anthropic.com web signal

Anthropic finds AI-enabled high-risk actors up 1.7x

Key insights

  • Medium-or-higher-risk actors among 832 banned accounts jumped from 33% to 56% in one year, a roughly 1.7-fold increase.
  • 67.3% of banned accounts used AI for malware writing, while AI-assisted phishing actually declined 8.6% in the same period.
  • A November 2025 state-sponsored operation mapped to 30 techniques across 13 tactics and scored the maximum risk of 100.

Why this matters

The 1.7x year-over-year escalation in high-risk actor classification signals that AI is not just lowering barriers to entry but is actively upgrading the operational ceiling of existing threat actors, particularly in later and more complex attack stages. The November 2025 autonomous operation shows the threat model has already shifted: AI agents are making real-time tactical decisions during live intrusions, not just assisting with drafting or reconnaissance. The MITRE ATT&CK framework that underpins enterprise detection logic, red team exercises, and SOC tooling does not fully capture AI-orchestrated multi-step autonomous chains, meaning most defenders are operating on a taxonomy that no longer reflects the actual threat landscape.

Summary

Across 832 accounts banned for malicious cyber activity from March 2025 to March 2026, Anthropic found medium-or-higher-risk actors nearly doubled: 33% in the first half of the period, 56% in the second. Of those 832, 560 used AI for malware writing while AI-assisted phishing fell 8.6%. Growth is in deeper, later-stage operations where AI is making real tactical decisions. In essence, per Anthropic, AI is doing the attack work, not just the prep.

  • A November 2025 state-sponsored operation Anthropic disrupted mapped to 30 techniques across 13 tactics, earning the maximum risk score of 100.
  • The autonomous agent executed commands, exploited vulnerabilities, stole credentials, and made decisions with minimal human input.
  • The MITRE ATT&CK framework does not fully capture these AI-orchestrated multi-step chains. The classification tools defenders rely on were built before attackers had autonomous agents.

Potential risks and opportunities

Risks

  • Security vendors whose detection rules map directly to MITRE ATT&CK (CrowdStrike, Splunk, Elastic) face undocumented blind spots: the framework does not fully capture the autonomous multi-step chains this report documents.
  • Threat intelligence and risk-scoring models calibrated on the March 2025 baseline are already outdated given the confirmed 1.7-fold jump in high-risk actors across Anthropic's full one-year dataset.
  • Defenders using human-paced incident response playbooks face compressed timelines against autonomous agents whose activity can map to 30 techniques across 13 tactics with minimal human oversight, as demonstrated in the November 2025 operation.

Opportunities

  • AI-native detection vendors (Darktrace, Vectra AI, Protect AI) can differentiate immediately by covering post-intrusion autonomous-agent behavior that MITRE ATT&CK does not yet classify.
  • MITRE and ATT&CK framework contributors have a data-backed mandate to extend the taxonomy for AI-orchestrated attack chains, opening a standards-setting role before a competing framework fills the gap.
  • Threat intelligence platforms (Recorded Future, Mandiant) can build a new AI-actor risk-scoring product tier leveraging the kind of autonomous-intrusion telemetry Anthropic's 832-account corpus represents.

What we don't know yet

  • The nationality and full attribution of the November 2025 state-sponsored espionage operation Anthropic disrupted are not disclosed in the report.
  • No disclosure of whether other major AI labs are conducting comparable banned-account analyses or whether Anthropic's risk-scoring methodology has been shared or validated industry-wide.
  • No timeline given for when or whether MITRE plans to extend the ATT&CK framework to cover AI-orchestrated autonomous attack chains.