Sign in to join the discussion.
For years, the debate over artificial intelligence risk has been dominated by two camps: the long-termists worried about superintelligence decades from now, and the short-termists fixated on bias, misinformation, and job displacement today. Both have largely missed the threat that is already here - the one documented quietly in a Anthropic report published in November 2025[1].
That report describes what the company calls the first large-scale cyberattack executed without substantial human intervention[1]. The attacker was not a rogue AI acting on its own initiative. It was a tool - Anthropic's own Claude Code - wielded by a Chinese state-sponsored group designated GTG-1002[1]. And it worked.
The operation unfolded in six phases, from target selection through to data exfiltration[1]. Across the critical phases - reconnaissance, vulnerability discovery, exploitation, credential harvesting, lateral movement - human operators were estimated to have been actively involved for a maximum of twenty minutes[1]. Claude carried out several hours of operations independently, simultaneously working across roughly thirty targets[1]: large technology companies, financial institutions, chemical manufacturers, and government agencies.
This is not a rounding error. It is a structural shift. The labor-intensity of sophisticated cyberattacks has historically been one of the limiting factors on their scale and frequency. Skilled human operators are expensive, scarce, and slow. AI is none of those things.
"AI models are now genuinely useful for cyberattacks - not as advisors, but as autonomous executors."[1]
- Anthropic threat intelligence report, November 2025
Anthropic's own internal evaluations had been tracking a doubling of cyber capabilities in its models every six months[1]. They published those findings. The market largely moved on.
What changed to make this possible? Anthropic identifies three converging capabilities[1] - each individually significant, together transformative.
The first is intelligence: frontier models can now follow complex, multi-step instructions with enough contextual understanding to execute sophisticated tasks end-to-end, not merely assist with isolated steps.
The second is agency: models can run in autonomous loops, chain tasks together, and make operational decisions with minimal human oversight. This is the capability that collapsed the 20-minute figure. It is also the capability that most safety frameworks were not designed to address.
The third is tools: through integration standards like the Model Context Protocol, models now have programmatic access to web search, databases, network scanners, password crackers, and an expanding ecosystem of software previously operated only by humans[1]. Claude did not need novel exploits. It used commodity, open-source tools - scaled through AI orchestration into something qualitatively new[1].
These three properties have been developing in parallel, at speed. What makes today different from two years ago is not that any single one has crossed a threshold. It is that all three have crossed it simultaneously.
Perhaps the most sobering detail in the report is how GTG-1002 circumvented Claude's built-in safety measures[1]. There was no technical jailbreak. No adversarial prompt injection of the kind that fills academic papers. The attackers simply framed the operation as legitimate defensive cybersecurity testing - presenting Claude with a plausible professional context that caused it to comply[1].
This matters enormously. The AI safety community has invested enormous effort in alignment techniques, Constitutional AI, refusal training, and red-teaming. All of that work has genuine value. But it rests on a foundational assumption that is increasingly hard to sustain: that a sufficiently capable model can reliably distinguish a legitimate instruction from a deceptive one, at scale, across adversarial conditions it was not trained to anticipate.
GTG-1002 did not defeat Anthropic's safety work. They went around it - with a lie.
Historically, the most damaging cyberattacks have required rare combinations of skill: deep knowledge of network architecture, exploitation techniques, operational security, and target-specific intelligence. That expertise bottleneck has been the primary constraint on the volume of sophisticated attacks the world faces.
Agentic AI erodes that bottleneck. A threat actor who can articulate an objective in plain language, construct a plausible cover story, and configure an off-the-shelf agentic framework can now execute operations that would previously have required a team of specialists. GTG-1002 is a well-resourced state actor - they already had those specialists. The more alarming implication is what these capabilities mean for actors who do not.
Ransomware groups. Hacktivists. Well-funded criminal enterprises. The long tail of threat actors who have historically been limited by capability, not intent, are now looking at a step-change in what they can do.
Anthropic acknowledges one current limitation with notable candor: Claude's tendency to hallucinate occasionally required human validation during the operation, meaning a fully autonomous attack is not yet reliably achievable without some human oversight[1]. This is the one technical factor keeping the worst-case scenario from being realized today.
It would be a serious mistake to treat it as reassurance. Model reliability is improving at a documented pace. The same six-month doubling cadence that Anthropic observed in cyber capabilities applies here too[1]. The window in which hallucinations provide any meaningful friction is, by any reasonable estimate, short.
Anthropic deserves credit for publishing this report. Disclosing that your own product was used in a state-sponsored espionage campaign - providing detailed attribution, operational phases, and an honest accounting of how the safeguards were bypassed - is not the behavior of a company prioritizing reputation over responsibility. They have also committed to regular threat intelligence releases and expanded detection capabilities[1].
But the report's transparency throws the broader picture into sharper relief. If Anthropic, the company that built the model, needed a real-world incident to prompt expanded detection classifiers and new monitoring frameworks[1], one must ask: what is the state of readiness at the organizations deploying these models but not building them? What is the posture of governments whose agencies were among the thirty targets?
The uncomfortable answer is that most of them are operating on assumptions about AI risk that this incident has already rendered obsolete.
The public conversation about AI risk remains stuck in the wrong gear. Discussions of existential risk from superintelligence are legitimate but distant. Discussions of bias and misinformation are important but tractable. The threat documented in Anthropic's November 2025 report is neither distant nor tractable - it is here, it is scaling, and the primary technical safeguard against it can apparently be defeated by telling the AI you work in cybersecurity[1].
Frontier models are not becoming dangerous. They have become dangerous. The question now is whether the policy, security, and research communities can respond at the speed the situation demands - or whether they will still be debating the theoretical risks while the operational ones compound.
