What the First LLM-Driven Intrusion Means for SOC Reporting Workflows
Cyber Threats & Security, Humans & AI
Indago Team


On May 10, 2026, Sysdig documented the first known intrusion in which an LLM agent drove every decision in the post-exploitation phase — from initial access to a fully exfiltrated internal database — in under sixty minutes. This post breaks down what actually happened, why it represents a genuine category shift in the threat landscape, and what it means for the SOC reporting workflows that were built for a slower kind of adversary.
