Anthropic study reports on AI use in cyber attacks

Anthropic has released a report of a study mapping a year’s worth of AI-enabled cyberthreats. The company says the study examined 832 accounts that were banned for malicious cyber activity between March 2025 and March 2026 and mapped them onto MITRE ATT&CK, a longstanding database of the tactics and techniques used by cyber attackers. Some of the results were published in Verizon’s 2026 Data Breach Investigations Report.

The 832 cases are only a subset of the total number of accounts banned during this period, but they represent those where Anthropic had enough detail to conduct a thorough assessment of the attackers’ techniques.

There were three main conclusions from the analysis:

1. Malicious actors are using AI in ways that make them more dangerous. More specifically, threat actors are using AI in the later, more complex stages of their cyber operations.
2. Cyber attacks are becoming more autonomous, and the fact that AI can be used to chain together many parts of the attack means that the old ways of differentiating high- from low-risk actors are no longer as effective.
3. The MITRE ATT&CK framework does not fully capture the tools and activities that make AI-enabled attackers so dangerous.

The most common AI-enabled activities in Anthropic’s database related to preparing for a cyber attack, such as writing malware (67.3% used AI for this purpose). A smaller number of actors use AI for more complex activities — for example, 6.5% used AI to assist with lateral movement, which involves navigating deep inside a compromised network.

Evidence was also found that was consistent with AI being used to help increase the threat level of attackers. In the first six-month period of analysis, 33% of actors were classified by Anthropic’s risk-scoring system as medium risk or higher, but by the second six-month period, that share had jumped to 56% — a roughly 1.7-fold increase.

Across the period studied, attackers’ use of AI shifted from techniques to gain initial access to a system towards activity carried out once they were inside the system. For example, the use of AI for account discovery — identifying valid accounts inside a compromised environment — rose 8.9%, while AI-assisted phishing — a common technique to gain access to a system — fell 8.6%. This suggests that attackers are increasingly applying AI deeper in the attack lifecycle.

These sorts of ‘post-compromise’ techniques used to be restricted to actors with the technical knowledge to carry them out. Anthropic’s investigation shows that AI can now be made to perform these activities on behalf of less sophisticated actors.

Now that AI can perform highly technical tasks on an actor’s behalf, there’s little correlation between the skill of a threat actor and how many techniques they use: the least-skilled actors in Anthropic’s dataset used about 16 distinct techniques on average, whereas the most skilled used about 20. Likewise, the specific platform used — Claude Code, an API, or a chat interface — also did not correlate with an actor’s risk level.

Why security frameworks need to change

Many of the behaviours that distinguish the highest-risk actors — such as the use of AI to orchestrate steps in the attack chain sequentially, make real-time decisions about what to do next, and execute without human intervention — are not yet included as attacker techniques in the MITRE ATT&CK framework.

Anthropic revealed it disrupted a state-sponsored cyber espionage operation in November 2025, in which a malicious actor manipulated Claude Code into attempting to infiltrate targets around the world with little human intervention. Mapping it against the MITRE ATT&CK framework shows that the actor used 30 techniques across 13 tactics, which was comparable to many medium-risk actors. In that attack, the model worked as an autonomous agent: it executed commands, exploited vulnerabilities, stole credentials and made tactical decisions, only requiring human input at a few key moments. There is no ATT&CK ID for this type of agentic orchestration — yet these are precisely the behaviours Anthropic expects to see much more of as AI agents become more capable.

More detail can be found in an Anthropic Red blog post here.

Image credit: iStock.com/ArtemisDiana