AI-Enabled Cyber Threats: Mapping a Year of Attacks and Security Challenges (2026)

The world of cybersecurity is undergoing a dramatic transformation as AI becomes an integral part of cyberattacks. A recent study delves into the evolving landscape, examining 832 accounts banned for malicious activity between March 2025 and March 2026. The findings reveal a concerning trend: AI is making attackers more dangerous and harder to detect.

AI's Role in Cyberattacks

The research highlights a shift in how threat actors use AI. At first, AI was used mainly for initial access, such as writing malware (67.3% of cases). The study now shows a growing trend toward using AI for more complex post-compromise activities, including lateral movement (6.5% of cases) and account discovery (8.9% increase), which indicates that attackers are applying AI deeper into the attack lifecycle.

This evolution poses a significant challenge for security teams. Traditionally, risk assessment relied on the number of techniques employed and tools used. But AI's ability to automate technical tasks erodes this correlation. Skilled actors now use around 20 techniques, while less skilled actors use 16, defying the assumption that skill level directly correlates with technique count.

The Evolving Threat Landscape

What's particularly concerning is the type of scaffolding attackers build around AI models. Higher-risk actors design architectures that chain together attack stages with minimal human input. This level of autonomy is not currently captured by the MITRE ATT&CK framework, which focuses on individual techniques rather than the orchestration of AI-driven attacks.

The study describes the disruption of a state-sponsored cyber espionage operation in which a malicious actor manipulated Claude Code to infiltrate global targets with minimal human intervention. This attack, which used 30 techniques across 13 tactics, was comparable to medium-risk actors, highlighting the limitations of current risk assessment methods.

Implications for Security Frameworks

The MITRE ATT&CK framework needs to evolve to address AI-enabled behaviors. As AI agents become more capable, we'll see more autonomous agents executing complex attacks with minimal human input. This demands a shift in security frameworks to focus on attack orchestration rather than individual techniques.
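The contrast between counting techniques and measuring orchestration can be made concrete with a small scoring sketch. This is an added example, not code from the study or from MITRE: the event rows are constructed, and the `autonomous_tactic_span` metric and the `human_prompted` field are hypothetical names chosen for illustration.

```python
from collections import defaultdict

# Constructed telemetry (not from the study): one row per observed action,
# listed in time order per actor.
# Fields: actor, ATT&CK tactic, ATT&CK technique ID, human_prompted.
# human_prompted=True means an operator instruction directly preceded the action.
EVENTS = [
    ("actor_a", "initial-access",   "T1190", True),
    ("actor_a", "execution",        "T1059", True),
    ("actor_a", "discovery",        "T1087", True),
    ("actor_a", "discovery",        "T1046", True),
    ("actor_a", "lateral-movement", "T1021", True),
    ("actor_a", "exfiltration",     "T1041", True),
    ("actor_b", "initial-access",   "T1190", True),
    ("actor_b", "discovery",        "T1087", False),
    ("actor_b", "lateral-movement", "T1021", False),
    ("actor_b", "exfiltration",     "T1041", False),
]

def technique_count(events):
    """Traditional proxy: number of distinct techniques per actor."""
    seen = defaultdict(set)
    for actor, _tactic, technique, _human in events:
        seen[actor].add(technique)
    return {actor: len(techs) for actor, techs in seen.items()}

def autonomous_tactic_span(events):
    """Hypothetical orchestration metric: the largest number of distinct
    tactics covered by one run of actions that began with a single human prompt."""
    best = defaultdict(int)
    current = defaultdict(set)
    for actor, tactic, _technique, human in events:
        if human:  # a new operator instruction starts a new chain
            current[actor] = set()
        current[actor].add(tactic)
        best[actor] = max(best[actor], len(current[actor]))
    return dict(best)

def rank(metric):
    """Actors ordered from highest to lowest score (ties broken by name)."""
    return sorted(metric, key=lambda actor: (-metric[actor], actor))

if __name__ == "__main__":
    for name, fn in (("techniques", technique_count),
                     ("autonomy", autonomous_tactic_span)):
        scores = fn(EVENTS)
        print(name, scores, "ranking:", rank(scores))
```

On this constructed data the two metrics rank the actors in opposite order: the actor with more techniques needed an operator prompt for every step, while the actor with fewer techniques crossed four tactics from one prompt.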

Looking Ahead

Anthropic's findings have led to the development of cyber safeguards in its models to detect and block AI-enabled activities. The company is also collaborating with MITRE to enhance the ATT&CK framework. Its commitment to Project Glasswing aims to equip defenders with the tools to combat evolving threats, emphasizing the need for continuous adaptation in the cybersecurity arms race.


Author: Francesca Jacobs Ret
