AI shifts cyber risk from skill to speed
Anthropic’s review of 832 banned accounts tied to malicious cyber activity found a sharp rise in AI-enabled risk without a matching increase in attacker sophistication. The share of actors rated medium-risk or higher rose from roughly 33% to 56% in under a year, a 1.7x jump, while technical sophistication correlated only weakly with risk (r = 0.28), and technique breadth correlated similarly weakly (r = 0.27).
Most observed activity still maps to familiar MITRE ATT&CK techniques. Anthropic logged 13,873 observations across 482 sub-techniques within 14 tactics, and the most common family was T1587.001 (Malware Development), used by 560 of 832 actors. Existing behavioral detections can still catch many artifacts and actions, but AI increases volume, variety, and obfuscation speed.
The bigger concern is post-compromise orchestration. Lateral movement appeared in just 0.7% of observations, but the 54 actors using AI for it averaged a risk score about 10 points above the mean. Anthropic’s GTG-1002 case showed an AI agent connected to offensive tooling, scanning, exploiting an SSRF flaw, harvesting credentials, and deciding pivots with limited human input.
Detection strategies need to move beyond static technique coverage toward tempo, sequence-aware behavior, orchestration interfaces, and faster vulnerability remediation. The same AI capabilities can also help defenders triage and patch faster, but the advantage depends on shrinking the gap between attacker automation and defensive adaptation.
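A sketch of what a tempo- and sequence-aware rule can look like, as an added example that is not from Anthropic's report: it flags a principal whose alerts advance through ATT&CK tactics in order faster than a human operator plausibly would. The event schema, the stage subset, the thresholds and the sample alerts are all assumptions constructed for illustration.

```python
from datetime import datetime
from statistics import median

# Assumed stage order: a subset of ATT&CK tactics, in matrix order.
STAGES = ["reconnaissance", "initial-access", "credential-access",
          "discovery", "lateral-movement"]
RANK = {t: i for i, t in enumerate(STAGES)}

# Constructed sample alerts (ISO time, principal, tactic); not real telemetry.
SAMPLE = [
    ("2025-01-10T09:00:00", "svc-build", "reconnaissance"),
    ("2025-01-10T09:00:04", "svc-build", "initial-access"),
    ("2025-01-10T09:00:09", "svc-build", "credential-access"),
    ("2025-01-10T09:00:15", "svc-build", "lateral-movement"),
    ("2025-01-10T09:05:00", "alice", "initial-access"),
    ("2025-01-10T11:40:00", "alice", "credential-access"),
    ("2025-01-10T16:20:00", "alice", "lateral-movement"),
    ("2025-01-10T10:00:00", "bob", "discovery"),
    ("2025-01-10T10:00:02", "bob", "discovery"),
    ("2025-01-10T10:00:05", "bob", "discovery"),
]

def _fast_chain(chain, min_stages, max_median_gap):
    """Return (tactics, median gap in s) if the chain is long and fast enough."""
    if len(chain) < min_stages:
        return None
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(chain, chain[1:])]
    med = median(gaps)
    return ([t for _, t in chain], med) if med <= max_median_gap else None

def detect(events, min_stages=3, max_median_gap=30.0, window=600.0):
    """Map principal -> (ordered tactics, median gap) for machine-tempo chains."""
    by_actor = {}
    for ts, who, tactic in events:
        if tactic in RANK:
            by_actor.setdefault(who, []).append((datetime.fromisoformat(ts), tactic))
    hits = {}
    for who, evs in by_actor.items():
        chain = []
        for ev in sorted(evs) + [None]:  # trailing None flushes the last chain
            stale = ev is None or (chain and (ev[0] - chain[-1][0]).total_seconds() > window)
            if stale:  # a quiet period (or end of data) closes the current chain
                hit = _fast_chain(chain, min_stages, max_median_gap)
                if hit:
                    hits[who] = hit
                chain = []
            # Greedy: only a later-stage tactic extends the chain.
            if ev and (not chain or RANK[ev[1]] > RANK[chain[-1][1]]):
                chain.append(ev)
    return hits

if __name__ == "__main__":
    print(detect(SAMPLE))
```

On the sample data only `svc-build` is flagged: `alice` touches three stages but hours apart, and `bob` produces volume inside a single tactic, so both remain the job of ordinary technique-level detections rather than this tempo rule.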