In 1986, astronomer Cliff Stoll noticed a 75-cent discrepancy in the computing accounts at Lawrence Berkeley National Laboratory. Most people would have written it off as a rounding error. He didn't. That 75 cents led him down a rabbit hole that ended with a KGB-backed hacker named Markus Hess — hiding inside legitimate university systems, routing espionage through trusted infrastructure so his traffic looked like normal academic activity.
Stoll wrote a book about it: The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage (1989). The title comes from the cuckoo bird, which lays its eggs in other birds' nests — letting the host do all the work of incubation while the parasite thrives undetected.
Forty years later, the cuckoo is back. And this time, it's nesting in your AI tools.
TL;DR — What You'll Learn
- The research: Check Point demonstrated that Microsoft Copilot and xAI's Grok can be weaponized as covert command-and-control (C2) proxies — routing attacker commands through legitimate AI traffic.
- Why it matters: Traditional network monitoring won't catch this. The traffic looks like a normal AI assistant browsing the web.
- The security gap: Most organizations haven't updated their security controls to account for AI tools with network access — leaving a blind spot big enough to drive a C2 channel through.
- What to do about it: A practical checklist for locking down AI tools in your environment before attackers get there first.
Stoll's Cuckoo: The Original "Hide in Plain Sight"
To understand why the Check Point research matters, you need to understand what made Stoll's discovery so significant — and so hard to catch.
Markus Hess didn't break in through an exotic zero-day. He exploited a known vulnerability in GNU Emacs to gain access to a university system, then used that foothold to pivot through MILNET (the military's predecessor to the internet) into defense contractors, military bases, and the Pentagon itself. His genius wasn't technical sophistication — it was operational stealth.
Hess routed his connections through multiple legitimate systems. Each hop looked like normal traffic. The university thought the traffic was just another researcher. The defense systems thought it was the university. Nobody questioned it because it all came from trusted sources.
Stoll caught him because he was curious enough to chase a 75-cent anomaly that everyone else wanted to ignore. He literally set up a printer next to his desk and monitored connections for months — an improvised intrusion detection system built from stubbornness and an astronomer's obsession with precision.
That was 1986. The fundamental technique — hide your malicious activity inside trusted infrastructure so it looks like legitimate traffic — hasn't changed. But the "trusted infrastructure" has.
The 2026 Cuckoo: AI Assistants as C2 Relays
On February 17, 2026, Check Point Research published findings that should make every security team sit up straight. Their researchers demonstrated a technique they call "AI as a C2 proxy" — and the implications are significant.
Here's how it works:
Enterprise AI assistants like Microsoft Copilot and xAI's Grok have web browsing capabilities built in. They can fetch URLs, summarize web pages, and interact with external content. That's the feature. It's also the attack surface.
An attacker can set up a URL that contains encoded commands. They craft a prompt — or manipulate an existing conversation — to make the AI assistant fetch that URL. The assistant retrieves the content (which contains the attacker's instructions), processes it, and can be directed to take actions or relay information back. The AI becomes a bidirectional communication channel between the attacker and the compromised environment.
Why This Is Worse Than Traditional C2
Traditional C2 channels — malware phoning home to a command server — are detectable. Security tools flag unusual outbound connections, unknown domains, and suspicious traffic patterns. But when the traffic comes from Microsoft Copilot making a web request? That looks identical to legitimate enterprise AI usage. Your SIEM won't flag it. Your firewall won't block it. Your SOC analyst will scroll right past it.
Check Point's researchers put it plainly: the technique enables "AI-assisted malware operations, including generating reconnaissance workflows, scripting attacker actions, and dynamically deciding 'what to do next' during an intrusion."
Read that last part again: dynamically deciding what to do next. This isn't a static payload. It's an AI-augmented attack that adapts in real time based on what it finds in your environment.
Stoll's cuckoo used university networks as trusted hosts. The 2026 cuckoo uses your enterprise AI assistant. Same playbook. Same principle. Dramatically larger blast radius.
The Security Blind Spot
Here's where this gets uncomfortable for anyone responsible for defending a network.
I work as a fractional CISO for small and mid-sized companies. I've reviewed dozens of security programs in the last year. And I can count on one hand the number that had any controls around AI tool governance.
Ask yourself three questions:
- Access control: Do your AI assistants have the same access restrictions as the employees using them — or more? Most organizations gave Copilot access to everything a user can see without thinking about what that means when the AI can also browse the internet.
- Boundary enforcement: When an AI tool fetches a URL from inside your network, is that crossing your security boundary? Who decides which URLs are allowed? In most environments, nobody does — it's a completely unmonitored channel.
- Detection capability: Could you distinguish a legitimate Copilot web fetch from a C2 relay? Are you monitoring AI assistant traffic separately from general web traffic, or is it all one undifferentiated blob in your logs?
For most organizations, the honest answer to all of these is "no" or "we haven't thought about it." And that's not because security teams are negligent — it's because AI tools got deployed faster than security controls could adapt. The business wanted productivity gains now. Security reviews could wait. Except now the attack surface is wide open.
Google's 100,000 Red Flags
The Check Point research didn't drop in isolation. Around the same time, Google disclosed that they've identified over 100,000 prompts suspected of attempting to extract Gemini's proprietary reasoning through model extraction attacks.
That's not 100,000 attacks over a year. That's the detected volume of a single attack category against a single AI platform.
The pattern is clear: AI systems aren't just productivity tools anymore. They're attack surfaces. They're infrastructure. And like all infrastructure, they need to be governed, monitored, and included in your threat model.
Stoll would recognize this immediately. The systems everyone trusts are exactly the systems worth compromising.
What Your Security Program Needs — Now
I'm not going to tell you to stop using AI tools. That ship has sailed, and frankly, the productivity gains are real. But you need to treat AI assistants as what they are: network-connected software with external data access running inside your security boundary.
Here's the practical checklist I'm walking my clients through right now:
1. Inventory Your AI Tools
You can't secure what you don't know about. Build a complete inventory of every AI tool with network access in your environment — sanctioned and shadow IT. This includes browser extensions, IDE integrations, and embedded copilots in SaaS products. Most organizations I audit are shocked by how many AI tools have quietly been adopted across departments.
2. Map Data Flows
For each AI tool: What data can it access? What external URLs can it fetch? Where do responses go? Can it execute actions (send emails, modify files, trigger workflows)? If an AI assistant can browse the web from inside your network, it can be turned into a relay. Document these data flows the same way you'd document any other system integration.
3. Lock Down Access and Boundaries
Treat AI tools like any other network-connected application:
- Least privilege: Add AI tools to your access control matrix. They should only reach the data and systems their users actually need — not everything the user's SSO token grants.
- URL filtering: Treat AI web browsing as a boundary crossing. Apply the same URL filtering and DLP controls you'd apply to any other outbound channel. If Copilot doesn't need to fetch arbitrary URLs, don't let it.
- Dedicated monitoring: Log AI tool traffic separately. What URLs are fetched, what data is sent, what comes back. Your SIEM should have rules specifically for anomalous AI assistant behavior — not just generic web traffic alerts.
- Threat modeling: Include AI tools in your risk assessments. The Check Point research gives you a concrete, citable threat scenario to justify the investment.
4. Segment AI Tool Traffic
Consider network segmentation for AI tool traffic. If Copilot doesn't need to fetch arbitrary URLs to do its job in your environment, restrict it. Allowlisting is more work than blocklisting, but it's the only approach that would have caught the C2 relay technique Check Point demonstrated. Proxy AI web requests through a controlled gateway where you can inspect and log them.
5. Build an AI Incident Response Playbook
What happens when you detect suspicious AI tool behavior? Most IR playbooks don't cover this scenario yet. Define the triggers (unusual URL patterns, data exfiltration indicators, anomalous usage times), the containment steps (disable the tool, revoke tokens, isolate the endpoint), and the investigation process. Run a tabletop exercise using the Check Point C2 proxy scenario. You'll be surprised how many gaps surface.
The Question That Matters
Cliff Stoll caught his cuckoo because he paid attention to a tiny anomaly that everyone else dismissed. He was curious, methodical, and stubborn enough to follow a 75-cent thread until it unraveled a KGB espionage operation.
The 2026 version of that question is simpler but just as important: Who is watching your AI tools closely enough to notice when something is wrong?
If you don't have a good answer, you're not alone. But the research is public, the techniques are documented, and the clock is ticking before this moves from proof-of-concept to in-the-wild exploitation.
The cuckoo is patient. It always has been.
Is Your AI Stack a Backdoor?
Take our 3-minute self-assessment to identify AI governance gaps in your security program — before your auditor does.
Take the Assessment →Peter Hallen is a fractional CISO who helps growing companies build security programs that actually work — not just pass audits. If the Check Point research has you rethinking your AI security posture, let's talk.