TL;DR
Anthropic published a report June 3 analyzing 832 accounts banned for malicious cyber activity between March 2025 and March 2026, mapping them onto the MITRE ATT&CK framework. The three findings: attackers are using AI deeper in the attack chain, not just for initial break-ins. Attacks are getting more autonomous. And the old way of telling dangerous hackers from amateurs no longer works.
The standout stat is the skill collapse. The least-skilled attackers in the dataset used about 16 distinct techniques on average. The most-skilled used about 20. That gap used to be enormous. AI closed it. 67.3% of the accounts used AI to write malware, and the share of actors rated medium-risk or higher jumped from 33% to 56% in a single year. AI-assisted post-compromise work, the technically hard stuff that used to require real expertise, is now available to anyone who can prompt a model.
The uncomfortable part: this is the same company that just raised $65 billion partly on the strength of selling cyber defense through Project Glasswing, and whose Claude Code tool was the one a Chinese state group used to run a near-autonomous espionage campaign last November. Anthropic is documenting a problem it sits on both sides of.
Best for anyone in security, IT, or running a business with an attack surface, plus people tracking the Anthropic cybersecurity story. Not ideal for readers who want reassurance, because the report doesn’t offer much.
For thirty years the comforting thing about hacking was that it was hard.
The truly dangerous attackers were rare because the skills were rare. You needed years to learn how to move laterally through a network, escalate privileges, harvest credentials without tripping every alarm. That difficulty was a filter. It kept most of the threats amateur.
Anthropic just published the receipts on that filter dissolving.
What Anthropic Actually Did
Anthropic released a report June 3 analyzing 832 accounts it banned for malicious cyber activity between March 2025 and March 2026. The team mapped each one onto MITRE ATT&CK, the long-standing industry database of attacker tactics and techniques. Some of the findings went into Verizon’s 2026 Data Breach Investigations Report. The fuller version went on Anthropic’s own blog.
The 832 cases aren’t the total. They’re the subset where Anthropic had enough detail to assess the attacker’s actual techniques. So treat the numbers as a representative sample, not a full census. Even as a sample, they’re stark.
There were three conclusions. Attackers are using AI in the later, more complex stages of operations, not just the break-in. Attacks are becoming more autonomous as AI chains the steps together. And the MITRE ATT&CK framework, the thing the whole security industry uses to categorize threats, doesn’t actually capture what makes AI-enabled attackers dangerous.
The Skill Collapse Is the Story
Here’s the number that matters most, and it’s the one Anthropic states plainly without dwelling on it.
Security teams have always assessed how dangerous a hacker is partly by counting techniques. More techniques, more sophistication, higher threat. It was a decent proxy because technique breadth tracked skill. That proxy just broke. Per the report, the least-skilled actors in the dataset used about 16 distinct techniques on average. The most-skilled used about 20. That’s barely a gap. Twenty years ago the difference between a script kiddie and a nation-state operator was a canyon. Now it’s a rounding error.
The reason is simple. AI does the hard part now. The report found that 560 of the 832 accounts, 67.3%, used AI to write malware. More telling, the use of AI shifted across the year from getting into systems toward operating once inside them. AI-assisted account discovery, finding valid accounts inside a compromised network, rose 8.9%. AI-assisted phishing, a classic entry technique, fell 8.6%. Attackers are pushing AI deeper into the attack, into the post-compromise work that used to be the exclusive territory of people who really knew what they were doing.
Anthropic says it directly: these post-compromise techniques used to be restricted to actors with the technical knowledge to carry them out. Now AI performs them on behalf of less sophisticated actors. The expertise barrier that kept most attackers amateur is being dismantled, one prompt at a time.
The Risk Curve Bent Up Fast
The other number worth sitting with is the speed.
In the first six months of the study period, 33% of the actors scored medium-risk or higher on Anthropic’s risk system. In the second six months, that share hit 56%. A 1.7-fold jump in twelve months. That’s not a gradual climb. That’s a curve bending upward inside a single year, which is roughly the cadence at which the underlying models got more capable.
And the signals security teams have relied on are eroding all at once. The platform an attacker used, whether Claude Code, an API, or a plain chat interface, didn’t correlate with their risk level. Technique count no longer tracks skill. The one thing that still helps distinguish the truly dangerous actors is where they apply AI in the attack life cycle, the operationally demanding stuff like lateral movement and privilege escalation. But the report admits even that signal is fading, because the whole population is moving in that direction as the tools improve.
The most durable differentiator left, per Anthropic, isn’t skill at all. It’s the scaffolding. The highest-risk actors build architectures that let the model chain discrete attack stages together and run them with minimal human input. In other words, the dangerous part isn’t the hacker anymore. It’s how well they’ve wired up the agent.
The Part Where Anthropic Is on Both Sides
A report like this reads as a public service, and partly it is. But it’s worth being clear-eyed about who’s publishing it.
This is the same company that, as we covered, is building Project Glasswing into a cybersecurity offering it just helped raise $65 billion against. It’s the same Claude Code that, by Anthropic’s own November disclosure, a Chinese state-sponsored group manipulated into running a near-autonomous espionage campaign against roughly thirty global targets. The report references that exact incident as its worst-case example. The model executed commands, exploited vulnerabilities, stole credentials, and made tactical decisions, needing a human only at a few key moments.
So the structure here is a company documenting, in careful detail, the dangers of a tool it sells, in a report that doubles as a case for the defensive product it also sells. That’s not an accusation of bad faith. The research looks genuinely useful, the MITRE collaboration is real, and the safeguards Anthropic says it deployed are a reasonable response. It’s just the same asymmetry that runs through the entire Mythos story. The company with the most powerful offensive capability is also the one selling you the shield, defining the threat model, and deciding who gets early access to the defense. The 40-odd Glasswing organizations get the strongest protection first. Everyone else reads the report.
There’s also a quieter tension. Anthropic notes it deployed cyber safeguards on its most capable models to detect and block things like malware development and mass exfiltration. Good. But the report’s own data shows attackers shifting to post-compromise techniques that look less like obvious malware and more like ordinary system administration. Those are exactly the activities hardest to block without also blocking legitimate use. The safeguards catch the loud stuff. The report describes attackers getting quieter.
Why MITRE ATT&CK Can’t Keep Up
The most forward-looking finding is the one about frameworks, and it has consequences past this one report.
MITRE ATT&CK is the shared language of cybersecurity. It’s how teams categorize what an attacker did and compare notes. Anthropic’s point is that the behaviors defining the most dangerous AI-enabled actors, the model orchestrating attack steps in sequence, making real-time decisions about what to do next, executing without human intervention, simply aren’t in the framework. There’s no ATT&CK ID for agentic orchestration.
The November espionage case proves the gap. Mapped against MITRE, that attack used 30 techniques across 13 tactics, which looked like a middling medium-risk actor on paper. Run through Anthropic’s own risk scoring, it earned the maximum score of 100. The framework everyone relies on would have radically understated how dangerous it was. When your measuring stick can’t see the thing that makes the new attacks deadly, you get blindsided, and the whole industry is currently using that measuring stick.
Anthropic says it’s in talks with MITRE about evolving the framework. That’s the right move. It also means the standard tooling the security industry runs on is, by the admission of one of the labs at the frontier, a step behind the threat right now.
What To Actually Do With This
Strip out the corporate positioning and there are real takeaways for anyone with something worth attacking.
The threat model changed and your defenses probably assume the old one. If your security posture still treats unsophisticated attackers as low-risk because they “can’t” do the advanced stuff, that assumption is now wrong. The advanced stuff is rented. Plan for the amateur with an agent, not just the elite operator.
Watch the post-compromise layer, not just the perimeter. The report’s clearest trend is attackers moving AI deeper into systems, into lateral movement and account discovery, while pulling back on noisy entry techniques like phishing. Detection that focuses on keeping people out matters less when the dangerous behavior happens after they’re already in. Internal monitoring, least-privilege access, and anomaly detection on lateral movement are where the curve is heading.
And read the threat reports from the labs, but read them as what they are. Anthropic, OpenAI, and Google are now the primary source of frontier threat intelligence because they see the attacks happen on their platforms. That makes their reports genuinely valuable and structurally conflicted at the same time. Use the data. Notice that the company handing it to you also sells the fix.
The comforting thing about hacking used to be that it was hard. Anthropic just published a year of evidence that it isn’t anymore. The filter that kept most threats amateur is gone, and the people who removed it are the same ones now selling the replacement. That’s the actual story, and it’s only going to get louder as the agents get better.
