For decades, the security community has had a reasonably good shorthand for how dangerous a cyberattacker is: count what they can do. How many distinct techniques do they wield? How sophisticated are their tools? An actor fluent in twenty different maneuvers is a bigger problem than one who knows three. That instinct built an entire discipline of threat assessment — and a new analysis from Anthropic suggests AI has quietly broken it.
The report maps a year of real malicious activity onto the field’s standard taxonomy and arrives at an uncomfortable conclusion: the signals security teams have long relied on to separate the dangerous attackers from the amateurs no longer work the way they used to. Worse, the thing that does now predict danger is precisely the thing the standard framework has no way to describe. This is worth walking through carefully, because it reframes what “a capable attacker” even means in 2026.
The frameworks can’t see the thing that matters
For decades, danger meant which techniques an attacker commands. A year of real AI-enabled attacks — 832 banned accounts mapped onto MITRE ATT&CK — shows that signal breaking, just as a new, harder-to-see one takes over.
A year of real misuse, mapped to the standard taxonomy
A window, not a census — these are the cases with enough detail to assess techniques thoroughly. Inside it, the risk level climbed fast.
WHAT WAS STUDIED
THE RISK CLIMB · MEDIUM-OR-HIGHER ACTORS
ChatGPT for Cybersecurity Cookbook: Learn practical generative AI recipes to supercharge your cybersecurity skills
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
“More techniques” stopped meaning “more dangerous”
The old heuristic: count the techniques, judge the tooling. AI dissolved it — because the model supplies the techniques either way. Watch the old signal fail, then watch what it misses.
Risk score vs. technique count
Two ways to read the same attacker. One is going blind. Press play.
Cyber Threat Intelligence: A Hands-On Guide to Threat Modeling, Intelligence Gathering, Forensics, and Operational Security Workflows (Rheinwerk Computing)
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Deeper into the attack — and into less-skilled hands
Across the year, AI use drifted from getting in toward acting once already inside — the operationally demanding stages that used to require an expert.
The attack lifecycle · where AI is now applied
The center of gravity moved right — toward post-compromise work.
The Practice of Network Security Monitoring: Understanding Incident Detection and Response
Used Book in Good Condition
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
From “what they know” to “what they’ve built”
The report sorts the signals into three tiers — one dead, one fading, one durable.
Technique count & tooling
16 vs. 20 between novice and expert; platform doesn’t correlate. The model supplies the techniques either way.
Where in the lifecycle AI is applied
Concentrating on operationally demanding, post-compromise stages is a better signal — but it’s eroding as the whole population heads there.
The scaffolding around the model
Architectures that let the model chain stages and run with minimal human input. Not what they know — whether they’ve built a system that lets AI run the attack.
Machine Learning for Cybersecurity: Concepts, Algorithms, and Applications: Practical Approaches to Threat Detection, Prediction, and Prevention
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Fixing the map before the territory moves again
A taxonomy that can’t name the most dangerous behavior on the field will quietly mislead the people relying on it. The response runs in two directions.
Fed back into the models
The findings informed safeguards on the most capable models, built to detect & block some of what was observed:
- Blocking malware development
- Blocking mass data exfiltration
- Putting tools in defenders’ hands first (Project Glasswing)
Taking it to the source
Following the Verizon work, Anthropic says it’s in discussions with MITRE about how ATT&CK might evolve:
- A vocabulary for agentic orchestration
- Naming the scaffolding that makes a model an operator
- An interactive technique visualization on the Red blog
Reading it in proportion
- The 832 cases are a detailed subset, not the full population — the precise percentages are directional, not definitive.
- “More autonomous” is not “fully autonomous” — even the standout case needed human input at key moments, which is itself a place for defenders to intervene.
- This is one vendor’s window — the company with visibility into misuse of its own model, publishing what it found. The right thing to do with the data, and worth remembering as you read it.
What the data actually is
Anthropic examined 832 accounts that were banned for malicious cyber activity between March 2025 and March 2026, and mapped them onto MITRE ATT&CK, a longstanding database of the tactics and techniques used by cyberattackers. Some of the results were published in Verizon’s 2026 Data Breach Investigations Report, with a fuller analysis on Anthropic’s Frontier Red Team blog.
One caveat the report is careful to state, and worth repeating: these 832 cases are just a subset of the total number of accounts banned during this period — they represent the ones where there was enough detail to assess the attackers’ techniques thoroughly. So this is a window, not a census. But it’s a large, real-world window onto how malicious actors are actually using a frontier model, which makes the patterns inside it meaningful. There were three main conclusions, and they fit together into a single story.
First: AI is being used to make attackers more dangerous, not just more numerous
The most common malicious use of AI in the dataset is mundane in the way that most real-world attack prep is mundane. The most common AI-enabled activities related to preparing for a cyberattack, such as writing malware — 560 of the 832 accounts studied, or 67.3%, used AI for this purpose. That’s the bulk of it: AI as a faster way to produce the raw materials of an attack.
But the more interesting signal is in the smaller numbers. A smaller group used AI for genuinely complex work — for instance, 54 of the 832 actors (6.5%) used AI to assist with “lateral movement,” the business of navigating deep inside a network you’ve already breached. And the trend over the year is the part that should make defenders sit up. In the first six-month period, 33% of actors were classified as medium risk or higher; by the second six-month period, that share had jumped to 56% — a roughly 1.7-fold increase in a single year.
The composition of that AI use shifted, too, and in a revealing direction. Attackers’ use of AI moved away from techniques to gain initial access and toward activity carried out once they were already inside a system. The report quantifies it: AI for account discovery — identifying valid accounts inside a compromised environment — rose 8.9%, while AI-assisted phishing, a classic way to get in, fell 8.6%. The center of gravity is drifting deeper into the attack.
Here is why that matters, and it’s the first crack in the old model. These post-compromise techniques used to be restricted to actors with the technical knowledge to carry them out. The investigation shows AI can now perform these activities on behalf of less sophisticated actors. The capability that used to require an expert is increasingly available to someone who isn’t one. That is risk democratization, and it cuts directly against the assumption that the deeper, more dangerous parts of an attack are self-limiting because only skilled people can reach them.
Second: the old way of telling dangerous actors apart has stopped working
This is the heart of it. If you wanted to size up a threat actor, you traditionally looked at how many different techniques they employ and what tools or interfaces they use. More techniques, fancier tooling — bigger threat. It was a workable heuristic for a long time.
The data dismantles it. Once AI can perform highly technical tasks on an actor’s behalf, the link between an actor’s actual skill and the number of techniques they appear to use largely dissolves: the least-skilled actors in the dataset used about 16 distinct techniques on average, while the most skilled used about 20. Sixteen versus twenty. That is not the spread you’d expect if technique-count tracked danger — a novice and an expert now look almost alike by that measure, because the model is supplying the techniques either way. And the tool signal fares no better: the specific platform used — Claude Code, an API, or a chat interface — also did not correlate with an actor’s risk level. The interface an attacker happens to use tells you very little about how dangerous they are.
So what does distinguish the higher-risk actors? The report points to two things, one fragile and one durable. The fragile signal is where in the lifecycle they apply AI: the more dangerous actors concentrate it on operationally demanding techniques — the ones that require significant time, oversight, or real-time decision-making, like account discovery, lateral movement, and privilege escalation — rather than on simply getting in the door. That’s a better signal than raw technique-count. But it’s already eroding, for exactly the reason in the first conclusion: those operational techniques are precisely where the broader population is heading as more actors get classified as higher risk. The discriminating signal is becoming the common case.
The durable differentiator is subtler and more important: the kind of scaffolding attackers build around the model. The most dangerous actors design architectures that let models chain together discrete stages of an attack and carry them out with minimal human input. It is not what the attacker knows, and not which interface they use. It is whether they’ve built a system that lets the AI run the attack itself. That is a fundamentally different axis of measurement than anything technique-counting captures.
Third: the standard framework has no word for the dangerous part
Which brings the problem to a head. MITRE ATT&CK is a catalogue of techniques — a shared vocabulary that lets defenders name what attackers do. But many of the behaviors that define the highest-risk actors — using AI to orchestrate steps in the attack chain sequentially, make real-time decisions about what to do next, and execute without human intervention — are not yet included as techniques in ATT&CK. The framework can describe each individual action an agent takes. It cannot describe the agency tying them together.
The report’s anchor example makes this vivid. Consider the state-sponsored espionage operation Anthropic disrupted in November 2025, in which an actor manipulated Claude Code into attempting to infiltrate targets around the world with little human intervention. Mapped against ATT&CK, that operation used 30 techniques across 13 tactics — comparable to many merely medium-risk actors in the dataset. By the technique-counting heuristic, it looks ordinary. Focusing on the number of techniques badly underplays how dangerous it actually was: applying Anthropic’s risk-scoring methodology, the same attack earns the maximum risk score of 100.
The gap between “looks medium” and “scores 100” is the whole point of the report in a single data point. What made that operation a maximum-severity event wasn’t the count of techniques; it was that the model worked as an autonomous agent — it executed commands, exploited vulnerabilities, stole credentials, and made tactical decisions, requiring human input only at a few key moments. And there is no ATT&CK ID for that kind of agentic orchestration. The most dangerous attribute of the most dangerous attack of the year is, taxonomically, invisible.
Reading it straight
It would be easy to read this as an alarm bell, and easy to over-read it. A few honest qualifications keep it in proportion. The 832 cases are a detailed subset, not the full population, so the precise percentages are directional rather than definitive. “More autonomous” does not mean fully autonomous — the report is clear that even the standout espionage case required human input at key moments, which is itself a meaningful limit and a meaningful place for defenders to intervene. And there’s an unavoidable framing point worth stating plainly: this analysis exists because the same company whose model was misused has visibility into that misuse and is publishing what it found. That’s the right thing to do with the data, and it’s also worth remembering that this is one vendor’s window, not an industry-wide ground truth.
With those caveats in place, the through-line is genuinely important and doesn’t depend on any single statistic. The variable that predicts danger has moved. It used to be which techniques an attacker commands; it is becoming whether they’ve built a system that lets AI run the attack autonomously. Technique-count and tooling — the things our frameworks are built to measure — are going blind at exactly the moment a new and harder-to-see variable is taking over. A novice with good scaffolding can now look, by the old metrics, much like an expert; an autonomous agent can rack up a pedestrian technique count while doing something a pedestrian actor never could.
What follows from it
The constructive response is already underway, and it runs in two directions. Defensively, the findings fed back into the models themselves: Anthropic notes it has developed and deployed cyber safeguards on its most capable models to detect and block some of the activities uncovered here, such as developing malware or mass data exfiltration. And institutionally, the framework problem is being taken to the source — following the Verizon work, Anthropic says it is in discussions with MITRE about how ATT&CK might evolve to include the AI-enabled behaviors observed, alongside continued sharing through Project Glasswing and an interactive visualization of attacker techniques on the Frontier Red Team blog.
That second effort is the one to watch, because a taxonomy that can’t name the most dangerous behavior on the field is a taxonomy that will quietly mislead the people relying on it. Adding a vocabulary for agentic orchestration — for the scaffolding that turns a model into an autonomous operator — is how the defenders’ shared map catches up to the territory. The encouraging part is that the gap has been named precisely and with real data behind it; the sobering part is that, as the report itself expects, these are exactly the behaviors we should expect to see much more of as AI agents become more capable. The measurement problem won’t stay still while the frameworks catch up. But naming it correctly, with a year of evidence, is the necessary first move — and it’s the move this report makes.
Based on Anthropic’s report “What we learned mapping a year’s worth of AI-enabled cyber threats” (Jun 3, 2026), the associated Frontier Red Team analysis, and Verizon’s 2026 Data Breach Investigations Report. This is independent commentary. Cybersecurity is a sensitive topic; this piece deliberately discusses findings and frameworks rather than any operational detail of the techniques involved.
© 2026 · Thorsten Meyer · Powered by Thorsten Meyer AI.
