📊 Full opportunity report: The Frameworks Can’t See the Thing That Matters: A Year of AI-Enabled Cyber Threats on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
A year-long analysis reveals AI is significantly increasing the sophistication and danger of cyberattacks. Traditional methods for assessing threat levels are no longer reliable as AI democratizes complex attack techniques.
New research from Anthropic indicates that AI is transforming cyberattack capabilities, making malicious actors more dangerous and complicating threat assessment for security teams. The study, based on an analysis of 832 banned accounts, shows that AI is enabling less skilled attackers to perform complex, previously skill-dependent techniques, challenging long-standing security frameworks.
Anthropic’s report examined 832 accounts banned for malicious activity between March 2025 and March 2026, revealing that 67.3% used AI to prepare for attacks, primarily for malware creation. More notably, 6.5% employed AI for lateral movement within networks, a technique once limited to highly skilled actors. Over the year, the proportion of actors engaging in medium or higher risk activities increased from 33% to 56%, indicating a rapid escalation in threat sophistication.
The analysis shows a shift of AI use from initial access techniques, such as phishing, to post-compromise activities like account discovery and lateral movement. This trend suggests attackers are leveraging AI to deepen their infiltration, even with less technical expertise. Consequently, the traditional markers of threat level—technique variety and tool sophistication—are losing their predictive power, as AI automates complex tasks across skill levels.
The frameworks can’t see the thing that matters
For decades, danger meant which techniques an attacker commands. A year of real AI-enabled attacks — 832 banned accounts mapped onto MITRE ATT&CK — shows that signal breaking, just as a new, harder-to-see one takes over.
A year of real misuse, mapped to the standard taxonomy
A window, not a census — these are the cases with enough detail to assess techniques thoroughly. Inside it, the risk level climbed fast.
WHAT WAS STUDIED
THE RISK CLIMB · MEDIUM-OR-HIGHER ACTORS
Python Scripting for Cybersecurity: Linux Edition: Volume 2 – Log Analysis, Network Visibility, and Threat Detection with Hands-On Python Projects
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
“More techniques” stopped meaning “more dangerous”
The old heuristic: count the techniques, judge the tooling. AI dissolved it — because the model supplies the techniques either way. Watch the old signal fail, then watch what it misses.
Risk score vs. technique count
Two ways to read the same attacker. One is going blind. Press play.
OSINT 2.0: AI-Powered Open-Source Intelligence for Beginners (OSINT 2.0 — Artificial Intelligence for Open-Source Intelligence and Cyber Investigations Book 1)
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Deeper into the attack — and into less-skilled hands
Across the year, AI use drifted from getting in toward acting once already inside — the operationally demanding stages that used to require an expert.
The attack lifecycle · where AI is now applied
The center of gravity moved right — toward post-compromise work.
Network Intrusion Detection
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
From “what they know” to “what they’ve built”
The report sorts the signals into three tiers — one dead, one fading, one durable.
Technique count & tooling
16 vs. 20 between novice and expert; platform doesn’t correlate. The model supplies the techniques either way.
Where in the lifecycle AI is applied
Concentrating on operationally demanding, post-compromise stages is a better signal — but it’s eroding as the whole population heads there.
The scaffolding around the model
Architectures that let the model chain stages and run with minimal human input. Not what they know — whether they’ve built a system that lets AI run the attack.
Threat Intelligence & Incident Response Handbook: Detect, Investigate, and Contain Cyber Attacks Using Modern SOC Analysis, Threat Hunting, and Security Monitoring Techniques
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Fixing the map before the territory moves again
A taxonomy that can’t name the most dangerous behavior on the field will quietly mislead the people relying on it. The response runs in two directions.
Fed back into the models
The findings informed safeguards on the most capable models, built to detect & block some of what was observed:
- Blocking malware development
- Blocking mass data exfiltration
- Putting tools in defenders’ hands first (Project Glasswing)
Taking it to the source
Following the Verizon work, Anthropic says it’s in discussions with MITRE about how ATT&CK might evolve:
- A vocabulary for agentic orchestration
- Naming the scaffolding that makes a model an operator
- An interactive technique visualization on the Red blog
Reading it in proportion
- The 832 cases are a detailed subset, not the full population — the precise percentages are directional, not definitive.
- “More autonomous” is not “fully autonomous” — even the standout case needed human input at key moments, which is itself a place for defenders to intervene.
- This is one vendor’s window — the company with visibility into misuse of its own model, publishing what it found. The right thing to do with the data, and worth remembering as you read it.
Implications of AI Democratizing Advanced Attack Techniques
This development fundamentally alters how threat actors are evaluated, as the link between technical skill and attack complexity weakens. Security teams can no longer rely solely on the number of techniques or tools used to gauge danger. The proliferation of AI-assisted techniques means even less skilled actors can carry out high-impact attacks, increasing the overall threat landscape and complicating defense strategies.
Moreover, the shift toward post-compromise activities indicates attackers are focusing on deepening their network access, making detection and mitigation more challenging. This trend underscores the need for new threat assessment models that account for AI-enabled capabilities rather than traditional heuristic measures.
Evolving Cyberattack Tactics and the Role of AI
Historically, cybersecurity threat assessments relied on counting techniques and analyzing tools to gauge attacker sophistication. The MITRE ATT&CK framework has served as a standard for mapping tactics and techniques. However, recent developments show AI’s role in automating complex tasks that once required high skill, blurring the lines between novice and expert attackers. The trend emerged gradually but accelerated in 2025, with AI increasingly integrated into attack preparations and execution.
Previous reports, including Verizon’s 2026 Data Breach Investigations Report, highlighted the growing threat landscape, but the Anthropic study provides a focused view on how AI specifically amplifies attack capabilities. The findings point to a paradigm shift, where threat assessment must evolve to address AI-facilitated techniques that are accessible to a broader range of actors.
“AI is effectively lowering the barrier to executing sophisticated cyberattacks, making threat assessment more complex than ever.”
— Thorsten Meyer, AI security researcher
Unclear Impact on Future Threat Detection Strategies
It remains uncertain how cybersecurity defenses will adapt to these changes. While the report indicates that traditional markers of threat level are ineffective, it is not yet clear what new indicators or frameworks will effectively identify AI-enabled threats. The pace of technological evolution and attacker adaptation continues to outstrip existing detection methods, leaving gaps in current security paradigms.
Next Steps for Cybersecurity in an AI-Driven Threat Landscape
Security organizations will need to develop new threat assessment models that incorporate AI capabilities and focus on attack behaviors rather than techniques alone. Further research is expected to explore AI’s role in automated attack planning and execution, along with the development of detection tools tailored to AI-augmented threats. Policymakers and industry leaders are also likely to prioritize regulations and standards to address these emerging risks.
Key Questions
How is AI changing the way cyberattacks are carried out?
AI automates complex attack activities, such as lateral movement and account discovery, making it easier for less skilled actors to execute sophisticated attacks.
Can traditional threat assessment methods still be effective?
According to recent research, traditional methods relying on technique count and tool analysis are becoming less reliable as AI enables attackers to perform complex tasks regardless of skill level.
What should security teams do to adapt?
They need to develop new frameworks that focus on attack behaviors and AI-driven activity patterns, rather than just techniques or tools used.
Is this trend expected to continue?
Yes, as AI technology advances and becomes more accessible, it is likely that attackers will increasingly rely on AI to deepen their infiltration and evade detection.
Source: ThorstenMeyerAI.com
