On June 3, Anthropic published a report dissecting a year of AI-assisted cyberattacks. The data: 832 accounts banned for malicious cyber activity between March 2025 and March 2026. Each case was mapped onto MITRE ATT&CK — the standard database security teams use to classify attacker techniques. Some of the findings fed into Verizon’s 2026 Data Breach Investigations Report.
Three Findings That Are Uncomfortable
The first: attackers increasingly use AI in the later, more complex stages of an attack. Sure, the most common use stays preparation — 67.3 percent of the studied accounts had AI help write malware. But the trend points inward: AI for ‘account discovery’ — finding valid accounts inside an already-compromised network — rose 8.9 percent, while AI-assisted phishing dropped 8.6 percent. In other words: the attackers are already inside, letting AI do the dirty work deeper in the system.
The second: attacks are becoming more autonomous. In the first six months, Anthropic’s risk scores flagged 33 percent of actors as medium risk or higher. In the second six months it was 56 percent — close to a doubling. Tasks that used to demand real skill are now handled by the model on behalf of less capable actors.
The third hits the security industry itself: MITRE ATT&CK no longer captures this cleanly. The old way to gauge an attacker’s risk was to count techniques and look at their tooling. That breaks down here. The least-skilled actors in the dataset used about 16 techniques on average, the most skilled about 20 — a tiny gap. And whether someone used Claude Code, an API, or a chat interface said nothing about their risk level.
What Actually Makes Them Dangerous
The real differentiator, Anthropic says, is the scaffolding an attacker builds around the model: architectures that let the model chain together attack stages on its own, with minimal human input. This agentic orchestration simply has no ID in MITRE ATT&CK. Anthropic points to the espionage operation it disrupted in November 2025, where an actor manipulated Claude Code into largely autonomous attacks: measured by ATT&CK it looked like medium risk — by Anthropic’s own methodology it scored the maximum of 100.
My Take
I like that Anthropic doesn’t just sound the alarm here but brings data and says it plainly: our defensive vocabulary is outdated. They’re in talks with MITRE to fold in the agentic behaviors. That’s the honest part — and the awkward one. When an average actor with the right scaffolding suddenly operates like a top-tier attacker, the model isn’t the problem; the gap is — between what attackers can do today and the yardstick defenders measure them with. Closing that gap isn’t a model update. It’s foundational work.
This touches on sensitive security topics. The details here come from Anthropic’s public report and are meant to inform defenders, not attackers.
Sources: Anthropic: What we learned mapping a year’s worth of AI-enabled cyber threats, Frontier Red Team Blog: Attack Navigator