TL;DR
Anthropic mapped 832 banned accounts tied to malicious cyber activity from March 2025 to March 2026 onto MITRE ATT&CK and found that counting attacker techniques is losing value as a risk signal. The analysis says the stronger warning sign is whether attackers have built systems that let AI chain steps with limited human input.
Anthropic’s Frontier Red Team mapped 832 accounts banned for malicious cyber activity from March 2025 to March 2026 onto MITRE ATT&CK and found that the number of techniques an attacker uses is no longer a reliable guide to danger, according to source material from ThorstenMeyerAI.com summarizing the analysis.
The analysis focused on accounts with enough detail for technique-level review. It found that 560 accounts, or 67.3%, used AI to help write malware, while 54 accounts, or 6.5%, used AI for lateral movement inside networks.
The reported risk profile rose over the year. Medium-or-higher-risk actors made up 33% of cases in the first six months and 56% in the second six months, a roughly 1.7-fold increase, according to the source material.
The central finding is that technique counts flattened across skill levels. The source material says the least-skilled actors were associated with 16 techniques, while the most-skilled actors were associated with 20, a narrow gap that weakens an older security assumption: that more techniques usually mean a more capable attacker.
The frameworks can’t see the thing that matters
For decades, danger meant which techniques an attacker commands. A year of real AI-enabled attacks — 832 banned accounts mapped onto MITRE ATT&CK — shows that signal breaking, just as a new, harder-to-see one takes over.
A year of real misuse, mapped to the standard taxonomy
A window, not a census — these are the cases with enough detail to assess techniques thoroughly. Inside it, the risk level climbed fast.
WHAT WAS STUDIED
THE RISK CLIMB · MEDIUM-OR-HIGHER ACTORS
AI malware detection tools
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.

Artificial Intelligence for Cybersecurity: How AI Detects Cyber Threats, Prevents Hacking, and Protects Your Data, Identity, and Smart Devices (AI Cybersecurity Mastery Series)
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
“More techniques” stopped meaning “more dangerous”
The old heuristic: count the techniques, judge the tooling. AI dissolved it — because the model supplies the techniques either way. Watch the old signal fail, then watch what it misses.
Risk score vs. technique count
Two ways to read the same attacker. One is going blind. Press play.
cyber threat intelligence software
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.

Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Deeper into the attack — and into less-skilled hands
Across the year, AI use drifted from getting in toward acting once already inside — the operationally demanding stages that used to require an expert.
The attack lifecycle · where AI is now applied
The center of gravity moved right — toward post-compromise work.
network security monitoring devices
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.

Network Intrusion Detection
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
From “what they know” to “what they’ve built”
The report sorts the signals into three tiers — one dead, one fading, one durable.
Technique count & tooling
16 vs. 20 between novice and expert; platform doesn’t correlate. The model supplies the techniques either way.
Where in the lifecycle AI is applied
Concentrating on operationally demanding, post-compromise stages is a better signal — but it’s eroding as the whole population heads there.
The scaffolding around the model
Architectures that let the model chain stages and run with minimal human input. Not what they know — whether they’ve built a system that lets AI run the attack.
AI-powered intrusion detection system
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.

Operationalizing Threat Intelligence: A guide to developing and operationalizing cyber threat intelligence programs
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Fixing the map before the territory moves again
A taxonomy that can’t name the most dangerous behavior on the field will quietly mislead the people relying on it. The response runs in two directions.
Fed back into the models
The findings informed safeguards on the most capable models, built to detect & block some of what was observed:
- Blocking malware development
- Blocking mass data exfiltration
- Putting tools in defenders’ hands first (Project Glasswing)
Taking it to the source
Following the Verizon work, Anthropic says it’s in discussions with MITRE about how ATT&CK might evolve:
- A vocabulary for agentic orchestration
- Naming the scaffolding that makes a model an operator
- An interactive technique visualization on the Red blog
Reading it in proportion
- The 832 cases are a detailed subset, not the full population — the precise percentages are directional, not definitive.
- “More autonomous” is not “fully autonomous” — even the standout case needed human input at key moments, which is itself a place for defenders to intervene.
- This is one vendor’s window — the company with visibility into misuse of its own model, publishing what it found. The right thing to do with the data, and worth remembering as you read it.
Why It Matters
The finding matters because many security teams, threat-intelligence programs and industry frameworks use observed techniques to classify attackers and set response priorities. If AI systems can supply techniques to low-skilled users, then a technique list may describe what happened without showing who is dangerous or how much autonomy the operation had.
The analysis points to a different risk marker: the architecture around the model. According to the source material, systems that let AI chain attack stages and operate with minimal human input may matter more than the attacker’s personal knowledge. That shift could affect detection, incident response, model safeguards and how defenders interpret threat reports.
Background
MITRE ATT&CK is widely used to describe adversary tactics and techniques. The source material says Anthropic mapped the reviewed accounts onto that taxonomy and found that the taxonomy could capture many actions, but not the most important attribute in the highest-risk case: agentic orchestration.
One example cited was a November 2025 espionage operation. By technique count, it registered 30 techniques across 13 tactics, which made it look comparable to many medium-risk actors. Under Anthropic’s risk-scoring method, the same case reached a maximum risk score of 100 because the model operated as an autonomous agent, according to the source material.
The analysis also found AI use moving deeper into the attack lifecycle. AI-assisted phishing was described as falling by 8.6%, while AI use for account discovery was described as rising by 8.9%. The source material frames that movement as a shift from entry-stage activity toward post-compromise work.
What Remains Unclear
The dataset is described as a detailed subset, not a full census of AI-enabled cyber misuse. It is not yet clear how representative the 832 banned accounts are of activity across other AI systems, criminal markets or state-linked operations.
The source material also does not establish how quickly taxonomies such as MITRE ATT&CK will change, or whether defenders will adopt new labels for model scaffolding, autonomous chaining and human oversight levels.
What’s Next
Anthropic says the findings have informed safeguards on its more capable models, including efforts to block malware development and mass data exfiltration. The source material also says Anthropic is in discussions with MITRE about how ATT&CK could evolve to describe agentic orchestration and related scaffolding.
Key Questions
What was the actual development?
Anthropic analyzed 832 banned accounts tied to malicious cyber activity over a one-year period and found that common attacker-ranking signals, especially technique count, are losing reliability in AI-enabled cases.
Does this mean MITRE ATT&CK is wrong?
No. The report says the framework still describes many techniques used in attacks. The gap is that it does not currently name the AI orchestration layer that may make an operation more dangerous.
What appears to predict risk better now?
According to the source material, the stronger signal is the scaffolding around the AI model: whether an attacker has built a system that can chain stages and run parts of an operation with limited human input.
What remains unclear?
The dataset is not presented as a full count of all AI-enabled cyber misuse. It remains unclear how broadly these patterns apply across other platforms and how quickly industry taxonomies will adapt.
Source: Thorsten Meyer AI