What Anthropic’s AI-Enabled Cyber Threat Report Says About Agentic Attacks
Security teams usually think about AI in cybercrime as a phishing accelerator or a content generator for spam. Anthropic’s recent report, What we learned mapping a year’s worth of AI-enabled cyber threats, points to something more operational: AI is increasingly being used to coordinate multi-step intrusion work, especially after an attacker has already gained access.
The report is worth reading because it does not just describe isolated misuse. It maps a year of activity and shows where AI changes the shape of an attack chain. That distinction matters. If AI only helps draft messages, then conventional anti-phishing controls still do most of the work. If AI helps with reconnaissance, privilege escalation, lateral movement, and exfiltration, then the defender has to treat the model as part of the attacker’s control plane.
What Anthropic measured
Anthropic says it reviewed a year of AI-enabled cyber activity and mapped 832 banned accounts to the MITRE ATT&CK framework. That framing is useful because MITRE ATT&CK breaks attacks into tactics such as initial access, execution, persistence, discovery, lateral movement, and exfiltration. In other words, it lets us ask not just “was AI involved?” but “where in the kill chain did it matter?”
The report’s main claim is that AI use is shifting away from simple assistance and toward more autonomous orchestration. In the early part of the observed period, a larger share of AI use clustered around basic preparation tasks such as malware or lure generation. Later, the report says the proportion of medium- to high-risk actors rose, which suggests that attackers were combining models with other automation to do more than produce text.
That matters because cyber operations are not single tasks. A human operator normally has to chain together reconnaissance, target selection, exploit validation, credential handling, and post-compromise actions. AI reduces the friction between those steps.
The real change is not “better phishing”
The obvious use of generative models in cybercrime is language: more believable phishing messages, more polished social engineering, and faster translation. But the report argues that the more interesting shift is post-compromise.
Once an attacker is inside a system, they need to decide what to do next. That often means reading logs, searching files, enumerating services, looking for privileged accounts, and deciding which host to pivot to. These are repetitive, partially structured tasks that models handle reasonably well when they are wrapped in tools.
That is the core reason agentic systems matter in offensive security. A model does not need to exploit a machine by itself. It only needs to help an operator decide the next step, call the right utility, parse the output, and continue. If you connect a model to a shell, a browser, a ticketing system, or a cloud console, it becomes an orchestration layer.
This is why the Anthropic report is more interesting than a generic “AI helped hackers” story. It suggests that the cost of running a multi-stage intrusion is dropping, not because every step is magically automated, but because the handoffs between steps are becoming cheaper.
Why MITRE ATT&CK still helps, and where it falls short
Mapping activity to MITRE ATT&CK is still a good move because it gives defenders a common vocabulary. A blue team can compare incidents, identify recurring techniques, and prioritize controls. But the report also points out a limitation: ATT&CK is technique-centric, while agentic attacks are workflow-centric.
A workflow is more than the sum of its techniques. Two actors might both use the same 30 techniques, but one does so manually and another uses AI to chain them with little supervision. Those two cases do not present the same operational risk.
That is the harder problem for defenders. Traditional scoring tends to ask how many tactics were used or how sophisticated the operator seems. Agentic attacks break that intuition. A low-skill actor with good model access may create a more dangerous incident than a skilled human who acts slowly and leaves more traces.
The right response is not to throw away ATT&CK. It is to complement it with telemetry about orchestration: tool-call patterns, unusual request frequency, repeated parsing of internal systems, and model-mediated command sequences that do not match normal administrator behavior.
Defensive implications for real teams
If AI is becoming part of the attacker workflow, defenders need to look for the workflow itself.
A few practical changes follow:
- Log the tool layer, not just the final action. If a model is calling APIs, shells, or internal services, those calls are often more informative than the final payload.
- Watch for tight decision loops. Human operators tend to work in slower, irregular sessions with pauses between steps. Agentic systems often produce much tighter, more regular iteration cycles.
- Separate discovery from execution. Read-only reconnaissance should not share the same privileges as actions that modify state.
- Require checkpoints for sensitive transitions. Moving from reconnaissance to credential use, or from enumeration to exfiltration, should trigger an extra review step.
- Treat model access as a security boundary. If a model can reach internal systems, that access needs the same attention you would give a privileged service account.
Those recommendations are not new in principle. They mirror established least-privilege and segmentation practices. What changes is that a model can now sit inside the loop and scale the number of decisions an attacker can make per minute.
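One way to put the last three recommendations into practice is a gateway that sits between the model and its tools. The sketch below is an added example, not code from the Anthropic report or from any Anthropic product; the tool names, stage labels and scoped identities are hypothetical. Read-only discovery tools and state-changing tools run under different credentials, a call that would move the session into a sensitive stage is refused until a human has recorded a checkpoint for that specific transition, and every decision is written to an audit trail.

```python
"""Stage-aware tool gateway for an LLM agent (constructed example).

Sits between the model and its tools. Read-only discovery tools and
state-changing tools run under different scoped credentials, and a call that
moves the session into a sensitive stage is refused until a human has recorded
a checkpoint for that specific transition. Every decision is audited.
"""
from dataclasses import dataclass, field
from typing import Optional

# Tool catalogue: name -> (stage, mutates_state). Tool and stage names are
# hypothetical; stages loosely follow ATT&CK tactic names.
TOOLS = {
    "list_hosts":     ("discovery", False),
    "read_log":       ("discovery", False),
    "fetch_secret":   ("credential_access", False),
    "run_command":    ("execution", True),
    "upload_archive": ("exfiltration", True),
}
# Entering one of these stages from any other stage requires a recorded checkpoint.
SENSITIVE = {"credential_access", "exfiltration"}
# Hypothetical scoped identities: the agent never holds both at once.
SCOPES = {False: "svc-agent-readonly", True: "svc-agent-mutate"}


@dataclass
class Session:
    approvals: set = field(default_factory=set)   # {(from_stage, to_stage)} signed off by a human
    last_stage: Optional[str] = None
    audit: list = field(default_factory=list)

    def approve(self, from_stage, to_stage):
        """Record a human checkpoint for one specific transition."""
        self.approvals.add((from_stage, to_stage))


def authorize(session, tool, args):
    """Decide whether the agent may invoke `tool`; return (allowed, scope_or_reason)."""
    if tool not in TOOLS:
        decision = (False, "unknown tool")
    else:
        stage, mutates = TOOLS[tool]
        prev = session.last_stage
        needs_checkpoint = stage in SENSITIVE and stage != prev
        if needs_checkpoint and (prev, stage) not in session.approvals:
            decision = (False, f"checkpoint required: {prev} -> {stage}")
        else:
            decision = (True, SCOPES[mutates])
            session.last_stage = stage          # advance only on an allowed call
    session.audit.append({"tool": tool, "args": args,
                          "allowed": decision[0], "detail": decision[1]})
    return decision


if __name__ == "__main__":
    s = Session()
    print(authorize(s, "list_hosts", {}))                        # (True, 'svc-agent-readonly')
    print(authorize(s, "fetch_secret", {"name": "db-admin"}))    # denied: checkpoint required
    s.approve("discovery", "credential_access")                  # human reviews and signs off
    print(authorize(s, "fetch_secret", {"name": "db-admin"}))    # (True, 'svc-agent-readonly')
    print(authorize(s, "upload_archive", {"dest": "external"}))  # denied: no checkpoint
    for entry in s.audit:
        print(entry)
```

The design choice worth noting is that the checkpoint is keyed to the transition, not to the tool: a session already in the credential-access stage can keep calling `fetch_secret`, but the first move from discovery into that stage has to be reviewed. The audit list is also the telemetry the previous bullets ask for, since it records the refused calls as well as the allowed ones.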
Why Project Glasswing matters
Anthropic’s Expanding Project Glasswing is the defensive counterpart to the threat report. The initiative is meant to help trusted organizations find and remediate vulnerabilities using model-assisted workflows before the same capabilities spread more widely.
That symmetry is important. If a model can assist with exploit discovery, then defenders need access to similar capability for patching, triage, and verification. The project’s public framing also reflects a broader trend in applied AI security: model capability is no longer a pure product question. It is a deployment question, a disclosure question, and a workflow question.
A separate write-up on Anthropic’s first reported AI-orchestrated cyber espionage campaign is also useful background: Disrupting the first reported AI-orchestrated cyber espionage campaign. It illustrates the same pattern at the incident level: models can be inserted into a campaign as a planning and execution layer, not just as a text generator.
The technical takeaway
The lesson from Anthropic’s report is not that AI has made every attack more sophisticated. It is that AI lowers the coordination cost of multi-step attacks. That means defenders should stop thinking only in terms of content moderation and start thinking in terms of operational telemetry.
If a model can help an attacker move from one stage of the intrusion to the next, then the most useful signals are the transitions: what triggered a tool call, what output was parsed, what decision was made, and whether the next step was consistent with normal human operator behavior.
That is a more concrete way to think about AI in security. It moves the discussion away from generic concern and toward measurable control points.
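As an added illustration of what "operational telemetry" can look like in practice (this is example code written for this page, not anything from the Anthropic report), the script below reads constructed newline-delimited JSON tool-call records and raises two of the workflow signals described above: sessions whose median gap between tool calls is faster than interactive human use, and stage transitions that never appear in a baseline of normal administrator sessions. The tool names, stage labels and the baseline set are all hypothetical.

```python
"""Orchestration-layer detection over tool-call telemetry (constructed example).

Consumes newline-delimited JSON records emitted by an agent tool gateway and
raises findings on two workflow signals: machine-speed decision loops and
stage transitions that do not occur in a baseline of normal operator sessions.
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Hypothetical tool -> stage mapping; stage names loosely follow ATT&CK tactics.
STAGE = {
    "list_hosts": "discovery", "read_log": "discovery", "enum_services": "discovery",
    "fetch_secret": "credential_access", "run_command": "execution",
    "upload_archive": "exfiltration",
}
# A median gap this short between consecutive calls is faster than interactive use.
LOOP_THRESHOLD_S = 2.0
# Constructed baseline: (previous_stage, next_stage) pairs seen in normal admin sessions.
# None marks the first call of a session.
BASELINE_TRANSITIONS = {
    (None, "discovery"), ("discovery", "discovery"), ("discovery", "execution"),
    ("execution", "discovery"), ("execution", "execution"),
}

# Constructed telemetry. Session A is a human-paced operator doing routine work;
# session B iterates at sub-second speed and pivots from discovery into
# credential access and exfiltration.
TELEMETRY = """\
{"ts":"2024-05-01T10:00:00Z","session":"A","event":"tool_call","tool":"list_hosts"}
{"ts":"2024-05-01T10:01:30Z","session":"A","event":"tool_call","tool":"read_log"}
{"ts":"2024-05-01T10:04:20Z","session":"A","event":"tool_call","tool":"run_command"}
{"ts":"2024-05-01T11:00:00.000Z","session":"B","event":"tool_call","tool":"list_hosts"}
{"ts":"2024-05-01T11:00:00.400Z","session":"B","event":"tool_call","tool":"enum_services"}
{"ts":"2024-05-01T11:00:00.800Z","session":"B","event":"tool_call","tool":"read_log"}
{"ts":"2024-05-01T11:00:01.200Z","session":"B","event":"tool_call","tool":"fetch_secret"}
{"ts":"2024-05-01T11:00:01.600Z","session":"B","event":"tool_call","tool":"run_command"}
{"ts":"2024-05-01T11:00:02.000Z","session":"B","event":"tool_call","tool":"upload_archive"}
"""


def parse(text):
    """Parse NDJSON records, converting the RFC 3339 timestamp to a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def analyze(records):
    """Return per-session median call gaps plus the two classes of findings."""
    calls = defaultdict(list)   # session -> timestamps of its tool calls
    last_stage = {}             # session -> stage of the most recent tool call
    off_baseline = []           # (session, previous_stage, next_stage)

    for rec in records:         # records are time-ordered after parse()
        if rec["event"] != "tool_call":
            continue
        sid = rec["session"]
        calls[sid].append(rec["ts"])
        stage = STAGE.get(rec["tool"], "unknown")
        prev = last_stage.get(sid)
        if (prev, stage) not in BASELINE_TRANSITIONS:
            off_baseline.append((sid, prev, stage))
        last_stage[sid] = stage

    median_gap = {}
    for sid, stamps in calls.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if gaps:                # a single call yields no gap to measure
            median_gap[sid] = statistics.median(gaps)
    fast_loops = sorted(s for s, g in median_gap.items() if g < LOOP_THRESHOLD_S)
    return {"median_gap_s": median_gap, "fast_loops": fast_loops,
            "off_baseline": off_baseline}


if __name__ == "__main__":
    findings = analyze(parse(TELEMETRY))
    for sid, gap in findings["median_gap_s"].items():
        print(f"session {sid}: median gap between tool calls {gap:.1f}s")
    print("machine-speed loops:", findings["fast_loops"])
    for sid, prev, stage in findings["off_baseline"]:
        print(f"session {sid}: off-baseline transition {prev} -> {stage}")
```

Both signals come from the transitions rather than from the content of any single call, which is the point of the section above: the individual commands in session B are the same ones an administrator might run, and it is the speed and the ordering of the stages that set it apart.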
Sources
Primary source: Anthropic — What we learned mapping a year’s worth of AI-enabled cyber threats
Supporting sources: Anthropic — Expanding Project Glasswing, Anthropic PDF — Disrupting the first reported AI-orchestrated cyber espionage campaign, ExtraHop analysis of the campaign
Tags: cybersecurity, ai, llm, machinelearning