
Anthropic maps how attackers are weaponising AI, and what defenders should watch

A year of banned-account data shows AI shifting from break-in to autonomous, in-network operations.

Inteeka · 3 June 2026 · 4 min read

Mapping AI-enabled cyber threats to the MITRE ATT&CK framework

For most of the past year the question about AI and security has been abstract: could attackers misuse these tools, and how badly? Anthropic has now answered it with data. The company analysed 832 accounts it banned for malicious cyber activity between March 2025 and March 2026, and mapped what each account was actually trying to do onto the MITRE ATT&CK framework, the industry’s shared vocabulary for attacker behaviour. The result is one of the clearer pictures we have of how AI is being used by real adversaries, rather than how it might be.

What the data shows

The headline finding is that AI is most useful to attackers as a code factory. Across the 832 banned accounts, writing malware accounted for 67.3% of the AI use observed (roughly 560 actors), making it the single most common activity by a wide margin. That is a practical, unglamorous use of the technology: it lowers the skill and time required to produce working malicious code.

Two shifts over the year matter more than the static numbers.

  • The actors got more capable. In the first six months, 33% of actors were assessed as medium risk or higher. In the second half that figure rose to 56%, described by Anthropic as roughly a 1.7-fold increase. The population is not just growing; it is getting more serious.
  • The work moved deeper into the network. Use of AI for initial access fell (AI-assisted phishing dropped 8.6%) while activity tied to operating inside a compromised environment grew, with account discovery up 8.9%. The emphasis is shifting from getting in to moving around once in.

Most striking is the trend towards autonomy. Higher-risk actors built architectures that let the model chain together discrete stages of an attack and carry them out with minimal human input. Anthropic points to a state-sponsored operation it disrupted in November 2025, in which a model operated as an autonomous agent and required human intervention only at a few key moments.

The framework gap

There is a quieter finding with longer-term consequences. The MITRE ATT&CK framework, which defenders the world over use to describe and detect attacker behaviour, has no clean way to represent agentic orchestration: the autonomous chaining of steps and real-time decision-making that defines the most dangerous AI-enabled attacks. Anthropic says it is discussing with MITRE how the framework should evolve to close that gap.

That matters because tooling follows taxonomy. If our shared language for attacks cannot describe an AI running an attack chain by itself, the detection rules, dashboards and playbooks built on that language will be slow to catch it.

Why it matters for businesses

You do not need to be a state-level target for this to be relevant. The same dynamics that make a sophisticated actor faster make routine attacks cheaper and more numerous. When malware is the most common use of AI by banned accounts, the volume and variety of malicious code in circulation goes up for everyone. And as attackers automate the post-compromise phase (the part where they quietly look around inside a network), the window between a breach and real damage gets shorter.

The uncomfortable implication is that defence cannot stay manual while offence becomes automated. An attacker whose agent works through discovery and lateral movement overnight is not going to be caught by a security review that happens once a quarter.

What to do about it

The response is not panic, and it is not a single product. It is to close the speed gap deliberately, in a few practical directions.

  • Watch for in-network behaviour, not just the front door. With activity shifting towards account discovery and lateral movement, monitoring needs to cover what happens after someone is already inside, not only the moment they try to get in.
  • Shorten the time from signal to response. If attackers can chain steps autonomously, defenders benefit from automation that triages alerts, correlates events and contains obvious threats without waiting for someone to read an email.
  • Keep a human at the consequential moments. Automating detection and triage is sensible; automating destructive action is not. The decisions that lock accounts or take systems offline still belong to a person, with the machine doing the legwork.
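
The three recommendations above, sketched as an added example (not code from Anthropic's report or from this article's author): a burst detector for account-discovery commands run over constructed process-creation events, followed by a triage step that automates only reversible legwork and queues account lockout and host isolation for a human. The command prefixes, time window, threshold, host and user names, and action names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events: (host, user, ISO time, command line).
EVENTS = [
    ("ws-014", "j.doe", "2026-06-01T02:10:05", "whoami /all"),
    ("ws-014", "j.doe", "2026-06-01T02:10:09", "net user /domain"),
    ("ws-014", "j.doe", "2026-06-01T02:10:14", 'net group "Domain Admins" /domain'),
    ("ws-014", "j.doe", "2026-06-01T02:10:21", "net localgroup administrators"),
    ("ws-022", "a.khan", "2026-06-01T09:30:00", "whoami"),
    ("ws-022", "a.khan", "2026-06-01T13:45:00", "net user a.khan /domain"),
]

# Assumed command prefixes for account discovery (ATT&CK T1087); tune per estate.
DISCOVERY_PREFIXES = ("whoami", "net user", "net group", "net localgroup")
WINDOW = timedelta(minutes=5)  # assumed burst window
THRESHOLD = 3                  # assumed minimum distinct commands inside the window

def detect_bursts(events):
    """Alert on each (host, user) that runs >= THRESHOLD distinct discovery
    commands within WINDOW; isolated lookups spread over a day stay quiet."""
    by_actor = defaultdict(list)
    for host, user, ts, cmd in events:
        if cmd.lower().startswith(DISCOVERY_PREFIXES):
            by_actor[(host, user)].append((datetime.fromisoformat(ts), cmd))
    alerts = []
    for (host, user), hits in sorted(by_actor.items()):
        hits.sort()
        for i, (start, _) in enumerate(hits):
            cmds = {c for t, c in hits[i:] if t - start <= WINDOW}
            if len(cmds) >= THRESHOLD:
                alerts.append({"host": host, "user": user, "technique": "T1087",
                               "first_seen": start.isoformat(), "commands": sorted(cmds)})
                break  # one alert per actor is enough for triage
    return alerts

def triage(alert):
    """Reversible legwork runs automatically; anything that locks an account
    or takes a host offline is queued for a human approver."""
    return {
        "automatic": ["open_ticket", "collect_host_telemetry", "notify_on_call"],
        "needs_human_approval": [f"disable_account:{alert['user']}",
                                 f"isolate_host:{alert['host']}"],
    }

def run(events=EVENTS):
    """Detect, then attach a response plan to every alert."""
    return [(alert, triage(alert)) for alert in detect_bursts(events)]
```

On the sample data only `ws-014` alerts: four distinct discovery commands in sixteen seconds, while the two lookups on `ws-022` hours apart do not cross the threshold.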

The takeaway

The value of Anthropic’s analysis is that it replaces speculation with measurement. AI is being used by attackers, mostly to write malware, increasingly by more capable actors, and increasingly to run operations inside networks with little human input. None of that is a reason to retreat from AI; it is a reason to use the same capabilities in defence, thoughtfully and with humans where the stakes are highest. The attackers have already automated. The sensible move is to meet them with automation you control.

Source: Anthropic: What we learned mapping a year’s worth of AI-enabled cyber threats