LAS VEGAS: On a recent Friday morning, seven cybersecurity veterans gathered in a suite on the 60th floor of the Cosmopolitan hotel in Las Vegas.

Surrounded by laptops, network cables, spare Wi-Fi antennas and a wall-mounted television that doubled as a massive computer screen filled with esoteric programming code, they spent the next two days hacking into a computer network in San Antonio as part of an annual event called the National Collegiate Cyber Defense Competition.

As this “red team” of cybersecurity professionals attacked the network, dozens of elite computer science students in makeshift command centres across the country tried to stop them.

“Any time we gain access to their machines and steal data, they lose points,” said Alex Levinson, one of the leaders of the red team. “And the expectation is that we attack with custom malware, something unique and special they have never seen before.”

Run by the University of Texas, San Antonio, the event welcomed 10 collegiate “blue teams,” each the winner of a regional contest earlier in the year. This elaborate competition aimed to simulate the high-stakes world of cyberwarfare, which meant it included a new participant: artificial intelligence. And one of the blue teams was made up entirely of so-called AI agents, working mostly on their own.

With AI poised to play an increasingly important role in cybersecurity, the hacking competition demonstrated both the power of AI systems and their limitations. They can help attack computer networks, and help defend them. But they are also prone to mistakes. And they cannot yet match the skills of seasoned cybersecurity professionals – or even those of the country’s most promising computer science students.

But AI companies continue to improve these technologies. Anthropic said last month that it would limit the release of its latest AI technology, Claude Mythos, to a small number of trusted organisations because it might provide a new edge to malicious hackers. OpenAI later said it, too, would share similar technology with a limited group of partners.

Crouched over a glass table inside the Cosmopolitan suite, one of the red team’s veterans, Dan Borges, typed out an expanding list of instructions for the AI agents running on his laptop. As they probed the network in San Antonio, attacking one of the collegiate blue teams, the bots executed tasks on his behalf.

Borges, a 37-year-old security engineer whose resume includes stints at Uber and AI startup Scale AI, wore his baseball cap backward, over dark-brown hair that stretched halfway down his back. The cap read: “Aloha Got Soul.”

That morning, he tried to slip malicious software onto several dozen machines across the network. As his agents raced through this largely repetitive task, he planned the next stage of the attack. “They help me do things in parallel,” he said. “I can go fast, and I can go wide.”

But soon, one of his bots took an unexpected turn: It started installing malicious software on his own machine. This, the bot decided, was a good way to understand what the malware could do. “Absolutely the worst idea I have ever heard,” Borges said, breaking into a laugh.

When guided by trained experts like himself, Borges said, these technologies can accelerate a wide array of tasks related to cybersecurity. But he is still grappling with their flaws.

“Asking them to do something is very easy,” he said. “But you have to step back and say: What is the best way to get them to do what I want them to do?”

Two red team members, David Cowen and Evan Anderson, sat in front of the giant wall-mounted television, casually asking Claude Code to both organise and execute elaborate attacks with names like Project Mayhem. They leaned on the technology so heavily, they sometimes left the suite for sandwiches and coffee as Claude continued to probe the network in Texas.

Cowen, a jovial security consultant from Plano, Texas, with a billowing gray-brown beard, guffawed every time the AI bots did something unexpected. Anderson, a self-described hacker with tattoo sleeves on both arms who runs a Denver security company, Offensive Context, never batted an eye.

One afternoon after a lunch run, Cowen looked up at the TV screen and let out another cackle. While he was grabbing fried chicken sandwiches, one of his bots noticed that a blue team had loaded new software onto a machine in San Antonio. The bot then grabbed the software’s default password from a database, broke into the machine and started sharing the password with the other bots. “Amazing,” Cowen said, chuckling. “I was at lunch.”

But he was quick to say the bots are only as good as the people using them. He and Anderson kept their agents on a tight leash, focusing their efforts on particular tasks and trying to catch any serious missteps.

While the other red team members attacked blue teams filled with college students, Cowen and Anderson battled a blue team staffed solely with bots. In this year’s competition, Anthropic arranged for its AI technology to compete alongside the 10 teams of college students.

This automated cyberdefence team operated with little help from Anthropic employees. But while each of the collegiate teams included eight students, the Anthropic team had as many as 32 AI agents.

In the end, the bots finished seventh out of the 11 teams. The winner was Dakota State University, in South Dakota, a perennial contestant but a first-time champion.  – ©2026 The New York Times Company

This article originally appeared in The New York Times.