AI-Enabled Cyberattacks: MITRE Analysis Reveals Shift to More Complex Techniques

In a nutshell: AI empowers threat actors to conduct more sophisticated post-compromise phases, rendering traditional risk measurements based on technique variety or interface type obsolete.

Anthropic analyzed 832 banned accounts, examining the use of AI in cyberattacks between March 2025 and March 2026, and mapped them to the MITRE ATT&CK framework. The study shows that threat actors are increasingly deploying AI in later, more demanding phases of attack operations, thereby reducing the relevance of traditional risk assessments.

In the detailed investigation, attack scenarios were categorized: 560 of the 832 analyzed accounts (67.3 %) deployed AI for malware development. A significantly smaller group, 54 actors (6.5 %), used AI for more complex activities such as lateral movement, that is, navigation within a compromised network. This shift from preparatory to post-compromise techniques is a central characteristic: the use of AI for account discovery increased by 8.9 %, while AI-enabled phishing attacks as an initial access vector declined by 8.6 %.

The risk classification of threat actors escalated significantly. In the first half-year of the analysis, 33 % of actors were classified as medium risk or higher by the risk-scoring system. In the second half-year, this proportion rose to 56 %, an increase of approximately 1.7-fold. This demonstrates that AI substantially enhances the operational capabilities of attackers.

For CISOs, the critical finding is that previous indicators for risk assessment – such as the number of techniques employed or the interface type used – are no longer reliable. On average, less skilled actors employed approximately 16 different techniques, while highly skilled attackers employed only about 20. The platform (Claude Code, API, or chat interface) likewise did not correlate with threat potential. Instead, what matters is the phase of the attack chain in which AI is used – actors with higher threat potential concentrate AI deployment on operationally demanding techniques that would require extensive manual monitoring or real-time decision-making.
