TL;DR

Anthropic mapped 832 banned accounts tied to malicious cyber activity from March 2025 to March 2026 onto MITRE ATT&CK and found that counting attacker techniques is losing value as a risk signal. The analysis says the stronger warning sign is whether attackers have built systems that let AI chain steps with limited human input.

Anthropic’s Frontier Red Team mapped 832 accounts banned for malicious cyber activity from March 2025 to March 2026 onto MITRE ATT&CK and found that the number of techniques an attacker uses is no longer a reliable guide to danger, according to source material from ThorstenMeyerAI.com summarizing the analysis.

The analysis focused on accounts with enough detail for technique-level review. It found that 560 accounts, or 67.3%, used AI to help write malware, while 54 accounts, or 6.5%, used AI for lateral movement inside networks.

The reported risk profile rose over the year. Medium-or-higher-risk actors made up 33% of cases in the first six months and 56% in the second six months, a roughly 1.7-fold increase, according to the source material.

The central finding is that technique counts flattened across skill levels. The source material says the least-skilled actors were associated with 16 techniques, while the most-skilled actors were associated with 20, a narrow gap that weakens an older security assumption: that more techniques usually mean a more capable attacker.

ThorstenMeyerAI.com
AI & Security · Field Note
AI-enabled cyber threats · a year mapped

The frameworks can’t see the thing that matters

For decades, danger meant which techniques an attacker commands. A year of real AI-enabled attacks — 832 banned accounts mapped onto MITRE ATT&CK — shows that signal breaking, just as a new, harder-to-see one takes over.

Anthropic Frontier Red Team · Mar 2025–Mar 2026 · 832 accounts · via Verizon DBIR
01The dataset

A year of real misuse, mapped to the standard taxonomy

A window, not a census — these are the cases with enough detail to assess techniques thoroughly. Inside it, the risk level climbed fast.

WHAT WAS STUDIED

832 accounts
Banned for malicious cyber activity, Mar 2025–Mar 2026, mapped onto MITRE ATT&CK. The most common AI use was prep — 67.3% (560) used AI to help write malware; 6.5% (54) for lateral movement deep inside networks.

THE RISK CLIMB · MEDIUM-OR-HIGHER ACTORS

First 6 months33%
33%
Second 6 months56%
56%
≈ 1.7× increase in a single year
02The measurement breaks · press play
Amazon

AI malware detection tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Artificial Intelligence for Cybersecurity: How AI Detects Cyber Threats, Prevents Hacking, and Protects Your Data, Identity, and Smart Devices (AI Cybersecurity Mastery Series)

Artificial Intelligence for Cybersecurity: How AI Detects Cyber Threats, Prevents Hacking, and Protects Your Data, Identity, and Smart Devices (AI Cybersecurity Mastery Series)

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

“More techniques” stopped meaning “more dangerous”

The old heuristic: count the techniques, judge the tooling. AI dissolved it — because the model supplies the techniques either way. Watch the old signal fail, then watch what it misses.

Risk score vs. technique count

Two ways to read the same attacker. One is going blind. Press play.

the old signalSkill ≈ number of techniques?
Least-skilled
16
Most-skilled
20
16 vs. 20. A novice and an expert now look almost alike by technique-count — and the platform (Claude Code / API / chat) didn’t correlate with risk either.
what it missesThe Nov 2025 espionage operation
by technique count
30
techniques · 13 tactics
Looks like many medium-risk actors. Unremarkable.
by risk-scoring methodology
100
max risk score
The model ran as an autonomous agent — same case.
The most dangerous attribute of the year’s most dangerous attack is taxonomically invisible. ⌁ there is no MITRE ATT&CK ID for agentic orchestration
03Where the AI moved
Amazon

cyber threat intelligence software

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software

Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Deeper into the attack — and into less-skilled hands

Across the year, AI use drifted from getting in toward acting once already inside — the operationally demanding stages that used to require an expert.

The attack lifecycle · where AI is now applied

The center of gravity moved right — toward post-compromise work.

Initial access
phishing, getting in
Account discovery
finding valid accounts
Lateral movement
navigating the network
Privilege escalation
deeper control
↓ 8.6%
AI-assisted phishing
A classic way to gain access — falling.
↑ 8.9%
AI for account discovery
Post-compromise work — rising.
The crack in the old model: post-compromise techniques used to be restricted to actors skilled enough to perform them. AI can now perform them on behalf of less sophisticated actors — the dangerous deep stages are no longer self-limiting.
04What actually predicts danger now
Amazon

network security monitoring devices

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Network Intrusion Detection

Network Intrusion Detection

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

From “what they know” to “what they’ve built”

The report sorts the signals into three tiers — one dead, one fading, one durable.

🔢

Technique count & tooling

16 vs. 20 between novice and expert; platform doesn’t correlate. The model supplies the techniques either way.

dead signal
📍

Where in the lifecycle AI is applied

Concentrating on operationally demanding, post-compromise stages is a better signal — but it’s eroding as the whole population heads there.

fading signal
🏗️

The scaffolding around the model

Architectures that let the model chain stages and run with minimal human input. Not what they know — whether they’ve built a system that lets AI run the attack.

durable signal
05What follows · read straight
Amazon

AI-powered intrusion detection system

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Operationalizing Threat Intelligence: A guide to developing and operationalizing cyber threat intelligence programs

Operationalizing Threat Intelligence: A guide to developing and operationalizing cyber threat intelligence programs

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Fixing the map before the territory moves again

A taxonomy that can’t name the most dangerous behavior on the field will quietly mislead the people relying on it. The response runs in two directions.

🛡️ defensively

Fed back into the models

The findings informed safeguards on the most capable models, built to detect & block some of what was observed:

  • Blocking malware development
  • Blocking mass data exfiltration
  • Putting tools in defenders’ hands first (Project Glasswing)
🧭 institutionally

Taking it to the source

Following the Verizon work, Anthropic says it’s in discussions with MITRE about how ATT&CK might evolve:

  • A vocabulary for agentic orchestration
  • Naming the scaffolding that makes a model an operator
  • An interactive technique visualization on the Red blog

Reading it in proportion

  • The 832 cases are a detailed subset, not the full population — the precise percentages are directional, not definitive.
  • “More autonomous” is not “fully autonomous” — even the standout case needed human input at key moments, which is itself a place for defenders to intervene.
  • This is one vendor’s window — the company with visibility into misuse of its own model, publishing what it found. The right thing to do with the data, and worth remembering as you read it.
ThorstenMeyerAI.com
Source: Anthropic, “What we learned mapping a year’s worth of AI-enabled cyber threats” (Jun 3, 2026) · Frontier Red Team · Verizon 2026 DBIR · figures per the report · independent commentary · findings only, no operational detail.

Why It Matters

The finding matters because many security teams, threat-intelligence programs and industry frameworks use observed techniques to classify attackers and set response priorities. If AI systems can supply techniques to low-skilled users, then a technique list may describe what happened without showing who is dangerous or how much autonomy the operation had.

The analysis points to a different risk marker: the architecture around the model. According to the source material, systems that let AI chain attack stages and operate with minimal human input may matter more than the attacker’s personal knowledge. That shift could affect detection, incident response, model safeguards and how defenders interpret threat reports.

Background

MITRE ATT&CK is widely used to describe adversary tactics and techniques. The source material says Anthropic mapped the reviewed accounts onto that taxonomy and found that the taxonomy could capture many actions, but not the most important attribute in the highest-risk case: agentic orchestration.

One example cited was a November 2025 espionage operation. By technique count, it registered 30 techniques across 13 tactics, which made it look comparable to many medium-risk actors. Under Anthropic’s risk-scoring method, the same case reached a maximum risk score of 100 because the model operated as an autonomous agent, according to the source material.

The analysis also found AI use moving deeper into the attack lifecycle. AI-assisted phishing was described as falling by 8.6%, while AI use for account discovery was described as rising by 8.9%. The source material frames that movement as a shift from entry-stage activity toward post-compromise work.

What Remains Unclear

The dataset is described as a detailed subset, not a full census of AI-enabled cyber misuse. It is not yet clear how representative the 832 banned accounts are of activity across other AI systems, criminal markets or state-linked operations.

The source material also does not establish how quickly taxonomies such as MITRE ATT&CK will change, or whether defenders will adopt new labels for model scaffolding, autonomous chaining and human oversight levels.

What’s Next

Anthropic says the findings have informed safeguards on its more capable models, including efforts to block malware development and mass data exfiltration. The source material also says Anthropic is in discussions with MITRE about how ATT&CK could evolve to describe agentic orchestration and related scaffolding.

Key Questions

What was the actual development?

Anthropic analyzed 832 banned accounts tied to malicious cyber activity over a one-year period and found that common attacker-ranking signals, especially technique count, are losing reliability in AI-enabled cases.

Does this mean MITRE ATT&CK is wrong?

No. The report says the framework still describes many techniques used in attacks. The gap is that it does not currently name the AI orchestration layer that may make an operation more dangerous.

What appears to predict risk better now?

According to the source material, the stronger signal is the scaffolding around the AI model: whether an attacker has built a system that can chain stages and run parts of an operation with limited human input.

What remains unclear?

The dataset is not presented as a full count of all AI-enabled cyber misuse. It remains unclear how broadly these patterns apply across other platforms and how quickly industry taxonomies will adapt.

Source: Thorsten Meyer AI

You May Also Like

Avengers Labs: How Ukraine Turned Its Front Line Into the World’s Scarcest AI Dataset

Ukraine’s Avengers Labs leverages battlefield drone footage to train AI models, transforming combat data into a key defense resource amid ongoing war.

Two Channels: How the Pentagon Just Split Frontier-AI Procurement in Half

The Pentagon has split its AI procurement into two separate channels, placing Anthropic in a strategic, non-redundant category, affecting vendor relationships and capabilities.

Amazon, Facebook, FBI have access to a private intelligence-sharing network

Revealed: Amazon, Facebook, and FBI are part of Seattle Shield, a secretive intelligence-sharing network used for monitoring protests and potential threats since 2009.

7 Best Security Surveillance Deals for Prime Day Savings in 2026

Discover the best security surveillance deals for Prime Day 2026, including wired, wireless, and multi-camera systems for home and business security.