What happened?
Anthropic has published a threat intelligence report analysing 832 accounts banned for malicious cyber activity between March 2025 and March 2026 and mapping their behaviour against known attacker tactics, techniques, and procedures. In short, malicious actors are using AI in ways that make them more dangerous, and cyberattacks are becoming more autonomous.
The findings are significant: these banned actors used AI across the full range of tactics, from initial reconnaissance through to final impact. Most strikingly, the most common use was offensive tooling: 67.3% of the 832 accounts used AI to write malware, and 6.5% used it to assist with lateral movement inside compromised networks. Previously, we had ourselves seen evidence of AI tools used to improve phishing lures, with more creative and better-written emails, but in the Anthropic data this use fell by 8.6%, suggesting the threat actor community has moved on to more operationally significant uses.
The report also documents a state-sponsored actor using Model Context Protocol (MCP) servers to convert Claude Code into an autonomous attack platform - a concrete example of AI tooling being weaponised at an operational level.
Two important caveats apply. Anthropic's visibility is limited to misuse of its own models; more sophisticated threat actors may deliberately use open-source models or alternative providers to avoid this monitoring. The data therefore likely understates what the most capable attackers are doing.
So what?
The most consequential finding is not the volume of AI-enabled attacks, but what AI has done to the attacker population itself. Anthropic found evidence consistent with AI providing meaningful capability uplift - enabling threat actors who would previously have been classified as low-sophistication or opportunistic to operate at the technical level of far more capable adversaries. Historically, conducting a true end-to-end attack - from initial access through lateral movement to data theft or destructive impact - required a level of skill that filtered out most of the attacker population. That filter is weakening.
This has a direct and uncomfortable implication: the traditional signals used to assess threat actor risk - number of techniques used, tools deployed, apparent sophistication - no longer reliably indicate how dangerous a given actor is. A threat actor your organisation would previously have dismissed as low risk may now pose a materially higher threat than their profile suggests.
Wider data supports the trend. The Verizon DBIR reports that vulnerability exploitation has overtaken stolen credentials as the leading initial access vector, accounting for 31% of all breaches - up from 20% the prior year. The combination of AI-assisted attack development and rising exploitation activity points to a threat landscape that is simultaneously broader and more technically capable than it was twelve months ago.
The malware-writing capability alone is a direct challenge to older endpoint and detection tooling that was calibrated to known, static malware families. We recommend that organisations ensure they use modern, behavioural security solutions, since AI-generated malware will not have established signatures and may exhibit unusual behaviours.
The MCP finding opens a further front. MCP is a rapidly adopted standard now integrated across many enterprise AI deployments. As organisations deploy AI agents with MCP integrations, they are creating an attack surface that is not yet reflected in most security architectures or threat models - and which, as this report demonstrates, is already being actively targeted.
For CISOs, this has immediate implications for how threat prioritisation is done, how red-team exercises are scoped, and how vendor security assessments weigh attacker sophistication.
This data will also strengthen the case for scrutiny and oversight of AI models. The Anthropic Fable model includes specific safeguards for cyber security queries, pushing them down to a less capable model when detected. Anthropic also now requires 30 days of data retention for queries sent to the Fable model, so that it can detect misuse and analyse queries.
There is a trade-off here – cyber security capabilities are inherently dual-use, being used by defenders and attackers alike. Our own testing shows that the practical effect of the Fable safeguards being so broad is that legitimate security professionals find the model trips its own safeguards on routine work, which would not be useful to an attacker. The greater data requirement may also deter some more privacy-conscious users of the platform.
What should I do?
- Reassess your threat model. The assumption that low-sophistication actors pose limited risk requires revisiting. AI uplift means that attacker classification based on historical indicators of capability may no longer be reliable. Threat prioritisation, red team scoping, and vendor security assessments should all account for the possibility that less capable actors are now operating above their expected technical level.
- Modernise endpoint and detection tooling. Signature-based detection is poorly positioned against AI-generated malware. Prioritise behavioural detection capabilities that can identify anomalous activity regardless of whether the malware matches a known family.
- Inventory and secure your MCP and AI agent integrations. Identify where MCP servers and AI agents with tool-use capabilities have been deployed across your environment. Assess what those agents can access, what actions they can take, and whether the controls governing them are proportionate to that capability. MCP integrations should be included in your threat model as a distinct attack surface.
- Apply heightened scrutiny to vulnerability management. With vulnerability exploitation now the leading initial access vector, the risk cost of delayed patching has increased. Ensure that internet-facing systems and identity infrastructure receive priority attention, and that your patch cadence reflects the current exploitation environment rather than historical norms.
- Stay current with AI security developments. The AI threat landscape is evolving faster than most annual review cycles. Designate responsibility within your security function for monitoring developments in AI-enabled attacks, model misuse reporting, and emerging standards for AI agent security.
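
One way to start the MCP inventory recommended above, as an added example (not code from the Anthropic report or from any vendor): it walks a directory tree for MCP client configuration files and flags server definitions that merit review. The file names, JSON keys, flag labels and the sample config are assumptions; adjust them to the clients deployed in your environment.

```python
import json
import re
from pathlib import Path

# Assumed file names and JSON keys (common MCP client conventions); extend as needed.
CONFIG_NAMES = {".mcp.json", "mcp.json", "claude_desktop_config.json"}
SERVER_KEYS = ("mcpServers", "servers")
SECRET_NAME = re.compile(r"TOKEN|SECRET|PASSWORD|API_?KEY", re.I)
RUNNERS = {"npx", "uvx"}  # launchers that fetch a package at start-up
# Constructed sample config, not taken from any real deployment.
SAMPLE = {"mcpServers": {
    "files": {"command": "npx", "args": ["-y", "example-fs-server"],
              "env": {"API_TOKEN": "constructed-value"}},
    "tickets": {"url": "http://mcp.example.internal/sse"},
    "pinned": {"command": "npx", "args": ["-y", "example-db-server@1.4.2"],
               "env": {"DB_PASSWORD": "${DB_PASSWORD}"}}}}


def flags_for(entry):
    """Return heuristic review flags for one MCP server definition."""
    if not isinstance(entry, dict):
        return ["malformed"]
    url = str(entry.get("url") or "")
    flags = ["remote-endpoint"] if url else []
    if url.startswith("http://"):
        flags.append("cleartext-http")
    pkg = next((a for a in map(str, entry.get("args") or []) if not a.startswith("-")), "")
    if entry.get("command") in RUNNERS and not re.search(r"[@=]\d", pkg):
        flags.append("unpinned-package")  # first non-flag argument has no version pin
    for name, value in (entry.get("env") or {}).items():
        # Literal value (not a ${VAR} reference) under a secret-looking name.
        if SECRET_NAME.search(name) and not str(value).startswith("${"):
            flags.append("inline-secret:" + name)
    return flags


def inventory(root):
    """Walk root and list every MCP server defined in a known config file."""
    rows = []
    for path in sorted(p for p in Path(root).rglob("*.json") if p.name in CONFIG_NAMES):
        try:
            doc = json.loads(path.read_text(encoding="utf-8"))
            servers = {k: v for key in SERVER_KEYS for k, v in doc.get(key, {}).items()}
        except (OSError, ValueError, AttributeError):
            rows.append({"file": str(path), "server": None, "flags": ["unparseable"]})
            continue
        for name, entry in servers.items():
            rows.append({"file": str(path), "server": name, "flags": flags_for(entry)})
    return rows
```

Run `inventory()` against developer home directories and repository checkouts; each row names the config file, the server and the flags raised, without printing any secret value.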