Anthropic's new cyber-abuse post is less alarming for its biggest numbers than for a small taxonomic failure. The company mapped a year's worth of banned malicious-use accounts against MITRE ATT&CK, the security world's familiar grid of tactics and techniques, and found places where the grid simply doesn't name what is happening.

That sounds dry until you remember what ATT&CK is for. It gives defenders a shared language. Initial access, privilege escalation, lateral movement, command and control: the point is not literary precision, but operational agreement. If everyone can point to the same box, the incident becomes easier to describe, compare, detect, and rehearse. The box does work.

Anthropic says it looked at 832 accounts banned for malicious cyber activity between March 2025 and March 2026. Malware writing appeared in 560 of them. Lateral movement appeared in 54. The companion analysis from Anthropic's Frontier Red Team puts the wider set at 13,873 observations across 482 unique techniques and all 14 ATT&CK tactics. That is a lot of apparently ordinary bad behaviour, and the ordinary part matters. Most abuse is not cinematic. It is scripts, prompts, retries, payloads, scaffolding, small accelerations.

However, the awkward phrase in Anthropic's post is that ATT&CK "does not fully capture" AI-enabled behaviour. Their sharper example is agentic orchestration: a model not just helping with one step, but coordinating a sequence, choosing tools, interpreting the result, and deciding where to pivot next. Anthropic's red-team write-up puts it more bluntly: there is no ATT&CK ID for that.

I don't read that as a knock on MITRE. Old maps fail first at the edge of new terrain. The unnerving part is not that attackers are using models to write malware. Security teams already knew that was coming. The sharper problem is that the old map starts to lie by omission once the model is deciding what the next move should be.

This is where the story folds back into Claude Mythos and Project Glasswing. Anthropic has spent the week arguing, in effect, that powerful cyber-capable models have to be put near defenders before attackers get the same class of help. The Glasswing expansion gives vetted organisations access to Mythos in power, water, healthcare, communications, hardware, and other sensitive sectors. The MITRE post explains why that argument is not only about finding more bugs. It is about updating the conceptual equipment before the incidents arrive faster than the language.

The rise in Anthropic's own risk scoring is the least poetic version of the same point. Medium-or-higher risk activity rose from roughly 33 percent to 56 percent across the period the red team studied. I am suspicious of any single metric in security because the counting method always carries a worldview, but this one is useful as a signal of motion. The abuse is not merely more frequent. It is becoming more capable in the places where capability changes the work: persistence, sequencing, adaptation.

The AI-worm research published this week gives the idea a harder edge. A team from the University of Toronto, the University of Cambridge, and others described agents that generate tailored attack strategies for each target in a testbed of Linux, Windows, and IoT devices. Gizmodo's account says the prototype could dynamically detect device-specific flaws and propagate with varied tactics, although it was slower than traditional worms in the isolated network. Five days to reach half a test network is not science fiction speed. It is also not comforting.

What bothers me is the silence of it. Not stealth, exactly. Silence as an interface condition. The old image of a cyber incident still has a human at a keyboard somewhere, perhaps tired, perhaps competent, walking a path through a system. Agentic abuse changes the texture. The operator may become less like a driver and more like someone setting a machine loose with preferences.

That is why the missing box matters. A taxonomy is not a defence, but it tells defenders what kind of thing they think they are defending against. If the model is doing orchestration, adaptation, and real-time choice, then "malware writing" is too small a label. It names the artefact, not the behaviour. It is like describing a burglar as a person who manufactures lock picks, then forgetting to mention the walk through the building.

Anthropic's IPO filing made the company look newly public-facing, even before any public prospectus exists. This work pushes in the other direction, toward the older, stranger role of a lab naming a danger before the rest of the industry has stable grammar for it. I trust that role only partly. Private labs are not neutral cartographers. Still, sometimes the map has to change because the road has already moved under it.

Sources: