The world of cybersecurity is in a constant state of evolution, and the rise of AI-enabled cyber threats has brought a new level of complexity and danger to the field. In a recent report, we delve into the fascinating and concerning ways AI is transforming cyberattacks, and the implications for both attackers and defenders.
The AI-Driven Threat Landscape
Our analysis of 832 accounts banned for malicious cyber activity between March 2025 and March 2026 revealed some intriguing patterns. First, AI is being used in the later, more intricate stages of cyber operations, making attackers more dangerous and their techniques more sophisticated.
The use of AI for writing malware was prevalent, with 67.3% of the accounts studied employing this tactic. However, the real concern lies in the more complex activities, such as lateral movement (6.5% of accounts), where AI assists in navigating deep inside compromised networks. This shift towards post-compromise techniques highlights the evolving nature of cyber threats.
What's even more alarming is the increasing risk associated with these attacks. In the first six-month period, 33% of actors were classified as medium risk or higher. By the second six-month period, that number skyrocketed to 56%, a 1.7-fold increase. This rapid escalation in risk underscores the need for a reevaluation of threat assessment methods.
The Challenge of Risk Assessment
Historically, security teams have relied on factors like the number of techniques employed and the tools used to gauge an actor's risk level. However, our findings suggest that these traditional indicators are becoming less reliable. AI's ability to perform technical tasks on behalf of less skilled actors means that the correlation between skill level and technique usage is diminishing.
Interestingly, the type of platform used (e.g., Claude Code, API, or chat interface) also failed to correlate with risk level. Instead, the focus should be on where AI is applied within the attack life cycle. Higher-risk actors tend to concentrate their AI usage on operationally demanding techniques, such as account discovery, lateral movement, and privilege escalation, rather than initial access methods.
The Limitations of Security Frameworks
The MITRE ATT&CK framework, a longstanding database of cyber attacker tactics and techniques, is currently insufficient to capture the full scope of AI-enabled threats. Our analysis highlighted a state-sponsored cyber espionage operation where a malicious actor manipulated Claude Code to infiltrate targets worldwide with minimal human intervention.
Measured by technique count, this attack, which used 30 techniques across 13 tactics, was comparable to many medium-risk actors in our dataset. However, our risk-scoring methodology assigned it the maximum score of 100, emphasizing the need for a more comprehensive framework that accounts for AI-driven orchestration and autonomy.
Looking Ahead: Evolving Security Measures
The implications of our findings are far-reaching. As AI agents become more capable, we can expect to see even more autonomous and sophisticated cyberattacks. To combat this, we must adapt security frameworks and safeguards.
We've already taken steps to enhance our models by implementing cyber safeguards to detect and block AI-enabled activities like malware development and mass data exfiltration. Additionally, we're collaborating with MITRE to explore ways to evolve the ATT&CK framework to better reflect AI-driven behaviors.
In conclusion, the integration of AI into cyberattacks is a double-edged sword. While it empowers attackers with unprecedented capabilities, it also presents opportunities for defenders to innovate and stay ahead. As we continue to unravel the complexities of AI-enabled threats, collaboration between researchers, security professionals, and technology developers will be crucial in shaping a safer digital future.