Threat
Ilya Kabanov

Anthropic scores how much AI uplifts real-world attackers

TL;DR: 832 accounts banned. 84.4% used AI for defense evasion and 69% for capability development. Agentic scaffolding is the real risk multiplier, and MITRE ATT&CK has no IDs for autonomous execution.

In the last year, Anthropic banned 832 accounts for malicious cyber activity. They analyzed 13,873 malicious actions from those accounts and mapped them onto MITRE ATT&CK.

They also built ARiES, an AI Risk Enablement Score to rate how much AI uplifted each actor's operations. It rates each actor from 0 to 100 across three judged components: Threat, worth up to 35 points for intent, sophistication, and evasion; Vulnerability, up to 35 points for how much the model can enable the requested harm and the risk of the interface used; and Impact, up to 30 points for actual or potential real-world consequences.

Top 25 ATT&CK techniques by observation count across 832 banned accounts. Source: Anthropic.
Top 25 ATT&CK techniques by observation count across 832 banned accounts. Source: Anthropic.

Highlights:

  • Usage patterns across the 832 accounts: 69% used AI for capability development, mostly malware. 84.4% for defense evasion. Only 6.5% for lateral movement. Top techniques: Develop Capabilities T1587, Obfuscation T1027, Data from Local System T1005.
  • Threat actors are using AI for increasingly more harmful actions. The share of actors scoring medium risk or higher on ARiES rose 1.7x in the second half of the year.
  • Agentic scaffolding is the real multiplier. GTG-1002 hit the maximum ARiES of 100 by autonomously orchestrating attack stages.
  • MITRE ATT&CK has gaps. It does not capture autonomous killchain execution, real-time pivoting, or AI-directed ops without a human in the loop.
Tactics by mean actor risk score; lateral movement actors rank highest. Source: Anthropic.
Tactics by mean actor risk score; lateral movement actors rank highest. Source: Anthropic.

My take:

  1. Great progressive transparency from Anthropic. It's clear that threat actors keep using frontier models to enable their operations. This continues a thread we have tracked, as Google confirmed adversaries have operationalized AI and CrowdStrike reported an 89% rise in AI-enabled attacks.
  2. The traditional threat actor assessment based on skills is becoming largely inaccurate. AI is lifting up everyone in the game. We saw the same dynamic when AI made attacks 10x cheaper, lowering the barrier so low-skill actors can afford targets that were previously uneconomical.
  3. Defense evasion and resource development top the chart, meaning that any externally facing vulnerabilities or misconfigurations you have will be found very soon.

Sources:

  1. The LLM ATT&CK Navigator (Anthropic, 2026)
  2. Interactive LLM ATT&CK Navigator