Hiding in the AI Traffic: Abusing MCP for LLM-Powered Agentic Red Teaming

Strahinja Janjusevic, Anna Baron Garcia, Sohrob Kazerounian

TL;DR

The paper addresses the challenge of coordinating AI-driven red team operations across networks with reliable stealth and scalability. It introduces a novel MCP-enabled two-leg C2 architecture that decouples tasking from reasoning, enabling asynchronous, event-driven swarm-like reconnaissance via centralized memory. The authors demonstrate substantial improvements in speed and stealth, including autonomous planning, cross-host lateral movement, and on-demand payload generation, while engaging in an extensive ethical and defensive discussion. This work offers a realistic, lab-ready framework for AI-powered red teaming and informs defenses by highlighting new threat models and potential countermeasures in enterprise environments.

Abstract

Generative AI is reshaping offensive cybersecurity by enabling autonomous red team agents that can plan, execute, and adapt during penetration tests. However, existing approaches face trade-offs between generality and specialization, and practical deployments reveal challenges such as hallucinations, context limitations, and ethical concerns. In this work, we introduce a novel command & control (C2) architecture leveraging the Model Context Protocol (MCP) to coordinate distributed, adaptive reconnaissance agents covertly across networks. Notably, we find that our architecture not only improves goal-directed behavior of the system as a whole, but also eliminates key host and network artifacts that can be used to detect and prevent command & control behavior altogether. We begin with a comprehensive review of state-of-the-art generative red teaming methods, from fine-tuned specialist models to modular or agentic frameworks, analyzing their automation capabilities against task-specific accuracy. We then detail how our MCP-based C2 can overcome current limitations by enabling asynchronous, parallel operations and real-time intelligence sharing without periodic beaconing. We furthermore explore advanced adversarial capabilities of this architecture, its detection-evasion techniques, and address dual-use ethical implications, proposing defensive measures and controlled evaluation in lab settings. Experimental comparisons with traditional C2 show drastic reductions in manual effort and detection footprint. We conclude with future directions for integrating autonomous exploitation, defensive LLM agents, predictive evasive maneuvers, and multi-agent swarms. The proposed MCP-enabled C2 framework demonstrates a significant step toward realistic, AI-driven red team operations that can simulate advanced persistent threats while informing the development of next-generation defensive systems.

Paper Structure

This paper contains 40 sections, 9 figures, 3 tables.

Figures (9)

  • Figure 1: Conceptual diagram of the decoupled, two-leg C2 communication flow. The MCP Agent acts as a proxy, sending a high-level, benign-appearing query (2a) to a public LLM, which returns a detailed, multi-step attack plan (2b) for execution.
  • Figure 2: Specialist LLM vs Agentic Framework Approach
  • Figure 3: Classic C2 beaconing traffic from Cobalt Strike. The highly regular, periodic spikes represent the agent's "heartbeat," a predictable pattern that is a primary target for network-based threat detection.
  • Figure 4: Communication pattern between the mcp_agent and the MCP server. Activity is sparse and event-driven, occurring only to fetch a task or deliver results. The absence of a discernible period stands in stark contrast to beaconing.
  • Figure 5: Agent-LLM C2 (non-streaming). Top: Initiator spikes grow as more context is sent to the LLM. Bottom: The concurrent traffic to the MCP server remains dormant during the LLM interaction.
  • ...and 4 more figures
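The contrast between Figure 3 (regular Cobalt Strike heartbeat) and Figure 4 (sparse, event-driven MCP agent traffic) is the detection point the paper leans on: cadence-based beacon detection keys on a stable inter-arrival period, and an event-driven poll has none. The following is an added example, not code from the paper or its authors, of what such a cadence check looks like and why it separates the two traffic shapes. The log format (`ts src dst dport`), the hosts, the jitter model and the 0.3 coefficient-of-variation threshold are all constructed or assumed for illustration.

```python
"""Added example (not from the paper): score per-flow inter-arrival cadence to
separate beacon-like traffic (Figure 3 shape) from event-driven traffic
(Figure 4 shape). All log lines, hosts and thresholds below are constructed."""
import random
from collections import defaultdict
from statistics import mean, median, pstdev

CV_THRESHOLD = 0.3   # assumed: stdev/mean of gaps below this counts as a regular cadence
MIN_EVENTS = 6       # assumed: fewer observations than this yields no verdict


def _constructed_log():
    """Build Zeek-conn-style lines 'ts src dst dport' for two flows (constructed data)."""
    rng = random.Random(7)
    lines = []
    # Flow A: 60 s sleep with +/-10 % jitter, the classic periodic heartbeat.
    t = 1_700_000_000.0
    for _ in range(40):
        lines.append(f"{t:.3f} 10.0.0.5 203.0.113.10 443")
        t += 60.0 * (1.0 + rng.uniform(-0.10, 0.10))
    # Flow B: a task fetch or result delivery only when something happens, no period.
    t = 1_700_000_000.0
    for gap in (3, 1200, 7, 45, 3600, 2, 15, 900, 4, 2400):
        lines.append(f"{t:.3f} 10.0.0.7 203.0.113.20 443")
        t += gap
    return lines


SAMPLE_LOG = _constructed_log()


def parse_lines(lines):
    """Group connection timestamps by (src, dst) pair."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, _dport = line.split()
        flows[(src, dst)].append(float(ts))
    return flows


def periodicity(timestamps):
    """Describe the inter-arrival cadence of one flow.

    cv      : population stdev / mean of the gaps (0.0 means perfectly periodic)
    in_band : fraction of gaps within +/-20 % of the median gap
    """
    ts = sorted(timestamps)
    if len(ts) < MIN_EVENTS:
        return {"events": len(ts), "verdict": "insufficient"}
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    med = median(gaps)
    cv = pstdev(gaps) / mu if mu > 0 else float("inf")
    in_band = sum(1 for g in gaps if abs(g - med) <= 0.2 * med) / len(gaps)
    return {
        "events": len(ts),
        "mean_gap_s": round(mu, 1),
        "cv": round(cv, 3),
        "in_band": round(in_band, 2),
        "verdict": "beacon-like" if cv < CV_THRESHOLD else "event-driven",
    }


def score_log(lines):
    """Return a cadence verdict for every (src, dst) pair in the log."""
    return {pair: periodicity(ts) for pair, ts in parse_lines(lines).items()}


if __name__ == "__main__":
    for (src, dst), result in score_log(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {result}")
```

Flow A scores a coefficient of variation well under 0.1 with every gap inside the band, which is exactly why periodic sleeps are a primary network-detection target. Flow B, whose gaps range from seconds to an hour, scores a CV above 1 and falls through as event-driven, so this class of check gives a defender nothing against the traffic shape in Figure 4. The caveat cuts both ways: operators already widen the jitter band on conventional beacons to blunt cadence tests, and the paper's own Figure 5 caption points at the complementary signal left over when cadence is gone, namely request sizes that grow as more context is shipped to the LLM on the other leg of the C2.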