📊 Full opportunity report: The Frameworks Can’t See the Thing That Matters: A Year of AI-Enabled Cyber Threats on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
A year-long analysis shows AI is increasingly used by cybercriminals to enhance attack capabilities, blurring the lines between skilled and amateur threat actors. Traditional threat metrics are losing their predictive power.
New research from Anthropic indicates that AI is significantly increasing the danger posed by cyberattackers, with malicious actors leveraging AI to perform complex tasks that previously required expert skills. This development challenges longstanding methods of threat assessment, which rely on the number of techniques and tools an attacker employs.
Anthropic examined 832 accounts banned for malicious activity between March 2025 and March 2026, mapping their techniques onto the MITRE ATT&CK framework. The findings show that 67.3% of these accounts used AI primarily to prepare for attacks, such as malware creation. More notably, AI’s role in post-infiltration activities like lateral movement increased over the year, with a rise from 33% to 56% of actors classified as medium risk or higher. The use of AI for account discovery grew by 8.9%, while AI-assisted phishing decreased by 8.6%, indicating a shift toward deeper, post-compromise activities.Crucially, the report states that the traditional indicators of threat level—such as the number of techniques used or the platform employed—no longer reliably distinguish between high- and low-risk actors. Both novice and skilled attackers now appear similar in their technical approach, as AI supplies many of the techniques regardless of the attacker’s expertise. Instead, the most significant risk marker is where in the attack lifecycle the AI is applied: higher-risk actors focus AI on operationally demanding techniques like lateral movement and privilege escalation, but even this signal is becoming less reliable as AI democratizes access to advanced attack methods.
The frameworks can’t see the thing that matters
For decades, danger meant which techniques an attacker commands. A year of real AI-enabled attacks — 832 banned accounts mapped onto MITRE ATT&CK — shows that signal breaking, just as a new, harder-to-see one takes over.
A year of real misuse, mapped to the standard taxonomy
A window, not a census — these are the cases with enough detail to assess techniques thoroughly. Inside it, the risk level climbed fast.
WHAT WAS STUDIED
THE RISK CLIMB · MEDIUM-OR-HIGHER ACTORS
Python Scripting for Cybersecurity: Linux Edition: Volume 2 – Log Analysis, Network Visibility, and Threat Detection with Hands-On Python Projects
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
“More techniques” stopped meaning “more dangerous”
The old heuristic: count the techniques, judge the tooling. AI dissolved it — because the model supplies the techniques either way. Watch the old signal fail, then watch what it misses.
Risk score vs. technique count
Two ways to read the same attacker. One is going blind. Press play.
AI-Powered Cybersecurity: AI Tools for Enterprise Security | AI for Network Security | AI Risk Management | AI in Cyber Policies | Cyber Threat Management AI | ML in Fraud Prevention
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Deeper into the attack — and into less-skilled hands
Across the year, AI use drifted from getting in toward acting once already inside — the operationally demanding stages that used to require an expert.
The attack lifecycle · where AI is now applied
The center of gravity moved right — toward post-compromise work.
The Practice of Network Security Monitoring: Understanding Incident Detection and Response
Used Book in Good Condition
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
From “what they know” to “what they’ve built”
The report sorts the signals into three tiers — one dead, one fading, one durable.
Technique count & tooling
16 vs. 20 between novice and expert; platform doesn’t correlate. The model supplies the techniques either way.
Where in the lifecycle AI is applied
Concentrating on operationally demanding, post-compromise stages is a better signal — but it’s eroding as the whole population heads there.
The scaffolding around the model
Architectures that let the model chain stages and run with minimal human input. Not what they know — whether they’ve built a system that lets AI run the attack.
cyber attack simulation kits
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Fixing the map before the territory moves again
A taxonomy that can’t name the most dangerous behavior on the field will quietly mislead the people relying on it. The response runs in two directions.
Fed back into the models
The findings informed safeguards on the most capable models, built to detect & block some of what was observed:
- Blocking malware development
- Blocking mass data exfiltration
- Putting tools in defenders’ hands first (Project Glasswing)
Taking it to the source
Following the Verizon work, Anthropic says it’s in discussions with MITRE about how ATT&CK might evolve:
- A vocabulary for agentic orchestration
- Naming the scaffolding that makes a model an operator
- An interactive technique visualization on the Red blog
Reading it in proportion
- The 832 cases are a detailed subset, not the full population — the precise percentages are directional, not definitive.
- “More autonomous” is not “fully autonomous” — even the standout case needed human input at key moments, which is itself a place for defenders to intervene.
- This is one vendor’s window — the company with visibility into misuse of its own model, publishing what it found. The right thing to do with the data, and worth remembering as you read it.
Implications of AI’s Role in Cyber Threat Evolution
This shift fundamentally alters threat assessment, as traditional heuristics—like technique diversity and tool sophistication—are losing their predictive value. The democratization of advanced attack capabilities means even less skilled actors can carry out dangerous operations, increasing the overall threat landscape. Security teams must reevaluate how they identify and prioritize threats, as the old markers of danger no longer apply reliably.
Background on AI’s Impact on Cybersecurity Threats
For decades, cybersecurity experts assessed threat actors based on their technical sophistication, including the number of techniques used and the complexity of their tools. The advent of AI, particularly large language models, has begun to change this paradigm. Previous models assumed that only highly skilled actors could perform advanced operations like lateral movement or privilege escalation. However, recent data from Anthropic suggests AI now enables less experienced actors to perform these tasks, blurring the lines of threat classification established over years.
This trend has been evolving over the past year, with attackers increasingly integrating AI into their workflows. The shift is reflected in the rising use of AI for post-infiltration activities, marking a significant change from earlier patterns focused on gaining initial access.
“Our analysis indicates a significant shift toward post-compromise activities driven by AI, which now plays a central role in the threat landscape.”
— Anthropic’s research team
Unconfirmed Aspects of AI’s Long-Term Impact on Threats
While the report provides strong evidence of AI’s growing role in cyber threats, it remains unclear how widespread or sustained these trends will be beyond the analyzed period. The full extent to which AI will enable less skilled actors to execute highly sophisticated attacks at scale is still uncertain, as is the future evolution of attacker strategies and defenses.
Future Steps for Cybersecurity Defense Strategies
Security professionals will need to develop new threat detection methods that do not rely solely on technique counts or platform signals. Monitoring where AI is applied within attack workflows and understanding the evolving tactics of AI-empowered attackers will be critical. Further research and real-time intelligence sharing are expected to shape adaptive defense measures in the coming months.
Key Questions
How is AI changing the way cyberattackers operate?
AI is enabling attackers to perform complex tasks, such as lateral movement and account discovery, with less skill and technical knowledge, making threats more widespread and harder to detect using traditional methods.
Why are traditional threat indicators no longer reliable?
Because AI supplies many of the techniques attackers use, the number of techniques and the platform they use no longer correlate with threat level, blurring distinctions between skilled and unskilled actors.
What should cybersecurity teams do in response?
Teams should focus on monitoring where and how AI is used in attack workflows, develop new detection heuristics, and stay informed about evolving attacker tactics involving AI.
Is this trend likely to accelerate?
Given current developments, it is probable that AI’s role in cyber threats will increase, but the pace and scope of this acceleration remain uncertain and depend on technological and strategic factors.
Source: ThorstenMeyerAI.com
