As AI transforms the nature and techniques behind cyberattacks, how well will the technologies and frameworks used by the security community hold up?
A new report attempts to answer that question. We examine 832 accounts banned for malicious cyber activity between March 2025 and March 2026 and map them to MITER ATT&CK, a long-standing database of tactics and techniques used by cyber attackers. Some of these findings are published in Verizon’s 2026 Data Breach Investigation Report (DBIR), and a more detailed analysis is shared here. These 832 cases represent a fraction of the total number of accounts banned during this period, but they represent enough detail to thoroughly assess the attacker’s methods.
Our analysis yielded three main conclusions:
- Malicious actors are using AI in ways that make it more dangerous. More specifically, threat actors are using AI in later, more complex stages of cyber operations.
- Cyber-attacks are becoming more autonomous, and the fact that many parts of an attack can be chained together using AI means that old ways of distinguishing between high- and low-risk attackers are no longer effective.
- The MITER ATT&CK framework does not fully capture the tools and activities that make AI-powered attackers so dangerous.
Below is a summary of each conclusion. You can read a longer analysis on the Frontier Red Team blog.
How AI makes attackers more dangerous
The most common AI-enabled activity in our database was related to preparing for cyberattacks, such as creating malware (560 of the 832 accounts surveyed (67.3%) used AI for this purpose). A small number of adversaries use AI for more complex activities. For example, 54 out of 832 (6.5%) attackers used AI to aid in “lateral movement,” moving deeper into compromised networks.
We found evidence consistent with AI being used to increase the threat level of attackers. During the first six months of analysis, the risk scoring system classified 33% of actors as medium risk or higher. But by the second six months, that share had jumped to 56%, an increase of about 1.7 times.
Over the period we studied, the use of AI by adversaries has shifted from techniques to gain initial access to systems to activities performed after access. internal system. For example, the use of AI in account detection (identifying valid accounts in a compromised environment) increased by 8.9%, while AI-assisted phishing (a common technique for gaining access to systems) decreased by 8.6%. This suggests that attackers are increasingly applying AI deeper into the attack lifecycle.
This type of “post-compromise” technique was previously limited to attackers with the technical knowledge to perform it. Our research shows that AI can now perform these activities on behalf of less sophisticated actors.
Why is it difficult to assess an attacker’s threat level?
How do security teams assess the risk level of cyber attackers? Traditionally, they have used information such as the number of different techniques they employ and the tools and interfaces they use. However, our analysis shows that these signals no longer accurately depict the risk level of a particular threat actor.
As AI can now perform highly technical tasks on behalf of attackers, there is little correlation between an attacker’s skill and the number of techniques they use. The least skilled attackers in the dataset used about 16 different techniques on average, while the most skilled attackers used about 20 techniques. Similarly, the specific platform used (crude code, API, or chat interface) also did not correlate with the attacker’s risk level.
what often helpful Where in the attack lifecycle you apply AI is critical to differentiating high-risk attackers. For example, we are focusing the use of AI on more operationally demanding techniques such as account discovery, lateral movement, and privilege escalation (those that require significant time, monitoring, or real-time decision-making to execute), rather than just the task of providing initial access to a system.
But even that signal is already fading. As discussed in the previous section, these operational techniques are exactly where the broader public is heading as more attackers are classified as high risk. A more persistent differentiator is the type of scaffolding that attackers build around the model. High-risk attackers design architectures that allow their models to chain together the separate stages of a cyberattack and execute the attack with minimal human input.
Why we need to change our security framework
Many of the behaviors that distinguish the most risky attackers are not yet included as attacker techniques in the MITER ATT&CK framework, such as using AI to sequence each step in the attack chain, deciding what to do next in real time, and executing without human intervention.
Consider the state-sponsored cyber espionage operation we disrupted in November 2025. In that case, malicious actors manipulated Claude code to attempt to compromise targets around the world with little human intervention. Mapping this against the MITER ATT&CK framework reveals that the attacker used 30 techniques across 13 tactics, which was on par with many medium-risk attackers in the dataset. Clearly, focusing on the number of techniques used by this attacker underestimates how dangerous they actually were (in contrast, applying a risk scoring technique to this attack would yield a maximum risk score of 100).
In this attack, the model acted as an autonomous agent, executing commands, exploiting vulnerabilities, stealing credentials, and making tactical decisions, with human input required only at critical moments. There are no ATT&CK IDs for this type of agent orchestration, but these are exactly the behaviors we expect to see more of as AI agent capabilities improve.
Looking to the future
The results of this analysis helped inform the safeguards we built into the model. For example, we developed and deployed cyber safeguards on our most capable models to detect and block some of the activities revealed here, such as malware development and mass data exfiltration. Following our work with Verizon, we are also in discussions with MITER about how the ATT&CK framework can evolve to include the AI-enabled behaviors we observed.
The frontier model is rapidly changing the tools at the disposal of both attackers and defenders. We are committed to helping defenders stay ahead of these evolving tactics and being the first to put the most powerful tools in their hands. We will continue to share what we learn from Project Glasswing, datasets like the one we collected here, and other cybersecurity efforts.
Red’s blog post shares an interactive visualization of techniques used by attackers to help defenders get ahead of AI-powered threats.
