Anthropic and MITRE Map a Year of AI-Enabled Cyber Attacks

Anthropic banned 832 accounts for malicious cyber activity in twelve months. The pattern in the data is clear: attackers are pushing AI deeper into the attack — past the break-in, into the network.

On 3 June 2026 Anthropic published what it learned mapping a year of those accounts onto MITRE's ATT&CK framework, the industry-standard catalogue of attacker tactics and techniques, with findings drawn together alongside Verizon's 2026 Data Breach Investigations Report. The full write-up is on Anthropic's newsroom.

What the data shows

The dataset is 832 accounts Anthropic banned for malicious cyber activity between March 2025 and March 2026. Of those, 67.3% — 560 actors — used AI to help write malware. A smaller but sharper 6.5%, 54 actors, used AI for lateral movement, the work of spreading through a network once inside.

The trend line is the worrying part. Actors rated medium-risk or higher rose from 33% in the first six months to 56% in the second — a roughly 1.7-fold increase in half a year. And the centre of gravity moved: AI-assisted phishing fell 8.6% while AI-assisted account discovery rose 8.9%, evidence that attackers are applying AI deeper in the attack life cycle rather than just at the front door.

Why traditional risk metrics miss the new threat

The most useful finding is a negative one. The metrics defenders have always trusted no longer sort the dangerous actors from the noisy ones. Least-skilled actors in the dataset used about 16 distinct techniques; the most-skilled used about 20 — a gap far too small to triage on. And the platform an actor used, whether Claude Code, the API, or the chat interface, showed no correlation with risk level at all.

What did correlate was concentration. The data shows higher-risk actors point AI at the operationally demanding techniques — the steps requiring significant time, oversight, or real-time decision-making — rather than spreading AI thin across the whole attack. Capability, not tool choice or technique count, is the signal. Capability is the harder thing to measure, and capability is the thing defenders most need to see.

The agentic gap in ATT&CK

The report's sharpest example is a state-sponsored operation Anthropic disrupted in November 2025. Mapped onto ATT&CK, the operation touched 30 techniques across 13 tactics — a profile that reads as merely medium-risk by the traditional count. On Anthropic's own risk scale, the same operation scored 100 out of 100. The framework and the reality disagreed completely.

The reason is simple: the framework has no vocabulary for what the operation actually did — orchestrate an attack agentically, with the AI making decisions across steps a human used to stitch together by hand. Anthropic is blunt the catalogue everyone relies on has a hole in the middle.

There is no ATT&CK ID for this type of agentic orchestration — yet these are precisely the behaviors we expect to see much more of as AI agents become more capable.

— Anthropic, <a href="https://www.anthropic.com/news/AI-enabled-cyber-threats-mitre-attack">"What we learned mapping a year's worth of AI-enabled cyber threats"</a> (3 June 2026)

Anthropic says it has deployed cyber safeguards on its capable models and is in discussions with MITRE about how ATT&CK might evolve to name the AI-enabled behaviours the year's data surfaced. Naming the gap is the first defensive act.

What defenders should do now

For anyone running a security programme, the report is a GRC document as much as a research one. The practical takeaway is to stop sorting risk by tool and technique-count and start sorting by capability and intent — which means investing in the telemetry that can actually see orchestration, not just individual techniques. Map your own incidents onto ATT&CK, then note honestly where the framework runs out of IDs.

There is a quieter point worth making. This is defensive transparency from a lab that filed to go public the same week — Anthropic publishing the uncomfortable finding that its own catalogue of attacker behaviour is incomplete. That posture, naming the gap rather than burying it, is what dignity-first practice looks like in security: the recognition that accountability needs a clear account, even when the account is unflattering. Emergent Intelligence, the frame I use for these systems, asks the same of the models and of the labs that build them — be legible about what you can do, and what can be done with you.

Source: anthropic.com

Frequently Asked Questions

These are the questions security leaders, GRC teams, and AI-governance readers have been asking since the report landed. Short answers follow, drawn from Anthropic's write-up, the MITRE ATT&CK framework, and the Verizon 2026 DBIR.

What is the Anthropic and MITRE ATT&CK report?

In short, it is a 3 June 2026 Anthropic analysis of 832 accounts banned for malicious cyber activity over twelve months, mapped onto the MITRE ATT&CK framework. The answer, simply put, is that it measures what AI actually did for real attackers. The key is the finding that AI use is shifting from initial access toward post-compromise activity inside victim networks.

How does AI change the way attackers operate?

Data from the report shows 67.3% of banned actors used AI to write malware and 6.5% used AI for lateral movement. According to Anthropic, account discovery rose 8.9% while AI-assisted phishing fell 8.6%. The evidence reveals attackers applying AI deeper in the attack life cycle — not just to get in, but to operate once inside.

Why is agentic orchestration invisible to MITRE ATT&CK?

The answer is that ATT&CK catalogues discrete techniques, and agentic orchestration is not a technique — it is an AI stitching many techniques together with its own decisions. Analysis of a November 2025 operation shows it mapped to 30 techniques and read as medium-risk, yet scored 100/100 on Anthropic's scale. Research from Anthropic demonstrates the framework needs new IDs for AI-driven orchestration.

Who is in the dataset Anthropic analysed?

Anthropic banned 832 accounts for malicious cyber activity between March 2025 and March 2026. In other words, the study covers a full year of real abuse of its models. The data also reveals that the platform an actor used showed no correlation with how dangerous the actor was.

What are the defensive takeaways from the report?

Analysis of the report demonstrates three takeaways. First, stop triaging risk by tool or technique-count — neither correlates with danger. Second, invest in telemetry that can see orchestration across steps, not just isolated techniques. Third, map your incidents to ATT&CK and flag where it runs out of IDs, because that gap is where the next year of agentic attacks will live.

Read alongside: Claude Mythos Found 10,000 Flaws — Only 97 Are Patched on the AI-discovery-versus-human-repair gap, Claude Security going public beta on the defender stack, and the .person Protocol on accountability for emergent actors.

Sources: Anthropic — "What we learned mapping a year's worth of AI-enabled cyber threats" (3 June 2026); MITRE ATT&CK; Verizon 2026 Data Breach Investigations Report.