How Hackers Use AI in 2026: 7 Lessons From Anthropic's Threat Data

TL;DR

Between March 2025 and March 2026, Anthropic studied 832 accounts it banned for using Claude in cyberattacks, recording 13,873 malicious actions across all 14 MITRE ATT&CK tactics. The headline finding flips a common assumption: the most dangerous attackers were not the most technically skilled. They were the ones who used AI to orchestrate an entire attack with little human input. Most actors used AI in the early stages to build and hide malware, but the share scoring medium risk or higher jumped from 33% to 56% in a single year. If you are starting in cybersecurity, the lesson is to stop collecting tools and start learning the killchain, detection, and how to spot AI-driven orchestration.

The most dangerous attacker Anthropic studied last year was not the most gifted coder in the dataset. The actor that earned the maximum risk score of 100, tracked as GTG-1002, used roughly the same number of techniques as dozens of ordinary, medium-risk actors. What set it apart was not skill. It was that the attacker wired Claude into a setup that let the AI scan, decide, and act on its own.

That is the uncomfortable headline of Anthropic's LLM ATT&CK Navigator report, published in June 2026 and partly folded into the 2026 Verizon Data Breach Investigations Report. For someone trying to break into security, this is good news disguised as a threat. It tells you exactly where the work is going, and which skills will matter most by the time you graduate. Here are seven lessons from the data, and what each one means for your first years in the field.

1. AI already shows up at every stage of an attack

The first thing the data kills is the idea that attackers only use AI for one trick, like writing phishing emails. Across the 832 accounts, Anthropic recorded 13,873 separate actions covering 482 unique techniques and all 14 ATT&CK tactics, from initial reconnaissance to final impact. Every stage of a real attack now has AI somewhere in it.

But the distribution is lopsided, and that detail matters for a beginner. The work clusters heavily in the early, preparatory stages. Defense evasion alone accounts for 16.17% of all observed actions, and resource development for another 13.27%. The late stages, where an attacker is already inside and causing damage, barely register: impact and exfiltration sit at 2.78% each, privilege escalation at 2.36%, and lateral movement at just 0.7%.

The practical takeaway is the ATT&CK framework itself. If attackers and defenders both describe the world in tactics and techniques, that vocabulary is the single most useful thing you can learn early. It turns a scary blur of attacks into a readable map of the attack surface, and it is the language every threat intelligence team already speaks.

2. Most attackers use AI to build tools, not to break in

When you picture an AI-assisted hacker, you probably imagine the AI doing the breaking in. The data says otherwise. The most common thing attackers asked the model for was help building offensive tooling before an attack even starts.

The single largest technique family was Develop Capabilities, used by 574 of the 832 actors, or 69%. Almost all of that was malware development, observed in 560 accounts: custom scripts, DLL injection code, fingerprinting evasion, automated account management. Right behind it were obfuscation of files and information at 64.7%, harvesting data from the local system at 55.9%, and impairing defenses at 54.9%. Defense evasion as a whole appeared in the behaviour of 84.4% of every actor studied. In plain terms, attackers mostly use AI to write malicious code, make it harder to detect, and then pull data out once they are in.

That has a direct consequence for where new defenders should aim. The volume of AI-generated, deliberately obfuscated malware is rising, which puts a premium on detection that does not rely on recognising a known file. This is exactly the territory of endpoint detection and response, behavioural analytics, and the kind of work a SOC analyst does every shift. Signature-based thinking ages badly when the adversary can spin up a fresh, polymorphic variant on demand.

3. The real divide is orchestration, not technical skill

This is the lesson that should reshape how you study. Anthropic built a scoring system called the AI Risk Enablement Score, or ARiES, which rates each actor from 0 to 100 across three dimensions: the threat they pose, the model's contribution to the harm, and the impact. When they looked at who scored highest, the usual markers of a scary attacker did not explain it.

Consider GTG-1002, the actor behind the AI espionage campaign Anthropic disrupted in November 2025. It hit the maximum risk score of 100 and compromised government and critical infrastructure targets. Yet its MITRE profile, about 30 techniques across 13 tactics, was comparable to plenty of merely medium-risk actors. Some low-risk actors used more techniques than that. Technique count could not explain the danger. The difference was the scaffolding: the attacker ran Claude Code on a Kali Linux machine and plugged open-source penetration testing tools into it as Model Context Protocol servers, turning the model into an autonomous operator rather than a code-writing assistant. The AI scanned, found internal systems, harvested credentials, and pivoted across the network, making its own tactical decisions about what to probe next.

These findings point to a landscape where the dividing line between low and high-risk actors is no longer technical skill but orchestration.

For a newcomer, this is liberating and demanding at once. You do not need a decade of exploit development to be relevant. You need to understand how attacks chain together as a sequence, because that sequence, not any single clever payload, is now the unit of risk.

4. Lateral movement is the clearest sign of a high-risk attacker

If orchestration is the abstract marker of danger, lateral movement is the concrete one. It is the stage where an attacker, already inside one machine, moves sideways to reach more valuable systems. In the dataset it is rare: only 54 of 832 actors used AI for it, the lowest share of any tactic. But it is the most predictive signal Anthropic found.

Actors who used AI for lateral movement had an average risk score of 56.4, against an overall mean of 46.8. That gap of nearly 10 points was larger than for any other technique. Exfiltration, discovery, and reconnaissance followed, all sitting above the mean. The pattern is consistent: the highest-risk actors use AI for hands-on, post-compromise work inside a live network, not just for prep.

The techniques that clustered among these top-tier actors are worth memorising as a beginner: remote services over SSH and SMB, valid accounts, OS credential dumping, archiving collected data, and web shell deployment. Each was three to five times more common among the highest-risk actors than in the general population. If you want to work in detection or threat hunting, these are the behaviours that separate a noisy alert from a genuine emergency.

5. AI-enabled attacks are getting riskier, fast

Static snapshots hide trends, so Anthropic split the year in two. The shift between halves is the most alarming number in the whole report, and the most important one for anyone weighing a career move.

In the first six months, roughly 33.5% of actors scored medium risk or higher. In the second six months, that figure was 56.1%. That is a 1.7x increase in under a year, a swing of about 22.6 percentage points. In the first period most actors were low risk; in the second, most were medium risk or above. Tellingly, the growth was not driven by attackers getting more skilled. It came from more low and mid-skill actors using AI for live, in-network operations, including building command and control channels. Account discovery rose 8.9% and automated exfiltration rose 6.2% between the two halves, both signs that the actor has already gotten inside.

Read as a job-market signal, this is unambiguous. The volume of capable-enough attackers is climbing while the cybersecurity skills gap stays wide open. The defenders who can read AI-enabled behaviour are exactly the people organisations will be scrambling to hire over the next few years.

6. The signals we used to trust no longer predict risk

Threat intelligence teams have long leaned on a few shortcuts to size up an attacker: how technically sophisticated they seem, how many techniques they use, and which interface they came through. The report quietly dismantles all three.

When Anthropic measured assessed technical sophistication against the rest of the risk score, the correlation was only r = 0.28. Breadth of technique coverage was barely better at r = 0.27. The median actor used 16 distinct techniques, a number that five years ago would have suggested a well-resourced, mature operation, but today is just average. Interface choice told the same flat story: 80% of actors used Claude Code, so agentic tooling is now the default way in rather than a warning sign. Actors on the chat interface, the API, and coding tools converged on statistically indistinguishable risk profiles.

For a beginner, this is permission to stop being intimidated by the mystique of the elite hacker. What matters is not whether an actor looks sophisticated, but what they actually do hands-on inside a network. That is a far more learnable thing to watch for, and it rewards careful observation over raw genius.

7. Even MITRE ATT&CK has to evolve, and that is your opening

The final lesson is that the map itself is now incomplete. Anthropic mapped all 13,873 observations cleanly onto ATT&CK, yet the behaviours that made the worst actors dangerous, autonomous killchain orchestration, real-time pivot decisions, and AI-directed execution with no human in the loop, do not yet have technique IDs in the framework. The taxonomy that modern threat intelligence depends on has not caught up to how attacks are actually run.

Anthropic is doing something about it on several fronts. It has tuned the classifiers built into Claude and expanded its behavioural probes to catch the indicators that correlate with high ARiES scores. It rolled out real-time cyber safeguards that block prohibited activity at the request level, routes dual-use cases through a Cyber Verification Program, and studies frontier offensive capability internally through Project Glasswing before models reach the public. It is also in active talks with MITRE about adding new categories to ATT&CK for these AI-native behaviours.

When the shared framework everyone relies on has a gap this size, the people who help fill it are the ones who get hired. That gap is an invitation, not a wall.

This is the career opening hiding in a threat report. A field that is rewriting its own vocabulary needs people fluent in both AI and defense. The report is blunt that defenders must now use AI with the same urgency as attackers, share intelligence faster, and shorten the time from finding a vulnerability to patching it. Those are jobs. They did not exist in this shape three years ago, and many of them will be filled by people who are beginners right now. Frameworks like the NIST AI Risk Management Framework and MITRE D3FEND are early attempts to give defenders a shared language, while Anthropic's Claude Mythos Preview shows where AI cyber capability is heading next.

How should a cybersecurity beginner respond?

Read end to end, the report points everyone in the same direction. Attackers are no longer dangerous because of what they know; they are dangerous because of what they can string together with an AI doing the heavy lifting. Defenders will win or lose on the same axis.

So skip the trap of memorising one tool after another. Learn the killchain first, through the lens of MITRE ATT&CK, so every attack reads as a sequence you can interrupt. Get hands-on with detection of the post-compromise behaviours that actually mark high-risk actors: lateral movement, credential access, and web shells. Build genuine AI literacy, because the next generation of defenders will pair human judgement with AI assistance the way attackers already pair human intent with AI execution. And treat threat hunting, threat intelligence, and incident response as the core crafts of the moment, not optional extras.

If that cybersecurity career path sounds like the one you want, it is the one we teach. The Unihackers cybersecurity bootcamp is built around the killchain, live detection, and the AI-aware defense this report describes, so you graduate ready for the field as it is in 2026, not as it was a decade ago. The attackers have already adapted. Your move.

Frequently asked questions

How do hackers use AI in 2026?

Most attackers use AI in the preparatory stages of an attack: building and refining malware, obfuscating code to evade detection, and harvesting data from compromised systems. In Anthropic's study, Develop Capabilities was the most common activity, used by 69% of actors. Far fewer use AI for live, in-network actions like lateral movement, but those who do are the highest-risk actors. The most dangerous use is orchestration, where an AI agent chains multiple attack stages together and makes tactical decisions with little human input.

Are AI-powered cyber attacks actually getting worse?

Yes, by measurable amounts. The share of AI-enabled threat actors scoring medium risk or higher climbed from roughly 33% in the first six months of the study to roughly 56% in the second, a 1.7x increase in under a year. More low and mid-skill actors are now using AI for live operations such as account discovery and automated exfiltration, not just for preparation. The growth is concentrated in the riskiest activities, so the floor for what an average attacker can do is rising.

Do you need advanced coding skills to be a dangerous AI-enabled attacker?

No, and that is the core finding. Assessed technical sophistication correlated with risk at only r = 0.28, and the number of techniques used at r = 0.27. The actor with the maximum risk score of 100 used about 30 techniques, comparable to medium-risk actors. What made it dangerous was the scaffolding it built around the model to run an attack autonomously, not raw skill.

What should a cybersecurity beginner learn from how hackers use AI?

Learn the MITRE ATT&CK framework so you can read attacks as a sequence of stages rather than isolated tools. Focus on detection of post-compromise behaviour like lateral movement, credential dumping, and web shells, because those mark the highest-risk actors. Build AI literacy on both sides, since defenders now need to use AI with the same urgency as attackers. Detection engineering, threat intelligence, and incident response are the skills this shift rewards most.

What is an example of an AI-powered cyberattack?

The clearest documented example is GTG-1002, the actor behind the AI espionage campaign Anthropic disrupted in November 2025. It reached the maximum ARiES risk score of 100 by running Claude Code on a Kali Linux machine with penetration-testing tools wired in as Model Context Protocol servers, so the AI scanned targets, harvested credentials, and moved laterally largely on its own. It shows the defining trait of an AI-powered cyberattack: not one clever payload, but an AI agent orchestrating many attack stages with minimal human input.