MILBERT.AI Hunts and Kills MFA Bypass Attacks in Real Time

James McMurry, founder of ThreatHunter.ai and creator of MILBERT.AI (and co-founder of VETCON), has built the first agentic AI system that detects and stops these advanced adversary-in-the-middle attacks during the authentication process, not hours or days later.

The Authentication Layer Is Broken

Security architectures make a dangerous assumption: that any session token issued after MFA is trustworthy. Attackers exploit this by placing reverse proxies between the user and authentication service, stealing both credentials and tokens while keeping the login flow looking legitimate.

“If you think MFA makes you safe, you’re already compromised,” said McMurry. “MILBERT hunts the threats your security tools can’t even see.”

Recent Microsoft Threat Intelligence reporting confirms that Void Blizzard successfully compromised over 20 NATO-aligned organizations using these tactics, stealing huge volumes of email and files while MFA systems happily displayed “successful authentication” statuses.

MILBERT’s Agentic Defense Architecture

MILBERT integrates directly with identity providers like Azure AD and Okta, embedding agentic AI reasoning into the authentication layer itself. It detects and responds in seconds by correlating behavioral patterns, technical indicators, and real-time threat intelligence that legacy systems ignore.

Core capabilities include:

• Real-Time Session Token Analysis to detect proxy manipulation and relay attacks
• Advanced Browser Fingerprinting to identify spoofed or inconsistent execution environments
• Behavioral Baseline Enforcement to catch subtle anomalies in user activity
• Autonomous Threat Response to kill compromised sessions instantly and block attacker infrastructure
• Multi-Source Threat Intelligence Fusion from hundreds of feeds plus proprietary research

Proven in Live Attacks

Early deployments show MILBERT detecting novel attacks within seconds and blocking them before any lateral movement, with detection rates over 80% and false positives under 1%. Unlike SIEMs, EDR, or email gateways, MILBERT operates at the authentication layer, exactly where attackers now focus.

In one deployment at a major entertainment company, MILBERT identified an active compromise on 23 accounts within minutes of activating MILBERT. The breaches had been ongoing for over 45 days, completely undetected despite the organization’s implementation of what they considered industry best practices, including comprehensive MFA deployment across all systems. Their existing security stack, SIEM, outsourced MDR and email security, had missed the compromises entirely, with nary a whisper.

“MILBERT.ai is like putting a veteran security analyst inside every login attempt,” McMurry said. “It thinks, decides, and acts before an attacker can touch your data.”

Deploy in Hours, Defend Immediately

MILBERT is a cloud-native SaaS platform that integrates through standard SAML/OIDC protocols with minimal configuration. It scales automatically from mid-market to global enterprises without performance loss. Introductory pricing starts at $5,000 annually, making enterprise-grade identity protection accessible to organizations of any size.

ThreatHunter.ai has published a 30-page technical paper, MILBERT: Agentic AI Defense Against Advanced Credential Theft, detailing real-world campaign forensics and detection methodologies against state-sponsored threat groups.

Meet MILBERT in Las Vegas

McMurry will be available for technical demonstrations during DEFCON, and at VETCON, the veteran-led cybersecurity event he co-founded to assist veterans and active duty military personnel transitioning into the cybersecurity industry. Security professionals, media, and conference attendees can visit VETCON at DEFCON, held at the Las Vegas Convention Center, to see MILBERT’s architecture and real-world detections firsthand and speak with McMurry in person.