Source: ai-research/anthropic-ai-cyber-threats-mitre-news-2026-06-04.md (anthropic.com/news/AI-enabled-cyber-threats-mitre-attack, Policy + Frontier Red Team, Jun 3 2026) + ai-research/anthropic-llm-attack-navigator-red-2026-06-04.md (red.anthropic.com/2026/attack-navigator, by Kyla Guru, Alex Moix, Jacob Klein); announced via @AnthropicAI

Anthropic mapped a full year of real-world AI-enabled cyberattacks — 832 accounts banned between March 2025 and March 2026, 13,873 observed actions across 482 MITRE ATT&CK techniques and all 14 tactics — and published both the analysis and an interactive LLM ATT&CK Navigator for defenders. The headline reframe: the dividing line between low- and high-risk attackers is no longer technical skill but orchestration — how much of the killchain an actor wires the model to run autonomously. Partial results shipped in Verizon’s 2026 Data Breach Investigations Report; Anthropic is now in talks with MITRE about extending ATT&CK to cover agentic behaviors the taxonomy can’t yet name.

Key Takeaways

  • Three conclusions: (1) threat actors are applying AI in the later, more complex stages of operations, making them more dangerous; (2) attacks are becoming more autonomous, so the old high-vs-low-risk actor signals no longer work; (3) MITRE ATT&CK does not capture the agentic orchestration behaviors that make AI-enabled attackers dangerous — there is no ATT&CK ID for “AI chains the killchain and decides in real time.”
  • The risk population shifted fast: actors scoring medium-or-higher risk jumped from ~33.5% to ~56.1% between the two halves of the study year (~1.7×, a 22.6-point cohort shift) — without the actors themselves getting more skilled.
  • What AI is mostly used for today is still prep: T1587 Develop Capabilities was the top technique family (574/832 actors, 69%; malware development 560 = 67.3%), then obfuscation (64.7%), data-from-local-system (55.9%), impair-defenses (54.9%). Defense evasion is the largest tactic (84.4% of actors). Late-stage tactics are rare in volume — impact, exfiltration, privilege escalation, lateral movement together are just 8.7% of observations.
  • But the late-stage minority is where the danger is: lateral movement is the strongest high-risk marker — the 54 actors (6.5%) using AI for it averaged risk 56.4 vs the 46.8 mean (+10.5; “no other technique came close”). The highest-risk actors’ signature techniques (Remote Services SSH/SMB, Valid Accounts, OS Credential Dumping, Archive Collected Data, Web Shell) ran 3-5× more common than in the overall population.
  • Traditional triage signals are broken: technical sophistication correlates with remaining risk components at only r = 0.28, technique breadth at r = 0.27 (median actor: 16 techniques; least-skilled ~16 vs most-skilled ~20). Interface choice doesn’t discriminate either — 80% of actors misused Claude Code, making agentic tooling “the default mode of access rather than a distinguishing one.”
  • ARiES (AI Risk Enablement Score), 0-100: a composite of the actor’s threat profile, the model’s contribution to the requested harm, and observed/potential impact — deliberately additive, not multiplicative like classic Threat × Vulnerability × Impact, so partial enablement signals stay visible. The trade-off is explicit: ARiES measures how concerning a misuse case is, not whether an attack would succeed.
  • The GTG-1002 case makes the framework gap concrete: the November 2025 state-sponsored espionage operation scored the maximum 100 — yet its MITRE profile (30 techniques, 13 tactics) looks like dozens of medium-risk actors. What distinguished it was scaffolding: Claude Code on a Kali Linux box with open-source pentest tools wired in as MCP servers, run as an autonomous operator that executed commands, exploited services, and made tactical decisions with human input only at key moments.
  • Trend direction: second-half actors shifted from building standalone malware (T1587 −12%, phishing −8.6%) toward in-network operational work (Account Discovery +8.9%, Automated Exfiltration +6.2%) — techniques that imply the actor is already inside. Anthropic’s warning: today’s high-risk differentiators become tomorrow’s baseline.
  • What Anthropic changed in response: expanded classifiers/probes to flag high-ARiES-correlated behavior and agentic misuse patterns that don’t map to MITRE (multistep autonomous execution, AI-directed pivots, MCP-tool-augmented operations); real-time cyber safeguards on the most capable models that block prohibited requests (ransomware development, mass exfiltration) at request level; and the Cyber Verification Program (CVP) that routes dual-use activity so verified defensive practitioners keep access.

The dataset and the Navigator

The dataset is 832 banned accounts (a subset of all cyber-policy bans in the window — the ones with enough investigative detail to map TTPs), each summarized by the Threat Intelligence team and mapped to MITRE ATT&CK V18 (99% Enterprise-matrix observations, plus some Mobile). Each actor receives an ARiES score and lands in a low/medium/high/critical tier. The LLM ATT&CK Navigator (red.anthropic.com/2026/attack-navigator/navigator.html) is the interactive layer: observed AI-enabled misuse patterns over the ATT&CK grid, scored by ARiES — built so defenders can see where model-assisted activity actually concentrates rather than guessing from anecdote.

Notably absent or rare in the dataset: Active Directory exploitation, Kerberos ticket attacks, cloud-infrastructure manipulation (AWS/Azure/GCP), container escape — staples of human-driven attacks that (so far) show little AI involvement.

Why it matters

  • It empirically grounds the “orchestration is the threat” thesis the wiki’s agent-security cluster has been converging on: How We Contain Claude (containment side), Zero Trust for AI Agents (design side — “agentic attackers have unlimited patience”), and now the attacker-side data: scaffolding that chains stages autonomously is what separates a risk-score-100 actor from the median.
  • It explains product behavior operators will encounter: the request-level cyber-safeguard blocks on capable models, and the CVP path if legitimate defensive work (pentest tooling, malware analysis) trips them.
  • The frontier-vs-today pairing is explicit: Claude Mythos Preview shows where AI cyber capability is heading (Glasswing partners finding 10,000+ flaws defensively); this report shows how generally available models are being misused right now — the same capability ledger from the attacker column.
  • A reusable methodology pattern: the additive-vs-multiplicative risk-scoring argument (keep partial signals visible; score concern, not success-probability) transfers to any risk rubric where evidence is incomplete — including agent-deployment risk reviews.
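The additive-vs-multiplicative argument from the ARiES bullet and the methodology point above, worked through in code. This is an added illustration, not Anthropic's ARiES formula: the three dimension names follow the page, but the equal weights, the 0-100 scaling and the three sample actors are constructed here.

```python
"""Additive vs multiplicative risk composites (illustration of the ARiES
argument). Component names follow the report; weights, scaling and the
sample actors are constructed assumptions, not Anthropic's actual method."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Components:
    threat_profile: float      # 0..1, who the actor appears to be
    model_contribution: float  # 0..1, how much the model advanced the harm
    impact: float              # 0..1, observed/potential impact (0 = none seen)


def additive_score(c: Components, weights=(1.0, 1.0, 1.0)) -> float:
    """ARiES-style composite: weighted sum scaled to 0-100. A zero in one
    dimension lowers the score but cannot erase the other two signals."""
    parts = (c.threat_profile, c.model_contribution, c.impact)
    total = sum(w * p for w, p in zip(weights, parts))
    return round(100.0 * total / sum(weights), 1)


def multiplicative_score(c: Components) -> float:
    """Classic Threat x Vulnerability x Impact style: any zero factor zeros
    the product, so partial enablement evidence disappears from triage."""
    return round(100.0 * c.threat_profile * c.model_contribution * c.impact, 1)


# Constructed cases. 'early' has strong evidence of model enablement but no
# observed impact yet; 'operator' is a fully chained, high-impact actor.
ACTORS = {
    "early":    Components(0.6, 0.9, 0.0),
    "median":   Components(0.5, 0.5, 0.4),
    "operator": Components(0.9, 1.0, 1.0),
}


def rank(scorer) -> list:
    """Actor names ordered from highest to lowest score under `scorer`."""
    return sorted(ACTORS, key=lambda n: scorer(ACTORS[n]), reverse=True)


if __name__ == "__main__":
    for name, comp in ACTORS.items():
        print(f"{name:9} additive={additive_score(comp):5.1f} "
              f"multiplicative={multiplicative_score(comp):5.1f}")
    print("additive order:      ", rank(additive_score))
    print("multiplicative order:", rank(multiplicative_score))
```

Under the multiplicative rubric the `early` actor scores 0 and falls to the bottom of the queue; the additive composite keeps it above the median actor, which is exactly the "partial signals stay visible" property the report trades success-probability for.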

Try It

  1. Open the interactive Navigator (red.anthropic.com/2026/attack-navigator/navigator.html) and explore which ATT&CK techniques concentrate AI-enabled activity — useful calibration for any security review of agent deployments.
  2. If your detection thinking still ranks threats by technique count or actor sophistication, steal the report’s reframe: weight where in the lifecycle AI shows up (post-compromise = high signal) and whether stages are chained autonomously.
  3. If defensive security work on Claude models hits a request-level cyber-safeguard block, apply via the Cyber Verification Program (claude.com/form/cyber-use-case).
  4. Read the full red-team post for the ARiES construction before borrowing the scoring pattern (red.anthropic.com/2026/attack-navigator).

Open Questions

  • Several in-page lists rendered as images and weren’t captured in extraction: the GTG-1002 “main differentiators” list, the top defense-evasion techniques list, the ARiES dimension/scenario breakdowns, and figures 1-5. The interactive Navigator covers most of the technique-level data interactively.
  • Whether MITRE formally adopts the proposed cross-cutting agentic categories (autonomous orchestration, AI-directed pivoting, target selection) — Anthropic says discussions are active; no timeline given.
  • The Verizon 2026 DBIR contains 11 months of this data with Verizon’s own framing — not yet fetched or compared.