TL;DR

Anthropic analyzed 832 accounts banned for malicious cyber activity from March 2025 to March 2026 and found that technique counts no longer clearly separate low-risk from high-risk AI-enabled attackers. The report says the stronger risk signal is whether actors built systems that let AI chain attack stages with little human input, a behavior MITRE ATT&CK does not yet capture directly.

Anthropic said an analysis of 832 accounts banned for malicious cyber activity found that traditional measures of attacker capability, including how many techniques an actor uses, are becoming less reliable as AI systems help less-skilled actors perform more advanced cyber operations.

The company’s Frontier Red Team mapped malicious activity observed from March 2025 to March 2026 onto the MITRE ATT&CK taxonomy, using cases with enough detail to assess cyber techniques. Anthropic said 67.3% of the accounts, or 560, used AI to help write malware, while 6.5%, or 54, used AI for lateral movement inside networks.

The report said risk levels rose over the year. Medium-or-higher risk actors made up 33% of the first six months of cases and 56% of the second six months, an increase of about 1.7 times. Anthropic also said AI use moved deeper into the attack lifecycle, with AI-assisted phishing falling by 8.6% while AI use for account discovery rose by 8.9%.

A central finding is that counting techniques may no longer show who is most dangerous. According to the analysis, the least-skilled actors used 16 techniques while the most-skilled used 20, a narrow gap. Anthropic also said the platform used, including Claude Code, API access or chat, did not correlate with risk.

ThorstenMeyerAI.com
AI & Security · Field Note
AI-enabled cyber threats · a year mapped

The frameworks can’t see the thing that matters

For decades, danger meant which techniques an attacker commands. A year of real AI-enabled attacks — 832 banned accounts mapped onto MITRE ATT&CK — shows that signal breaking, just as a new, harder-to-see one takes over.

Anthropic Frontier Red Team · Mar 2025–Mar 2026 · 832 accounts · via Verizon DBIR
01 The dataset

A year of real misuse, mapped to the standard taxonomy

A window, not a census — these are the cases with enough detail to assess techniques thoroughly. Inside it, the risk level climbed fast.

WHAT WAS STUDIED

832 accounts
Banned for malicious cyber activity, Mar 2025–Mar 2026, mapped onto MITRE ATT&CK. The most common AI use was prep — 67.3% (560) used AI to help write malware; 6.5% (54) for lateral movement deep inside networks.

THE RISK CLIMB · MEDIUM-OR-HIGHER ACTORS

  • First 6 months: 33%
  • Second 6 months: 56%

≈ 1.7× increase in a single year
02 The measurement breaks

“More techniques” stopped meaning “more dangerous”

The old heuristic: count the techniques, judge the tooling. AI dissolved it — because the model supplies the techniques either way. Watch the old signal fail, then watch what it misses.

Risk score vs. technique count

Two ways to read the same attacker. One is going blind.

The old signal: Skill ≈ number of techniques?

  • Least-skilled: 16
  • Most-skilled: 20

16 vs. 20. A novice and an expert now look almost alike by technique-count — and the platform (Claude Code / API / chat) didn’t correlate with risk either.

What it misses: The Nov 2025 espionage operation

  • By technique count: 30 techniques · 13 tactics. Looks like many medium-risk actors. Unremarkable.
  • By risk-scoring methodology: 100 (max risk score). The model ran as an autonomous agent — same case.

The most dangerous attribute of the year’s most dangerous attack is taxonomically invisible. There is no MITRE ATT&CK ID for agentic orchestration.
03 Where the AI moved

Deeper into the attack — and into less-skilled hands

Across the year, AI use drifted from getting in toward acting once already inside — the operationally demanding stages that used to require an expert.

The attack lifecycle · where AI is now applied

The center of gravity moved right — toward post-compromise work.

  • Initial access: phishing, getting in
  • Account discovery: finding valid accounts
  • Lateral movement: navigating the network
  • Privilege escalation: deeper control

  • ↓ 8.6% · AI-assisted phishing. A classic way to gain access — falling.
  • ↑ 8.9% · AI for account discovery. Post-compromise work — rising.

The crack in the old model: post-compromise techniques used to be restricted to actors skilled enough to perform them. AI can now perform them on behalf of less sophisticated actors — the dangerous deep stages are no longer self-limiting.
04 What actually predicts danger now

From “what they know” to “what they’ve built”

The report sorts the signals into three tiers — one dead, one fading, one durable.

  • 🔢 Technique count & tooling (dead signal): 16 vs. 20 between novice and expert; platform doesn’t correlate. The model supplies the techniques either way.
  • 📍 Where in the lifecycle AI is applied (fading signal): Concentrating on operationally demanding, post-compromise stages is a better signal — but it’s eroding as the whole population heads there.
  • 🏗️ The scaffolding around the model (durable signal): Architectures that let the model chain stages and run with minimal human input. Not what they know — whether they’ve built a system that lets AI run the attack.

05 What follows · read straight

Fixing the map before the territory moves again

A taxonomy that can’t name the most dangerous behavior on the field will quietly mislead the people relying on it. The response runs in two directions.

🛡️ defensively

Fed back into the models

The findings informed safeguards on the most capable models, built to detect & block some of what was observed:

  • Blocking malware development
  • Blocking mass data exfiltration
  • Putting tools in defenders’ hands first (Project Glasswing)

🧭 institutionally

Taking it to the source

Following the Verizon work, Anthropic says it’s in discussions with MITRE about how ATT&CK might evolve:

  • A vocabulary for agentic orchestration
  • Naming the scaffolding that makes a model an operator
  • An interactive technique visualization on the Red blog

Reading it in proportion

  • The 832 cases are a detailed subset, not the full population — the precise percentages are directional, not definitive.
  • “More autonomous” is not “fully autonomous” — even the standout case needed human input at key moments, which is itself a place for defenders to intervene.
  • This is one vendor’s window — the company with visibility into misuse of its own model, publishing what it found. The right thing to do with the data, and worth remembering as you read it.
Source: Anthropic, “What we learned mapping a year’s worth of AI-enabled cyber threats” (Jun 3, 2026) · Frontier Red Team · Verizon 2026 DBIR · figures per the report · independent commentary · findings only, no operational detail.

Why It Matters

The findings matter because many security teams rely on taxonomies and technique counts to judge actor capability, prioritize investigations and compare threats. If AI tools supply advanced techniques to actors who would not otherwise have them, defenders may underrate cases that look ordinary by older measures.

Anthropic’s analysis points to a shift from measuring what attackers know to measuring what they have built around the model. The report says systems that let AI chain stages, use tools and act with limited human input are a more durable sign of risk than technique volume alone.

Background

MITRE ATT&CK is widely used to describe adversary tactics and techniques. It helps defenders map activity across stages such as initial access, discovery, lateral movement and privilege escalation. Anthropic’s report argues that this structure remains useful but misses a new feature of AI-enabled attacks: model orchestration across multiple steps.

The source material highlights a November 2025 espionage operation as the clearest example. By technique count, the operation used 30 techniques across 13 tactics, which could resemble many medium-risk cases. Under Anthropic’s risk-scoring method, the same case received a maximum risk score because the model ran as an autonomous agent.

What Remains Unclear

The dataset is not a full census of AI-enabled cyber misuse. The source material describes the 832 accounts as a detailed subset of banned cases with enough information to map against MITRE ATT&CK. It is also unclear how quickly taxonomies will change, how broadly the findings apply beyond Anthropic’s platform and what attackers may do as model safeguards improve.

What’s Next

Anthropic said the findings informed safeguards intended to block malware development, mass data exfiltration and other observed abuse patterns. The company also said it is in discussions with MITRE about how ATT&CK might account for agentic orchestration and the scaffolding that turns a model into an operator.

Key Questions

What did Anthropic study?

Anthropic studied 832 accounts banned for malicious cyber activity between March 2025 and March 2026 and mapped their behavior to MITRE ATT&CK where enough detail was available.

What changed in how AI was used?

The report says AI use shifted from early-stage activity such as phishing toward post-compromise tasks, including account discovery and lateral movement, which have usually required more expertise.

Why are technique counts less useful?

Anthropic says AI can provide techniques to actors with different skill levels, narrowing the gap between low-skill and high-skill attackers when measured only by technique count.

What is agentic orchestration?

In this report, it refers to systems that allow an AI model to chain multiple attack stages, use tools and operate with limited human input. Anthropic says that behavior is a stronger risk signal than the number of techniques used.

What remains unclear?

The report does not show the full scale of AI-enabled cyber misuse across all platforms. It also remains unclear when, or how, standard taxonomies will add language for agentic attack systems.

Source: Thorsten Meyer AI
