Anthropic published a June 3 report on AI-enabled cyber misuse, mapping 832 accounts banned for malicious cyber activity between March 2025 and March 2026 onto the MITRE ATT&CK framework. The company says the cases are only a subset of total banned accounts, limited to those where it had enough detail to assess attacker techniques.
The finding to watch is where AI is being used. Anthropic says malicious actors are not only using models to prepare attacks. They are increasingly applying AI deeper in the attack life cycle, including account discovery, lateral movement, privilege escalation, and chained workflows that can execute with less human input.
The shift is post-compromise
The easiest AI-cyber story is phishing and malware drafting. Anthropic’s data points somewhere more operationally important. The most common activity in the dataset was still preparation: 560 of the 832 accounts used AI for malware writing. But Anthropic says a smaller set used AI for harder work, including 54 accounts that used it to help with lateral movement inside a compromised network.
The time trend is the clearer warning. Anthropic says its medium-or-higher risk classification rose from 33% of actors in the first six months of the study to 56% in the second six months. It also says account discovery rose 8.9%, while AI-assisted phishing fell 8.6%. That suggests a move away from only getting into systems and toward doing more once inside.
Those numbers do not prove that every attacker became more capable. They do suggest the risk signal is changing. If AI can help a weaker actor perform post-compromise tasks that previously required more skill, defenders cannot rely on old assumptions about what low-skill activity looks like.
Old skill signals are getting weaker
Anthropic says traditional risk signals are becoming less reliable. In its dataset, the least-skilled actors used about 16 distinct techniques on average, while the most skilled used about 20. The platform used - Claude Code, API, or chat interface - also did not correlate cleanly with risk.
That is the uncomfortable part. A model can give a less sophisticated actor access to more technique variety, and the surface they use may not reveal much. The stronger signal is what they are trying to do with the model. Anthropic says higher-risk actors concentrated AI use on more operationally demanding tasks such as account discovery, lateral movement, and privilege escalation.
Even that signal may not hold forever. Anthropic’s own analysis says broader AI misuse is moving in that direction. If many attackers begin using models for post-compromise work, defenders need to detect the orchestration pattern, not just the individual technique.
MITRE needs an AI layer
Anthropic’s critique of MITRE ATT&CK is not that the framework is obsolete. It is that many AI-specific behaviors are hard to express inside it. The report points to model-driven orchestration, sequential chaining, real-time decision making, and execution with minimal human intervention as behaviors that distinguish higher-risk actors but are not fully represented as attacker techniques.
That has a practical consequence for security teams. If a detection framework only records the human-visible step, it may miss the part that changed: a model planning the next move, selecting tools, chaining actions, or adapting to feedback. The same final action can carry a different risk profile when it is one step in an AI-assisted loop.
What defenders should take from it
The operational read is specific. First, review whether abuse monitoring and incident triage can distinguish simple prompt misuse from chained activity. Second, treat post-compromise AI use as a higher-priority signal than generic “AI wrote code” activity. Third, update internal taxonomies so analysts can mark orchestration, autonomy, and model-mediated decision points when they appear.
Anthropic’s report also matters for AI providers. If the risky behavior is a workflow pattern, policy enforcement cannot be only keyword filtering or static prompt classification. It needs behavioral context: repeated tool use, step chaining, privilege-seeking patterns, and whether the model is being used to reduce the amount of human skill needed to operate inside a target environment.
For broader context on Anthropic’s model and safety strategy, see our Anthropic company profile and the AI model leaderboard.
