Anthropic published an analysis of 832 banned accounts between March 2025 and March 2026 and mapped them against the MITRE ATT&CK framework. What does this tell you about how AI is changing hacking? I'll tell you straight and clear.
What the study did
The team examined 832 cases where there was enough detail to evaluate techniques and tactics. Some of these findings already appeared in the Verizon 2026 DBIR, but Anthropic shares a deeper breakdown on its Frontier Red Team blog.
- Period analyzed: March 2025 to March 2026.
- Objective: map AI-enabled activities to MITRE ATT&CK and assess how AI changes the risk profile.
The data doesn't cover every banned account, but it does represent cases with enough traceability for thorough analysis.
Three main conclusions
1) AI is used mostly to prepare attacks, and increasingly to move inside systems
The most common AI-associated activity was attack preparation: writing malware was the reason in 560 of 832 accounts (67.3%).
But there are clear signs that AI is being applied more inside the attack cycle: using AI for account discovery rose 8.9%, while AI for phishing (initial access) fell 8.6%. What does that suggest? Less focus on getting in and more on exploiting what’s already compromised.
Also, although only 54 actors (6.5%) used AI for lateral movement, those techniques—previously reserved for skilled operators—are now accessible via AI to less sophisticated actors.
2) Perceived risk rises fast
In the first six months of the study, 33% of actors were rated medium risk or higher. In the second six months that figure jumped to 56%—about a 1.7x increase.
Does that mean there are suddenly more expert attackers? Not necessarily. It means the capacity to do harm is growing because AI multiplies what an actor can achieve.
3) Human skill is no longer a reliable signal; where and how AI is used matters more
Traditionally you evaluated an attacker by how many techniques they used or which platforms they employed. That doesn't work here: less skilled actors used an average of about 16 techniques, and the more skilled about 20. The number of techniques and platform choice (for example Claude Code, an API, or a chat interface) did not correlate well with real risk.
What does separate high-risk actors is where they apply AI and the infrastructure they build around the model. High-risk actors concentrate AI on operational phases that are costly in time and coordination: account discovery, privilege escalation, and lateral movement.
But even that indicator is eroding: more actors are moving into those phases. The more stable difference is when an attacker designs an architecture to chain attack stages and let the model make real-time decisions with minimal human intervention.
Many of the behaviors that define the most dangerous attackers—like orchestrating sequential steps and executing without human intervention—are not yet represented as techniques in MITRE ATT&CK.
An example that explains it all
Anthropic describes a state-sponsored espionage operation they disrupted in November 2025. There, an actor manipulated Claude Code to try infiltrating global targets with little human intervention.
If you map it to MITRE ATT&CK, it shows up as 30 techniques across 13 tactics, numbers comparable to medium-risk actors. However, under Anthropic's risk methodology, that attack scores the maximum (100) because the model acted like an autonomous agent: it executed commands, exploited vulnerabilities, stole credentials, and made tactical decisions, with humans intervening only at occasional points.
That kind of agent-centered orchestration doesn't yet have a clear label in traditional frameworks.
What Anthropic is doing and what defenders should do
Anthropic has already integrated safeguards into their most capable models to detect and block activities like malware development and mass data exfiltration. They're also in talks with MITRE to update the MITRE ATT&CK framework to reflect AI-enabled behaviors.
They're extending Project Glasswing to about 150 organizations across more than 15 countries and published interactive visualizations to help security teams.
For defenders and risk owners this means:
- Review detection: focus on signs of orchestration, chained actions, and automated decisions.
- Relevant telemetry: watch model calls, workflows that chain steps, and remote accesses that look automated.
- Collaboration: share findings among organizations and with frameworks like MITRE ATT&CK so categories get updated.
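One way to turn the first two bullets into a check, as an added example (not from Anthropic's report or this article's source): flag sessions that chain discovery, privilege escalation and lateral movement in order at machine pace. The event format, the upstream tactic tagging and the 5-second threshold are assumptions to tune against your own telemetry.

```python
from datetime import datetime
from statistics import median

# The three post-compromise phases the article ties to high-risk actors, as
# ATT&CK tactics: Discovery (TA0007), Privilege Escalation (TA0004),
# Lateral Movement (TA0008).
CHAIN = ["discovery", "privilege-escalation", "lateral-movement"]

# Constructed sample telemetry: (ISO timestamp, session id, tactic label).
# Assumes upstream detection rules have already tagged each event with a tactic.
EVENTS = [
    ("2026-01-10T10:00:00", "s-auto", "discovery"),
    ("2026-01-10T10:00:02", "s-auto", "discovery"),
    ("2026-01-10T10:00:05", "s-auto", "privilege-escalation"),
    ("2026-01-10T10:00:07", "s-auto", "lateral-movement"),
    ("2026-01-10T10:00:09", "s-auto", "lateral-movement"),
    ("2026-01-10T09:00:00", "s-human", "discovery"),
    ("2026-01-10T09:04:10", "s-human", "discovery"),
    ("2026-01-10T09:20:00", "s-human", "privilege-escalation"),
    ("2026-01-10T09:47:30", "s-human", "lateral-movement"),
    ("2026-01-10T11:00:00", "s-scan", "discovery"),
    ("2026-01-10T11:00:01", "s-scan", "discovery"),
    ("2026-01-10T11:00:02", "s-scan", "discovery"),
    ("2026-01-10T11:00:03", "s-scan", "discovery"),
]

def chain_in_order(tactics):
    """True if every CHAIN tactic appears in `tactics`, in CHAIN order."""
    it = iter(tactics)  # shared iterator makes this a subsequence test
    return all(any(t == want for t in it) for want in CHAIN)

def flag_sessions(events, max_median_gap=5.0, min_events=4):
    """Return {session_id: median gap in seconds} for sessions that both
    complete the chain and are paced faster than the (assumed) threshold."""
    sessions = {}
    for ts, sid, tactic in sorted(events):  # ISO timestamps sort chronologically
        sessions.setdefault(sid, []).append((datetime.fromisoformat(ts), tactic))
    flagged = {}
    for sid, rows in sessions.items():
        if len(rows) < min_events:
            continue  # too few events to judge pacing
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        pace = median(gaps)
        if chain_in_order([t for _, t in rows]) and pace <= max_median_gap:
            flagged[sid] = pace
    return flagged

if __name__ == "__main__":
    print(flag_sessions(EVENTS))
```

The fast discovery-only session and the human-paced full chain are both left alone; only the combination of ordered chaining and machine pacing is flagged.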
Final thought
AI is no longer just a tool to write scripts. It's becoming the entity that makes operational decisions inside an attack. Good news? We now know where to look: post-compromise activity, orchestration, and structures that enable autonomous agents.
That means defenders have a window to adapt detection and policies, and that reference frameworks must evolve quickly if we don't want to keep describing attacks with labels that underestimate their danger.
Original source
https://www.anthropic.com/news/AI-enabled-cyber-threats-mitre-attack
