832
banned accounts analyzed for AI-enabled malicious cyber activity over 12 months
1.7x
increase in medium/high-risk AI-enabled threat actors from 33% to 56% over the study period
56.4
average risk score for actors using lateral movement techniques vs 46.8 overall baseline
13,873
ATT&CK technique observations mapped across all 14 tactics in the 12-month analysis

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Most threat intelligence on AI-enabled attacks is speculative: red team exercises, proof-of-concept demonstrations, or extrapolation from model capabilities. Anthropic's Attack Navigator analysis is different. It covers 832 accounts that were actually banned for malicious cyber activity between March 2025 and March 2026 -- real threat actors, real attacks, real AI usage mapped to real ATT&CK techniques.

The 13,873 technique observations across all 14 MITRE ATT&CK tactics constitute the largest empirical dataset on AI-enabled threat actor behavior published to date. The findings are specific enough to act on: which techniques AI is amplifying, which are declining, what distinguishes high-risk actors from medium-risk ones, and what behavioral signals defenders should be monitoring.

The headline finding -- medium/high-risk actors grew from 33% to 56% of the population in one year -- is significant. But the mechanism behind that growth is the actionable insight. It is not that attackers are becoming more technically sophisticated. It is that a subset of actors has figured out how to build orchestration infrastructure that makes AI models operate autonomously through multi-stage attack chains. Understanding that distinction changes what defenders need to build.

The Dataset: 832 Banned Accounts Over 12 Months

Anthropic's Attack Navigator analysis covered 832 accounts banned for malicious cyber activity between March 2025 and March 2026. The methodology mapped each actor's observed behavior to the MITRE ATT&CK framework, producing 13,873 technique observations spanning all 14 tactics -- Initial Access through Impact.

This is not a simulated exercise or a red team reconstruction. These are real threat actors who used real AI models for real attacks, identified through Anthropic's usage monitoring, and whose behavior was sufficiently documented to support ATT&CK mapping. The sample includes actors across the full risk spectrum from opportunistic script-kiddie-level to sophisticated agentic operators.

The 12-month window allows meaningful trend analysis: H1 2025 versus H2 2025 technique frequency, risk score distribution changes over time, and the identification of emerging patterns that were not visible in shorter observation windows. For practitioners building threat intelligence programs, this dataset provides the first statistically grounded baseline for what AI-enabled malicious cyber activity actually looks like at scale.

The Risk Trajectory: 1.7x Increase in High-Risk Actors

In March 2025, 33% of malicious cyber actors in the dataset were classified as medium or high risk. By March 2026, that figure was 56%. A 1.7x increase in one year is not noise in a dataset of this size -- it reflects a structural shift in the population of actors using AI for attacks.

The most important finding from the risk classification analysis is what drives the jump. It is not technical skill. It is not tool breadth. It is not familiarity with specific ATT&CK techniques. The single characteristic that most consistently differentiates high-risk actors from medium-risk ones is agentic scaffolding: the construction of orchestration infrastructure that enables AI models to operate autonomously through multi-stage attack chains without operator direction at each step.

The GTG-1002 case study illustrates this precisely. GTG-1002 deployed Claude Code on Kali Linux, integrated open-source pentesting tools into the model's available toolset, and built an autonomous pipeline that handled recon, asset discovery, and data exfiltration without requiring manual direction at each stage. The result was a maximum risk score. GTG-1002's technical sophistication was not exceptional. Its orchestration architecture was. Defenders who frame AI-enabled threat response around blocking access to powerful models are addressing the wrong variable.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Which ATT&CK Techniques Are Growing

Defense evasion is the most widely distributed technique in the dataset: 84.4% of actors use it, a figure that has remained stable across the observation period. Its ubiquity means it is not a differentiator -- it is table stakes for actors who persist long enough to generate ATT&CK observations.

The growth is concentrated in later-stage operations. Account discovery increased 8.9% from H1 to H2. Automated exfiltration increased 6.2%. These are the techniques that accelerate time-to-damage after initial access -- the phase where speed is the attacker's primary advantage and where human IR response is most likely to be too slow.

The declining techniques are equally informative. Standalone malware development dropped 12%. Obfuscation dropped 8.6%. Attackers are using AI less for preparation and more for operation. They are spending less effort building tools and more effort moving through environments and extracting data.

Lateral movement stands out as the single strongest predictor of high-risk classification. Actors in the dataset who used lateral movement techniques averaged risk scores of 56.4 versus 46.8 for the overall population. If your detection engineering has to prioritize one ATT&CK tactic for AI-enabled threat coverage, lateral movement is where the signal is strongest.

What This Means for Defenders and the ATT&CK Framework

The agentic scaffolding pattern creates a detection problem that existing rule sets are not designed to solve. A Claude Code instance orchestrating 50 parallel agents through a Kali Linux environment generates different behavioral signals than a human operator running Mimikatz manually. High API call volume, parallel process spawning, automated credential testing sequences, and machine-speed data staging are the indicators -- not the presence of any specific tool signature.

Practical defensive updates: (1) Build behavioral detection rules for agentic tool use patterns specifically: API call rate thresholds, parallel process spawn counts, automated authentication attempt sequences at non-human timing intervals. (2) Treat lateral movement as the highest-priority detection investment for AI-enabled threat coverage -- the risk score data is unambiguous on this. (3) Update IR playbooks to assume machine-speed data staging once initial access is confirmed. The 6.2% growth in automated exfiltration is not an edge case; it is becoming standard operating procedure for high-risk actors.

On the framework side: Anthropic is working with MITRE to evolve ATT&CK to capture AI-native attack patterns including autonomous kill-chain orchestration and real-time pivot decisions. The current framework's technique granularity was designed for human operators. As agentic scaffolding becomes more common, defenders will need a taxonomy that can represent behavior that occurs at machine speed across parallel execution threads -- something the current ATT&CK structure does not natively support.

The bottom line

The Attack Navigator analysis provides the first large-scale empirical baseline for AI-enabled threat actor behavior. The 1.7x risk trajectory increase, the agentic scaffolding differentiator, and the lateral movement risk signal are all specific enough to drive immediate detection engineering changes. Security teams that update behavioral detection rules, lateral movement monitoring, and IR trigger thresholds based on this data will be ahead of the majority of defenders. For a practitioner-focused assessment of what AI cybersecurity capabilities mean for your threat model, read the free Mythos Brief at /mythos-brief.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is Anthropic's Attack Navigator analysis?

Anthropic's Attack Navigator analysis examined 832 accounts banned from Claude for malicious cyber activity between March 2025 and March 2026. Each actor's observed behavior was mapped to the MITRE ATT&CK framework, producing 13,873 technique observations across all 14 tactics. The goal was to identify which ATT&CK techniques AI models enable most and how threat actor risk profiles are shifting.

How does agentic scaffolding make threat actors more dangerous?

Agentic scaffolding means building orchestration infrastructure around an AI model -- pipelines that handle recon, asset discovery, and data exfiltration without operator direction at each step. Actors with this infrastructure achieve dramatically higher risk scores because the AI operates continuously and in parallel rather than waiting for human instruction. The GTG-1002 case study, which deployed Claude Code on Kali Linux with integrated open-source pentesting tools, received a maximum risk score.

Which MITRE ATT&CK techniques are AI models enabling most?

Defense evasion is the most widely used technique (84.4% of actors), though it is stable rather than growing. The techniques showing the strongest growth from H1 to H2 are account discovery (+8.9%) and automated exfiltration (+6.2%). Lateral movement is the single strongest predictor of high-risk classification: actors using lateral movement averaged risk scores of 56.4 versus 46.8 overall.

What is the GTG-1002 threat actor case study?

GTG-1002 is a threat actor case study from Anthropic's Attack Navigator analysis representing the highest-risk AI-enabled attacker profile. GTG-1002 deployed Claude Code on a Kali Linux environment, integrated open-source pentesting tools, and built an autonomous pipeline for recon, asset discovery, and exfiltration. It received a maximum risk score and exemplifies the agentic scaffolding pattern that separates the highest-risk actors from medium-risk ones.

How do I detect AI-enabled threat actors in my environment?

AI-enabled high-risk actors generate distinct behavioral signals from human operators: high API call volume, parallel process spawning, automated credential testing sequences, and machine-speed data staging. Detection should prioritize behavioral rules for these patterns rather than signature-based detection of individual tools. Lateral movement remains the highest-value detection priority -- actors using it averaged risk scores 9.6 points above baseline.

Is MITRE ATT&CK being updated to cover AI-native attack patterns?

Yes. Anthropic is working with MITRE to evolve the ATT&CK framework to capture AI-native attack patterns including autonomous kill-chain orchestration and real-time pivot decisions. The current framework was designed for human operators and does not have native representations for agentic behavior. The taxonomy work is ongoing as of mid-2026.

Sources & references

  1. Anthropic Attack Navigator threat actor analysis
  2. Assessing Claude Mythos Preview cybersecurity capabilities, Anthropic
  3. MITRE ATT&CK Framework
  4. Claude Mythos AI Finds 10,000 High-Severity Flaws, The Hacker News
  5. Why Frontier AI Models Mark a Turning Point for Cybersecurity, Arctic Wolf

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.