Between March 2025 and March 2026, Anthropic's trust and safety teams banned 832 accounts for using Claude to assist with malicious cyber operations. That might read as a moderation statistic. But Anthropic did something less common with the data: it systematically catalogued what each of those actors actually did, matched every observed technique to the MITRE ATT&CK framework, and published the results this week as a policy paper alongside Verizon's 2026 Data Breach Investigations Report. The picture that emerges is one of AI becoming a genuine force multiplier for cyberattackers, and of a security industry that has not yet updated its taxonomies to describe what that means.
What the Data Shows
The 832 accounts collectively produced 13,873 distinct actions, spread across 482 unique MITRE ATT&CK techniques and all 14 of the framework's tactic categories. Malware development was by far the most common application: 560 of the 832 accounts, or 67.3 percent, used Claude to help write malicious code. That figure aligns with what security researchers have anecdotally described for the past two years, but its scale here provides harder ground for a claim that has mostly relied on incident reports and red-team exercises.
Post-compromise activity was rarer but more telling. Lateral movement, the process of navigating deeper into a compromised network after initial access, appeared in 54 accounts, or 6.5 percent of the total. That might seem modest until you consider the context: lateral movement requires real-time decision-making under operational pressure, with network topology that changes as defenders respond. That any meaningful number of attackers used an AI model to assist with that phase suggests the technology is now being applied at stages of an attack chain where it was largely absent two years ago.
Key Findings
- Accounts analyzed: 832 (Mar 2025 – Mar 2026)
- Used AI to write malware: 67.3% (560 actors)
- Used AI for lateral movement: 6.5% (54 actors)
- MITRE ATT&CK techniques observed: 482 across all 14 tactics
- Medium-to-high risk actors, first six months: 33%
- Medium-to-high risk actors, second six months: 56% (1.7x increase)
The Risk Tier Shift
The trend line is the most striking element of the report. In the first six months of the study period, 33 percent of the 832 actors were classified as medium risk or higher, meaning their AI-assisted activity crossed a threshold of capability or intent that Anthropic's reviewers considered materially dangerous. By the second six months, that number had risen to 56 percent. A 1.7-fold increase in the share of serious actors in a single year is not a marginal change. It indicates that more sophisticated threat groups are finding genuine operational value in AI assistance, not just opportunistic experimentation.
The progression also reflects a pattern that analysts have described elsewhere: lower-skill actors used AI first, mostly for phishing text and basic script generation, while more capable groups took longer to integrate AI into their workflows but applied it more effectively once they did. The data suggests that second wave has now arrived in force. AI is no longer primarily a tool that makes novice attackers look slightly more professional. It is also a tool that helps experienced attackers move through complex operations faster.
"Many of the behaviors that distinguish the highest-risk actors — such as using AI to orchestrate steps sequentially, make real-time decisions about what to do next, and execute without human intervention — are not yet included as attacker techniques in the MITRE ATT&CK framework."
Source: Anthropic, "What We Learned Mapping a Year's Worth of AI-Enabled Cyber Threats," June 2026
The MITRE ATT&CK Gap
Anthropic's most pointed observation is that the MITRE ATT&CK framework, the industry's dominant vocabulary for describing adversary behavior, has not kept up with what AI enables. ATT&CK is built around discrete techniques, static moves an attacker makes. AI-enabled operations often look different: the attacker uses a model to reason across multiple steps, adapt to environmental feedback, and chain techniques in sequences that shift based on what the model recommends in real time. That kind of adaptive orchestration does not map cleanly onto any existing ATT&CK entry.
Anthropic is in active discussions with MITRE about how the framework might evolve to incorporate these patterns. The company also published a companion tool, the LLM ATT&CK Navigator, which lets security teams visualize the techniques observed in the 832-account dataset overlaid on the standard ATT&CK matrix. The intent is to give defenders a concrete starting point for threat modeling AI-assisted attacks even before the framework is formally updated.
The report intersects with Anthropic's broader security work. Project Glasswing, which uses Claude to find and fix software vulnerabilities before bad actors can exploit them, addresses the defensive side of the same problem. The MITRE ATT&CK paper addresses the offensive side: understanding how attackers are already using AI so that defenders can anticipate where AI-assisted threats will go next. The Accenture partnership on AI security announced earlier this year is one of several enterprise relationships Anthropic is building around this threat intelligence work.
Implications for Security Teams
For practitioners, the Verizon DBIR collaboration gives the Anthropic data unusual reach. DBIR is one of the few security publications that enterprise security teams read systematically, so embedding findings about AI-enabled attack patterns there ensures the data lands in the conversations where security budgets are set. Anthropic's own paper provides the methodological detail that the DBIR summary cannot.
The practical takeaway is that threat models built before mid-2025 need revisiting. AI assistance in malware development was already well-documented; the data here confirms scale rather than phenomenon. But the lateral movement finding and the risk-tier shift together suggest that AI is now affecting the parts of an attack that require the most skill and judgment. That matters for how defenders allocate resources, how detection systems are tuned, and how AI security models like Claude Mythos are positioned against the threat landscape they were built to address.
Anthropic has committed to publishing annual updates to this analysis as part of its transparency efforts ahead of its IPO filing. Whether the 56 percent medium-to-high-risk figure holds, rises, or falls in year two will say something important about whether the industry's defensive posture is keeping pace with the offensive one.