What Anthropic's MITRE ATT&CK Report Means for Teams Running AI Agents
Anthropic banned 832 accounts for AI-enabled attacks. What it means for teams running AI agents.
Anthropic just published a year of threat intel on AI-enabled attacks. It covers March 2025 to March 2026. They banned 832 accounts for malicious cyber activity and mapped what those accounts did to MITRE ATT&CK, the same framework enterprise security teams use to describe attacker behavior. They co-released it with Verizon's 2026 DBIR.
If you run AI agents in production, this is primary-source data. Not a vendor scare deck. Here is what actually matters for the people building and shipping agents.
The attack work moved past writing code
The headline number: 560 of those 832 accounts, about 67 percent, used Claude for malware writing. That is the expected one. Models are good at code, including bad code.
The number that should change how you think is smaller. 54 accounts, about 6.5 percent, used Claude for lateral movement. That is a kill-chain stage that used to be hand-driven. Lateral movement is what an attacker does after they are already inside, hunting for the next box to compromise. Account discovery went up 8.9 percent. AI-assisted phishing actually dropped 8.6 percent.
Read that shift plainly. The work moved away from initial access and toward post-compromise. Attackers are not just generating payloads. They are using AI to make real-time decisions deeper inside systems they already breached.
For you, the takeaway is direct. Your input filter is not the main event. Your agent's blast radius is. The question is not only "can a bad prompt get in." It is "if this agent is compromised or coerced, how far can it reach and how long does it run before anyone notices."
The risk mix is getting worse, not just bigger
Anthropic split the year into two six-month windows. Medium-or-higher-risk actors went from 33 percent of cases to 56 percent. The pool is not just growing. It is concentrating toward serious operators.
One more finding worth sitting with. Technique count and platform type stopped predicting how dangerous an actor is. The high-risk ones do not spray a hundred techniques. They put AI on the operationally hard stuff and skip the easy parts. So "we saw a lot of weird activity" is no longer a clean severity signal. Volume tells you less than it used to.
MITRE ATT&CK does not yet cover agentic orchestration
Here is the part that matters most if you ship agents. Anthropic says the attackers are chaining ATT&CK stages with minimal human input. Autonomous orchestration. And they say it directly: MITRE ATT&CK does not yet capture agentic orchestration. The framework that underwrites enterprise security operations is being outgrown by the threat. Anthropic is working with MITRE to evolve it.
If you build agents, sit with that. The standard model of how attacks work was written for human-paced kill chains. Your own agents already run faster than that model assumes. So do the malicious ones. You are operating in a place the reference frameworks have not fully described yet.
What enterprises running agents should take from this
Three concrete moves.
First, treat agentic orchestration as its own threat category, not a footnote on your existing controls. An agent that can call tools, read data, and act in a loop is not a chatbot with extra steps. The thing that makes it useful, autonomy across many steps, is the thing that makes a compromise expensive.
Second, get value from inference-time safeguards. Anthropic detects malware development and exfiltration patterns at the model layer. If you build on a frontier API, you inherit that floor for free. That is a real reason to keep production agent work on a monitored frontier model instead of an uncensored local model where no one is watching the traffic.
Third, and this is the one most builders skip: cap the blast radius at runtime. The expensive failure with an agent is rarely a single bad call. It is an agent that runs unattended for hours, burning tokens, hitting APIs, doing the wrong thing at machine speed while you sleep. Lateral movement, in attacker terms. Runaway spend, in yours. Same shape.
The cheapest control you can install today
You cannot stop a nation-state actor with a config file. That is not the goal. The goal is limiting how much a compromised or misbehaving agent can cost you before you notice.
That means hard limits at runtime. A budget cap so a loop cannot burn your whole month in a night. A token cap per task. A rate limit so one agent cannot hammer an API into a five-figure bill. These are boring controls. They are also the ones that actually save you, because they work whether the cause is an attacker, a bad prompt, or your own buggy code.
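A minimal version of those three ceilings, written as an added illustration for this post. It is not AgentGuard's code and not anything from the Anthropic report; the class and function names, the flat per-token price, and the simulated agent loops are assumptions. It shows the point above in working form: the same guard stops a runaway loop and records which limit tripped, whether the cause is a bug, a bad prompt, or a coerced agent.

```python
"""Runtime guard for an agent loop: budget cap, per-task token cap, rate limit.
Added illustration only (hypothetical names); not AgentGuard's implementation."""
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, Tuple


class GuardTripped(RuntimeError):
    """Raised when a ceiling is hit. The loop must stop, not retry."""
    def __init__(self, limit: str, detail: str):
        super().__init__(f"{limit}: {detail}")
        self.limit = limit


@dataclass
class RuntimeGuard:
    max_usd_per_day: float        # budget cap: total spend this guard allows
    max_tokens_per_task: int      # token cap: per task, so one task cannot eat the day
    max_calls_per_minute: int     # rate limit: sliding 60 s window per agent
    usd_per_1k_tokens: float      # assumed flat price used to turn tokens into dollars
    clock: Callable[[], float] = time.monotonic   # injectable for deterministic tests
    spent_usd: float = 0.0
    tokens_by_task: Dict[str, int] = field(default_factory=dict)
    call_times: Deque[float] = field(default_factory=deque)

    def admit(self) -> None:
        """Call before every model/tool request: enforces the rate limit."""
        now = self.clock()
        while self.call_times and now - self.call_times[0] >= 60.0:
            self.call_times.popleft()          # drop calls older than the window
        if len(self.call_times) >= self.max_calls_per_minute:
            raise GuardTripped("rate_limit", f"{self.max_calls_per_minute}/min exceeded")
        self.call_times.append(now)

    def charge(self, task_id: str, tokens: int) -> None:
        """Call after every response with the tokens it consumed.
        Spend is recorded before raising: the money is already gone, the
        guard's job is to stop the next call."""
        used = self.tokens_by_task.get(task_id, 0) + tokens
        self.tokens_by_task[task_id] = used
        self.spent_usd += tokens / 1000.0 * self.usd_per_1k_tokens
        if used > self.max_tokens_per_task:
            raise GuardTripped("token_cap", f"task {task_id} at {used} tokens")
        if self.spent_usd > self.max_usd_per_day:
            raise GuardTripped("budget_cap", f"${self.spent_usd:.2f} over ${self.max_usd_per_day:.2f}")


def run_task(guard: RuntimeGuard, task_id: str,
             step: Callable[[int], Tuple[int, bool]], max_steps: int = 1000) -> dict:
    """Drive one agent loop under the guard. `step(i)` stands in for a single
    model-plus-tool iteration and returns (tokens_used, done)."""
    calls = 0
    try:
        for i in range(max_steps):
            guard.admit()                     # rate limit, before the call
            tokens, done = step(i)            # the call itself
            calls += 1
            guard.charge(task_id, tokens)     # token and budget caps, after it
            if done:
                return _summary(guard, "done", None, calls)
    except GuardTripped as exc:
        return _summary(guard, "stopped", exc.limit, calls)
    return _summary(guard, "max_steps", None, calls)


def _summary(guard: RuntimeGuard, status: str, limit, calls: int) -> dict:
    return {"status": status, "limit": limit, "steps": calls,
            "spent_usd": round(guard.spent_usd, 4)}


# --- constructed scenarios (all inputs below are made up for the demo) ---

def demo_runaway_loop() -> dict:
    """A buggy agent that never reaches 'done' and burns 1500 tokens a step."""
    fake_now = [0.0]
    guard = RuntimeGuard(max_usd_per_day=5.0, max_tokens_per_task=10_000,
                         max_calls_per_minute=100, usd_per_1k_tokens=0.01,
                         clock=lambda: fake_now[0])
    def never_finishes(i: int) -> Tuple[int, bool]:
        fake_now[0] += 0.1
        return 1500, False
    return run_task(guard, "nightly-report", never_finishes)


def demo_burst() -> dict:
    """An agent hammering an API 50 times within the same second."""
    guard = RuntimeGuard(max_usd_per_day=5.0, max_tokens_per_task=1_000_000,
                         max_calls_per_minute=20, usd_per_1k_tokens=0.01,
                         clock=lambda: 0.0)
    return run_task(guard, "scraper", lambda i: (10, False), max_steps=50)


def demo_budget() -> dict:
    """A task whose steps are individually fine but add up past the day's budget."""
    guard = RuntimeGuard(max_usd_per_day=1.1, max_tokens_per_task=10_000_000,
                         max_calls_per_minute=1000, usd_per_1k_tokens=0.01,
                         clock=lambda: 0.0)
    return run_task(guard, "bulk-summarize", lambda i: (20_000, False))


if __name__ == "__main__":
    for demo in (demo_runaway_loop, demo_burst, demo_budget):
        print(demo.__name__, demo())
```

The ordering is the part worth copying: the rate check runs before the call, the token and budget checks run after it, and spend is recorded before the guard raises, because the tokens were consumed whether or not the ceiling was crossed. The returned summary (which limit tripped, after how many calls, at what spend) is exactly what you want in a log line so that "it stopped at 03:12 on the token cap" is an answerable question the next morning.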
That is exactly what AgentGuard does: runtime budget, token, and rate limits for AI agents, in a few lines. If you run agents in production, put a ceiling on them before you need one. Start here: https://bmdpat.com/tools/agentguard
Patrick Hughes
Building BMD HODL — a one-person AI-operated holding company. Nashville, Tennessee. Twenty-two agents.