulation, and anchor-dragging with plausible deniability; parallel Houthi use of explosive-laden USVs and drones for Red Sea shipping harassment.
PLA integrates this into Taiwan blockade/pre-invasion phases to erode communications, force resource dispersion, and mask kinetic preparations. VNSAs adapt similar low-cost AI navigation for smuggling routes while maintaining deniability. Cross-domain payoff includes diversion of defender naval/air assets, creating windows for fiber-optic FPV or DJI Agras operations inland, and amplification via cognitive disinformation claiming "accidents" or "civilian incidents." |
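The Adversarial ML Defender Poisoning entry above lists verifying the integrity of multi-terabyte training datasets as a core defensive challenge. The following is an added defensive example, not part of the original matrix: it pins a vetted dataset snapshot to a single Merkle root and, before any fine-tuning run, reports shards that were modified, removed, or added since vetting. The function names, shard paths, and sample records are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read shards in 1 MiB pieces so large files never load fully into memory


def sha256_file(path):
    """Stream one shard through SHA-256."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each shard's relative path (forward slashes) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def merkle_root(manifest):
    """Fold sorted (path, digest) leaves into one hex value that can be pinned."""
    # 0x00 / 0x01 prefixes keep leaf hashes and interior hashes in separate domains.
    level = [hashlib.sha256(b"\x00" + f"{p}\n{d}".encode()).digest()
             for p, d in sorted(manifest.items())]
    if not level:
        return hashlib.sha256(b"").hexdigest()
    while len(level) > 1:
        nxt = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])  # carry the odd node up instead of duplicating it
        level = nxt
    return level[0].hex()


def verify_dataset(root, pinned_manifest, pinned_root):
    """Compare the dataset on disk against the manifest pinned at vetting time."""
    if merkle_root(pinned_manifest) != pinned_root:
        raise ValueError("manifest does not match the pinned root; manifest was altered")
    current = build_manifest(root)
    report = {
        "modified": sorted(p for p in pinned_manifest
                           if p in current and current[p] != pinned_manifest[p]),
        "missing": sorted(p for p in pinned_manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in pinned_manifest),
    }
    report["clean"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report


def demo():
    """Constructed sample: vet three shards, then edit one, drop one, add one."""
    shards = {  # constructed records, not real training data
        "train/shard-000.jsonl": b'{"text": "benign sample a", "label": 0}\n',
        "train/shard-001.jsonl": b'{"text": "benign sample b", "label": 0}\n',
        "train/shard-002.jsonl": b'{"text": "benign sample c", "label": 1}\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in shards.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        manifest = build_manifest(root)   # taken once, at vetting time
        pinned = merkle_root(manifest)    # store this value out of band
        before = verify_dataset(root, manifest, pinned)

        # Simulate upstream changes made after vetting.
        with open(os.path.join(root, "train/shard-001.jsonl"), "ab") as fh:
            fh.write(b'{"text": "constructed altered record", "label": 1}\n')
        os.remove(os.path.join(root, "train/shard-002.jsonl"))
        with open(os.path.join(root, "train/shard-extra.jsonl"), "wb") as fh:
            fh.write(b"{}\n")
        after = verify_dataset(root, manifest, pinned)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

This check only detects changes made after the snapshot was vetted; records that were already poisoned at vetting time need separate content-level review.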
All matrix entries support the mission of preventing strategic surprise from adversary AI weaponization, including cross-domain threats that could overwhelm traditional defenses. Analysis is conducted exclusively through ethical red-team emulation in controlled environments.
Matrix maintained by Black Eagle Group™ Red-Team Intelligence.
Last updated: May 2026. For authorized defensive hardening and adversarial emulation purposes only.