By Allan D - Editor, AI Security Wire
LLM ATT&CK: Anthropic Maps a Year of Real Attacker AI Use
On June 3, Anthropic published something that doesn’t have many precedents in security research: a dataset built from real attacker activity, not penetration tests or academic simulations. The LLM ATT&CK Navigator covers 832 accounts that Anthropic banned for violating its cyber-related usage policies between March 2025 and March 2026. The actions those accounts took, 13,873 of them, are mapped to MITRE ATT&CK version 18. All 14 tactics. 482 unique techniques.
The dataset is available through Anthropic’s Frontier Red Team site. The findings land at an uncomfortable moment for defenders already dealing with a record vulnerability disclosure pace.
The Scale of the Data
Most threat intelligence on AI misuse relies on researchers deliberately probing LLMs to see what they’ll do. This is different. The 832 accounts were real actors pursuing real objectives: building malware, scripting exploits, mapping attack paths, generating phishing content. Anthropic’s team flagged them during normal operations and used the activity to construct what is effectively a one-year snapshot of how attackers actually use AI when they think they’re unsupervised.
832 accounts is a small population compared to the total threat landscape. That said, it is a specific and verified population, which makes the technique mapping more reliable than surveys or researcher estimates. When the data shows 67.3% of actors used AI to help build malicious software, that number reflects observed behaviour, not a self-reported figure from a threat actor survey.
Where AI Is Now Being Deployed
The shift Anthropic highlights is the one that should concern defenders most. A year ago, the pattern was front-loaded: attackers used AI to craft phishing lures, write reconnaissance scripts, and generate convincing social engineering content. These are initial-access techniques.
The new dataset shows a migration toward the middle and back end of the kill chain. AI is increasingly deployed for post-compromise work: navigating network infrastructure, scripting persistence mechanisms, researching privilege escalation paths, and generating lateral movement playbooks for specific target environments. The attack is being assembled with AI assistance at every stage, not just the front door.
This matters because detection strategies built around identifying AI-generated phishing content are addressing last year’s problem. If attackers are now using AI inside the network, the detection surface is different.
The Skill Floor Problem
Anthropic’s data makes a point that is easy to misread. 99% of the 832 actors are rated medium or low risk based on the sophistication of their AI use. Only 1% are high or critical. That sounds reassuring until you look at the trajectory.
The percentage of medium-to-high risk actors rose from 33% to 56% in under a year. That is not the ceiling going up. That is the floor rising. AI is not turning script kiddies into APT-level operators. It is turning them from low-risk nuisances into credible threats capable of completing attack chains they could not have assembled independently. The gap between what a low-skill attacker can accomplish and what a skilled one can accomplish is narrowing, not because skills are transferring, but because AI is substituting for the skills that were previously required.
VoidLink, a malware framework that the Anthropic dataset flags as a notable threat, was assembled by an AI agent in six days. PromptLock, documented in the same dataset, is described as the first AI-powered ransomware to generate cross-platform encryption scripts dynamically through local LLMs. Neither required an experienced developer.
Reinforced by Verizon
Anthropic collaborated with Verizon to feed some of this data into the 2026 Data Breach Investigations Report. The DBIR finding that vulnerability exploitation now accounts for 31% of breaches, the first time it has overtaken stolen credentials in 19 years, is directly connected to AI acceleration.
The median time from CVE publication to first confirmed exploitation is now five days. Organisations patched 26% of vulnerabilities on CISA’s Known Exploited Vulnerabilities catalogue in 2025, down from 38% the year before. The DBIR essentially records the downstream consequences of what Anthropic’s dataset measures upstream: AI compressing the timeline between vulnerability discovery and attacker deployment.
The combination is not subtle. Faster exploitation windows, rising attacker competence across the lower skill tiers, and shifting AI use toward post-compromise activity all point in the same direction for defenders.
What Changes in Practice
Anthropic’s dataset and the Verizon DBIR together support a few specific adjustments to how detection programs are designed.
Post-compromise AI-assisted activity will look different from a human operator doing the same work. It tends to be systematic, verbose in its intermediate steps, and consistent with the specific outputs LLMs generate for privilege escalation research or lateral movement scripting. Detection engineering focused on behavioural anomalies in command execution, process trees, and file creation during post-exploitation should begin accounting for AI-assisted operator patterns.
Phishing detection remains necessary but is no longer sufficient as the primary AI-focused defence. Attacker AI use has moved into the environment.
The Anthropic dataset is published openly through the LLM ATT&CK Navigator. Security teams can pull it directly.
References
- Anthropic: Mapping AI-enabled cyber threats: Insights from the LLM ATT&CK Navigator
- Anthropic: What we learned mapping a year’s worth of AI-enabled cyber threats
- SecurityWeek: Verizon DBIR 2026 — Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector
- Security Boulevard: The AI Governance Gap: Verizon’s 2026 DBIR Shows Attackers Scaling AI While Employees Leak Data Through It
- Vectra: What Anthropic’s Attacker-AI Data Means for Detection
- Help Net Security: Verizon DBIR 2026 — Vulnerability exploitation is the dominant initial access vector
Frequently Asked Questions
- What is the Anthropic LLM ATT&CK Navigator?
- The LLM ATT&CK Navigator is a threat intelligence dataset published by Anthropic's Frontier Red Team on June 3, 2026. It maps 13,873 observed attacker actions from 832 banned accounts to MITRE ATT&CK framework version 18, covering all 14 tactics and 482 unique techniques. The dataset represents a year of real attacker behaviour on the Claude platform, not simulated or red-team data.
- How has attacker use of AI shifted over the past year according to Anthropic?
- A year ago, AI-assisted attacks were concentrated at initial access: phishing, reconnaissance, and credential gathering. The new dataset shows a migration toward post-compromise activity, with threat actors increasingly using AI to navigate inside networks after gaining access, for tasks like lateral movement assistance, privilege escalation research, and scripting for persistence mechanisms. The attacker workflow has matured from using AI to get in to using AI once inside.
- Does the data mean AI has made most attackers significantly more dangerous?
- The picture is more nuanced than the headline risk suggests. Anthropic rates 99% of observed actors as medium or low risk based on technical sophistication and AI use frequency. Only 1% are high or critical risk. What has changed is the distribution: the percentage of medium-to-high risk actors climbed from 33% to 56% in under a year, meaning AI is pulling more low-skill attackers into a higher competence tier. The ceiling has not changed; the floor has risen considerably.