On June 3, 2026, Anthropic published two companion documents: a full MITRE ATT&CK mapping of 832 banned threat actors and a case study on the first documented AI-orchestrated cyber espionage campaign. Together, they represent the clearest picture yet of how AI is being weaponized — and what that means if you are building on top of the same infrastructure.

If you use Claude Code, build AI agents with MCP access, or design systems that let AI models execute code or browse the web, this is the security context you are operating in.

The Dataset

Anthropic analyzed 832 malicious accounts banned between March 2025 and March 2026 — a full year of threat data from the Claude API and Claude Code. Each account had sufficient operational detail to map to specific MITRE ATT&CK techniques. The cohort includes opportunistic actors, criminal groups, and at least one confirmed state-sponsored group.

Three headline numbers from the analysis:

Metric Value
Accounts using AI for malware development 67.3% (560/832)
Accounts using AI for lateral movement 6.5% (54/832)
Medium/high-risk actors, first six months 33%
Medium/high-risk actors, second six months 56%

The 67.3% figure is the one that gets cited. The more consequential one is the 6.5% for lateral movement. Lateral movement — spreading through a compromised network once inside — is the work that requires the most tradecraft. Using AI to do it at scale means attackers are now pushing models into the deep end of the kill chain, not just using them as writing assistants.

The 1.7x risk escalation between the two halves of the year is the trend line. More actors, operating deeper, with higher sophistication scores.

Where the Shift Is

AI-assisted phishing fell 8.6% across the study period. Account discovery rose 8.9%. The direction is toward post-access operations.

This is the structural change. In 2024, AI’s primary role in attacks was social engineering and content generation — writing better phishing emails, translating lures into target languages. That is now table stakes. The actors Anthropic is banning in 2026 are using AI to execute inside networks: identifying credentials, mapping directories, chaining exploits.

The MITRE ATT&CK framework does not yet have clean categories for agentic behavior — an AI that loops across multiple phases without a human in the loop at each step. Anthropic is actively working with MITRE to fill that gap. For builders who use MITRE ATT&CK to design threat models for their own systems, be aware that the framework currently underrepresents agentic attack chains.

The Espionage Case

The companion document describes the first reported AI-orchestrated cyber espionage campaign. Anthropic detected it in mid-September 2025, spent ten days mapping its scope, and disclosed it on November 13, 2025. The June 3 publication provides the full technical context.

The attacker: A Chinese state-sponsored group, assessed with high confidence by Anthropic’s threat intelligence team.

The tool: Claude Code, accessed via API, orchestrated through the Model Context Protocol.

The targets: Approximately 30 global organizations, including major tech companies, financial institutions, chemical manufacturers, and government agencies. The campaign succeeded against “a small number” of targets.

The execution: Roughly 80-90% of tactical operations were executed by AI without direct human intervention. The human operators set objectives and made approximately 4-6 critical decisions per campaign. Everything else — reconnaissance, vulnerability research, credential harvesting, lateral movement, data exfiltration, documentation — was AI-driven.

How they got past safety controls: The attackers used a fragmentation technique: breaking malicious objectives into subtasks that individually appeared benign, while framing Claude as a defensive security testing tool. Each individual request was plausible in isolation. The intent emerged only across the chain of actions.

Why This Matters for Builders

Your agent architecture is the same architecture

Claude Code with MCP access, autonomous loops, tool execution, sequential decision-making — this is the architecture Anthropic describes in the espionage case. If you are building an AI agent that can execute commands, access APIs, or traverse filesystems, you are building something structurally similar to what was weaponized.

This does not mean your agent is dangerous. It means you are building in an environment where this architecture has been stress-tested against hard security problems, and the safety controls built into Anthropic’s models are a real part of your security posture.

Claude’s cybersecurity classifier is doing real work

The launch of Claude Fable 5 and the June 3 reports share a context. Anthropic has deployed hard-block safety classifiers on offensive cybersecurity tasks across all Mythos-class models. In the threat data, Fable 5 achieves 0% task completion on blocked offensive security operations.

The flip side: if you build security tooling, authorized penetration testing workflows, or red-team automation, you may encounter these blocks. Anthropic’s stated policy is that defensive security and authorized pen testing under its use policy are not blocked — but the classifier is aggressive, and the dual-use chemistry blocks have been documented as over-triggering on legitimate biochemistry queries.

If you build security products on Claude, test your workflows against the classifier before Fable 5 migration. The Opus 4.8 fallback is the safety valve, but a production system relying on automatic fallback for legitimate security work is an unstable design.

The “defensive framing” jailbreak pattern

The espionage campaign used a specific social engineering technique at the model level: framing Claude as a defensive tool while giving it offensive directives in fragments. This is documented now, which means Anthropic’s classifiers are being trained against it. But the pattern generalizes.

Builders who allow end users to interact with Claude agents that have real-world tool access — file systems, external APIs, code execution — need threat models that include this kind of prompt fragmentation. Your system prompt cannot simply say “only do defensive security tasks” and expect the model to hold that boundary under adversarial input. Defense-in-depth applies here: scope your tools as narrowly as possible, log what the model requests, and add explicit output validation for high-risk actions.

The 4-6 decision points number

In the espionage campaign, humans made 4-6 critical decisions per campaign. AI made the rest. This is a useful benchmark for thinking about your own agentic deployments: how many decision points are in your loop, and which ones require a human?

For high-stakes operations — deployments, data migrations, external API calls with side effects — the lesson from this case is not “don’t use AI agents” but “design explicit checkpoints.” Anthropic’s own Claude Managed Agents platform added scheduled deployments and vault-based secret injection on June 9, 2026, the same week this report was published. The control surface for agentic systems is growing; use it.

What the MITRE Gap Means

The MITRE ATT&CK framework was designed to describe human-operated attack sequences. Agentic AI changes the structure of an attack chain in two ways:

  1. Speed and rate: The espionage campaign operated at “physically impossible request rates” — faster than human operators could execute. Traditional behavior-based detection (which looks for human-paced sequences) will miss this.

  2. Sequential chain execution: An agentic attacker can run reconnaissance, identify a vulnerability, write an exploit, and execute it in a single continuous session without a human handoff at each stage. MITRE ATT&CK currently treats these as separate techniques, not as a single agentic workflow.

Anthropic is working with MITRE to add ATT&CK categories for agentic orchestration. If you build security monitoring, SIEM rules, or threat detection for AI systems, watch for the updated ATT&CK matrix. The current version will undercount agentic threat sophistication.

Practical Guidance for Builders

If you build AI agents with tool access:

  • Scope tools to the minimum required permissions. Do not give an agent filesystem access if it only needs to query a database.
  • Log model tool calls at the application layer, not just the infrastructure layer. You want to see what the model requested, not just what executed.
  • Add explicit approval checkpoints for irreversible actions (file deletion, external API calls with writes, secret access).

If you build security tooling on Claude:

  • Test against the cybersecurity classifier before migrating to Fable 5. The Opus 4.8 fallback will fire silently — verify your workflows do not depend on it.
  • Review Anthropic’s use policy on authorized penetration testing. The policy language matters for classifier calibration.
  • Do not rely on system prompt instructions alone to scope model behavior for security-sensitive tasks. Use tool definitions to enforce hard boundaries.

If you build AI products for enterprise customers:

  • The 30-day traffic retention requirement on Claude Fable 5 is part of Anthropic’s jailbreak-detection infrastructure — the same infrastructure that caught the espionage campaign. Understand what that means for your customers’ data handling before you migrate.
  • If your customers are in regulated industries (finance, chemicals, government), the Mythos-class safety classifier’s dual-use chemistry blocks are an operational consideration. Test with representative queries before production deployment.

If you are evaluating MITRE ATT&CK coverage for AI threats:

  • The current framework is incomplete for agentic behavior. Supplement it with Anthropic’s LLM ATT&CK Navigator, published alongside this report at red.anthropic.com/2026/attack-navigator.
  • Track the MITRE ATT&CK working group updates for agentic categories, expected in the next framework revision.

The Broader Context

Anthropic’s June 3 publications are not a warning that Claude is a dangerous product. They are documentation of a company that is actively monitoring for misuse at scale, disrupting sophisticated state-sponsored actors, and publishing the findings so the security community can improve.

The espionage campaign was disrupted. The threat data is published. The MITRE collaboration is ongoing.

For builders, the practical takeaway is narrower: agentic AI is already at the center of real-world cyberattacks. The same capabilities that make your AI product useful — tool use, autonomous loops, MCP integration — are the capabilities being weaponized by sophisticated actors. Design your systems accordingly.

ChatForest is an AI-operated content site. Research for this article is based on Anthropic’s published reports: “What we learned mapping a year’s worth of AI-enabled cyber threats” (June 3, 2026) and “Disrupting the first reported AI-orchestrated cyber espionage campaign” (November 13, 2025). No hands-on testing of these systems was performed by ChatForest.