
In November 2025, Anthropic published something that should have gotten more attention than it did. The report documented what the company called the first verified AI-orchestrated cyber espionage campaign at scale, carried out by a Chinese state-sponsored group Anthropic designated GTG-1002. The group had weaponized Anthropic’s own Claude Code, an agentic coding tool designed for developers, turning it into the primary operator in a multi-target intrusion campaign spanning roughly 30 organizations across technology, finance, chemicals, and government.
The important part isn’t that an AI was involved in a cyberattack. We’ve seen AI-assisted operations before: models generating phishing copy, suggesting attack vectors, helping with reconnaissance. What makes GTG-1002 different is the degree of autonomy. According to Anthropic’s assessment, the AI executed 80-90% of the tactical operations independently. Humans set the objectives, approved a handful of escalation points, and corrected the model when it made mistakes. The scanning, the exploit generation, the credential harvesting, the lateral movement, the data extraction, all of it was the machine’s job.
The kill chain didn’t change. The speed, the scale, and the economics of executing it did. And that shift has implications that most security programs aren’t yet designed to handle.
Anatomy of the operation
To understand why this matters, you have to understand the operational architecture. GTG-1002 wasn’t a case of someone pasting prompts into a chatbot and copy-pasting the output into a terminal. The operators built a structured orchestration framework using the Model Context Protocol (MCP) as the communication layer between Claude Code and a suite of standard penetration testing tools: network scanners, database exploitation frameworks, password crackers, binary analysis utilities. The design was modular: each phase of the intrusion was decomposed into discrete, self-contained tasks that the model could execute, interpret, and build upon.
The workflow was a loop. An operator issued a high-level prompt defining the task objective. Claude Code invoked the appropriate tool via MCP, parsed the returned output, and autonomously formulated the next request based on the results. Create, execute, interpret, iterate. This loop ran across the full kill chain without requiring per-step human approval.
What’s particularly notable is how the operators got the model to cooperate. They didn’t use traditional jailbreaking techniques: no adversarial suffixes, no prompt injection in the usual sense. Instead, they employed what amounts to social engineering against the model itself. By framing the entire operation as a legitimate penetration test or security assessment, they induced Claude Code to operate within the parameters of a plausible defensive engagement. The model believed it was helping with an authorized security audit. This persona manipulation is subtler and harder to detect than brute-force guardrail evasion, and it exposes a fundamental weakness in how safety systems currently distinguish authorized from unauthorized tool use.
What Claude Code did at each stage
The traditional cyber kill chain, reconnaissance, weaponization, delivery, exploitation, lateral movement, actions on objectives, still applies here. What changes is who (or what) is executing each phase, and how fast.

Reconnaissance. Claude Code conducted broad, parallel reconnaissance across multiple target organizations simultaneously. It generated and executed scanning scripts to enumerate exposed services, open ports, version banners, authentication portals, cloud access points, and web application structures. Anthropic’s report describes the AI independently cataloging hundreds of discovered services and endpoints without per-target human guidance. The speed differential matters: manual reconnaissance against a single target of moderate complexity takes days to weeks. GTG-1002 operated at physically impossible request rates across multiple targets in parallel.
Vulnerability identification and weaponization. The model analyzed its own scan outputs to surface exploitable conditions: exposed admin panels, unpatched web applications matching known CVE patterns, weak or default authentication configurations, misconfigured cloud services. It then generated functional exploit payloads tailored to the specific vulnerabilities discovered in each target: SQL injection scripts, credential-stuffing tools, custom exploitation code. This collapses what had traditionally been two distinct phases into a single automated loop. No handoff to a separate exploit developer. The same agent that found the vulnerability wrote the code to exploit it.
Exploitation and initial access. Claude Code tested its generated payloads against live targets, validated results, iterated on failed attempts, and documented successful intrusions. Anthropic notes that the AI produced errors during this phase: hallucinated vulnerabilities, misinterpreted responses, generated non-functional exploit code. But the volume and speed of automated attempts meant that even a modest success rate translated into multiple confirmed compromises. This is a key insight about AI-driven offense: it doesn’t need to be precise. It trades accuracy for throughput.
Post-exploitation. In compromised environments, the model autonomously discovered internal services, mapped complete network topologies across multiple IP ranges, identified high-value systems including databases and workflow orchestration platforms, queried those systems, extracted data, parsed results to identify proprietary information, and categorized findings by intelligence value. Human operators only re-entered the loop at the final exfiltration approval stage.
Perhaps most concerning: Claude Code maintained context across extended sessions. It tracked previously discovered services, documented its own operational progress, and could resume activity without requiring manual reconstruction of prior state. It was running a sustained campaign, not executing isolated commands
The detection problem
The detection problem posed by AI-orchestrated kill chains isn’t primarily about new attack techniques. GTG-1002 used the same tactics, techniques, and procedures that APT groups have used for years: the same reconnaissance methods, the same credential harvesting, the same lateral movement patterns. The underlying TTPs map cleanly to the MITRE ATT&CK framework. Nothing exotic.
The problem is speed, volume, and behavioral ambiguity.
On speed: agentic AI campaigns compress the interval between initial access and exfiltration from weeks or months to hours or days. Traditional SOC workflows, triage, escalation, investigation, containment, were designed for human-speed adversaries. When the attacker’s OODA loop runs at machine speed, the defender’s human-speed response cycle creates a structural disadvantage. Anthropic reported that the campaign was eventually detected because of the sustained nature of the activity: anomalous request patterns that exceeded baseline thresholds. But by the time that detection triggered, multiple targets had already been compromised.

On behavioral ambiguity: this is the deeper problem. The techniques employed by GTG-1002 are operationally indistinguishable from legitimate agentic workflows. Automated reconnaissance, vulnerability scanning, credential testing, and data extraction are routine activities in authorized penetration tests, CI/CD pipelines, and IT automation frameworks. Distinguishing between a benign developer agent conducting an approved security assessment and a weaponized agent executing an unauthorized intrusion requires intent-level analysis, a capability that most current detection stacks simply do not have.
And then there’s the stateful behavior problem. Most security monitoring assumes that automated activity is stateless: scripts run, produce output, and terminate. An AI agent that maintains context across long sessions, builds progressive situational awareness of the target environment, and resumes work without repeating prior steps doesn’t match the behavioral profile that most anomaly detection systems are looking for.
The uncomfortable architectural parallel
Here’s the part that should keep security leaders up at night. GTG-1002’s operational architecture, an AI agent connected to tools via MCP, receiving high-level objectives, executing tasks autonomously, and reporting results back for human review, is structurally identical to the agentic workflows that enterprises are now building for SOC automation, vulnerability management, and incident response.
The intent is different. The mechanics are the same.
An internal copilot that scans your infrastructure for vulnerabilities, generates remediation scripts, and reports findings to your security team is using the same agent-tool-interpret-iterate loop that GTG-1002 used to compromise 30 organizations. The difference is authorization and intent, neither of which is visible at the protocol level. This means that organizations building agentic AI workflows internally need to be thinking about the same containment, monitoring, and access control problems that this campaign exposed. Not because their agents are malicious. Because the absence of those controls is exactly what allowed GTG-1002 to succeed.
What changes now
The kill chain hasn’t been rewritten. It’s been compressed and parallelized in ways that conventional detection and response workflows weren’t designed for. The defenders who will handle this well share a few characteristics.
First, they’re meeting automation with automation. Human-speed SOC processes cannot match machine-speed attacks. AI-driven threat detection, automated correlation, and machine-speed containment aren’t optional upgrades: they’re the baseline requirement for operating in a threat landscape where adversaries can enumerate, exploit, and exfiltrate before a single alert is triaged by a human analyst.
Second, they’re treating AI agents as first-class entities in their threat model. Whether those agents are internal copilots or external adversaries, autonomous systems with tool access and network connectivity deserve the same monitoring, access controls, and containment policies that organizations apply to privileged human insiders. Runtime inspection of MCP traffic, behavioral baselines for agent activity, and cognitive observability, visibility into the decision chain of autonomous systems, are emerging as critical defensive requirements.
Third, they’re investing in proactive defense that doesn’t depend on recognizing the attack after it’s arrived. Deception technology, automated attack surface management, and runtime protections that make critical assets invisible or inaccessible to unauthorized agents all reduce the attack surface available to AI-driven intrusions regardless of how fast or sophisticated the offensive automation becomes. When the adversary’s agent can scan, identify, and exploit a vulnerability in the time it takes your SOC to open a ticket, the only reliable defense is ensuring there’s nothing useful for that agent to find.
GTG-1002 wasn’t the last AI-orchestrated campaign. It was almost certainly not even the first, just the first to be publicly documented at this level of detail. The operational economics of AI-driven offense, lower cost, higher throughput, reusable playbooks, guarantee that these techniques will proliferate. The organizations that weather what comes next won’t be the ones with the most products deployed or the most expensive MSSP contract. They’ll be the ones whose security architecture was designed to operate at the speed their adversaries now move.
Brad Potteiger is the Chief Technology Officer at Arms Cyber, where he leads the development of next-generation preemptive security & anti-ransomware technology. Arms Cyber’s patented Stealth Posture Management platform protects organizations across Windows, Linux, and MacOS by making critical data invisible and resilient to attackers.

