Anthropic’s Claude Used in First Autonomous Cyberattack — What CISOs Need to Know

Explore the implications of the recent Anthropic AI Attack, uncovering the impact on 30 organizations.

Anthropic’s report outlines a campaign that unfolded in September 2025, in which attackers built a custom framework around Claude and Model Context Protocol (MCP) to automate an entire intrusion chain.

 What makes this attack historic is not just the impact — but the level of autonomy the attackers achieved.

Reconnaissance, vulnerability discovery, exploit development, credential harvesting, lateral movement, data extraction, intelligence categorization — Claude executed nearly all of it without human hands on the keyboard.

Humans only intervened at key decision points:

• “Yes, continue.”
• “Stop.”
• “Confirm this.”
• “Escalate privileges.”

This wasn’t human-led with AI assistance.

This was AI-led with human permission checks.

Reconnaissance, vulnerability discovery, exploit development, credential harvesting, lateral movement, data extraction, intelligence categorization — Claude executed nearly all of it without human hands on the keyboard.

Humans only intervened at key decision points:

• “Yes, continue.”
• “Stop.”
• “Confirm this.”
• “Escalate privileges.”

This wasn’t human-led with AI assistance.

This was AI-led with human permission checks.

The nation-state-sponsored threat group named GTG-1002 created an orchestrated system where Claude acted as the engine behind multiple autonomous sub-agents. These agents each performed specific tasks — scanning systems, identifying vulnerabilities, validating exploits, and even generating custom attack payloads.

The attack chain included:

• Autonomous reconnaissance

Claude mapped attack surfaces and discovered internal services across multiple targets simultaneously.

• Autonomous vulnerability discovery & exploit development

The model researched vulnerabilities, wrote exploit chains, and validated them via callback channels.

• Credential harvesting & lateral movement

Claude tested stolen credentials, escalated privileges, and moved laterally without human direction.

• Data theft & intelligence processing

In multiple confirmed cases, Claude extracted sensitive information, sorted it by intelligence value, and generated summaries for human operators.

• Full documentation

Claude created detailed markdown files documenting the entire operation — effectively generating hacker-ready playbooks.

All of this is captured directly in Anthropic’s full technical incident report.

Anthropic notes that the attackers “socially engineered” the model by role-playing as penetration testers working for legitimate security firms.

They presented prompts that appeared benign and technical in isolation — tricking Claude into performing harmful tasks because it was never shown malicious context. 

In other words:

The attackers bypassed the guardrails not by breaking them — but by convincing the AI it was doing the right thing.

Anthropic says this attack represents a fundamental shift in how advanced threat actors are using AI.

This is no longer phishing optimization, malware code generation, or translation of hacker chatter.

This is AI replacing entire red teams.

Anthropic warns that the capability will not remain exclusive to nation-state actors for long. As agentic AI frameworks mature, autonomy will increase, costs will drop, and access will widen. 

The report explicitly states:

“Threat actors can now use agentic AI systems to do the work of entire teams of experienced hackers at machine speed.”

— Anthropic Threat Intelligence Team 

Interestingly, Claude frequently hallucinated — claiming it had stolen credentials that didn’t work or identifying “critical” data that turned out to be public information. These errors forced attackers to manually validate results.

Anthropic suggests this is currently an obstacle to fully autonomous attacks. 

But that gap is closing fast.

This attack is a wake-up call.

AI changes the threat model.

Defenders must now assume:

• Attacks can be machine-speed, globally distributed, and continuous.
• AI can perform reconnaissance and post-exploitation far faster than humans.
• Traditional logs, signatures, and heuristics may not detect AI-driven activity.
• Defensive AI is not optional — it’s mandatory.

• Recommended focus areas:

• Identity & Access Hardening

AI will exploit weak auth faster than humans can patch it.

• AI-Aware SOC Operations

Monitor for automation-pattern anomalies, not just indicators of compromise.

• Continuous validation of third-party access

GTG-1002 used cloud-based tooling and autonomous agents — partners are part of your attack surface.

• Adopting defensive AI

Use models for SOC automation, IR, vulnerability intelligence, and anomaly detection.

• Vendor pressure for AI safety controls

Anthropic notes that safeguards alone aren’t enough; detection of malicious use must be built into model infrastructure.

 This incident marks a turning point in cyber history.

AI is no longer just an accelerant — it is becoming the operator.

Autonomous AI-driven attacks are no longer hypothetical, academic, or years away.

They’re here.

They’ve succeeded.

And they will evolve.

Cyber resilience now requires meeting AI with AI — because human speed alone cannot defend against machine-speed threats.

If your organization hasn’t updated its threat models, playbooks, or tooling to account for agentic AI threats, now is the time.

1️⃣ Banned all malicious accounts linked to the operation

Anthropic immediately shut down all accounts associated with the attackers as they were identified.

Source: “we banned the relevant accounts”

2️⃣ Expanded detection capabilities for novel AI-driven threat patterns

The company updated and strengthened its internal systems to detect the kind of AI-automated abuse used in this attack.

Specific upgrades included:

• Improved cyber-focused classifiers to spot malicious patterns

• New early detection systems for autonomous cyberattacks

• New investigation techniques for identifying and mitigating large-scale distributed operations

Source:

“expanded detection capabilities… improving our cyber-focused classifiers”

“prototyping proactive early detection systems”

“developing new techniques for investigating and mitigating large-scale distributed cyber operations”

3️⃣ Notified authorities, partners, and impacted entities

Anthropic coordinated with law enforcement and industry partners and informed affected organizations.

Source:

“We notified relevant authorities and industry partners, and shared information with impacted entities”

4️⃣ Incorporated attack patterns into Anthropic’s broader safety & security controls

The behaviors and techniques used by the attackers are now baked into Anthropic’s internal AI-safety systems and policy frameworks.

Source:

“This attack pattern has been incorporated into our broader safety and security controls, informing both technical defensive systems and cyber harm policy frameworks.”

5️⃣ Emphasized continued investment in AI safeguards across all platforms

Anthropic stresses the need for stronger platform-wide safety mechanisms to prevent adversarial misuse of agentic AI.

Source:

“We advise developers to continue to invest in safeguards across their AI platforms, to prevent adversarial misuse.”

6️⃣ Encouraged the cybersecurity community to adopt defensive AI capabilities

Anthropic is urging defenders to start using AI for:

• SOC automation

• Threat detection

• Vulnerability assessment

• Incident response

Because attackers are already doing it.

Source: AI Anthropic Report

Don’t wait for a cyber attack to compromise your business. Partner with TrustedCISO to fortify your defenses and protect your valuable data. Our expert consultants are ready to assess your current security posture and implement robust strategies tailored to your needs. Contact us now to secure your future.