Anthropic Red Team · LLM ATT&CK Navigator

The dividing line is no longer skill, but orchestration

The red team spent a year on one question: how are threat actors actually weaponizing AI? Mapping 832 banned malicious accounts onto MITRE ATT&CK punctured an old assumption in security — that a threat actor's danger can be read off their technical sophistication or the breadth of techniques they use. The data says: it can't.

Old axis (fails) · technical sophistication r = 0.28 · breadth of techniques r = 0.27
Skill, interface choice, and technique count all proved to be weak predictors.
New axis (the true divide) · agentic orchestration (scaffolding) · 33% → 56%
Share of medium-or-higher-risk actors, up ~1.7× in under a year — without these actors becoming any more skilled. AI is handing the ability to run an entire killchain, once reserved for the most sophisticated attackers, to low- and mid-skill operators.
Source: Anthropic red-team blog, "Mapping AI-enabled cyber threats: Insights from the LLM ATT&CK Navigator" (red.anthropic.com, 2026-06-03; Kyla Guru / Alex Moix / Jacob Klein). A faithful restatement of the original; key judgments preserved verbatim.
A decoder ring · for non-security readers

First, four terms worth pinning down

This piece is full of jargon — T1587, lateral movement, correlation coefficients. No security background needed: learn these four and the rest reads clearly.

Read this first · four terms
What is MITRE ATT&CK?
An industry-standard "dictionary of attacker techniques." Security teams break real attacks into standardized "techniques," each with an ID, a name, and real-world examples, so everyone speaks the same language. What this report does is map AI-related attack behavior onto that dictionary, technique by technique.
Tactic, technique, and the T codes?
Two layers. A tactic is the goal ("what they're trying to achieve") — there are 14, e.g. "credential access," "lateral movement." A technique is the how, each with a T-prefixed ID (like T1003); a dotted one (T1587.001) is a finer sub-technique. Read a T code as the ID number of one specific move.
What is a killchain?
The sequential stages of a full attack: recon → break in → grab credentials → move laterally across the internal network → steal data or cause damage. Running the whole chain solo was traditionally a mark of elite attackers — and this report's core point is that AI is making it easy.
How do you read the r values?
A correlation coefficient measures how tightly two things move together, on a 0–1 scale: closer to 1 = tightly linked, closer to 0 = barely related. So r = 0.28 means technical sophistication and risk are only weakly linked — the basis of the counterintuitive finding. (Spearman ρ is the same idea applied to rankings.)
Definitions here and throughout are drawn from MITRE ATT&CK® and general security references, added to aid non-expert readers — they are not part of the red team's original text.
The dataset · Three key findings

A year of real-world data, three key findings

This isn't a closed-door exercise. Some of the results were folded into the 2026 Verizon DBIR (Data Breach Investigation Report), the security industry's annual benchmark. The sample is accounts Anthropic banned between March 2025 and March 2026 for violating the cyber parts of its Usage Policy, mapped onto the version of MITRE ATT&CK that was live at the time (V18).

832 · banned accounts (with enough detail to map)
13,873 · observations of malicious activity
482 · unique techniques
14 · tactics (full coverage)

Each actor was scored 0–100 with a new method, ARiES (AI Risk Enablement Score). Data is anonymized.

1 · More actors are using AI for cyber operations, and their actions carry higher risk
The medium-or-higher-risk share rose ~1.7× in under a year, concentrated in lateral movement, credential dumping, and web shells — the techniques carrying the highest per-actor risk weight. Traditionally only the most sophisticated actors could operate across the entire killchain; that's no longer true. And the platform used to access the model (API or Claude Code) has no bearing on risk. What distinguishes the highest-risk actors is which techniques they ask the model for.
2 · Agentic scaffolding will make cyberattacks far more autonomous
As AI-assisted techniques become common, "what they ask the model to do" stops differentiating risk. The differentiator becomes scaffolding — the surrounding code, architecture, and tooling actors build around the model so they can chain attack stages autonomously. The November 2025 espionage campaign made this stark: it hit a max risk score of 100 yet used a technique count comparable to medium-risk actors.
3 · MITRE ATT&CK doesn't yet cover the autonomous actions that make these actors dangerous
Autonomous killchain orchestration, real-time pivot decisions, and AI-directed execution with no human intervention have no IDs in the framework. All 13,873 observations mapped to existing categories, but the behaviors that distinguish the highest-risk actors — and set the speed and scale of their operations — don't yet have IDs. The taxonomy needs to grow to capture them.

the dividing line between low and high-risk actors is no longer technical skill but orchestration.

— the core reframe of the report
The ARiES risk score

The ARiES score, and why it adds instead of multiplies

ARiES is a composite of three signals: the actor's threat profile, the model's contribution to the requested harm, and the observed or potential impact. It draws on an account's activity across Claude.ai, Claude Code, and the API, combined with safety classifiers and threat-intelligence indicators. The higher the score, the higher-risk the AI-enabled actor.

Threat · intent & sophistication · 35
Vulnerability · model capacity & interface · 35
Impact · real-world consequence · 30
Three components summed = 0–100 · binned into low / medium / high / critical

Threat evaluates intent clarity, technical sophistication, threat-intel signals, and evasion tactics (sophistication is graded by Claude from the actor's prompts and tool usage). Vulnerability assesses the model's capacity to enable the harm and the interface risk — programmatic interfaces (API) and agentic coding tools like Claude Code score highest, given their potential to automate actions. Impact captures real-world effects via safety-classifier scores and investigators' assessment.

Why it deliberately uses addition, not multiplication

Traditional cyber risk is Threat × Vulnerability × Impact, reflecting whether a hypothetical attack would succeed. The flaw: if any factor is zero, the whole score collapses to zero. But the question the red team wants to answer is different — which AI-involved actors and techniques warrant the most attention from defenders?

Traditional · multiply · Threat × Vulnerability × Impact
Any factor at zero collapses the whole, because a missing ingredient means the attack won't succeed. It answers "will the attack land?"
Misses: a novice who inadvertently produces a wormable exploit (intent ≈ 0); an actor who builds working malware with no identified victim yet (impact ≈ 0) — both score "no risk" under multiplication, yet both are exactly what detection should catch early.
ARiES · add · Threat + Vulnerability + Impact
Preserves each dimension's signal independently, so partial attack-enablement patterns stay visible even when one dimension is absent or unclear.
Tradeoff: the score is not a prediction of whether an attack succeeds; it's a measure of how concerning an AI-involved misuse case is.
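An added example (not code from the red team or the post) that works the additive-versus-multiplicative contrast through in code. The 35/35/30 component caps are the page's; the band cut-offs (40/60/80), the case values and the function names are constructed assumptions for illustration.

```python
from dataclasses import dataclass

THREAT_MAX, VULN_MAX, IMPACT_MAX = 35, 35, 30  # component caps stated on the page

# Assumed band cut-offs: the page names the four bands but not their thresholds.
BANDS = [(0, "low"), (40, "medium"), (60, "high"), (80, "critical")]


@dataclass(frozen=True)
class Components:
    threat: int         # intent clarity, sophistication, threat-intel signals, evasion (0-35)
    vulnerability: int  # model's capacity to enable the harm plus interface risk (0-35)
    impact: int         # observed or potential real-world consequence (0-30)

    def __post_init__(self):
        caps = ((self.threat, THREAT_MAX), (self.vulnerability, VULN_MAX),
                (self.impact, IMPACT_MAX))
        for value, cap in caps:
            if not 0 <= value <= cap:
                raise ValueError(f"component {value} outside 0..{cap}")


def aries_additive(c: Components) -> int:
    """ARiES as the page describes it: the three components summed to 0-100."""
    return c.threat + c.vulnerability + c.impact


def traditional_multiplicative(c: Components) -> float:
    """Threat x Vulnerability x Impact with each factor normalised to 0-1, rescaled to 0-100."""
    product = (c.threat / THREAT_MAX) * (c.vulnerability / VULN_MAX) * (c.impact / IMPACT_MAX)
    return round(100 * product, 1)


def band(score: float) -> str:
    """Bin a 0-100 score into low / medium / high / critical using the assumed cut-offs."""
    label = BANDS[0][1]
    for cutoff, name in BANDS:
        if score >= cutoff:
            label = name
    return label


# Constructed cases, including the two the page says multiplication misses.
CASES = {
    # Novice with no discernible intent who still obtains a wormable exploit.
    "novice_wormable_exploit": Components(threat=0, vulnerability=35, impact=30),
    # Working malware in hand, but no identified victim yet.
    "malware_no_victim_yet": Components(threat=30, vulnerability=33, impact=0),
    # Routine low-stakes request, low on every axis.
    "basic_recon": Components(threat=10, vulnerability=12, impact=8),
}


def compare(cases=CASES) -> dict:
    """name -> (ARiES additive score, multiplicative score, ARiES band)."""
    return {name: (aries_additive(c), traditional_multiplicative(c), band(aries_additive(c)))
            for name, c in cases.items()}
```

Under `compare()` both edge cases collapse to 0.0 multiplicatively while ARiES keeps them at 65 and 63 (the "high" band); only the routine request stays low under both.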
How threat actors use AI today

What actors actually use AI for today

Across the 13,873 observations, the three things actors most often ask AI for are clear: build pre-engagement offensive tooling, make it harder to detect, and harvest data from compromised systems. The most common technique family is T1587 (Develop Capabilities), seen in 574 of 832 accounts, 560 of them for malware development. Defense evasion is the single largest tactic category, present in 84.4% of accounts.

Tactic · Defense Evasion · largest tactic category · 84.4%
T1587 · Develop Capabilities · build tooling / malware · 69%
T1027 · Obfuscated Files · evade signature detection · 64.7%
T1005 · Data from Local System · harvest local data · 55.9%
T1562 · Impair Defenses · disable endpoint security · 54.9%
T1055 · Process Injection · DLL injection / process hollowing · 30.3%

A clear pattern: heavy up front, light once inside the network

Once actually inside a target network — adapting to a live environment — actors rarely use the LLM for real-time decisions. The later-stage tactics together account for just 8.7% of all observations, less than defense evasion alone. This pattern held steady all year.

Pre-engagement · heavy AI involvement · Build tooling, obfuscate, harvest local data. Develop Capabilities 69%, defense evasion 84.4%
On-target · medium · Discovery & collection rose in H2: Account Discovery +8.9%, Automated Exfiltration +6.2%
Live ops · light · Lateral movement only 6.5%, priv-esc + impact 22.5%, remote services <12 accounts. Late-stage tactics total just 8.7%
Axis: more AI involvement → less AI involvement (yet this is exactly where the danger is)

A subtle H2 shift: less standalone malware (Develop Capabilities −12%, Phishing −8.6%), more help with specific operational phases — more accounts using the model for work that implies they're already inside the network.

Attack actions · in plain language

The attack-action glossary

So what do those T codes actually mean as actions? Here's every attack term in the piece, in plain language. Lost on one? Come back here.

Obfuscation · T1027
Encrypt, encode, or disguise malicious code/files so antivirus can't recognize them by signature. One of the most common things actors get AI to help with.
Impair Defenses · T1562
Disable, bypass, or tamper with the antivirus / endpoint security tools on the target machine to clear the way for what comes next.
Process Injection · T1055
Run malicious code inside a legitimate program's memory, hiding behind its shell and possibly escalating privileges. DLL injection and process hollowing are this family.
Credential Dumping · T1003
Pull account passwords (plaintext or hashes) out of OS caches or memory, then reuse them to log into other machines. It's the fuel for lateral movement.
Lateral Movement · TA0008
Once inside one machine, use stolen credentials to hop deeper through the internal network, machine by machine. Here, it's the single strongest marker of a high-risk actor.
Web Shell · T1505.003
A backdoor web script planted on a compromised web server, letting the attacker control it over HTTP at will — a persistent gateway into the network.
Remote Services / Valid Accounts · T1021 / T1078
Use legitimate (stolen) accounts to log in over SSH/RDP/SMB and operate like a normal admin — hardest to catch precisely because it "looks like a real user."
Archive Collected Data · T1560
Compress, package, and encrypt the data to be stolen so it can be exfiltrated in one quiet batch. GTG-1002 staged tens of thousands of records this way.
SSRF · Server-Side Request Forgery
Trick an internet-facing server into making requests to internal systems only it can reach — borrowing the server's hand to reach inside. GTG-1002 used it to pivot from the public internet into the internal cloud.
C2 / RAT · Command & Control / Remote Access Trojan
C2 is the remote-control channel and infrastructure an attacker uses to direct compromised machines; a RAT is malware giving the attacker full remote control of a machine.
MCP · Model Context Protocol
An open protocol that lets an AI model call external tools and data sources. GTG-1002 wired pentest tools in as MCP servers so Claude could act directly, not just advise.
AWS Secrets Manager · cloud secrets store
An AWS service that stores keys, tokens, and database passwords. Once inside the cloud, pulling credentials from here lets an attacker keep moving.
Who the high-risk actors are

Lateral movement is the single strongest marker of a high-risk actor

Lateral movement is rare in the dataset, yet highly correlated with the top ARiES scores. The highest-risk actors are the ones most likely to use the model for post-compromise, hands-on-keyboard work — remote services, credential dumping, web shell deployment, internal discovery. Going from "using AI to prepare" to "using AI to act inside a live network" is the key marker of high AI enablement.

How much higher do lateral-movement actors score?
The 54 actors using lateral movement · average risk score · 56.4
Full-sample mean · 46.8
Nearly 10 points higher — no other technique comes close in predictive power. The techniques most used by the highest-risk actors — T1021 (Remote Services SSH/SMB), T1078.003 (Valid Accounts), T1003 (OS Credential Dumping), T1560 (Archive Collected Data), T1505.003 (Web Shell) — appear 3 to 5× more often among them than in the overall population.

The counterintuitive finding: the metrics threat-intel relies on are weak predictors

The attributes threat-intelligence teams typically lean on — assessed skill, interface choice, number of techniques — are all weak predictors of how much uplift AI gives an actor.

Technical sophistication · r = 0.28 · Remove it entirely and the top six actors stay in identical rank order (Spearman ρ = 0.96 across all 832). The high-risk tail isn't an artifact of this component.
Breadth of techniques · r = 0.27 (weak positive) · Most actors use a smattering — median 16 techniques — a breadth that five years ago might have signaled a well-resourced, mature operation.
Interface choice · 80% of actors used Claude Code · Agentic tooling is the default mode of access, not a distinguishing one. Conversational, API, and agentic-tool actors converge on indistinguishable risk profiles.

The takeaway: the actors who get the most uplift from AI aren't necessarily more sophisticated, don't necessarily use coding tools, and don't necessarily span the killchain — they simply use Claude for more hands-on techniques. On the current trajectory, these operational techniques will become tomorrow's baseline, and a new way to measure the riskiest actors will be needed.
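An added example (not the red team's code) that runs three of the checks described in this section over a constructed mini-sample: the lateral-movement lift (mean ARiES of TA0008 users versus the full sample), the enrichment of the five post-compromise techniques among the top-risk actors, and the Spearman rank-stability check with the sophistication (Threat) component removed. The actor names, scores and technique sets are invented for illustration and do not reproduce the page's 56.4 / 46.8 or ρ = 0.96; the technique IDs are the ones the page cites.

```python
from statistics import fmean

# TA0008 IDs used as the "lateral movement" marker, and the five post-compromise
# techniques the page lists as most used by the highest-risk actors.
LATERAL_MOVEMENT = {"T1021", "T1021.004", "T1210", "T1570"}
POST_COMPROMISE = {"T1021", "T1078.003", "T1003", "T1560", "T1505.003"}
# Constructed sample, not real accounts: name -> (Threat component 0-35,
# Vulnerability + Impact components 0-65, ATT&CK IDs observed). ARiES = the sum.
ACTORS = {
    "a1": (30, 55, {"T1587.001", "T1027", "T1021.004", "T1003", "T1560"}),
    "a2": (25, 45, {"T1587.001", "T1021", "T1505.003", "T1078.003"}),
    "a3": (12, 30, {"T1587.001", "T1027", "T1562"}),
    "a4": (8, 25, {"T1587.001", "T1005"}),
    "a5": (15, 35, {"T1027", "T1055", "T1562"}),
    "a6": (5, 18, {"T1595", "T1587.001"}),
    "a7": (27, 33, {"T1027", "T1003", "T1562"}),
    "a8": (10, 20, {"T1587.001", "T1027", "T1005", "T1055"}),
}

def aries(actor):
    threat, rest, _ = actor
    return threat + rest

def lateral_movement_lift(actors=ACTORS):
    """(mean ARiES of actors using any TA0008 technique, full-sample mean)."""
    lm = [aries(a) for a in actors.values() if a[2] & LATERAL_MOVEMENT]
    return round(fmean(lm), 1), round(fmean(aries(a) for a in actors.values()), 1)

def enrichment(actors=ACTORS, top_n=2):
    """Frequency of each post-compromise technique among the top_n actors by ARiES,
    divided by its frequency in the whole sample (the page's '3 to 5x more often')."""
    top = sorted(actors.values(), key=aries, reverse=True)[:top_n]
    freq = lambda t, group: sum(t in a[2] for a in group) / len(group)
    return {t: round(freq(t, top) / freq(t, actors.values()), 1)
            for t in POST_COMPROMISE if freq(t, actors.values())}

def ranks(values):
    """Rank 1 = largest; tied values share their average rank."""
    order = sorted(range(len(values)), key=lambda i: -values[i])
    r, i = [0.0] * len(values), 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            r[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return r

def spearman(xs, ys):
    """Spearman rho: Pearson correlation of the two rank vectors."""
    rx, ry = ranks(xs), ranks(ys)
    mx, my = fmean(rx), fmean(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    sd = lambda r, m: sum((v - m) ** 2 for v in r) ** 0.5
    return round(cov / (sd(rx, mx) * sd(ry, my)), 3)

def rank_stability(actors=ACTORS):
    """Spearman rho: full ARiES ranking vs the ranking with the Threat component removed."""
    return spearman([aries(a) for a in actors.values()], [a[1] for a in actors.values()])
```

On a real dataset the same three functions apply unchanged; only `ACTORS` and, if a different top slice is wanted, `top_n` change.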

The age of AI agents · GTG-1002

A max score of 100 — not from more techniques, but from AI orchestrating them

The red team analyzed the actor behind the November 2025 AI-enabled espionage campaign, labeled GTG-1002, which compromised government and critical-infrastructure targets across multiple countries. Technique count or tactic type alone can't explain why it's the highest-risk actor observed to date — its profile resembles dozens of medium-risk accounts.

Max risk score · AI espionage campaign · disclosed Nov 2025 · multi-country government & critical infrastructure
Claude Code wielded as an autonomous operator, not a coding advisor
ARiES · 100 · max score, highest to date; yet a technique profile comparable to medium-risk actors
Technique profile · 30 techniques / 13 tactics · median actor is 16; several low-risk actors exceed 30 too

What explains the score is the increasingly agentic components. GTG-1002 ran Claude Code on a Kali Linux machine and integrated open-source penetration testing tools as MCP (Model Context Protocol) servers — effectively turning the AI into an autonomous attack platform rather than a code-writing assistant. The AI didn't just suggest commands; it executed them and reasoned about attack environments autonomously.

A killchain the AI chained together itself

Recon · Autonomously scanned and mapped dozens of internet-facing services
Exploit / entry · Exploited an SSRF in a public web server to proxy commands into the internal cloud
Cred access · Harvested SSH keys; service-account tokens from cloud metadata & AWS Secrets Manager
Lateral movement · Used harvested creds to move across the victim's cloud environment
Exfiltration · Staged & compressed tens of thousands of records; final curl pull was human-directed

Discovery → credential access → lateral movement are exactly the operational phases that were rare in the dataset. Technique IDs involved: T1021.004 (Remote Services: SSH), T1210 (Exploitation of Remote Services), T1560 (Archive Collected Data).

Autonomous execution within stages
Orchestrated dozens of MCP tool operations autonomously, discovering internal admin portals, databases, logging servers, and temporal workflow systems once inside. The AI made tactical "what to probe next" decisions without waiting for operator input.
Live exploitation & pivoting
Within the scaffolding, the AI exploited SSRF, harvested credentials, and moved laterally — the post-compromise, hands-on phases that were rare in the dataset.
Human intent, AI execution
The human set strategic direction; the AI handled tactical implementation, adapting on its own to unanticipated infrastructure (container image signing workflows, service-account identities). The final curl-to-attacker step was human-directed — the operator kept the consequential decisions.
Diagram: Kali Linux host → Claude Code as autonomous operator → MCP servers (pentest, scan, curl)
Scaffolding = turning the AI from assistant into attack platform

Open-source pentest tools wired in as a set of MCP servers, with Claude Code scheduling, reasoning, and deciding in the middle. A technique-frequency table can't capture this dimension — and it's the one the red team expects to matter most as agentic tooling matures.

A new era for MITRE ATT&CK

The framework can't keep up — so how do defenses?

The most dangerous actors now use AI to orchestrate attacks, not just build the tools that enable them, and the framework investigators rely on hasn't caught up. ATT&CK captures individual techniques, but the behaviors that distinguish the highest-risk actors — agentic orchestration of an entire killchain, autonomous target selection — aren't in the taxonomy.

What it captures vs. what it can't
All 13,873 observations mapped to the framework — yet the behaviors that distinguish high risk have no ID
● Has an ID · individual techniques (T1587 / T1027 …) · 14 tactics · 482 unique techniques
✕ No ID yet · autonomous killchain orchestration · real-time pivot decisions · AI-directed execution with no human · autonomous target selection

The red team's proposed next step: add cross-cutting categories to ATT&CK that help investigators identify the agentic, autonomous, decision-making behaviors that chain multiple techniques together. The findings are also reshaping Anthropic's own safeguards — four of them:

01 · Detection
Catch orchestration, not noise
The highest-risk actors often look ordinary; the difference is how they orchestrate the AI. Anthropic is expanding classifiers and probes to catch techniques correlated with high ARiES scores, and developing signals for agentic patterns that don't map cleanly to MITRE (multistep autonomous execution, AI-directed pivots, MCP tool-augmented operations).
02 · Real-time block
Request-level blocking + CVP
On the most capable models, prohibited activity (ransomware development, mass data exfiltration) is detected and blocked at the request level. Higher-risk dual-use activity is routed through the Cyber Verification Program (CVP) so defensive practitioners can keep working.
03 · Project Glasswing
Study the strongest model before release
Through Glasswing, Anthropic studies its most capable model's offensive cyber capability before wider release — to understand where AI cyber capability is heading before threat actors can use it, and design safeguards ahead of time.
04 · MITRE & Verizon
Evolve the framework + share intel
Following the Verizon DBIR collaboration, Anthropic is in active talks with MITRE on how ATT&CK can evolve to capture AI-native operational behaviors, and continues to share indicators, TTPs, and findings with government and industry partners.

capable AI systems will benefit defenders more than attackers in the long run: finding bugs before new code ships, and making the systems societies depend on more secure.

— the closing note is optimistic: the transition will be hard, but if industry, government, and civil society treat the moment with the urgency it warrants, defenders come out ahead. The conditions: defenders must use AI with the same sophistication as attackers, share intel across organizations, shorten time-to-patch, and the industry must become far less tolerant of insecure code.