The Emergence of Autonomous Cyber Attacks: Analysis and Implications


This memo provides an analysis of Anthropic’s November 2025 Threat Report, “Disrupting the first reported AI-orchestrated cyber espionage campaign.”

In November 2025, Anthropic reported detecting and disrupting one of the first cyber espionage campaigns to use an AI agent to autonomously execute operations in the wild. Although the impact of the actual operation is unknown, the use of AI to autonomously conduct offensive operations is a notable development with several key implications:

  • Progress in Autonomous Cyber Operations: This appears to be the first publicly known example of AI systems autonomously conducting multi-step attacks against well-defended targets in the wild. This would be a significant step, as recent evaluations of frontier models found limited autonomous attack capabilities, and other researchers have demonstrated multi-stage capabilities only in cyber range exercises, not against real-world targets. This escalates beyond AI-enabled operations where humans direct attacks with AI assistance.

  • Scaling Nation-State Operations: Autonomous offensive AI agents could enable nation-states to conduct continuous operations across multiple targets at an increased tempo, which is particularly concerning given that actors like Salt Typhoon and Volt Typhoon have already compromised critical infrastructure.

  • Enabling Less Sophisticated Actors: These autonomous capabilities are likely to proliferate and enable less sophisticated actors to conduct more operations at faster speeds. This may shift advantages toward attackers until defensive capabilities are deployed at scale. However, frequently targeted entities that lack resources, such as hospitals and schools, may struggle to keep pace in this elevated offensive environment.

Autonomous Cyber Operations: What Happened?

  • Offensive cyber operations can be broken down into distinct attack stages, each with its own steps. Executing these steps is time-intensive, with human operators spending hours or days to complete operations. Some stages create more significant bottlenecks than others, constraining the overall pace of campaigns.

  • In this campaign, the threat actors leveraged Anthropic's software coding agent, Claude Code, to create a semi-autonomous cyber offensive agent. This agent, with minimal human direction and oversight, executed the labor-intensive steps of the attack, enabling the threat actors to operate at greater speed and scale.

  • With the agent conducting between 80 and 90% of the offensive operation, humans shifted from operators to supervisors, setting strategic direction by selecting targets, reviewing agent findings, and approving further actions.

  • Claude Code alone cannot conduct autonomous cyber operations. To overcome this, threat actors developed custom scaffolding that helped Claude conduct complex multi-stage attacks and use offensive security tools. This scaffolding also allowed the attackers to bypass the safeguard designed to prevent this misuse.

  • The threat actors also built their offensive agent using only commercially available AI models, open-source tools and protocols, and custom scaffolding.


Recommendations

  • Understand the Risk: As autonomous capabilities rapidly advance, policymakers and defenders need better tools to understand risks that inform decisions. This requires investment in measurement science and robust cyber evaluations of AI models, done by developers, government agencies, and third-party evaluators. Evaluations must also attempt to create real-world conditions. This means testing models that have been integrated with offensive scaffolding in real-world scenarios.

  • Secure Critical Infrastructure: If autonomous cyber operations proliferate, ensuring the security of critical infrastructure and other high value targets will be important. This will require both the public and private sectors to take action. Policymakers should ensure that fundamental cybersecurity laws and programs, such as CISA 2015 and the State and Local Cyber Grant, are maintained. Policymakers should also fund research and development that supports the defensive use of AI, such as DARPA's AIxCyber Challenge.

  • Promote Differential Access: Policymakers should support and incentivize developers to implement differential access strategies that promote defender access to advanced AI capabilities. This includes prioritizing access for strategic defenders such as software developers, cybersecurity firms, and critical infrastructure operators whose security impacts broader societal resilience.

