Beyond Autonomous Attacks: The Reality of AI-Enabled Cyber Threats
On April 7, 2026, Anthropic announced Claude Mythos, a general-purpose language model with frontier cybersecurity capabilities. The model autonomously identified and exploited zero-day vulnerabilities in every major operating system and web browser. It chained together multiple vulnerabilities into sophisticated exploit sequences, wrote a browser exploit, and autonomously developed a remote code execution exploit.
The announcement signals the acceleration of an era in which artificial intelligence (AI) can autonomously discover and weaponize vulnerabilities. Anthropic is not alone. Similar announcements from leading AI companies about models capable of autonomous cyber operations have fueled speculation about the future of AI-driven cyberattacks. These fears are understandable, but misplaced. The urgent problem of AI-enabled cyberattacks is far more mundane: generative AI is making existing attack methods faster, cheaper, and more accessible. Currently, defenders who fixate on hypothetical AI-powered zero-days while neglecting this status quo risk preparing for the wrong fight.
What AI Is Actually Doing: Speed, Trust, and Democratization
The global scale of AI-enabled cybercrime is alarming at first glance. CrowdStrike reports an 89 percent increase in attacks by AI-enabled adversaries from 2024 to 2025. But the figure needs context. Most of these attacks relied on existing tactics, techniques, and procedures (TTPs) rather than creating fundamentally new methods of attack. For now, the core contribution of AI to the cyberthreat landscape is not innovation but efficiency. Generative AI adds speed, volume, and noise to operations that threat actors were already conducting.
This is most visible in the early stages of an operation, during reconnaissance and delivery. An AI model's ability to rapidly aggregate and analyze open-source intelligence allows threat actors to identify targets, map organizational structures, and surface vulnerabilities faster than humans. In one case, Microsoft Threat Intelligence has observed North Korean threat actors using large language models (LLMs) to research publicly disclosed vulnerabilities and profile high-value targets, enabling them to understand technical details and identify attack vectors more efficiently. In a broader pattern, attackers now begin scanning for newly discovered vulnerabilities within minutes of a Common Vulnerabilities and Exposures (CVE) announcement, often before security teams have finished reading the advisory. This speed may not change the tactics of an operation, but it does change how defenders need to respond within a compressed timeline.
Regarding delivery, what generative AI provides for access mechanisms such as phishing is not innovation, but execution. AI can produce grammatically correct, contextual messages at scale with minimal operator input, and the products have reached a point where Microsoft has found that targets are 4.5 times more likely to click on AI-generated phishing emails than traditionally crafted counterparts. Tools advertised on dark web forums now claim to support full phishing campaign workflows, and leaked internal chats from the ransomware group Black Basta show members routinely discussing the use of ChatGPT for drafting phishing messages for targets.
Crucially, none of this constitutes an innovation in what attacks look like. It constitutes a transformation in how fast and how cheaply they can be operationalized.
The Threat Actor Beneficiaries: Mid-Tier Actors Gain the Most
While AI is used by diverse actors, the impact of AI across the threat actor ecosystem is uneven, and understanding who benefits is essential for calibrating the policy response.
Nation-state adversaries conducting espionage, such as Russia and China, have adopted generative AI to enhance reconnaissance, create phishing content, and conduct influence operations. However, their use of AI represents only refinements to capabilities that the actors already possessed. The Russian threat actor Fancy Bear (aka APT28) stands out for its deployment of LAMEHUG, a novel malware family incorporating AI. The malware embedded AI directly into its reconnaissance and intelligence collection through predefined prompts, potentially to evade detection. Ultimately, however, CrowdStrike assessed that LAMEHUG did not demonstrate a meaningful increase in effectiveness or sophistication. At the nation-state level, what is significant now is understanding that these actors are experimenting with AI-enabled techniques to accelerate operations.
Cybercrime actors have incorporated AI tools for script and image generation and basic malware development. The ransomware group FunkSec openly acknowledged that portions of its code and tooling were developed with AI, and tools like the Xanthorox AI offer subscribers the ability to generate malicious code with deployment instructions for as little as $300. However, these outputs often contain significant errors and fall short of their promises. AI-generated code still requires human expertise to be operationally effective, and less skilled operators frequently lack the ability to recognize mistakes in model outputs.
The actors who benefit most sit in the middle of this capability spectrum. CrowdStrike assesses that moderately resourced threat actors aiming for disruption and financial incentives, such as the cybercrime group Akira (aka Punk Spider), which has hit over 250 organizations globally, or nation-state actors, such as North Korea, are "highly likely to benefit the most from using AI in their operations." These groups possess enough technical literacy to validate and deploy AI-generated outputs but previously lacked the resources to operate at the speed, scale, and sophistication that generative AI now enables. The result is a compression of the gap between mid-tier and elite operators, which may not revolutionize what is possible but expands who is able to execute these attacks.
The North Korea Jasper Sleet Case: AI Across the Kill Chain
North Korea's Jasper Sleet, aka Famous Chollima, offers the most intensive case study of integrated AI use in the nation’s remote IT worker schemes. The operators incorporated ChatGPT, Gemini, and other AI tools into employment operations to obtain remote positions at Western technology firms under false identities.
For Jasper Sleet, AI is embedded at every stage. They use AI image manipulation to create fake personas, deepfake technology to mask identities during video interviews, AI-enhanced messaging applications to manage multiple accounts, and coding assistants to help perform legitimate job functions across three or four concurrent positions. OpenAI has confirmed that the operatives used its LLMs for employment-related questions, coding assignments, and interview preparation. The result is a scalable intelligence and revenue-generation operation that exploits remote hiring workflows. As the success of the operations shows, netting approximately $2.02 billion in cryptocurrency in 2025, the most impactful AI-enabled operations don’t originate from novel capabilities but from integration of AI into well-established tradecraft at scale.
What AI Is Not Doing, Yet
Amid this operational acceleration, it is equally important to identify the claims that current evidence does not support. Three myths deserve particular scrutiny.
AI is not generating novel malware or zero-day exploits at scale. While cases like Check Point Research's VoidLink, a sophisticated malware framework authored predominantly through AI-driven development, demonstrate that AI can accelerate the work of capable developers, these remain outliers. Most AI-assisted malware development produces inconsistent code that requires human refinement. The FunkLocker and RALord ransomware variants, for example, share encryption flaws specific to templates generated by WormGPT, reflecting the limitations of automated code generation without oversight.
AI has not fundamentally altered the core TTPs of the cybercrime threat landscape. Ransomware is not new. Social engineering is not new. Credential theft is not new. The shift is that the operator time required to execute these operations at scale is dropping. This is a meaningful change, but it is a change in timelines, not in type.
Autonomous AI-driven cyberattacks remain largely aspirational. Anthropic's November 2025 disclosure of a cyber espionage campaign in which an AI agent reportedly conducted the majority of tasks across the operation, from reconnaissance through data exfiltration, was a genuinely significant development. But it remains one of the first confirmed cases of its kind, not a widespread operational reality, and was likely carried out by a Chinese state-sponsored group rather than a less-resourced actor. The more representative picture comes from the 2025–2026 breach of nine Mexican government agencies, in which a single capable operator used Claude Code and ChatGPT to compress exploit iteration, automate reconnaissance across hundreds of servers, and punch well above what they could have without AI. Crucially, the shift from Claude Code refusing to conduct reconnaissance to jailbreaking and live execution took only 40 minutes, further compressing the timeline for defenders. However, in achieving such an impact, the operator still directed every stage of the intrusion themselves. The emergence of autonomous AI agents capable of executing full-scale attacks signals a potential turning point, but the key word is "potential." For now, human operators remain central to directing and validating AI outputs.
That being said, Anthropic's Mythos may present the next step in what is technically possible for AI-enabled cyber offense and defense. During testing, Mythos Preview achieved a 72.4 percent success rate at developing working exploits, and the model identified thousands of high and critical severity zero-day vulnerabilities across open and closed source software. The implication is that as frontier models continue to improve exponentially, offensive cyber capabilities will improve in kind, and not only from Anthropic. However, Anthropic has chosen not to make Mythos Preview generally available, and the model’s capabilities remain behind a select group of companies’ walls through Project Glasswing. The gap between what is technically achievable in a lab and what is deployed by threat actors remains significant, for now.
Attribution Gets Harder
One underappreciated consequence of AI adoption by threat actors is its effect on attribution. Use of AI can alter the information that analysts rely on to identify threat actors by homogenizing code patterns, erasing linguistic indicators, and diversifying operational timelines. If an AI-written phishing email is indistinguishable from a handcrafted one, and the majority of code is AI-generated rather than written by a developer with identifiable habits, the forensic fingerprints that underpin attribution can disappear.
This is a problem with significant policy implications. While deterrence in cyberspace is difficult at best, attribution is still a key priority for governments seeking to deter bad actors in cyberspace. If AI makes it logistically harder to link intrusions to specific actors, it weakens the entire structure of cyber accountability, from indictments and sanctions to diplomatic consequences.
Implications for Defenders
The practical implications of this assessment point toward several priorities for cyber defenders. First, defenders should expect shorter lead times across the board. Faster reconnaissance, more convincing social engineering, and quicker iteration cycles mean that the window between vulnerability disclosure and exploitation is shrinking. Rapid patching, with AI incorporated on the defender side, is no longer a best practice. It is an operational necessity to counter cyberattacks at the speed of AI. Frontier AI models such as Mythos and other cyber capabilities are dual use: they can help defenders and attackers. So it will be key for cybersecurity practitioners and AI companies to implement changes that tip the benefits of AI tools towards defenders as much as possible.
Second, identity controls matter. 82 percent of intrusions detected in 2025 did not use malware, and according to Palo Alto Networks, identity weaknesses played a material role in almost 90 percent of its investigations. A significant number of operations succeed through stolen or leaked valid credentials, and as AI enables actors to use deepfake techniques and synthetic identities across multiple targets at much greater speed, investments in user education, zero-trust architecture, identity protection, multifactor authentication, and behavioral analytics for credential abuse will continue to be essential.
Third, defenders should respond to AI-enabled vulnerability discovery by doubling down on defense in depth, a cybersecurity strategy that uses layered security controls. If models like Mythos can find many small vulnerabilities, the realistic goal will no longer be to patch every vulnerability before it is found. Rather, it will be to ensure that any single vulnerability, when found, cannot become a full compromise. For Mythos, many of the highest-impact exploits the model produced were chains, and each link in that chain is an opportunity for defenders to uncover attackers. That means enforcing strict network segmentation so that initial access does not yield lateral movement, applying least-privilege access controls to protect against compromised accounts, maintaining comprehensive logging and behavioral detection capabilities, and shortening patch cycles for known CVEs. This builds a layered security model in which defenders assume any one control will fail and build the next one to contain the damage.
Finally, policymakers should resist the temptation to craft policy around speculative worst-case scenarios. The policy-relevant threat for the time being is not an autonomous AI agent launching a zero-day exploit against critical infrastructure. It is the steady erosion of defender advantages as AI compresses the cost and time required to mount effective attacks using pre-existing methods. The appropriate response may center instead on strengthening fundamentals, identity hygiene, and detection and response capabilities, rather than chasing futuristic threats.
Conclusion
AI is reshaping the cyberthreat landscape, but more incrementally than the headlines suggest. The shift is not in what attackers can build from scratch, but in how fast they can now accelerate and execute existing TTPs. Fears of fully autonomous AI cyberattacks, while grounded in real technological possibilities, risk diverting attention from the acceleration that is already underway. Defenders and policymakers who internalize this distinction will be better positioned to allocate resources where they matter most – shoring up public-private partnerships for cyber defense – and to avoid chasing hypotheticals while the realities of AI use in the cyber domain accelerate.