The Mexico Government Breach Is a Portnox Case Study — Written by the Attacker



Between late December 2025 and mid-February 2026, a single attacker breached at least nine Mexican government organizations — federal, state, and municipal — using two commercial AI platforms as primary operational tools in a massive AI-assisted cyberattack. The campaign exfiltrated data on hundreds of millions of citizens, compromised hundreds of internal servers, and even stood up a live query API into government infrastructure and a working document forgery service.

Gambit Security’s forensic report on the incident makes for uncomfortable reading in this industry. But if you deploy network access control, zero trust, or privileged access management, it also reads like a detailed technical specification of exactly what your products are supposed to prevent.

Let’s talk about what actually happened — and what would have changed the outcome.

THE AI ANGLE IS REAL — BUT IT’S NOT THE STORY

The attacker used Claude Code and OpenAI’s GPT-4.1 API to dramatically accelerate exploitation. AI handled reconnaissance across 305 servers, customized exploits for specific CVEs, escalated privileges, mapped database architecture, built exfiltration pipelines, and constructed tunnel chains. About 75% of all remote command execution was AI-generated.

That’s genuinely alarming. A single operator accomplished what would previously have required a team of analysts, in a fraction of the time.

But here’s what the report also says, buried in the conclusion and deserving far more attention than it gets: the underlying vulnerabilities were all addressable through standard security controls. Patching. Passwordless authentication. Network segmentation. Endpoint detection.

AI made the attacker faster. It did not make the attacker able to do things that were previously impossible. The path through every organization in this campaign ran through the same familiar gaps that have existed for years.

THREE ATTACK PATTERNS. ONE PLATFORM THAT WOULD HAVE MATTERED.

The breach unfolded across three distinct but connected failure points, and Portnox Cloud is designed to address all three.

Flat networks enabled lateral movement

Once inside SAT — Mexico’s federal tax authority — the attacker moved across 305 servers largely unimpeded. A custom Python tool piped harvested server data through OpenAI’s API and produced 2,597 structured intelligence reports on internal systems, scoring each for pivot potential and ready-to-execute attack paths. What would have taken a team of analysts weeks took hours.

Portnox Cloud enforces microsegmentation and continuous device posture assessment, isolating network zones by device type, user role, and real-time risk. A breach in one zone doesn’t automatically become a breach everywhere. The attacker’s AI-assisted analysis was impressively fast — but it can only exploit the network that exists. Shrinking that exploitable surface is a structural defense that doesn’t depend on detection speed.

Tunnel chains mimicked legitimate access

The attacker didn’t just walk through open doors. They built elaborate infrastructure — Chisel SOCKS proxies, SSH tunnels routed through compromised internet-facing servers — specifically to maintain persistent, covert access to internal applications. The sophistication of this infrastructure is a signal: the attacker needed it because application access wasn’t otherwise available from the outside.

Portnox Cloud enforces application-level least-privilege access, which changes the math here in two ways. First, users and devices connect only to the specific applications they’re authorized for, not to entire network segments behind a VPN perimeter. Second, every access decision is re-evaluated against identity, device posture, and context, on every request and whenever posture changes. A tunneled connection from a device whose posture is unknown doesn’t get waved through just because it carries valid credentials.
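The decision logic described above, as an added illustration for this section rather than Portnox’s own code: a minimal per-request policy check that requires valid credentials, an enrolled and recently attested device in a compliant state, and a per-application entitlement before it allows anything. The roles, application names, device IDs and the 15-minute posture lifetime are assumptions, and the scenarios are constructed; the point is that a session arriving with valid credentials from a host the system has never seen is refused on the device check, and that entitlement is to a named application, not to a subnet.

```python
"""Per-request access decisions from identity, device posture and context.

Added illustration, not Portnox code. Roles, application names and the
posture lifetime are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed role-to-application entitlements: no role is granted a subnet.
ROLE_APPS = {
    "tax-analyst": {"case-portal", "reporting-db-ro"},
    "dba": {"reporting-db-ro", "reporting-db-rw"},
}
POSTURE_MAX_AGE = timedelta(minutes=15)  # assumed re-attestation interval


@dataclass
class DevicePosture:
    device_id: str
    managed: bool
    disk_encrypted: bool
    edr_running: bool
    attested_at: datetime  # last report from the posture agent


@dataclass
class AccessRequest:
    user: str
    role: str
    credentials_valid: bool
    device_id: str
    app: str
    now: datetime


@dataclass
class Decision:
    allow: bool
    reason: str


def evaluate(req: AccessRequest, postures: dict) -> Decision:
    """Every request is checked in full; an earlier allow carries no weight."""
    # 1. Identity: valid credentials are necessary, never sufficient.
    if not req.credentials_valid:
        return Decision(False, "authentication failed")
    # 2. Device: must be enrolled, managed, recently attested and compliant.
    posture = postures.get(req.device_id)
    if posture is None:
        return Decision(False, f"unknown device {req.device_id}")
    if not posture.managed:
        return Decision(False, "unmanaged device")
    if req.now - posture.attested_at > POSTURE_MAX_AGE:
        return Decision(False, "posture stale, re-attestation required")
    if not (posture.disk_encrypted and posture.edr_running):
        return Decision(False, "posture non-compliant")
    # 3. Application: entitlement is to a named app, not to a segment.
    if req.app not in ROLE_APPS.get(req.role, set()):
        return Decision(False, f"role {req.role} not entitled to {req.app}")
    return Decision(True, "identity, device and app policy satisfied")


def run_scenarios() -> dict:
    """Constructed scenarios; returns scenario name -> Decision."""
    now = datetime(2026, 1, 20, 9, 0, tzinfo=timezone.utc)
    postures = {
        "lt-0412": DevicePosture("lt-0412", True, True, True, now - timedelta(minutes=3)),
        "lt-0913": DevicePosture("lt-0913", True, True, False, now - timedelta(minutes=2)),
        "lt-0777": DevicePosture("lt-0777", True, True, True, now - timedelta(hours=2)),
    }

    def req(device, app, role="tax-analyst", creds=True):
        return AccessRequest("mruiz", role, creds, device, app, now)

    return {
        "compliant_device": evaluate(req("lt-0412", "case-portal"), postures),
        # valid (stolen) credentials presented from a pivot host never enrolled
        "tunnel_from_unknown_host": evaluate(req("pivot-srv-17", "case-portal"), postures),
        "edr_stopped": evaluate(req("lt-0913", "case-portal"), postures),
        "stale_posture": evaluate(req("lt-0777", "case-portal"), postures),
        "outside_entitlement": evaluate(req("lt-0412", "reporting-db-rw"), postures),
    }


if __name__ == "__main__":
    for name, d in run_scenarios().items():
        print(f"{name:26} {'ALLOW' if d.allow else 'DENY ':5} {d.reason}")
```

Only the first scenario is allowed. The ordering of the checks matters less than the fact that none of them is skipped: the stolen credentials in the second scenario are perfectly valid and still never reach the entitlement check.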

Privileged infrastructure had no guardrails

The Jalisco state government breach is the most striking example in the report. The attacker gained administrative control over the state’s entire virtualization infrastructure — a 13-node Nutanix cluster, both management consoles, and 37 of 38 database servers. Custom rootkits were deployed across 20 state agencies.

This kind of takeover requires the ability to run privileged commands on infrastructure devices without restriction or detection. Portnox Cloud centralizes authentication, authorization, and full session logging for every privileged action on network and security infrastructure. An attacker, or an AI tool operating on an attacker’s behalf, attempting to run unauthorized commands hits a policy wall and generates an audit trail rather than finding an open prompt. Two practical caveats: the same gate has to sit in front of the hypervisor and database management consoles, not only the network devices, because that is where the Jalisco takeover ran; and the audit trail only counts if an attacker who owns the cluster cannot also edit it, so it belongs off-box and tamper-evident.
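A command-authorization gate with a tamper-evident audit trail, as an added example for this section and not code from Portnox, Nutanix or the Gambit report: each command typed into a management shell is matched against a per-role allowlist before it runs, and every attempt, allowed or denied, is appended to an HMAC-chained log so that a later edit to any entry breaks verification. The roles, command patterns, host names and the key are assumptions, and the session is constructed.

```python
"""Command-level authorization with a tamper-evident audit trail.

Added illustration, not Portnox, Nutanix or Gambit code. Roles, command
patterns and the key are assumptions for the example.
"""
import hashlib
import hmac
import json
import re

# Assumed role -> allowed command patterns (anchored regular expressions).
ROLE_COMMANDS = {
    "cluster-readonly": [r"^cluster status$", r"^vm list( .*)?$", r"^host list$"],
    "cluster-admin": [r"^cluster .*$", r"^vm .*$", r"^host .*$"],
}
# Held by the audit collector, not the gateway host (assumed): without it an
# attacker who lands on the gateway cannot rewrite earlier entries undetected.
AUDIT_KEY = b"example-only-audit-key"
GENESIS = "0" * 64


class AuditLog:
    """Append-only list of (record, mac); each mac also covers the previous mac."""

    def __init__(self):
        self.entries = []
        self.prev_mac = GENESIS

    @staticmethod
    def _mac(record) -> str:
        payload = json.dumps(record, sort_keys=True).encode()
        return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()

    def append(self, record: dict) -> None:
        record = dict(record, prev=self.prev_mac)
        mac = self._mac(record)
        self.entries.append((record, mac))
        self.prev_mac = mac

    def verify(self) -> bool:
        """True only if every entry's MAC and back-link still check out."""
        prev = GENESIS
        for record, mac in self.entries:
            if record.get("prev") != prev:
                return False
            if not hmac.compare_digest(self._mac(record), mac):
                return False
            prev = mac
        return True


class CommandGate:
    def __init__(self, log: AuditLog):
        self.log = log

    def authorize(self, user, role, device, command, when) -> bool:
        """Allow only if a pattern for the role matches; log the attempt either way."""
        patterns = ROLE_COMMANDS.get(role, [])
        allowed = any(re.match(p, command) for p in patterns)
        self.log.append({"when": when, "user": user, "role": role,
                         "device": device, "command": command,
                         "decision": "allow" if allowed else "deny"})
        return allowed


def run_demo():
    """Constructed session; returns (decisions, intact_before, intact_after_tamper)."""
    log = AuditLog()
    gate = CommandGate(log)
    session = [
        ("ops1", "cluster-readonly", "jump-01", "cluster status"),
        ("ops1", "cluster-readonly", "jump-01", "vm list"),
        # same account now attempting an administrative action
        ("ops1", "cluster-readonly", "jump-01", "vm delete db-37"),
        # a role the policy has never heard of
        ("svc_backup", "backup-agent", "srv-web-03", "host shutdown node-09"),
        ("admin2", "cluster-admin", "jump-01", "host list"),
    ]
    decisions = [gate.authorize(u, r, d, c, when=f"2026-02-01T03:0{i}:00Z")
                 for i, (u, r, d, c) in enumerate(session)]
    intact_before = log.verify()
    # An attacker with write access to the log tries to hide the denied attempt.
    log.entries[2][0]["decision"] = "allow"
    return decisions, intact_before, log.verify()


if __name__ == "__main__":
    decisions, before, after = run_demo()
    print("decisions:", decisions)  # [True, True, False, False, True]
    print("log intact before tamper:", before, "after:", after)
```

The denied attempts are the interesting records: a read-only operator asking to delete a database VM, or a backup service account issuing a host shutdown, is the signal a SOC wants long before a rootkit lands. Chaining the entries means the attacker cannot quietly flip that denial to an allow after the fact without invalidating everything that follows it.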

CREDENTIAL THEFT WAS THE MASTER KEY

Throughout the campaign, stolen and reused credentials were the connective tissue between every stage of the attack. Passwords found in configuration files unlocked cloud databases. Hashes cracked from one server opened doors on adjacent servers. Kerberos tickets were tested across domain controllers. The AI tools were extraordinarily efficient at harvesting, cataloging, and weaponizing credentials — but the credentials existed because password-based authentication was still in use everywhere.
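The reuse pattern described above leaves a trace in ordinary authentication logs, and this added example (not from the Gambit report or from Portnox) shows the simplest detector for it: per account, a sliding window over successful logons that fires when one account lands on three or more distinct hosts within ten minutes, the footprint of a password pulled from a config file or cracked from a hash being tried against adjacent servers. The event layout, thresholds, account and host names are assumptions, and the events are constructed.

```python
"""Flagging credential reuse across hosts from authentication events.

Added example, not from the Gambit report or Portnox. Event layout,
thresholds and host names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed
FANOUT_THRESHOLD = 3             # distinct target hosts, assumed

# Constructed events: (timestamp, account, source_host, target_host, outcome)
EVENTS = [
    ("2026-01-15T02:10:50", "svc_backup", "srv-web-03", "srv-db-11", "failure"),
    ("2026-01-15T02:11:04", "svc_backup", "srv-web-03", "srv-db-11", "success"),
    ("2026-01-15T02:11:37", "svc_backup", "srv-web-03", "srv-db-12", "success"),
    ("2026-01-15T02:12:05", "svc_backup", "srv-web-03", "srv-db-13", "success"),
    ("2026-01-15T02:13:50", "svc_backup", "srv-web-03", "srv-app-07", "success"),
    ("2026-01-15T02:30:00", "admin_mx", "srv-web-03", "dc-01", "success"),
    ("2026-01-15T02:31:00", "admin_mx", "srv-web-03", "dc-02", "success"),
    ("2026-01-15T03:00:00", "admin_mx", "srv-web-03", "dc-03", "success"),
    ("2026-01-15T08:02:00", "jlopez", "ws-044", "srv-file-01", "success"),
    ("2026-01-15T08:45:10", "jlopez", "ws-044", "srv-mail-01", "success"),
    ("2026-01-15T13:20:00", "jlopez", "ws-044", "srv-file-01", "success"),
]


def detect_fanout(events, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Sliding window per account over successful logons; one alert per account."""
    by_account = defaultdict(list)
    for ts, account, src, dst, outcome in events:
        if outcome == "success":
            by_account[account].append((datetime.fromisoformat(ts), src, dst))
    alerts = []
    for account, logons in by_account.items():
        logons.sort()
        start = 0
        for end, (t_end, _, _) in enumerate(logons):
            # shrink the window from the left until it spans at most WINDOW
            while t_end - logons[start][0] > window:
                start += 1
            span = logons[start:end + 1]
            hosts = {dst for _, _, dst in span}
            if len(hosts) >= threshold:
                alerts.append({
                    "account": account,
                    "first_seen": span[0][0].isoformat(),
                    "last_seen": t_end.isoformat(),
                    "hosts": sorted(hosts),
                    "sources": sorted({src for _, src, _ in span}),
                })
                break  # one alert per account is enough to open a case
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(EVENTS):
        print(alert)
```

On the constructed data only svc_backup fires: three database servers from one web server inside a minute. The admin_mx logons to three domain controllers do not, because the third falls outside the window, and jlopez never exceeds two hosts. In production the inputs are Windows 4624 or sshd accepted-logon events, and the expected false positive is exactly the backup or monitoring account that legitimately touches many hosts, so baseline those accounts by source host rather than suppress them.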

This is where passwordless authentication stops being a “nice to have” and becomes a structural defense. A password that was never set can’t be harvested from a configuration file, cracked from a hash, sprayed, or relayed. The attacker’s most reliable technique across every victim organization was credential reuse, and eliminating passwords removes that technique from the playbook. It does not remove every credential: the Kerberos tickets and session tokens issued after a passwordless logon can still be stolen and replayed, which is why short lifetimes, binding to the device, and the access controls above still have to back it up.

THE AI THREAT CHANGES THE MATH ON “GOOD ENOUGH”

Security teams have long operated with an implicit assumption: attackers are resource-constrained. Lateral movement takes time. Analyzing hundreds of servers takes a team. Customizing exploits for dozens of different CVEs takes expertise. That assumption is now obsolete.

What AI-assisted cyberattacks mean practically is that the window between initial access and significant damage has collapsed. An attacker who previously needed days to move from a perimeter breach to domain-wide credential compromise can now do it in hours — as this campaign demonstrated. Controls that were “good enough” when attackers moved slowly are no longer adequate when they move at machine speed.

The right response to AI-accelerated attacks is not AI-specific defenses. It’s closing the gaps that AI acceleration exposes — because those gaps were always there. We just had more time to find them first.

ONE MORE THING WORTH NOTING

The forensic report documents something that doesn’t get mentioned in most threat intelligence: the AI systems involved repeatedly refused or resisted attacker requests. They flagged evasion techniques, asked for authorization evidence, and declined certain tasks outright. The attacker spent significant effort finding workarounds — rephrasing instructions, using pre-written documents to bypass content generation refusals, abandoning some approaches entirely.

This friction was real and meaningful. It didn’t stop the campaign, but it forced adaptation and created detectable behavioral patterns. The lesson for defenders isn’t “AI is the problem.” It’s that a determined, well-prepared attacker will always probe for the path of least resistance. Your job is to make sure that path doesn’t run straight through your network.

WHAT THIS MEANS FOR YOUR SECURITY POSTURE

If you take one thing from the Mexico breach, make it this: AI made a skilled attacker faster. It did not invent new attack categories. Every vector used in this campaign, unpatched vulnerabilities, flat networks, credential reuse, privileged access without audit trails, has a known, deployable countermeasure. The organizations that were hardest to breach were the ones where those countermeasures were already in place. The ones where they weren’t carried technical debt that AI simply helped the attacker collect faster.

The time for assessing that debt is before the attack, not after.
