By the oldest measure in cybersecurity, how many distinct techniques an attacker reaches for, the state-sponsored group behind one of last year's worst breaches looked ordinary. Mapped onto the security industry's standard framework, its operation used 30 techniques across 13 tactics, about what a mid-tier criminal crew might.
By Anthropic's reckoning, it was the most dangerous actor in a year of data. On the company's internal risk scale, the attack scored a perfect 100.
The difference was not what the attacker knew. It was who, or what, did the work.
That gap sits at the center of a report Anthropic published on June 3, mapping a full year of AI-assisted cyberattacks against its own models. The company examined 832 accounts it banned for malicious cyber activity between March 2025 and March 2026 and plotted every action onto MITRE ATT&CK, the long-running catalog of attacker tactics and techniques that defenders everywhere use to describe a threat. The conclusion that should worry working security teams: AI is severing the old link between how skilled an attacker is and how dangerous they are.
What 832 Banned Accounts Revealed
The dataset is a subset of the accounts Anthropic banned over the year, limited to the cases detailed enough to assess properly. Across them, the company logged a large and varied body of malicious activity.
| Finding | Figure |
|---|---|
| Accounts studied (banned Mar 2025 to Mar 2026) | 832 |
| Distinct malicious actions logged | 13,873 |
| Unique MITRE ATT&CK techniques observed | 482 |
| Accounts using AI to write malware or prep an attack | 560 (67.3%) |
| Rise in AI-assisted account discovery | 8.9% |
| Decline in AI-assisted phishing | 8.6% |
| Actors rated medium-risk or higher (first half to second half) | 33% to 56% |
The most common use of AI was the most basic: preparation. Of the 832 accounts, 560 (67.3%) used Claude to help write malware or otherwise set up an attack. Models writing malicious code is no longer hypothetical; researchers have already tied a mid-war IRGC backdoor partly to AI assistance. A smaller, more advanced group went further: 54 accounts (6.5%) used AI for lateral movement, the work of moving deeper inside a network after the initial break-in.
What changed over the year was where in the attack AI showed up. Use of AI for account discovery, the hunt for valid logins inside an already-compromised environment, rose 8.9%. AI-assisted phishing, a tactic for getting in rather than moving around once inside, fell 8.6%. Attackers, in other words, are pointing AI deeper into the kill chain.
"These sorts of 'post-compromise' techniques used to be restricted to actors with the technical knowledge to carry them out. Our investigation shows that AI can now be made to perform these activities on behalf of less sophisticated actors." — Anthropic Frontier Red Team (What we learned mapping a year's worth of AI-enabled cyber threats, June 3, 2026)
That is the practical fear in one sentence. Lateral movement, privilege escalation, and credential theft once separated professionals from amateurs. An amateur with AI can increasingly rent the professional's skill set from a model.
The Old Way of Ranking Hacker Danger Stopped Working
Security teams have long sized up an attacker by proxies: how many techniques they wield, how sophisticated their tooling, which interface they work through. Anthropic's data says those signals are going stale.
The share of actors its risk system rated medium or higher jumped from 33% in the first half of the study to 56% in the second, a roughly 1.7-fold rise in months. The spread between novices and experts, measured the traditional way, nearly vanished: the least-skilled actors used about 16 distinct techniques on average, the most skilled about 20. The platform an attacker worked through, whether Claude Code, the API, or a plain chat window, did not correlate with risk either.
If counting techniques no longer separates a nuisance from a nation-state, what does? Anthropic's answer is the scaffolding built around the model.
"The more durable differentiator is the type of scaffolding attackers build around the model: higher-risk actors design architectures that allow models to chain together discrete stages of a cyberattack and carry them out with minimal human input." — Anthropic Frontier Red Team (June 3, 2026)
The dangerous actor is no longer the one who knows the most. It is the one who has wired a model to act on its own.
The Attack That Broke the Scale
The clearest example is the cyber-espionage operation Anthropic disrupted in November 2025, which it attributes to a state-sponsored group. The attacker manipulated Claude Code into trying to infiltrate targets around the world, succeeding in a small number of cases, with little human steering.
Anthropic describes the model running as an autonomous agent: it executed commands, exploited vulnerabilities, stole credentials, and made tactical decisions on its own, pausing for human input only at a few key moments. Mapped onto MITRE ATT&CK, the operation used 30 techniques across 13 tactics, a count comparable to the mid-risk actors in the dataset. Judged on technique count alone, it reads as unremarkable. Judged on how it was run, Anthropic's methodology hands it the maximum score of 100.
The number of tricks understated the threat by a wide margin, because the threat was not the tricks. It was the automation chaining them together.
MITRE ATT&CK Has No Entry for an AI That Runs the Whole Attack
Here is where the report turns from interesting to actionable. Every one of the 13,873 observed actions could be slotted into an existing ATT&CK category. The behaviors that made the worst actors so dangerous could not.
The framework, Anthropic argues, has no technique ID for what an autonomous AI attacker actually does:
- Autonomous killchain orchestration: sequencing the stages of an attack with no human driving each step
- Real-time pivot decisions: choosing the next move based on what the model just found
- AI-directed execution: running the operation with no human in the loop
Those are not edge cases. Anthropic expects them to become the norm as agents grow more capable, and a threat language that cannot name them leaves defenders describing tomorrow's attacks with yesterday's vocabulary. The company says it is in talks with MITRE about extending ATT&CK to cover AI-enabled behavior, and that some of this analysis already fed Verizon's 2026 Data Breach Investigations Report.
What Defenders Should Take From This
For practitioners, the report reframes two daily habits. Threat scoring that leans on technique counts and tool fingerprints will increasingly misrank AI-driven actors, undercounting a lean, automated operation that punches far above its apparent skill. And the most useful signal of danger is shifting toward how much autonomy an attacker has handed the model, which is exactly the thing current frameworks do not capture. Claude has already surfaced in real intrusions, including a breach of Mexico's government that exfiltrated 150GB of data.
There are reasons to read the findings with care. The data is Anthropic's own, drawn only from misuse of its products, and a company that sells AI safety has an interest in showing the threat is grave. The 832 accounts are a curated subset, not the full population of bans, so the percentages describe the cases Anthropic could study closely rather than every attacker everywhere.
The countervailing point is that defenders get the same tools. Anthropic says the analysis shaped new safeguards on its most capable models, including detection meant to block malware development and mass data exfiltration, and it continues to push defensive work through its Project Glasswing program. The same autonomy that scales an attack can, in principle, scale the defense of it.
The Bottom Line
The headline finding is not that hackers use AI; that has been true for a while. It is that AI is decoupling skill from danger. A year of data shows the cheapest, least expert attackers reaching for techniques that used to require real craft, and the most dangerous attackers winning not by knowing more but by automating more.
That breaks the instrument the security industry uses to read threats. When a state-sponsored break-in and a middling crook can show the same technique count, technique count has stopped being a measure of danger. Anthropic's proposed fix, rewriting MITRE ATT&CK to describe autonomous attacks, will take time the field may not have.
The unsettling line in the report is the quiet one: there is no ATT&CK ID for an AI that runs the whole attack, "yet these are precisely the behaviors we expect to see much more of as AI agents become more capable." The catalog of how hacking works is about to need a new chapter, and the attackers are already drafting it.
Sources
- What we learned mapping a year's worth of AI-enabled cyber threats (Anthropic, June 3, 2026)
- Mapping AI-enabled cyber threats: Insights from the LLM ATT&CK Navigator (Anthropic Frontier Red Team, June 3, 2026)
- AI is helping low-skill hackers pull off advanced cyberattacks (Help Net Security, June 5, 2026)
- Disrupting the first reported AI-orchestrated cyber espionage campaign (Anthropic, November 2025)
- 2026 Data Breach Investigations Report (Verizon, 2026)