Anthropic analyzed 832 banned accounts over twelve months, mapping their techniques against the MITRE ATT&CK framework to document exactly how malicious actors use AI at every stage of an attack. Published in the Verizon DBIR 2026, the findings reveal a steep rise in medium-to-high-risk actors and a strategic shift away from phishing toward post-compromise techniques.
Key Takeaways
- 67.3% of banned accounts used AI to write malware
- The share of medium-to-high-risk actors jumped from 33% to 56% in six months
- Agentic orchestration behaviors have no existing classification in MITRE ATT&CK
Twelve Months of Malicious Activity Under the Microscope
Between March 2025 and March 2026, Anthropic reviewed 832 accounts banned for malicious activity, mapping their techniques against the MITRE ATT&CK framework to systematically document how those actors used AI across their operations. The research was published in Verizon’s 2026 Data Breach Investigations Report, the most widely cited annual benchmark on real-world breaches and attack patterns.
The value of this dataset lies in its time span. Twelve months of observation produces a trajectory, not a single data point. The question was not whether AI is being used in cyberattacks (that debate is settled) but whether the risk profiles of actors who use it are changing, and how fast.
The trajectory is clear. In the first six months of the study period, 33% of banned actors were classified at medium risk or higher. By the second six months, that figure had climbed to 56%. A 1.7x increase in under a year. AI is not just making attacks easier to launch; it appears to be actively accelerating skill development among intermediate-level threat actors.
The data also shows a persistent skill gap between different types of actors. Less experienced operators used around 16 distinct techniques, while the most advanced used approximately 20. AI compresses that gap without eliminating it. What changes is the speed at which previously limited actors can close it over time.
One methodological finding stands out: the platform used to access AI (Claude Code, direct API, or chat interface) does not correlate with the assessed risk level. What determines how dangerous an actor is comes down to what they do with access, not how they obtained it.
Malware First. Phishing Is Losing Ground.
The single most common malicious use of AI documented across the 832 accounts is malware creation. 560 actors, or 67.3% of the total, used AI to write or improve attack code. That number reflects a normalization: AI-assisted malware generation is no longer a capability limited to sophisticated, well-resourced groups.
A second use case is growing: 54 actors (6.5%) used AI for lateral movement inside compromised networks. Lateral movement means navigating from one machine to another after an initial foothold has been established, escalating access toward higher-value targets. Automating any part of that process is a meaningful capability upgrade for actors who previously had to execute those steps manually.
The dataset also reveals a clear strategic shift in how AI investment is being allocated across the attack chain. AI use in phishing dropped 8.6%, while AI-assisted account discovery rose 8.9%. Attackers are moving their AI resources away from the initial contact phase and toward what happens once access has already been established.
For security teams, this has direct operational consequences. Defenses built around phishing detection become less effective as the AI threat shifts downstream in the attack chain. This is precisely the category of post-compromise risk that Claude Mythos was built to address, deployed across 15 countries to detect vulnerabilities in critical infrastructure before they can be exploited.
In the near term, any organization that measures its cyber exposure primarily through a phishing lens is leaving a significant portion of its attack surface under-monitored. The documented shift is already happening at scale.
Also on Horizon:
- MiniMax M3: Chinese Open-Weight Model Matches Top Proprietary AI
- How Hackers Used Meta AI to Take Over Instagram Accounts
- Trump’s New AI Oversight Order: What Changed
The Classification Gap MITRE ATT&CK Hasn’t Fixed Yet
The most structurally significant finding concerns the limits of MITRE ATT&CK in its current form. A state-sponsored operation documented in November 2025 was mapped across 30 ATT&CK techniques spanning 13 tactics, earning a maximum risk score of 100.
The problem: that same operation had initially been assessed as medium risk. The gap between the initial rating and the final score points to a structural weakness in standard detection approaches. Agentic behaviors are not surfacing early enough through conventional analysis layers.
More fundamentally, agentic orchestration behaviors have no dedicated category in ATT&CK. These are sequences of autonomous actions chained by an AI agent without human input at each step. The research documents these behaviors in real-world operations. The framework has simply not kept pace with how AI-enabled attacks actually unfold on the ground.
The classification gap creates a concrete operational problem. An incident involving agentic orchestration can pass through detection systems without triggering an alert, because no known signature for it exists. Teams building detection logic on top of MITRE ATT&CK have nothing to anchor to for these behaviors. The regulatory environment offers little help: last week’s executive order on AI safety relies on voluntary submissions with no mechanism specifically addressing agentic behaviors.
Over the next six months, the key question is whether the security community moves to update ATT&CK with new agentic categories and how quickly those updates flow into commercial detection tools. The speed at which defenders adapt to this mapped reality will determine whether this research actually changes anything at the operational level.
Follow the story on Horizon.
