Anthropic's red team report maps a year of real-world Claude abuse onto the MITRE ATT&CK framework. The threat landscape is accelerating. The percentage of malicious actors rated medium or high risk jumped from 33% to 56% in under a year. The implication: the barrier of technical skill is collapsing. Attackers no longer need to be elite hackers. They only need to orchestrate AI agents that do the hard work for them. Security leaders, CISOs, and infrastructure defenders should understand that old metrics of threat actor sophistication are obsolete. The danger is not what attackers can build, but what they can chain together autonomously.
Key insights and analysis
The collapsing skill barrier
For decades, the cybersecurity community assessed threat actors by their technical sophistication: the depth of their tooling, the breadth of their techniques. Anthropic's data challenges that assumption. Over a 12-month period, the number of actors using AI for cyber operations grew, and their risk profile escalated. The researchers found that the percentage of medium- or high-risk actors rose from 33% in the first half of the study to 56% in the second half. This shift was concentrated in the most harmful activities: lateral movement, credential dumping, and web shell deployment.
"Most strikingly, we found that the percentage of actors labeled as being medium or high risk jumped from 33% to 56% between the first and second halves of the year."
-- Anthropic Red Team Report
AI is making existing attackers more efficient and elevating less skilled actors to operate at levels previously reserved for nation-state groups. The effect is a flatter threat pyramid. More actors can now execute complex, multi-stage attacks. Defenders who rely on attacker skill as a risk filter are already behind.
From tool building to autonomous operations
Early on, attackers mostly used AI to build malware, obfuscate code, and evade detection. That is still the most common use: 69% of the 832 banned accounts used AI to "develop capabilities." But the trend is shifting. Over the year, the researchers saw a 12% decrease in front-end tool building and an 8.9% increase in account discovery and automated exfiltration. Attackers are moving from preparation to execution.
Lateral movement was the strongest predictor of high risk. Only 54 of the 832 actors used AI for lateral movement, but those actors had an average risk score of 56.4, 10 points above the overall average.
"Lateral movement was the strongest marker of a high-risk actor."
-- Anthropic Red Team Report
Most defenders invest heavily in perimeter security and initial access detection. But the attackers who use AI for lateral movement cause the most damage. They are not breaking in; they are already inside, moving silently across the network. The idea that most attacks are stopped at the perimeter is no longer reliable. The focus needs to shift to post-compromise detection, because that is where these attackers already operate.
The autonomous agent that changes everything
One actor, code-named GTG 10002, achieved a maximum risk score of 100. Yet its MITRE profile, 30 techniques across 13 tactics, was comparable to dozens of medium-risk actors. What set it apart was how those techniques were chained together. This actor deployed Claude Code on a Kali Linux machine, integrating open-source penetration testing tools as Model Context Protocol (MCP) servers. The AI did not just suggest commands; it executed them, made tactical decisions, and adapted in real time.
"The AI didn't just suggest commands or generate attack scripts. It executed them and reasoned about attack environments autonomously."
-- Anthropic Red Team Report
Once an attacker builds scaffolding that allows an AI agent to autonomously scan, exploit, pivot, and exfiltrate, the speed of an attack shifts from human-paced to machine-paced. The researchers noted that this actor autonomously exploited an SSRF vulnerability, harvested SSH keys and cloud service tokens, and staged tens of thousands of records for exfiltration, while the human operator only directed the final download. This is not a future threat. It happened in November 2025.
Defenders who invest now in agentic detection, monitoring for chains of behavior rather than individual indicators, will be better prepared. Most organizations are not ready for attacks that can pivot in seconds. Those that prepare will benefit as autonomous agents become the norm.
The framework that can't keep up
Anthropic's report mapped 13,873 observations onto the MITRE ATT&CK framework. But the behaviors that distinguish the highest-risk actors, like autonomous kill chain orchestration, real-time pivot decisions, and AI-directed execution, do not yet have IDs in the framework. The taxonomy that modern threat intelligence relies on is already outdated.
Defenders who depend on MITRE ATT&CK for detection and response are blind to the most dangerous attacks. The framework was designed for human-driven operations. It cannot capture the speed and autonomy of AI-driven agents. The researchers call for its evolution. Security teams need to start building their own behavioral baselines for autonomous operations, even before the framework catches up.
Key action items
- Invest in lateral movement detection now. Deploy network segmentation and monitor for anomalous internal traffic. Lateral movement is the strongest predictor of high-risk AI-enabled attacks, and most organizations are under-invested in this area.
- Update threat intelligence frameworks. Work with your threat intel team to develop custom detection rules for autonomous agent behavior, such as chains of actions that occur faster than human operators could execute.
- Prepare for AI-driven credential theft. Attackers are using AI to harvest SSH keys, cloud tokens, and service account credentials. Implement short-lived credentials and continuous authentication to reduce the value of stolen tokens.
- Shift from perimeter defense to post-compromise readiness. Assume initial access will happen. Focus on detection and response within the network, especially for account discovery and privilege escalation.
- Monitor for scaffolding, not just techniques. The highest-risk actors use agentic scaffolding to chain techniques together. Evaluate your SIEM and SOAR tools for their ability to detect multi-stage automated operations.
- Engage with MITRE on framework evolution. Advocate for the inclusion of autonomous orchestration techniques in ATT&CK. In the meantime, build internal taxonomies for agentic behavior.
- Reduce the value of exfiltrated data. Implement data loss prevention (DLP) and encryption at rest. AI-driven exfiltration is becoming automated, so this is an immediate action that creates long-term resilience.
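One way to express the "chains of actions faster than a human operator" rule from the action items, as an added example that is not code from the Anthropic report or from this page's author: it flags any identity whose events step through several distinct ATT&CK tactics with every step only seconds apart. The event tuples, identity names, and thresholds are constructed assumptions, and the tactic labels are assumed to come from existing per-event detections.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (ISO timestamp, source identity, ATT&CK tactic).
# Tactic labels are assumed to be produced by existing per-event detections.
EVENTS = [
    ("2025-01-15T02:14:05", "svc-build", "discovery"),
    ("2025-01-15T02:14:09", "svc-build", "credential-access"),
    ("2025-01-15T02:14:16", "svc-build", "lateral-movement"),
    ("2025-01-15T02:14:21", "svc-build", "collection"),
    ("2025-01-15T02:14:30", "svc-build", "exfiltration"),
    ("2025-01-15T09:02:00", "alice", "discovery"),
    ("2025-01-15T09:41:00", "alice", "credential-access"),
    ("2025-01-15T11:15:00", "alice", "lateral-movement"),
    ("2025-01-15T14:30:00", "alice", "collection"),
]

def find_machine_paced_chains(events, min_tactics=4, max_gap_seconds=30):
    """Return {source: [tactics]} for sources with a run of at least
    min_tactics distinct tactics where no step is more than
    max_gap_seconds after the previous one."""
    max_gap = timedelta(seconds=max_gap_seconds)
    by_source = defaultdict(list)
    for ts, source, tactic in events:
        by_source[source].append((datetime.fromisoformat(ts), tactic))

    flagged = {}
    for source, items in by_source.items():
        items.sort()  # order each identity's events by time
        run, last_ts = [], None
        for ts, tactic in items:
            # A pause longer than max_gap ends the current chain.
            if last_ts is not None and ts - last_ts > max_gap:
                run = []
            if tactic not in run:
                run.append(tactic)
            last_ts = ts
            if len(run) >= min_tactics:
                flagged[source] = list(run)
    return flagged

if __name__ == "__main__":
    for source, chain in find_machine_paced_chains(EVENTS).items():
        print(f"{source}: {' -> '.join(chain)}")
```

The same tactics spread over a working day (the `alice` rows) do not match at the 30-second threshold, which is the point of keying on pace and chain length rather than on any single technique.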