As AI reshapes the nature and methods behind cyberattacks, Anthropic set out to examine how well existing security frameworks hold up. In a recent report, the company analyzed 832 accounts banned for malicious cyber activity between March 2025 and March 2026, mapping them onto MITRE ATT&CK, a well-established database of attacker tactics and techniques. Some of these findings were published in Verizon's 2026 Data Breach Investigations Report (DBIR), with a more detailed breakdown shared separately. These 832 cases represent a subset of total bans during the period-specifically those where enough detail was available for a thorough assessment.
Three key conclusions emerged from the analysis:
- Malicious actors are leveraging AI in ways that make them more dangerous-specifically by applying it to the later, more complex stages of cyber operations.
- Cyberattacks are becoming increasingly autonomous, and AI's ability to chain together multiple attack stages means traditional methods of distinguishing high- from low-risk actors are losing effectiveness.
- The MITRE ATT&CK framework does not fully capture the tools and behaviors that make AI-enabled attackers particularly dangerous.
How AI Increases Attacker Capability
The most frequent AI-enabled activity observed involved attack preparation, such as writing malware-560 of the 832 accounts (67.3%) used AI for this purpose. A smaller but notable group employed AI for more advanced tasks; for instance, 54 actors (6.5%) used AI to assist with "lateral movement," the process of navigating deep inside a compromised network.
Evidence suggests AI is elevating the overall threat level of attackers. In the first six months of the analysis, 33% of actors were classified as medium risk or higher by Anthropic's risk-scoring system. By the second six months, that figure had jumped to 56%-roughly a 1.7-fold increase.
Over the study period, attackers' AI usage shifted from techniques for gaining initial system access toward activities conducted once already inside a system. For example, AI-assisted account discovery-identifying valid accounts within a compromised environment-rose 8.9%, while AI-assisted phishing, a common initial access technique, fell 8.6%. This indicates attackers are increasingly applying AI deeper in the attack life cycle.
These "post-compromise" techniques were historically limited to actors with significant technical expertise. Anthropic's investigation shows that AI can now perform these activities on behalf of less sophisticated actors.
Assessing an Actor's Threat Level Has Become More Difficult
Security teams have traditionally assessed cyberattacker risk using signals like the number of different techniques employed and what tools or interfaces are used. However, Anthropic's analysis suggests these indicators no longer paint an accurate picture.
Because AI can perform highly technical tasks on an actor's behalf, there is little correlation between skill level and technique count: the least-skilled actors in the dataset used roughly 16 distinct techniques on average, while the most skilled used about 20. Similarly, the specific platform used-Claude Code, an API, or a chat interface-did not correlate with risk level.
Even operational technique usage as a signal is eroding: as more actors get classified at higher risk levels, those techniques are becoming widespread. The more durable differentiator is the type of scaffolding attackers build around the model-higher-risk actors design architectures that allow models to chain together discrete attack stages and execute them with minimal human input.
Security Frameworks Need to Evolve
Many behaviors distinguishing the highest-risk actors-such as using AI to orchestrate attack steps sequentially, make real-time tactical decisions, and execute without human intervention-are not yet represented as attacker techniques in the MITRE ATT&CK framework.
Consider the state-sponsored cyber espionage operation Anthropic disrupted in November 2025. In that case, a malicious actor manipulated Claude Code into attempting to infiltrate targets around the world with minimal human involvement. Mapping it against MITRE ATT&CK showed the actor used 30 techniques across 13 tactics, comparable to many medium-risk actors in the dataset. Focusing on technique count alone clearly underplays the true danger of such an actor (by contrast, Anthropic's risk-scoring methodology assigned this attack the maximum score of 100).
In that attack, the model operated as an autonomous agent: executing commands, exploiting vulnerabilities, stealing credentials, and making tactical decisions, requiring human input only at a few key moments. There is currently no ATT&CK ID for this type of agentic orchestration-yet these are precisely the behaviors expected to become more common as AI agents grow more capable.
What Comes Next
Findings from this analysis have informed the safeguards Anthropic builds into its models. For example, the company has developed and deployed cyber safeguards on its most capable models to detect and block activities like malware development or mass data exfiltration. Following the collaboration with Verizon, Anthropic is also in discussions with MITRE about evolving the ATT&CK framework to include the AI-enabled behaviors observed.
Frontier models are rapidly changing the tools available to both attackers and defenders. Anthropic says it is committed to helping defenders stay ahead of evolving tactics and to putting the most powerful tools in defenders' hands first. The company plans to continue sharing learnings from Project Glasswing, from datasets like the one gathered for this analysis, and from its other cybersecurity activities.
An interactive visualization of the attacker techniques identified is available on Anthropic's Red Team blog to help defenders stay ahead of AI-enabled threats.