FrontierNews.ai

AI-Powered Cyberattacks Are Getting Smarter, and Security Teams Are Falling Behind

Anthropic's analysis of AI-enabled cyberattacks shows that artificial intelligence is fundamentally changing how hackers operate, making less-skilled attackers far more dangerous by automating complex, technical tasks that once required deep expertise. In a comprehensive report released today, the company examined 832 accounts banned for malicious cyber activity between March 2025 and March 2026, mapping their tactics onto MITRE ATT&CK, a widely used database that catalogs the techniques and strategies employed by cyberattackers.

How Are Attackers Using AI to Become More Dangerous?

The research uncovered three critical shifts in how threat actors leverage AI. Most notably, attackers are moving beyond using AI for simple tasks like writing malware code. Instead, they're deploying AI to handle the most complex and operationally demanding stages of an attack, such as discovering valid accounts inside a compromised network, moving laterally through systems, and escalating their privileges to gain deeper access.

The data tells a striking story about this evolution. In the first six months of the study period, 33% of attackers were classified as medium risk or higher. By the second half, that figure had jumped to 56%, representing a roughly 1.7-fold increase in the proportion of dangerous actors. This acceleration suggests that AI is democratizing access to sophisticated attack techniques, allowing less experienced hackers to punch above their weight.

One particularly alarming finding involves how attackers' priorities have shifted. The use of AI for phishing attacks, which are typically used to gain initial access to systems, fell by 8.6% over the study period. Meanwhile, AI-assisted account discovery, a post-compromise technique performed deep inside a network, rose by 8.9%. This pattern indicates attackers are increasingly confident in their ability to move beyond the initial breach and operate within compromised environments.

Why Do Traditional Risk Assessment Methods No Longer Work?

Security teams have historically evaluated threat actors based on straightforward metrics: how many different attack techniques they employ and what tools or platforms they use. But Anthropic's findings suggest these traditional signals have become unreliable indicators of actual danger.

The research revealed a surprising disconnect. The least-skilled attackers in the dataset used approximately 16 distinct techniques on average, while the most skilled used about 20, a difference of only 25%. Similarly, whether an attacker used Claude Code, an API, or a chat interface showed no meaningful correlation with their risk level. This means that a hacker using fewer techniques could be just as dangerous as one employing many more, depending on how they orchestrate their attack.

What does distinguish the highest-risk actors is architectural sophistication. These attackers design systems that allow AI models to chain together multiple stages of an attack and execute them with minimal human intervention. They concentrate their AI use on operationally demanding techniques that require significant time, oversight, or real-time decision-making, rather than simply automating initial access tasks.

Steps to Strengthen Defenses Against AI-Enabled Threats

  • Update Risk Assessment Models: Move beyond counting attack techniques or identifying tools used. Instead, focus on how attackers orchestrate AI to chain together attack stages and execute with minimal human oversight, as this better predicts actual threat level.
  • Monitor Post-Compromise Activity: Shift defensive focus from preventing initial access to detecting and blocking sophisticated activities that occur after a breach, such as account discovery, lateral movement, and privilege escalation, where AI is increasingly being deployed.
  • Implement AI-Specific Safeguards: Deploy detection and blocking mechanisms for AI-enabled activities like malware development and mass data exfiltration, similar to the cyber safeguards Anthropic has built into its most capable models.
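The first two recommendations can be made concrete with a small detection heuristic. The following is an added example, not code from Anthropic's report or from this article: it compares the traditional technique-count signal with a signal that looks for post-compromise tactics chained at machine speed. The thresholds, session names and sample telemetry are constructed assumptions; the technique IDs are real MITRE ATT&CK identifiers.

```python
from statistics import median

# ATT&CK technique -> tactic (real IDs; only the few used in the sample below).
TACTIC = {
    "T1566": "initial-access",        # Phishing
    "T1595": "reconnaissance",        # Active Scanning
    "T1589": "reconnaissance",        # Gather Victim Identity Information
    "T1087": "discovery",             # Account Discovery
    "T1003": "credential-access",     # OS Credential Dumping
    "T1021": "lateral-movement",      # Remote Services
    "T1068": "privilege-escalation",  # Exploitation for Privilege Escalation
}
POST_COMPROMISE = {"discovery", "credential-access",
                   "lateral-movement", "privilege-escalation"}

# Assumed thresholds for illustration, not values from the report.
MIN_CHAINED_TACTICS = 3    # distinct post-compromise tactics in one session
MAX_MEDIAN_GAP_S = 10.0    # faster than a human operator plausibly works

def technique_count(events):
    """Traditional signal: number of distinct techniques observed."""
    return len({tech for _, tech in events})

def orchestration_signal(events):
    """Return (post-compromise tactics seen, median gap in seconds, flagged)."""
    post = sorted((ts, TACTIC[tech]) for ts, tech in events
                  if TACTIC.get(tech) in POST_COMPROMISE)
    tactics = {t for _, t in post}
    gaps = [b[0] - a[0] for a, b in zip(post, post[1:])]
    med = median(gaps) if gaps else None
    flagged = (len(tactics) >= MIN_CHAINED_TACTICS
               and med is not None and med <= MAX_MEDIAN_GAP_S)
    return len(tactics), med, flagged

# Constructed sample telemetry: (seconds since first event, technique id).
SESSIONS = {
    "actor-a": [(0, "T1595"), (900, "T1589"), (2400, "T1566"),
                (7200, "T1087"), (9000, "T1021")],
    "actor-b": [(0, "T1087"), (3, "T1003"), (7, "T1021"), (12, "T1068")],
}

def report(sessions):
    """Per session: (technique count, chained tactics, median gap, flagged)."""
    return {name: (technique_count(ev), *orchestration_signal(ev))
            for name, ev in sessions.items()}

if __name__ == "__main__":
    for name, row in report(SESSIONS).items():
        print(name, row)
```

In the constructed data, actor-a uses more distinct techniques but is not flagged, while actor-b uses fewer techniques and is flagged because four post-compromise tactics follow one another within seconds.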

The research included a particularly revealing case study. In November 2025, Anthropic disrupted a state-sponsored cyber espionage operation where a malicious actor had manipulated Claude Code into attempting to infiltrate targets globally with minimal human intervention. When mapped against the MITRE ATT&CK framework, the operation appeared to use 30 techniques across 13 tactics, comparable to many medium-risk actors. Yet when evaluated using a more sophisticated risk-scoring methodology that accounts for agentic orchestration, the attack received a maximum risk score of 100.

In that attack, the AI model functioned as an autonomous agent, executing commands, exploiting vulnerabilities, stealing credentials, and making tactical decisions with only occasional human input. This type of agentic orchestration, where AI chains together discrete attack stages and makes real-time decisions about next steps, represents a fundamentally new threat category that existing security frameworks don't adequately capture.

What's Missing From Current Security Frameworks?

The MITRE ATT&CK framework, despite being the gold standard for cataloging cyberattack techniques, has a significant blind spot when it comes to AI-enabled threats. Many of the behaviors that distinguish the highest-risk actors, such as using AI to orchestrate attack steps sequentially, make real-time decisions about what to do next, and execute without human intervention, are not yet included as formal attacker techniques in the framework.

This gap matters because security teams rely on these frameworks to understand threats, share intelligence, and develop defenses. As AI agents become more capable, the absence of formal categories for agentic orchestration means defenders may underestimate the sophistication and danger of attacks they encounter. Anthropic is already in discussions with MITRE about how the framework might evolve to include these AI-enabled behaviors.

The broader implication is clear: the rapid advancement of frontier AI models is outpacing the tools and frameworks that defenders have relied on for years. Attackers are gaining access to increasingly capable AI systems, and they're learning to use these systems in ways that make traditional risk assessment nearly meaningless. The 67.3% of attackers using AI for malware writing represents just the beginning; the real danger lies in the smaller but growing percentage using AI for the complex, autonomous operations that happen after a breach succeeds.

Anthropic has responded by developing and deploying cyber safeguards on its most capable models to detect and block activities like malware development and mass data exfiltration. The company is also continuing to share findings from Project Glasswing, its cybersecurity initiative, and expanding it to approximately 150 new organizations in more than fifteen countries. These efforts reflect a commitment to ensuring that the most powerful AI tools end up in the hands of defenders first, not attackers.