In a recent report, Anthropic stated that it had thwarted a large-scale AI cyberattack it described as “highly sophisticated” and “executed without substantial human intervention.” It was almost an inside job. According to Anthropic, the threat actors had weaponised its Claude Code assistant, manipulating the model to carry out a series of small-scale tasks that, when combined, amounted to a crafty attempt at a machine-driven hack.

The incident showcased a new form of AI-enabled attack that organisations need to prepare for in 2026 – one in which a machine intelligence acts as a malign architect, not just an assistant. This would be in keeping with current automation trends within the world of cybercrime. It’s unlikely that attackers are manually spinning up infrastructure when Infrastructure as Code (IaC) platforms let them do so faster than defenders can identify and shut down dodgy domains, accelerating the game of virtual whack-a-mole between cybercriminals and cybersecurity experts. It’s also unlikely that a bad actor is handwriting phishing emails when AI can churn out thousands of convincing messages in seconds.

But while automation is useful to bad actors, it has its limits. Most IaC platforms will do exactly what you tell them to, which also makes whatever they produce repeatable, predictable and ultimately stoppable. Agentic AI, on the other hand, is much more slippery and, unfortunately, harder to counter.

The threat of AI cyberattacks

Until recently, AI hasn’t been fundamentally changing how attacks occur, but rather lowering the barrier to entry for cybercrime and boosting attackers’ efficiency. That pattern began to change this year. In August, CERT Ukraine reported an encounter with Python-based malware that contained no hard-coded instructions, only embedded prompts for an LLM. The malware fed these prompts to the model, which returned system commands tailored to the target, allowing the attack to adapt mid-operation.

A proof-of-concept polymorphic malware released in 2023 called BlackMamba also demonstrated how AI can help malware to mutate, without human intervention, to avoid detection. And, of course, there was the recent Anthropic attack, which put the conversation around AI attacks at the forefront of our minds. 

In theory, agentic malware can act alone to adapt to its environment, learn from failed attempts and evade detection. To protect themselves from fully AI-enabled cybersecurity attacks, organisations need to proactively assess the effectiveness of their cybersecurity controls and posture, ensuring current measures are not overfitted to known threats or too ossified to adapt.

Reviewing David Bianco’s ‘Pyramid of Pain’ guide to identifying and countering the behaviour of cybercriminals is a great starting point. At the bottom are static artefacts, such as file signatures or IP addresses, which are fragile and fairly easy for attackers to swap out. Things at the top, including their tools, tactics and procedures, are much harder for hackers to disguise or change.

Because adversaries can easily change the simple artefacts near the bottom, defenders must target attacker behaviours higher up the pyramid, which are harder for attackers to change but, historically, have also proven harder to detect.
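
The contrast between the bottom and the top of the pyramid, as an added example that is not part of the original article: constructed telemetry for two builds of the same tool, where hash matching catches only the known build while a behaviour rule catches both. The host names, hashes, endpoint name, 30-second window and rule threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry (not real data).
# Fields: time in seconds, host, process image hash, event type, detail.
EVENTS = [
    (0,  "ws-01", "aaa111", "net",   "llm-api.example:443"),
    (4,  "ws-01", "aaa111", "spawn", "cmd.exe /c systeminfo"),
    (9,  "ws-01", "aaa111", "spawn", "cmd.exe /c whoami"),
    (0,  "ws-02", "bbb222", "net",   "llm-api.example:443"),  # mutated build, new hash
    (3,  "ws-02", "bbb222", "spawn", "cmd.exe /c systeminfo"),
    (7,  "ws-02", "bbb222", "spawn", "cmd.exe /c ipconfig /all"),
    (0,  "ws-03", "ccc333", "net",   "llm-api.example:443"),  # benign chat client
    (50, "ws-04", "ddd444", "spawn", "cmd.exe /c dir"),       # benign admin script
]

KNOWN_BAD_HASHES = {"aaa111"}            # bottom of the pyramid: static artefact
LLM_ENDPOINTS = {"llm-api.example:443"}  # assumed inventory of LLM API hosts
WINDOW_S = 30                            # assumed correlation window
MIN_SPAWNS = 2                           # assumed threshold for the rule


def match_hashes(events):
    """Indicator matching: flag hosts running a known-bad hash."""
    return {host for _, host, h, _, _ in events if h in KNOWN_BAD_HASHES}


def match_behaviour(events):
    """Behaviour rule: one process contacts an LLM endpoint, then spawns
    at least MIN_SPAWNS shell commands within WINDOW_S seconds."""
    per_proc = defaultdict(list)
    for ev in sorted(events):
        per_proc[(ev[1], ev[2])].append(ev)   # group by (host, process hash)
    flagged = set()
    for (host, _), evs in per_proc.items():
        for t0, _, _, kind, detail in evs:
            if kind != "net" or detail not in LLM_ENDPOINTS:
                continue
            spawns = [e for e in evs
                      if e[3] == "spawn" and 0 < e[0] - t0 <= WINDOW_S]
            if len(spawns) >= MIN_SPAWNS:
                flagged.add(host)
    return flagged


if __name__ == "__main__":
    print("hash match:     ", sorted(match_hashes(EVENTS)))
    print("behaviour match:", sorted(match_behaviour(EVENTS)))
```

The behaviour rule keys on the sequence of actions rather than on any artefact of a particular build, so the mutated sample on ws-02 is still flagged while the benign LLM client and the admin script are not.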

Kirsty Paine is a field CTO at Splunk
