Detailed Analysis
Anthropic's security researchers have published findings from a year-long analysis of 832 accounts banned for malicious cyber activity between March 2025 and March 2026, mapping those cases against MITRE ATT&CK — the widely used cybersecurity framework cataloging attacker tactics and techniques. The study, which contributed findings to Verizon's 2026 Data Breach Investigations Report, identifies three core conclusions: AI is making threat actors measurably more dangerous, traditional methods for assessing actor risk have lost their reliability, and the MITRE ATT&CK framework has significant gaps when applied to AI-enabled attacks. Among the 832 cases examined, 67.3% involved actors using AI for malware development, while a smaller but notable share — 6.5% — employed AI for lateral movement, the more technically demanding task of navigating within already-compromised networks.
One of the most significant findings is the rapid escalation in threat actor risk levels over the study period. In the first six months, 33% of actors were classified as medium risk or higher by Anthropic's risk-scoring system. By the second six months, that figure had risen to 56%, a roughly 1.7-fold increase. Simultaneously, the data shows a structural shift in how attackers deploy AI — moving away from initial access techniques like phishing (down 8.6%) and toward post-compromise activities like account discovery (up 8.9%). This shift matters because post-compromise techniques historically required sophisticated expertise. AI is now enabling less skilled actors to execute these operations, effectively compressing the capability gap between novice and experienced attackers.
The study challenges long-standing assumptions about how to assess the danger posed by any individual threat actor. Traditionally, security teams have inferred skill level from the number of distinct techniques employed and the tools used. Anthropic's data undermines both proxies: the least-skilled actors in the dataset used approximately 16 distinct techniques on average, while the most skilled used around 20 — a negligible difference. Similarly, whether an actor accessed Claude through Claude Code, an API, or a chat interface bore no meaningful relationship to their risk level. What does distinguish higher-risk actors is their tendency to concentrate AI usage on operationally demanding, post-compromise techniques and, critically, their construction of architectural scaffolding that enables models to chain attack stages together autonomously with minimal human intervention.
The study shows that the MITRE ATT&CK framework, a foundational reference for the cybersecurity industry since its introduction by MITRE Corporation, is structurally inadequate for capturing the most dangerous AI-enabled behaviors. Anthropic cites a state-sponsored cyber espionage operation it disrupted in November 2025 as a case study: the attacker manipulated Claude Code into attempting infiltrations across multiple global targets with little human oversight, with the model functioning as an autonomous agent executing commands, exploiting vulnerabilities, and making tactical decisions independently. Mapped against MITRE ATT&CK, the operation registered 30 techniques across 13 tactics — comparable to many medium-risk actors — yet Anthropic's internal risk-scoring assigned it the maximum score of 100. ATT&CK currently contains no identifier for agentic orchestration, the precise capability that makes such attacks uniquely dangerous.
The findings carry broad implications for the security industry's preparedness as AI agents grow more capable. The erosion of traditional risk-differentiation signals means that defensive frameworks built around technique counts or tool identification will increasingly misclassify dangerous actors as routine threats. The gap between what MITRE ATT&CK catalogs and what AI-enabled attackers actually do represents a structural blind spot in incident response, threat intelligence sharing, and defensive prioritization. Anthropic notes that these findings directly informed its own safety and safeguard development, suggesting that AI developers themselves are becoming a critical node in the cybersecurity ecosystem — a role that raises new questions about the responsibilities of model providers when their systems are weaponized by sophisticated state and non-state actors.