Anthropic has published one of the clearest snapshots yet of how AI is changing cyber abuse. The company examined 832 accounts banned for malicious cyber activity between March 2025 and March 2026, then mapped those cases onto the MITRE ATT&CK framework.
The striking part is not that attackers are using AI to write malware. That was already expected. The sharper signal is where the usage is moving: deeper into the attack lifecycle, after an attacker already has access.
Anthropic found 13,873 observed malicious actions across 482 unique ATT&CK techniques and all 14 ATT&CK tactics. Malware development remained the most common category, with 560 of the 832 accounts using AI for that purpose. But the higher-risk trend was in post-compromise work: account discovery, lateral movement, privilege escalation, credential activity, defensive evasion, and chained execution.
The risk profile changed fast
According to Anthropic, the share of actors classified as medium risk or higher rose from 33% in the first half of the study window to 56% in the second. That is roughly a 1.7x increase inside one year.
The company also found that AI-assisted phishing fell while account discovery rose. That matters because phishing sits near the front door of an intrusion, while account discovery is something an attacker does once they are already inside and trying to understand where to move next.
In plain terms, the model is not only helping people create entry tools. It is starting to help them operate inside systems.
Skill is becoming harder to read
Security teams usually infer attacker risk from signals such as technical sophistication, tooling, platform choice, and the number of techniques used. Anthropic argues those old signals are weakening.
One reason is simple: AI can let a less-skilled actor perform tasks that used to require deeper technical knowledge. In Anthropic's dataset, the least-skilled actors still averaged about 16 distinct techniques, while the most skilled averaged about 20. The gap exists, but it is much smaller than defenders might expect.
The platform also did not neatly identify risk. Whether an actor used Claude.ai, the API, or an agentic coding interface such as Claude Code was less important than what they used the model to do.
The real separator is orchestration. Higher-risk actors build scaffolding around the model so it can chain together stages of an attack, make decisions in real time, and execute with minimal human input.
MITRE ATT&CK needs new language
MITRE ATT&CK remains one of the security industry's core maps for adversary behavior. But Anthropic's report argues that it does not yet fully capture what makes AI-enabled attacks dangerous.
There are IDs for many familiar techniques, from malware development to lateral movement. There is not yet a clean category for autonomous kill-chain orchestration, AI-directed execution without human intervention, or real-time model-driven pivot decisions.
That gap matters because defenders classify what they can name. If the taxonomy only counts familiar techniques, it can understate the risk of an agentic attack that uses a moderate number of standard techniques but chains them together at machine speed.
Anthropic points back to the AI-orchestrated espionage campaign it disrupted in November 2025. Mapped to MITRE ATT&CK, the campaign used 30 techniques across 13 tactics, comparable to many medium-risk actors. But under Anthropic's own risk-scoring method, it reached the maximum score of 100 because the model was used as an autonomous agent executing commands, exploiting vulnerabilities, stealing credentials, and making tactical choices with little human input.
What builders should take from it
For most app teams, the lesson is not "build a cyber threat intelligence program." The practical lesson is that AI-connected software needs clearer boundaries, stronger abuse detection, and better logging from the start.
Any product that lets AI touch user files, accounts, credentials, code, browser sessions, internal tools, or business workflows inherits a version of this problem. Useful autonomy and dangerous autonomy can look similar until the intent, permissions, and execution context are visible.
For SunMarc App Labs, that points to a durable product rule: AI features should be legible. Users should know what the system can access, what it can change, what is stored, what remains local, and when a suggestion becomes an action. This is not only compliance language. It is product quality.
Anthropic's report is useful because it moves the conversation away from abstract AI cyber fear and into operational detail. The next phase of AI security will be judged by how well defenders can describe, detect, and interrupt autonomous behavior before it becomes ordinary attack infrastructure.
Relevant links
- Anthropic: What we learned mapping a year's worth of AI-enabled cyber threats
- Anthropic Frontier Red Team: LLM ATT&CK Navigator
- MITRE ATT&CK framework
- Verizon: 2026 Data Breach Investigations Report
- Anthropic: Disrupting the first reported AI-orchestrated cyber espionage campaign
- SunMarc: AI Cybersecurity Just Hit a New Threshold