The threat intelligence community has spent decades building frameworks to assess how dangerous a cyberattacker is. Anthropic just published data suggesting those frameworks are failing — not because they were poorly designed, but because AI has fundamentally changed the relationship between attacker skill and attacker capability, and AI-assisted cyberattacks are now becoming a norm.
Anthropic’s Frontier Red Team published findings drawn from 832 accounts banned for malicious cyber activity between March 2025 and 2026, mapping each case against MITRE ATT&CK, the industry’s most widely used taxonomy of attacker tactics and techniques.
A subset of those findings appeared in Verizon’s 2026 Data Breach Investigations Report. The full analysis, published simultaneously with an interactive visualization on Anthropic’s Red blog, delivers three conclusions that should unsettle security teams relying on traditional risk-scoring models.
AI Is Moving Deeper Into the Attack Chain
The most common AI-assisted activity in the dataset is also the most expected – writing malware. Of the 832 accounts studied, 560 or 67.3% used AI for that purpose. But the more significant finding is directional. Across the twelve-month study period, AI use shifted measurably from initial-access techniques toward post-compromise activity. It’s the harder, more technically demanding work that happens after an attacker is already inside a network.
AI-assisted account discovery — identifying valid accounts inside a compromised environment — rose 8.9% across the period. AI-assisted phishing, a standard initial-access technique, fell 8.6%. Lateral movement, the process of navigating deeper inside a compromised network to reach high-value targets, was used with AI assistance by 54 of the 832 actors, or 6.5%. These are precisely the techniques that have historically required sophisticated operators to execute effectively. AI is democratizing them.
The risk-scoring data makes that democratization concrete. In the first six months of the study period, 33% of actors were classified as medium risk or higher. By the second six months, that share had jumped to 56% — a roughly 1.7-fold increase in just six months.
The Old Signals for Measuring Threat Level No Longer Work
Security teams have traditionally assessed actor sophistication by counting how many distinct techniques they employ and observing what tools or interfaces they use. Anthropic’s data shows those signals have decoupled from actual risk in an AI-enabled environment.
The least-skilled actors in the dataset used an average of 16 distinct techniques. The most skilled used an average of 20. The gap is so small as to be operationally meaningless for triage purposes. Similarly, whether an attacker used Claude Code, the API, or a chat interface showed no correlation with risk level.
What does distinguish higher-risk actors is where in the attack lifecycle they apply AI. Higher-risk operators concentrate AI use on operationally demanding techniques — account discovery, lateral movement, privilege escalation — rather than merely on initial-access tasks. But even that signal is eroding. Those post-compromise techniques are exactly where the broader attacker population is now heading, as more actors get reclassified as higher risk and the behavior diffuses downward through the threat actor ecosystem.
The more durable differentiator, Anthropic found, is architectural. The highest-risk actors build scaffolding around models that allows AI to chain together discrete stages of a cyberattack and execute them with minimal human input. That capability — agentic attack orchestration — is the real frontier of AI-enabled threat activity, and it is not captured anywhere in the current MITRE ATT&CK framework.
MITRE ATT&CK Was Not Built for AI Agents
Researchers show the framework gap with an example of a state-sponsored cyber espionage operation the company disrupted in November 2025, in which a malicious actor manipulated Claude Code into attempting to infiltrate targets worldwide with minimal human intervention.
Read: Chinese Hackers Weaponize Claude AI to Execute First Autonomous Cyber Espionage Campaign at Scale
Mapping that operation against MITRE ATT&CK produced a count of 30 techniques across 13 tactics — a profile comparable to many medium-risk actors in the dataset, and one that drastically understates how dangerous the operation actually was. Anthropic’s own risk-scoring methodology, applied to the same operation, returned a maximum score of 100.
The gap exists because MITRE ATT&CK was designed to document what attackers do, not how they orchestrate it. An AI agent that executes commands, exploits vulnerabilities, steals credentials, and makes real-time tactical decisions across a full attack chain — requiring human input only at a few key moments — is a categorically different threat actor than a human operator executing those same steps manually. There is no ATT&CK ID for agentic orchestration. There is no technique entry for autonomous chaining of attack stages. There is no tactic that captures the removal of human decision bottlenecks from the attack lifecycle.
Anthropic says it is in active discussions with MITRE about how the ATT&CK framework might evolve to include these AI-enabled behaviors. The company has also used the findings from this analysis to inform the cyber safeguards built into its most capable models — including detection and blocking mechanisms for malware development and mass data exfiltration activities documented in the dataset.
Risk triage models built on technique counts, tool-type signals, or initial-access sophistication are now systematically underclassifying AI-enabled actors. A threat actor who uses 16 techniques with AI assistance may pose the same operational risk as one using 25 techniques manually. An attacker deploying a free-tier chat interface may be running the same agentic attack chain as one using a direct API connection.
The more meaningful questions for detection and triage are behavioral and architectural. Is this actor using AI post-compromise rather than merely for initial access? Is there evidence of automated chaining between attack stages? Is human intervention being removed from operationally demanding steps? Those questions are not yet embedded in standard detection frameworks — and closing that gap, researchers argue, is now an urgent priority for the industry.
