LLM ATT&CK Navigator \ red.anthropic.com
red.anthropic.com
Mapping AI-enabled cyber threats: Insights from the LLM ATT&CK Navigator
June 3, 2026
Kyla Guru, Alex Moix, and<br>Jacob Klein
We’ve spent the past year investigating how threat actors are weaponizing AI to conduct cyber<br>operations. Today, we’re sharing a new analysis that maps these real-world attacks onto the MITRE ATT&CK® framework, a database of tactics and<br>techniques used by cyberattackers. Doing so reveals patterns that challenge traditional assumptions<br>about cybersecurity—for example, the level of risk a threat actor poses can be assessed via metrics<br>like technical sophistication or breadth of techniques. We partnered with Verizon to include some of<br>these results in the 2026<br>Verizon Data Breach Investigation Report (DBIR), and are publishing this report to offer a<br>longer-form analysis of trends we are seeing in AI-enabled cyber operations.[1]
Open the interactive Navigator in a new tab.
Key findings
For this study, we analyzed 832 accounts associated with malicious cyber activity over the course of one<br>year, from March 2025 to March 2026. Anthropic banned these accounts from<br>using Claude for violating our Usage Policy. The accounts<br>in this analysis are just a subset of those we investigated and banned during this time period; we selected<br>them because we had enough detail about their malicious activities to map their techniques onto the MITRE<br>ATT&CK framework.
The 832 accounts in our analysis used AI models for all 14 tactics and 482 unique sub-techniques across the<br>framework, from initial reconnaissance through final impact.[2] We also developed a risk-scoring<br>framework (described later in this post) to assess how much AI assistance helped these actors plan their<br>attacks. Most strikingly, we found that the percentage of actors labeled as being medium risk or higher<br>jumped from 33% to 56% between the first and second halves of the year. This suggests that AI is helping<br>attackers conduct increasingly sophisticated cyber operations with greater ease.
There are three key findings from our analysis:
The number of actors using AI for cyber operations is growing, and<br>their actions carry higher risk. As mentioned above, the<br>percentage of medium- or high-risk actors increased by a factor of about 1.7 in under a year, from 33%<br>in the first half of our study window to 56% in the second. That growth is concentrated in actors using<br>AI for some of the most harmful activities, including lateral movement, credential dumping, and web<br>shells — that carry the highest per-actor risk weight in our scoring, rather than the commodity<br>build-and-obfuscate work that dominates the rest of the population. Traditionally, only the most<br>technically sophisticated actors could operate across the entire killchain, or the sequential stages of<br>a cyberattack. But our analysis found that this is no longer the case. The platform through which they<br>access the model (such as an API or an agentic coding platform like Claude Code) also has no bearing on<br>how high-risk their actions are. What does distinguish the highest-risk actors is which<br>techniques they’re asking the model for.
Agentic scaffolding will make it possible for cyberattacks to be far<br>more autonomous. As AI-enabled cyber techniques become more common among this population,<br>it will become harder to differentiate an actor’s risk level based on what they are asking a model to<br>do. Instead, the differentiator will become the scaffolding—the surrounding code, architecture, and<br>tooling that makes AI models more capable—that actors build around the model so they can chain<br>together attack stages autonomously. This was starkly apparent in the cyber espionage campaign we<br>disrupted in November 2025, which had a maximum risk score of 100 yet only used a number of techniques<br>comparable to medium-risk actors. That attack was distinct not because of the number of techniques it<br>employed but because of how the attackers used an AI agent to orchestrate them.
The MITRE ATT&CK framework doesn’t yet cover the autonomous<br>actions that make these actors so dangerous. Autonomous killchain orchestration, real-time<br>pivot decisions, and AI-directed execution with no human intervention don’t yet have ID numbers in the<br>ATT&CK framework. Our report included 13,873 observations of malicious activity, all of which<br>mapped to categories laid out in the framework—but the behaviors that distinguish the highest-risk<br>actors, and determine the speed and scale of their operations, don’t yet have such IDs. The taxonomy<br>that modern threat intelligence relies on needs to grow to capture them.
While Claude Mythos Preview demonstrates where<br>frontier AI cyber capabilities are heading—models able to find and exploit vulnerabilities at a level<br>approaching the most skilled human researchers—this report tells us how threat actors are misusing<br>generally available models today. It also serves as a guide to how threat actors are likely to misuse<br>increasingly...