📊 Full opportunity report: The Frameworks Can’t See the Thing That Matters: A Year of AI-Enabled Cyber Threats on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
A year-long analysis shows AI is making cyber attackers more dangerous and harder to identify using traditional threat metrics. Attackers now leverage AI for complex tasks, blurring the line between skilled and unskilled actors, posing new security challenges.
A recent analysis by Anthropic reveals that AI is fundamentally changing the landscape of cyber threats in 2026, enabling less skilled actors to carry out more complex and dangerous attacks. The report shows traditional methods of threat assessment, which rely on the number of techniques and tools used by attackers, are no longer effective in distinguishing high-risk actors. This shift has significant implications for cybersecurity strategies worldwide.
Anthropic examined 832 accounts banned for malicious activity from March 2025 to March 2026, mapping their techniques onto the MITRE ATT&CK framework. The findings show that the majority of AI use was for preparing attacks, such as malware creation (67.3%), but increasingly for post-breach activities like lateral movement (6.5%). Over the year, there was a notable rise in attackers employing AI for deeper network penetration, with the proportion of medium or higher risk actors increasing from 33% to 56%.
Importantly, the report indicates that AI now enables less skilled actors to perform tasks previously requiring expertise, such as account discovery and lateral movement. The use of AI for account discovery grew by nearly 9%, while AI-assisted phishing decreased slightly. These trends suggest a democratization of attack capabilities, making threats more widespread and less predictable.
The frameworks can’t see the thing that matters
For decades, danger meant which techniques an attacker commands. A year of real AI-enabled attacks — 832 banned accounts mapped onto MITRE ATT&CK — shows that signal breaking, just as a new, harder-to-see one takes over.
A year of real misuse, mapped to the standard taxonomy
A window, not a census — these are the cases with enough detail to assess techniques thoroughly. Inside it, the risk level climbed fast.
WHAT WAS STUDIED
THE RISK CLIMB · MEDIUM-OR-HIGHER ACTORS
Artificial Intelligence for Cybersecurity: How AI Detects Cyber Threats, Prevents Hacking, and Protects Your Data, Identity, and Smart Devices (AI Cybersecurity Mastery Series)
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
“More techniques” stopped meaning “more dangerous”
The old heuristic: count the techniques, judge the tooling. AI dissolved it — because the model supplies the techniques either way. Watch the old signal fail, then watch what it misses.
Risk score vs. technique count
Two ways to read the same attacker. One is going blind. Press play.
cybersecurity threat assessment software
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Deeper into the attack — and into less-skilled hands
Across the year, AI use drifted from getting in toward acting once already inside — the operationally demanding stages that used to require an expert.
The attack lifecycle · where AI is now applied
The center of gravity moved right — toward post-compromise work.
network intrusion detection system
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
From “what they know” to “what they’ve built”
The report sorts the signals into three tiers — one dead, one fading, one durable.
Technique count & tooling
16 vs. 20 between novice and expert; platform doesn’t correlate. The model supplies the techniques either way.
Where in the lifecycle AI is applied
Concentrating on operationally demanding, post-compromise stages is a better signal — but it’s eroding as the whole population heads there.
The scaffolding around the model
Architectures that let the model chain stages and run with minimal human input. Not what they know — whether they’ve built a system that lets AI run the attack.
malware analysis tools
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Fixing the map before the territory moves again
A taxonomy that can’t name the most dangerous behavior on the field will quietly mislead the people relying on it. The response runs in two directions.
Fed back into the models
The findings informed safeguards on the most capable models, built to detect & block some of what was observed:
- Blocking malware development
- Blocking mass data exfiltration
- Putting tools in defenders’ hands first (Project Glasswing)
Taking it to the source
Following the Verizon work, Anthropic says it’s in discussions with MITRE about how ATT&CK might evolve:
- A vocabulary for agentic orchestration
- Naming the scaffolding that makes a model an operator
- An interactive technique visualization on the Red blog
Reading it in proportion
- The 832 cases are a detailed subset, not the full population — the precise percentages are directional, not definitive.
- “More autonomous” is not “fully autonomous” — even the standout case needed human input at key moments, which is itself a place for defenders to intervene.
- This is one vendor’s window — the company with visibility into misuse of its own model, publishing what it found. The right thing to do with the data, and worth remembering as you read it.
Impact of AI on Threat Actor Capabilities
This development shifts the cybersecurity paradigm by making it more difficult to identify high-risk actors based on traditional indicators like technique count or tool sophistication. Attackers with minimal technical skill can now execute complex operations, increasing the threat landscape’s unpredictability. This democratization of offensive capabilities demands a reevaluation of threat assessment models and defense strategies.
Changing Cyber Threat Landscape in 2026
Historically, cybersecurity defenses have relied on the assumption that more techniques and sophisticated tools indicate a more dangerous attacker. Threat intelligence frameworks like MITRE ATT&CK have helped classify and predict threat actor behavior based on these metrics. However, recent developments show AI’s role in enabling even low-skilled actors to perform advanced operations, challenging these assumptions.
Over the past year, cybercriminals have increasingly integrated AI into their workflows, shifting focus from initial access tactics like phishing to post-breach activities that require more technical skill. This evolution reflects broader trends in AI’s accessibility and capability, which are reshaping the threat landscape faster than existing defenses can adapt.
“AI enables less skilled actors to perform complex, high-impact activities, effectively democratizing cyberattack capabilities.”
— Anthropic’s research team
Unclear Extent of AI Adoption and Future Trends
While the report provides a substantial window into current AI-enabled threats, it is unclear how widespread these practices are beyond the studied accounts. The full scale of AI’s role in future cyberattacks remains uncertain, as does the pace of technological evolution among threat actors.
Next Steps for Cyber Defense in an AI-Driven Era
Security agencies and organizations will need to develop new threat assessment tools that account for AI-enabled tactics. Ongoing research and monitoring are essential to understand evolving attack patterns. Additionally, collaboration between AI developers and cybersecurity experts will be crucial to counteract the democratization of advanced attack capabilities.
Key Questions
How has AI changed the way attackers operate in 2026?
AI has enabled attackers with minimal technical skill to perform complex tasks like lateral movement and account discovery, previously limited to highly skilled hackers.
Why are traditional threat assessment methods no longer effective?
Because AI allows even low-skilled actors to execute advanced techniques, the correlation between technique count or tool sophistication and threat level has broken down.
What does this mean for cybersecurity defenses?
Defenders must develop new models that focus on behavioral signals and operational context rather than just technique diversity or tool usage.
Is this trend likely to accelerate?
Given AI’s rapid development and accessibility, it is probable that these capabilities will become more widespread and sophisticated, increasing the challenge for security teams.
Source: ThorstenMeyerAI.com
