Anthropic analyzes 832 misused accounts, warns AI autonomy strains legacy defenses
On June 3, 2026, Anthropic published an analysis mapping the activity of 832 accounts it banned for misusing Claude onto the industry-standard MITRE ATT&CK framework, warning that AI is making attackers more dangerous and that growing autonomy is undermining traditional risk-assessment methods.
The report covers a subset of accounts banned between March 2025 and March 2026 for which sufficient detail was available, as detailed on the official blog. The findings also contributed in part to Verizon's 2026 DBIR (Data Breach Investigations Report).
On the numbers, AI was used for malware creation in 560 accounts (67.3%), the largest category, while 54 accounts (6.5%) involved lateral movement inside networks after an intrusion. The share of cases rated medium risk or higher rose from 33% in the first six months to 56% in the latter six, roughly a 1.7-fold increase. AI is increasingly being used in the later, more complex post-compromise stages of the attack lifecycle: initial-access phishing actually declined (-8.6%) while post-compromise activity such as account discovery rose (+8.9%). Nearly 80% of banned accounts used the agentic tool Claude Code.
Notably, the correlation between attacker skill and the number of techniques used is weakening. According to the report, even low-skill attackers averaged 16 techniques, while high-skill ones used about 20 — a narrowing gap. With AI enabling multi-step chaining, Anthropic says the longstanding distinction between "low-skill versus high-skill" is losing relevance. The company introduced its own risk-scoring metric, ARiES, which additively combines threat, vulnerability, and impact; the maximum score of 100 was recorded in a November 2025 case.
Anthropic further argued that the MITRE ATT&CK framework itself does not adequately capture autonomous orchestration by AI agents — real-time judgment with minimal human intervention. The company is in discussions with MITRE about extending ATT&CK, and its threat-intelligence Project Glasswing has expanded to more than 150 organizations across over 15 countries. An interactive visualization is available on the Frontier Red Team's dedicated page.
Anthropic has long been active in AI safety and threat intelligence. An August 2025 report disclosed large-scale data extortion using Claude Code dubbed "vibe hacking," and in November 2025 it issued the first report of an AI-orchestrated espionage campaign attributed to a Chinese state-sponsored group (assessed as GTG-1002), detailing a case targeting some 30 organizations in which 80–90% of the attack ran autonomously. This latest report stands out for systematically analyzing such individual cases at the scale of a year's worth of 832 accounts. Competitors such as OpenAI also publish threat reports, but Anthropic's combination of real platform data with MITRE mapping — and its willingness to probe the framework's own limits — is distinctive.
Reaction on X was largely analytical and positive, with experts noting the "skill gap has nearly disappeared," that "legacy technique counts and platforms make risk assessment harder," and that "scaffolding (the architecture around the AI) is key" (example post, example post). Some anticipated effects on the cybersecurity market, such as increased defensive investment. Security outlets including Industrial Cyber and Forrester covered it as an "inflection point" for autonomous AI attacks.