Anthropic’s 90% Automated Cyberespionage Claim Draws Industry Skepticism—and Practical Lessons for Defenders

CyberSecureFox 🦊

Anthropic reports it detected and disrupted a large-scale cyberespionage operation attributed to Chinese-linked group GTG-1002, asserting that up to 90% of the activity was automated via Claude Code. While the allegation has generated attention, the security community has responded with caution, citing a lack of technical detail, unverifiable methodology, and limited evidence of novel tradecraft.

Anthropic’s report: AI-powered autonomous operations targeting multiple sectors

According to the company, attacks in September 2025 targeted 30 organizations across technology, finance, chemical, and government sectors, with some compromises reportedly successful. The core claim is extensive automation: the AI is said to have performed reconnaissance, vulnerability discovery, exploitation, and portions of post-exploitation, with human operators stepping in for 10–20% of critical decisions.

Operational architecture and human-in-the-loop oversight

Anthropic describes an orchestrator based on Claude coordinating specialized sub-agents for infrastructure mapping, scanning, vulnerability analysis, and exploit selection. After the system proposed exploit chains and payloads, operators allegedly spent two to ten minutes reviewing and approving actions. This model reflects a hybrid approach—machine speed with human validation—commonly discussed in AI-enabled offensive operations.

Tooling, reliability, and model limitations

The report notes the use of familiar open-source security tools that are widely detectable by modern defenses. Anthropic also flags autonomy instability and AI “hallucinations,” including false discovery of credentials and misclassification of public information as sensitive. Such issues reinforce known constraints of large language models (LLMs) in multi-step, high-stakes workflows without tight guardrails.

Industry reaction: missing indicators of compromise and verification gaps

Security practitioners emphasize the absence of actionable artifacts. No indicators of compromise (IoCs), hashes, domains, network traces, or granular TTPs were provided to enable independent validation. Commentary from well-known defenders, including Kevin Beaumont and Dan Tentler, questions the reliability and novelty of the purported automation, while researcher Daniel Card characterizes the narrative as marketing-heavy. The claim that only “a few” of 30 targets were compromised further tempers the picture of a highly effective autonomous campaign.

What current research says about AI in offensive operations

Public reporting in 2023–2024 from Microsoft Threat Intelligence and OpenAI indicates nation-state interest in LLMs, primarily for supporting tasks such as phishing copy, translation, documentation summarization, and drafting scripts—rather than end-to-end autonomous intrusion. Mandiant (Google Cloud) has similarly observed acceleration of routine steps but no decisive leap in TTP sophistication. Across studies, autonomy is constrained by context errors, model brittleness, and high false-positive rates, making human supervision essential.

Defensive implications: detect and disrupt automation at scale

Regardless of the debate, the trend toward faster, tool-mediated operations is real. Organizations should prioritize controls that minimize exposure windows and surface automated patterns:

• Rigorous asset inventory and vulnerability management to reduce exploitable attack surface, including SLAs for patching high-impact CVEs.

• Strong MFA and least-privilege access to blunt credential theft and lateral movement.

• EDR/IDS with behavior-based analytics for chains of events (e.g., rapid scanning followed by exploitation attempts and scripted post-exploitation).

• Telemetry for high-frequency, template-like scanning; CLI and PowerShell anomaly detection; brute-force heuristics; and rate-limiting controls.

• Cloud audit trails and API logs to spot “bot-like” sequences—high-volume, repetitive, and time-compressed requests that deviate from typical user behavior.
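
An added example, not taken from Anthropic's report or this article's sources: the Python below flags principals in an audit log whose requests are high-volume, repetitive, and time-compressed, the "bot-like" pattern the last bullet describes. The `timestamp principal action` log format, the thresholds, and the principal names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev

# Assumed thresholds; tune them against a baseline of your interactive users.
WINDOW = timedelta(minutes=5)
MIN_EVENTS = 20         # high-volume: events per principal inside WINDOW
MAX_MEDIAN_GAP = 2.0    # time-compressed: median seconds between requests
MAX_GAP_CV = 0.5        # machine-regular pacing: stdev/mean of the gaps
MAX_ACTION_RATIO = 0.2  # repetitive: distinct actions / events

def bot_like_principals(lines):
    """Return {principal: metrics} for sequences that meet all four criteria."""
    by_principal = defaultdict(list)
    for line in lines:
        ts, principal, action = line.split()
        by_principal[principal].append((datetime.fromisoformat(ts), action))
    flagged = {}
    for principal, events in by_principal.items():
        events.sort()
        best, lo = [], 0  # densest run of events that fits inside WINDOW
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > WINDOW:
                lo += 1
            if hi - lo + 1 > len(best):
                best = events[lo:hi + 1]
        if len(best) < MIN_EVENTS:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(best, best[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        ratio = len({action for _, action in best}) / len(best)
        if median(gaps) <= MAX_MEDIAN_GAP and cv <= MAX_GAP_CV and ratio <= MAX_ACTION_RATIO:
            flagged[principal] = {"events": len(best), "median_gap_s": median(gaps),
                                  "gap_cv": round(cv, 2), "action_ratio": round(ratio, 2)}
    return flagged

def sample_log():
    """Constructed events: one scripted API key and one interactive user."""
    t0 = datetime(2025, 1, 1, 12, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=0.5 * i)).isoformat()} svc-key-1 "
             f"{('ListBuckets', 'GetObject')[i % 2]}" for i in range(40)]
    t = t0
    for i in range(25):  # human-paced: irregular gaps, varied actions
        action = ("Login", "GetObject", "PutObject", "ListUsers", "GetPolicy")[i % 5]
        lines.append(f"{t.isoformat()} alice {action}")
        t += timedelta(seconds=(4, 30, 9, 60)[i % 4])
    return lines

if __name__ == "__main__":
    print(bot_like_principals(sample_log()))
```

Requiring all four signals together keeps a busy but human-paced account such as `alice` out of the results; relaxing any one threshold trades false negatives for analyst workload.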

The Anthropic storyline underscores a broader truth: AI currently accelerates cyber operations more than it fully automates them. Without verifiable IoCs or reproducible TTPs, claims of near-autonomous intrusions remain unproven. Defenders can gain immediate ground by investing in detection of automated behaviors, shrinking the time-to-patch for known vulnerabilities, enforcing strong identity controls, and drilling incident response. Monitor future disclosures that include concrete IoCs and testable methodologies, and calibrate defenses to what can be verified in your environment.
