56% of High-Risk Hackers Now Use AI, Anthropic Reports

The number is stark: one year ago, a third of the highest-risk cyber threat actors were using AI. Today it's more than half.

Anthropic published its first comprehensive threat intelligence report on June 3, covering 12 months of AI misuse tied to cyberattacks. The company analyzed 832 accounts banned for malicious cyber activity between March 2025 and March 2026, cataloguing 13,873 individual actions across 482 unique techniques. Every one of MITRE ATT&CK's 14 tactics showed up at least once.

The report drops with Anthropic's contribution to Verizon's 2026 Data Breach Investigations Report, and introduces a new metric called the AI Risk Enablement Score (ARiES) to measure how much AI tools actually elevated an attacker's threat level.

TL;DR

832 banned accounts analyzed; AI-assisted high-risk actors jumped from 33% to 56% in one year
67% of threat actors used AI to build malware; only 6.5% used it for lateral movement
Anthropic introduced ARiES scoring and built an interactive LLM ATT&CK Navigator at red.anthropic.com
MITRE ATT&CK has no categories for agentic AI attack orchestration - a gap the report flags explicitly

What One Year of Data Shows

Metric	March 2025	March 2026
High-risk actors using AI	33%	56%
AI used for malware development	-	67.3%
AI used for lateral movement	-	6.5%
AI-assisted phishing rate change	baseline	-8.6%
AI-assisted account discovery change	baseline	+8.9%

The shift isn't just in volume. It's in where AI gets applied. A year ago, threat actors mostly used AI to get through the door - reconnaissance, phishing, initial access. The new data shows a migration toward post-compromise activity. AI is increasingly deployed to navigate inside a network once attackers are already in.

Malware Development Dominates

Roughly 67.3% of the 832 actors - around 560 accounts - used AI to build malicious software. That's the single biggest category by a large margin. Attackers are using Claude and similar tools to write exploits, generate payloads, and debug shellcode faster than any individual developer could manage alone.

What dropped is AI-assisted phishing. The 8.6% decline doesn't mean phishing is going away - it means AI-generated phishing has become cheap enough that nearly every actor does it now, so the incremental advantage of being smarter about it narrows.

Lateral Movement: Small Numbers, High Stakes

Only 54 of the 832 accounts (6.5%) used AI for lateral movement - navigating a compromised network to reach high-value targets. The percentage sounds small. Anthropic treats it as a serious signal precisely because lateral movement requires genuine technical depth. AI is now providing that depth on demand.

The report documents the most extreme version of this capability: a Chinese state-sponsored group that used Claude Code to execute 80-90% of its campaign without human input. Operators intervened at only 4 to 6 decision points per campaign. Everything else - reconnaissance, vulnerability testing, credential harvesting, data exfiltration - ran with minimal human direction. That November 2025 operation used just 30 techniques across 13 tactics but hit a maximum ARiES risk score of 100.

Anthropic's LLM ATT&CK Navigator at red.anthropic.com maps observed AI-enabled attack patterns to MITRE ATT&CK and assigns ARiES scores per actor type. Source: red.anthropic.com

ARiES and What It Actually Measures

Anthropic's new AI Risk Enablement Score attempts to answer a problem the security industry hasn't solved: how do you measure whether AI actually made a threat actor more dangerous, vs. just gave them a faster workflow?

The methodology factors in which attack stages used AI, how much those stages relied on autonomous decision-making, and how many AI-assisted steps chained together without human guidance. The result is a score that captures sophistication differently from raw technique counts. An actor who uses AI to chain 10 steps autonomously can score higher than one who manually executes 30 techniques one by one.

Traditional risk signals - number of techniques, sophistication of tools, the platform an actor prefers - no longer predict threat level reliably. Anthropic's data shows actors with fewer total techniques outscoring more active adversaries, purely on the strength of how they used AI autonomy. For incident responders, this matters: the low-volume attacker sitting quietly in your network may now be the harder problem.

The Framework Gap

MITRE ATT&CK is the industry standard for mapping attacker behavior. It's been updated regularly for 14 years. It doesn't have categories for what the most dangerous AI-assisted attackers are now doing.

Anthropic identifies three capabilities that sit outside ATT&CK's current taxonomy:

Autonomous killchain orchestration - AI executing a full sequence of attack stages with no human handoff between steps
Real-time pivot decisions - the model assessing what it finds mid-attack and choosing next moves independently
AI-directed execution at scale - running thousands of probes or requests per second, far beyond what a human team coordinates

The LLM ATT&CK Navigator at red.anthropic.com maps these behaviors to existing ATT&CK techniques where possible and flags gaps where no mapping exists. Anthropic says it's working with MITRE on proposed additions to the framework.

Verizon's 2026 DBIR found vulnerability exploitation overtook stolen credentials as the top breach entry point For the first time in 19 years, software vulnerabilities (31%) overtook stolen credentials as the top breach entry point per the 2026 Verizon DBIR. AI-accelerated exploitation is a key driver. Source: verizon.com

What It Does Not Tell You

The core findings here correlate with what the Verizon DBIR is showing independently, and the ARiES framework addresses a genuine measurement gap in existing tooling. The LLM ATT&CK Navigator is an usable product.

But the security research community isn't giving Anthropic a clean pass on this report.

The most pointed criticism is practical: the report contains no indicators of compromise. No domain names, IP ranges, file hashes, or phishing samples. Every other major threat intelligence publication - Volexity, Mandiant, CrowdStrike - includes this material as standard. Defenders can't use the Anthropic report to hunt for intrusions in their own networks. As one security analyst put it in a widely shared post, Anthropic "didn't give defenders a single IOC or attribution hint."

The tool naming is similarly vague. Attackers used "network scanners, database exploitation frameworks, password crackers, and binary analysis suites" - none named. OpenAI's competing misuse report covers similar timeframes and names specific tools with ATT&CK technique IDs per incident.

Meta's Yann LeCun went further, calling the report part of a pattern of "scaring everyone with dubious studies so that open source models are regulated out of existence." His argument is that Anthropic, a proprietary model company, benefits from security framing that pushes for access restrictions - restrictions that fall harder on open-source projects than on closed API providers.

That's a more partisan read than the data warrants. The 33% to 56% trend appears consistent with what other firms are reporting. But the framing isn't neutral either. The report is written to make Claude Code's role in attack chains as visible as possible, which conveniently supports arguments for tighter access controls on capable models.

Anthropic has previously deployed Claude Mythos against critical infrastructure vulnerabilities and committed $100M to cybersecurity research through Project Glasswing. This report is the public data layer for that effort. The numbers are real, the ARiES methodology is useful, and the LLM ATT&CK Navigator belongs in security teams' bookmarks. Read the narrative knowing who wrote it.

Sources: