Subscribe to the Non-Human & AI Identity Journal
Home Glossary Threats, Abuse & Incident Response Command-and-control
Threats, Abuse & Incident Response

Command-and-control

← Back to Glossary
By NHI Mgmt Group Updated July 8, 2026 Domain: Threats, Abuse & Incident Response

Command-and-control is the communication channel an attacker uses to issue instructions to malware and receive results back from a compromised host. For XWorm, the channel is encrypted and used for session management, payload delivery, surveillance, and modular expansion of capabilities after compromise.

Expanded Definition

Command-and-control, often abbreviated C2 or C&C, is the bidirectional communication path that lets an adversary direct malware, collect results, and adapt operations after compromise. In the NHI context, it matters because the same mechanics that support legitimate orchestration, remote administration, and agent coordination can be abused once an AI agent, workload identity, or service account is taken over.

Definitions vary across vendors on whether C2 refers only to attacker infrastructure or also to the command transport itself. For NHI governance, the useful boundary is operational: if an identity can receive instructions, fetch payloads, or exfiltrate outputs over a persistent channel, that channel deserves C2 scrutiny. This aligns with broader identity and resilience thinking in the NIST Cybersecurity Framework 2.0, especially around monitoring, response, and recovery.

Command-and-control is commonly misapplied when teams treat outbound connectivity as normal application traffic and fail to distinguish scheduled automation from covert remote instruction paths.

Examples and Use Cases

Implementing C2 controls rigorously often introduces latency and inspection overhead, requiring organisations to weigh detection depth against the operational friction of tightly governed outbound communications.

  • An infected service account uses encrypted HTTPS beacons to poll for commands, blending into ordinary egress and hiding tasking from basic firewall logs.
  • An AI agent with tool access receives instructions through a remote orchestration channel, and attackers abuse that path to issue unauthorized actions after credential theft.
  • A compromised build runner reaches out to attacker infrastructure to download the next-stage payload, illustrating why pipeline identities need the same scrutiny as production identities. See Ultimate Guide to NHIs — Standards.
  • Phishing or secret exposure gives an adversary control over an API key, then the key is used as the C2 foothold for data collection, lateral movement, and persistence.
  • Security teams compare suspicious outbound patterns with guidance from the NIST Cybersecurity Framework 2.0 to separate legitimate automation from hostile command traffic.

Why It Matters in NHI Security

C2 is where identity compromise becomes active operations. Once a non-human identity is being used to receive instructions, the issue is no longer only credential theft; it becomes control of an execution path. That is why NHI Management Group emphasizes lifecycle controls, egress visibility, and rapid revocation in its Ultimate Guide to NHIs — Standards. The risk is amplified by the fact that 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, making it easier for attackers to obtain the keys needed to establish or sustain C2.

In practice, C2 exposure often reveals broader governance failures: excessive privileges, weak rotation, and poor visibility into service accounts. If a compromised identity can call home freely, the attacker gains a durable control plane for surveillance, persistence, and modular expansion of capability. Organisations typically encounter the full operational cost only after anomalous egress, token abuse, or agent misuse has already triggered incident response, at which point command-and-control becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-07C2 abuse relies on stolen NHI credentials and persistence channels.
NIST CSF 2.0DE.CMC2 is surfaced through anomalous communications and monitoring failures.
OWASP Agentic AI Top 10AI-05Agentic systems can be hijacked through their command transport and tool invocation paths.

Detect and constrain outbound control paths tied to compromised NHIs and review them for misuse.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org