An Anthropic Frontier Red Team analysis of 832 accounts banned for malicious cyber activity between March 2025 and March 2026 found that common threat-rating signals are losing value as AI helps less-skilled actors perform techniques once associated with more capable operators.

The accounts were mapped onto MITRE ATT&CK, the standard taxonomy many security teams use to classify attacker tactics and techniques. The dataset is described as a detailed window into cases with enough information for technique mapping, not a full census of all AI-enabled cyber misuse.

According to the source material, 67.3% of the banned accounts, or 560 accounts, used AI to help write malware. A smaller share, 6.5%, or 54 accounts, used AI for lateral movement inside networks. The share of actors rated medium-risk or higher rose from 33% in the first six months to 56% in the second six months, a roughly 1.7-fold increase across the year.

The analysis says the number of techniques an actor used no longer separated weaker and stronger actors well. Least-skilled actors averaged 16 techniques, while the most-skilled averaged 20. The platform used, including Claude Code, API access or chat, also did not correlate with risk in the summary provided.

Why It Matters

The finding matters because many security programs still rely on technique counts, tooling sophistication and lifecycle position to judge attacker capability. If AI can supply many techniques on demand, then a low-skill actor may appear similar to a stronger operator when measured only through the old lens.

The analysis points instead to the architecture around the model: systems that let AI chain attack stages, act with limited human input and operate across post-compromise tasks. That kind of scaffolding is harder to capture in a taxonomy built around human-executed techniques, yet the source material says it was central to the highest-risk case reviewed.

Background

MITRE ATT&CK has long helped defenders organize cyber activity into tactics and techniques, from initial access to privilege escalation and lateral movement. That structure remains useful for describing what happened during an intrusion, but the Anthropic-linked analysis argues that it is weaker at describing who, or what, is doing the operational work when an AI model is orchestrating steps.

The source material cites a November 2025 espionage operation as the clearest example. By technique count, the operation used 30 techniques across 13 tactics, which made it look similar to many medium-risk actors. By Anthropic’s risk-scoring method, the same case reached the maximum score because the model operated as an autonomous agent.

The analysis also says AI use moved deeper into the attack lifecycle during the year. AI-assisted phishing fell by 8.6%, while AI use for account discovery rose by 8.9%. The source material frames that movement as a shift toward post-compromise work that once demanded more operator skill.

“there is no MITRE ATT&CK ID for agentic orchestration”

— Thorsten Meyer AI field note on MITRE ATT&CK coverage

What Remains Unclear

The dataset does not show the full scale of AI-enabled cyber activity, because it covers banned accounts with enough detail for mapping. It is also unclear how representative these cases are across other AI systems, threat groups or criminal markets.

It remains unsettled how MITRE ATT&CK may change, whether a durable vocabulary for agentic orchestration will be adopted, and how well model safeguards will hold as attackers adapt their methods.

What’s Next

Anthropic says the findings informed safeguards on its most capable models, including controls aimed at blocking malware development and mass data exfiltration, and tools for defenders under Project Glasswing. Following related Verizon work, Anthropic also says it is in discussions with MITRE about how ATT&CK might evolve to describe agentic orchestration and the scaffolding that can turn a model into an operator.

Key Questions

What is the actual news development?

An Anthropic Frontier Red Team analysis mapped 832 banned malicious cyber accounts from March 2025 to March 2026 onto MITRE ATT&CK and found that traditional measures, especially technique counts, are becoming weaker indicators of attacker danger.

What is confirmed by the source material?

The confirmed figures in the provided material are the 832 banned accounts, the March 2025 to March 2026 study period, the 67.3% malware-writing use share, the 6.5% lateral-movement use share, and the rise in medium-or-higher actors from 33% to 56% across the year.

What is claimed or interpreted?

The interpretation is that AI has weakened the old link between technique count and attacker skill, and that model scaffolding is now a better signal of danger. That conclusion is attributed to the analysis described by Thorsten Meyer AI and Anthropic.

Why does this matter for defenders?

Security teams may under-rank attacks if they focus only on visible techniques. The analysis says the higher-risk signal may be whether an attacker has built an AI-enabled system that can chain actions and carry out post-compromise work with limited human direction.

What remains unclear?

It is not yet clear how broad the pattern is beyond the banned-account dataset, how ATT&CK may be updated, or how quickly defensive tools and model safeguards can adapt to agentic attack workflows.

Source: Thorsten Meyer AI