AI-Powered Espionage Disclosure: Industry Questions Value of Anthropic's Postmortem

Anthropic's disclosure lacked important elements, which explains the professional criticism that erupted despite the postmortem's potential significance. And while the post is marketing for Anthropic, it also provides strategic threat context for security executives.

When Anthropic disclosed earlier this month what it characterized as the first large-scale AI-orchestrated cyberattack—in which a Chinese state-sponsored threat actor used jailbroken Claude Code to target roughly 30 global enterprises with minimal human intervention—the announcement triggered immediate skepticism. The backlash underscores a tension in data breach postmortems: balancing transparency about emerging risks with the standards security practitioners actually need to detect, investigate, and defend against the attacks they face.

"Anthropic basically spent the whole piece highlighting how their AI can be leveraged for intrusion activity, but didn't give defenders a single IOC [indicator of compromise] or attribution hint," cybersecurity advisor and founder of DefendPoint Consulting, Kostas T., commented on X.

Offensive security specialist djnn added to the sentiment. "The primary goal of a Threat-Intelligence report such as this one would be to inform other parties of a new type of attack, and artefacts they might use to discover the attack on their network. This is typically done by sharing domain names linked with the campaign, MD5 or SHA512 hashes you could look for on Virus Exchange websites such as VirusTotal, or other markers that would help you verify that your networks are safe," djnn wrote.

These complaints echoed across the online threat intelligence community: the Anthropic report lacks the technical indicators, TTPs (tactics, techniques, and procedures), and verifiable details that security operations teams depend on to hunt for attackers, validate detection systems, and understand genuine exposure.

The absence stings all the more because Anthropic claimed an unusually high level of attacker autonomy—80-90% of the campaign executed by AI, with only 4 to 6 critical human decision points per operation. Yet the company simultaneously disclosed that Claude "frequently overstated findings and occasionally fabricated data during autonomous operations, claiming to have obtained credentials that didn't work or identifying critical discoveries that proved to be publicly available information." This raises the question: if the AI hallucinated credentials and misidentified public data as novel intelligence, how much confidence should defenders place in the assertion that 80-90% of an operation was genuinely autonomous, rather than the product of AI confabulation requiring human remediation?

Still, not everyone was as critical. "Anthropic deserves major kudos for writing about and providing such detail on this attack," wrote Allie Mellen, principal analyst at Forrester, on LinkedIn. "They provided insights that no other vendors have visibility into, aside from LLM vendors. A perspective that will help the industry better prepare for these attacks. Anthropic should be lauded for it," Mellen added.

"I've heard a lot of complaints about the limited technical specifics in the report. I get it. I'd love some security-focused intel, including IOCs, the exact prompts, and the tools used. But it isn't that type of report. It's giving us something equally important, just different: details on the architecture and methods for delivering an attack like this in the wild, for the first time.

"It doesn't diminish the findings of the report or the inflection point this brings: automated and scaled aspects of attacks, MCP enabling it, and minimal human intervention. Though in the future I'd love to see some MITRE ATT&CK TTPs :)," Mellen concluded.

"In general, I'm in favor of transparency when it is used for the greater good. Which means sometimes some details need to be held back," Diana Kelley, CISO at Noma Security, told CYBR.SEC.Media. "To me, this looks very much like transparency to educate others. What I always like to see, though, are clear details on what companies can do to protect themselves. The report had a security impacts section, but didn't close with a clear set of recommendations on how to detect/prevent," she said.

Joel Scambray, SVP technical assurance services at NCC Group, added that the Anthropic article "nicely illustrates how GenAI services can identify and disrupt malicious cybersecurity activity that uses their services. This is surely not the first or last time adversaries will have used AI to facilitate and enhance their attacks. These platforms are uniquely positioned to see and potentially stop these campaigns and should be reaching out to cybersecurity threat intelligence and related experts to understand better and position themselves for this brave new role," Scambray said.

Naomi Buckwalter, AI security strategist at Contrast Security, told CYBR.SEC.Media that there are additional elements she'd like to see in such postmortems that would make them more actionable for defenders. "If Anthropic could open-source the data related to usage information of threat actors, that would be massively helpful to defenders. I can understand why they would want to keep information close to the vest, but it certainly doesn't help to pick and choose which information or threat patterns to showcase in their monthly reports. Let the security community have the data, to do with it what they wish," Buckwalter said.

Insights Practitioners Actually Need

Security professionals across SOCs, threat intelligence teams, and vendor organizations broadly agree on the elements that separate proper threat disclosure from potential marketing efforts. Actionable intelligence requires specificity: Which systems were compromised? What indicators can our SIEM systems actually watch for? How does this threat actor's behavior differ from known campaigns?

For defenders, these aren't "nice to haves"—they're operational necessities. Tactical threat intelligence directly feeds into detection engineering, vulnerability prioritization, and incident response planning. A SOC analyst can respond effectively to an alert only if threat intelligence provides context: Do known threat actors use this technique? What's the historical success rate? What mitigations are most effective? Vague threat warnings produce alert fatigue and defensive waste, while specific technical details enable precise countermeasures.

Forrester's guidance for defenders emphasizes this practical imperative. The framework for AI-enabled security—Forrester's AEGIS model—focuses on "securing intent," constraining agent authority with ephemeral identities and temporary permissions, and implementing detection systems tuned to adversary behavior. None of those defenses can be built without the granular technical intelligence that Anthropic's disclosure didn't provide.

That's precisely why many found the postmortem less helpful than it could have been. "It doesn't change my day-to-day focus," added Buckwalter. "And it certainly doesn't change what I can control. Attackers may be using AI to automate attacks, but the attacks themselves are not new. The rate of attacks is simply higher than in the past. As a defender, I combat this by using AI myself."

Dave Shackleford, founder and CEO of Voodoo Security, said that, based on his conversations with security professionals since the Anthropic disclosure, organizations aren't making significant changes to their AI security approaches in response to the news. However, he has noticed a few themes emerge. Defenders are grappling with whether they should now treat AI engines as part of the threat surface, and whether they should rely on AI providers to tell them when threat actors are targeting them, and/or using them to generate malicious code or other campaign artifacts. 

"Overall, most feel this [Anthropic's postmortem] is helpful. Many CISOs and their teams are just starting to embrace AI, and want to know more about how the AI engines are being attacked, whether by prompt injection, model theft, and so forth. And how attackers, such as the generation of malicious code and malware, the development of social engineering campaigns, among others, are leveraging them. There is no precedent for how much information the providers offer, but the feeling is the more the better," he said.

"I'd like to see more [information], personally," he added. "If you're using a specific AI agent or service, how could this affect you, and what should you look for? Additionally, are there indicators of attackers using AI agents that you should be looking for or investigating? Truthfully, I think we have another 1-2 years before AI use is widespread enough for that to happen," he concluded.

What (Specifically) Would Make Such Announcements More Valuable

For security practitioners and defenders, more actionable vendor threat disclosure would include:

Specific technical indicators: Include file hashes, command-and-control infrastructure, email addresses, domains, registry keys, and other artifacts that defenders can search for in their environments. These should be verifiable through public repositories like VirusTotal.

MITRE ATT&CK mappings: Explicit connection of observed attacker behavior to the framework that guides detection engineering and response planning. This transforms generic threat descriptions into structured intelligence that SOC teams can operationalize.

Confirmed victim impact: Statements or acknowledgments from affected organizations (even anonymized) confirming the scope of successful compromises, what data was exfiltrated, and remediation status. Attribution gains credibility when victims confirm the damage.

Government or third-party corroboration: Especially for nation-state attribution, statements from law enforcement, intelligence agencies, or independent security researchers validating the claims strengthen confidence. The diplomatic weight of accusing a specific country demands evidential rigor.

Defensive recommendations mapped to actual techniques: Not generic guidance but specific tactics for the exact threat described. For AI-orchestrated attacks, this means specifics on detecting autonomous agent behavior, monitoring for jailbreak attempts, and building resilience against attackers using AI for reconnaissance.

Timeline and detection methodology: How did you discover this? What indicators alerted your systems? What was the investigation process? This helps other defenders understand what signals to watch for in their own environments.

Anthropic's disclosure lacked these elements, which explains the professional criticism despite the story's potential significance. The announcement is marketing for Anthropic, but it also provides strategic threat context for security executives. For SOC teams and threat hunters trying to defend their infrastructure, it offered little operationally sound intelligence.

In reality, as Mellen pointed out, most organizations will be breached not because of sophisticated AI-driven attacks, but because they failed to keep up with essential cybersecurity hygiene: slip-ups around patching, authentication, and basic controls that are successfully exploited in day-to-day attacks.

David Brauchler, technical director and head of AI and ML security at NCC Group, essentially agreed and told CYBR.SEC.Media, "Anthropic could have enhanced this report by including fingerprints or indicators of this style of attack, including recommendations for how defense teams could respond to this kind of behavior. I suspect, however, that the answer would be to continue the same defensive operations that resist traditional threat actors with little unique advice for AI-powered attacks."

That's not to say defenders shouldn't be on the lookout for new tactics, techniques, and procedures using AI, Brauchler added. "But the most prominent new risks that AI has proven to execute on as a threat actor include deepfakes, spam, and scaled phishing campaigns. Additionally, the use of AI features in customer-facing applications often introduces new vulnerabilities that threat actors can exploit. The automated threat actor attack class is interesting, but simply hasn't proven in this report to exceed ordinary attacker capabilities in either depth or scale," Brauchler said.