Our Mythos piece in April was about what a frontier model can do in expert hands. Anthropic's 3 June analysis answers a different question about AI-enabled cyberattacks: what the broad population of attackers is actually doing with AI right now. The answer sits inside your network, not at the perimeter.

Anthropic studied 832 banned accounts over a year and scored each on how much real uplift it got from AI, mapping every observed technique onto the MITRE ATT&CK framework. Between the first and second halves of that year, the proportion of accounts rated medium-risk or higher climbed from 33% to 56%. The population of dangerous AI-enabled actors roughly doubled in twelve months.

None of that came from attackers getting more skilled. Early in the year, most actors used models for work that happens before they touch your network: writing malware, hiding it, scraping data. Later in the year, the same low- and mid-skill actors turned the models on the work that happens after they are inside, with account discovery and automated exfiltration both climbing. Those are things you only do once you have a foothold.

So the skill bar to operate inside a live network is falling, and the number of people clearing it is rising at the same time. This sits alongside what Verizon's contributors found in the 2026 Data Breach Investigations Report, which drew on the same Anthropic threat data: vulnerability exploitation has surpassed stolen credentials as the top breach entry point for the first time, with AI compressing the window from months to hours.

The signals you triage on are going quiet

A second finding matters even more to a CISO than the headline number: the attributes your threat intel team uses to rank adversaries are losing their predictive power.

Anthropic checked. An actor's assessed technical sophistication barely tracked with how much danger they actually posed. Neither did the number of techniques they used; the typical actor touched 16 techniques, a count that would have flagged a serious operation a few years ago and now describes the middle of the pack. Tooling told you nothing either, since most actors were already using agentic coding tools, so its presence stopped being a distinguishing signal.

One thing did separate the dangerous actors from the rest: which techniques they asked the model to help with. Lateral movement was the sharpest tell of all, with those accounts scoring almost 10 points above the average. Credential access, web shells, and internal discovery clustered alongside it.

So the threat is growing, it is moving into your environment, and the heuristics most teams use to spot it are pointing at the wrong things.

The most extreme case Anthropic has disclosed shows how far this goes. The state-sponsored campaign it disrupted in November 2025, tracked as GTG-1002, hit the maximum risk score of 100 while using a roughly average number of techniques. What set it apart was orchestration: the AI autonomously discovered vulnerabilities in operator-selected targets, exploited them in live operations, then carried out post-compromise work from lateral movement through to data exfiltration. Technique count never would have flagged it.

The question for your stack

If the contest has moved past the perimeter, the decisive question is no longer how good your individual tools are. It is whether your stack, working together, can see and contain an attacker who is already inside.

Can you state today, backed by evidence rather than a confident estimate, which post-compromise techniques your tooling covers and which it leaves open? For most teams that answer lives in an analyst's head or a months-old spreadsheet, if it exists at all.

Where ESProfiler fits

Closing that gap is the problem the Collider engine exists to solve. It maps your full vendor stack against MITRE ATT&CK, NIST CSF, NIS2, and CIS Controls, pulling your discovered tools, capability intelligence, framework mappings, and commercial data into one place so coverage, gaps, and cost sit in a single view.

For the techniques this study singles out, that view lets you treat the post-perimeter domains as first-class: lateral movement, credential access, privilege escalation, exfiltration. You can also test a decision before making it, sliding a vendor in or out to see what consolidation or a new control does to your coverage. When the threat picture moves again, and this data says it will, you are reading from a current map rather than reconstructing one.
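To make the coverage question concrete, here is an added worked example of the kind of check described above: a vendor stack mapped onto the post-compromise ATT&CK techniques the study flags, with per-tactic coverage, the techniques that depend on a single tool, and a what-if removal of one vendor. This is illustrative code written for this post, not the Collider engine or its data. The technique IDs are real ATT&CK IDs, but the tool names and the mapping of tools to techniques are constructed sample data, and a real mapping would come from the vendors' own capability evidence.

```python
"""Stack-vs-ATT&CK coverage check with what-if vendor removal.

Added illustration for this post. Tool names and their technique
mappings are constructed sample data, not ESProfiler's Collider engine
or any vendor's actual capability claims.
"""
from collections import defaultdict

# Post-compromise techniques the study singles out, grouped by tactic.
# Technique IDs are real ATT&CK IDs; the selection is ours.
POST_COMPROMISE = {
    "Credential Access": {"T1003", "T1110", "T1555"},
    "Discovery": {"T1087", "T1018", "T1046"},
    "Lateral Movement": {"T1021", "T1570", "T1550"},
    "Privilege Escalation": {"T1068", "T1078"},
    "Persistence": {"T1505.003"},   # web shell
    "Exfiltration": {"T1041", "T1048"},
}

# Constructed vendor stack: which techniques each (hypothetical) tool
# detects or blocks. Replace with evidence-backed mappings in practice.
STACK = {
    "edr-a": {"T1003", "T1068", "T1505.003", "T1021"},
    "idp-b": {"T1110", "T1078", "T1550"},
    "ndr-c": {"T1046", "T1018", "T1021", "T1041", "T1048"},
    "siem-d": {"T1087", "T1110"},
}


def _union(stack):
    """All techniques covered by at least one tool in the stack."""
    return set().union(*stack.values()) if stack else set()


def coverage(stack):
    """Per-tactic view: which flagged techniques are covered, which are open."""
    covered_all = _union(stack)
    report = {}
    for tactic, techs in POST_COMPROMISE.items():
        covered = techs & covered_all
        report[tactic] = {
            "covered": covered,
            "open": techs - covered,
            "ratio": len(covered) / len(techs),
        }
    return report


def single_points_of_failure(stack):
    """Techniques covered by exactly one tool: consolidating that tool away opens a gap."""
    owners = defaultdict(set)
    for tool, techs in stack.items():
        for tech in techs:
            owners[tech].add(tool)
    return {tech: next(iter(tools)) for tech, tools in owners.items() if len(tools) == 1}


def what_if_remove(stack, tool):
    """Techniques that become uncovered if `tool` is removed from the stack."""
    remaining = {name: techs for name, techs in stack.items() if name != tool}
    return _union(stack) - _union(remaining)


def tactic_impact(stack, tool):
    """Per-tactic coverage ratio (before, after) removing `tool`."""
    before = coverage(stack)
    after = coverage({name: techs for name, techs in stack.items() if name != tool})
    return {tactic: (before[tactic]["ratio"], after[tactic]["ratio"]) for tactic in POST_COMPROMISE}


if __name__ == "__main__":
    for tactic, row in coverage(STACK).items():
        print(f"{tactic:22s} {row['ratio']:.0%} covered, open: {sorted(row['open'])}")
    print("single-tool dependencies:", single_points_of_failure(STACK))
    print("removing ndr-c uncovers:", sorted(what_if_remove(STACK, "ndr-c")))
    for tactic, (before, after) in tactic_impact(STACK, "ndr-c").items():
        if before != after:
            print(f"  {tactic}: {before:.0%} -> {after:.0%}")
```

The point of the what-if functions is the one the post makes about consolidation: in this constructed stack, removing the network sensor leaves exfiltration entirely uncovered even though lateral movement stays covered, because a second tool also maps to T1021. Whether that is true of a real stack depends entirely on evidence-backed mappings, which is the data the check has to be fed.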

The honest caveat

This is one company's view of misuse of one model family, scored on its own methodology, so treat it as a strong directional reading rather than a market census. The direction is the point, and it is consistent across every cut of the data.

The question is no longer whether your individual vendors are good. It is whether you can prove what your stack covers once an attacker is already inside and getting AI to do the hard part. If that conversation is starting in your organisation, talk to our team and we will show you how to map your full stack against the post-compromise techniques this data flags, and where your coverage actually stands.

Talk to ESProfiler Team