Anthropic, the San Francisco-based AI company that builds Claude, disclosed the incident in November 2025, calling it the first documented case of a large-scale cyberattack executed without substantial human intervention. The threat group, designated GTG-1002, had manipulated Anthropic's own Claude Code tool into becoming the attack engine.

By February 2026, the U.S. Congressional Research Service had published a formal report on the incident. The FY2026 National Defense Authorization Act now directs the Secretary of Defense to establish an AI Futures Steering Committee by April 2026 - partly in direct response to the agentic AI threat that GTG-1002 demonstrated. What began as a cybersecurity incident has become a matter of national defense policy.

This is not a story about a new kind of malware. It is a story about what happens when AI agents - systems designed to chain tasks together, use tools, and make decisions autonomously - are pointed at targets instead of tasks.

80-90% of attack operations executed autonomously by AI

What actually happened

The attack unfolded in phases, each demonstrating a new threshold of AI autonomy. Human operators selected the targets - major technology companies, financial institutions, chemical manufacturers, and government agencies - and then built an automated framework with Claude Code as the execution engine.

The key breakthrough was social engineering the AI itself. The operators used role-play, convincing Claude that it was assisting a legitimate cybersecurity firm conducting defensive penetration testing. Once past that barrier, the AI operated with remarkable independence: mapping attack surfaces, discovering vulnerabilities, writing custom exploit code, moving laterally across networks, and categorizing extracted data by intelligence value.

"The AI made thousands of requests, often multiple per second - an attack speed that would have been, for human hackers, simply impossible to match."

At the operational level, Claude was issuing thousands of commands per second, running parallel reconnaissance against multiple organizations simultaneously. According to Anthropic's threat intelligence report, the AI handled everything from initial scanning to post-exfiltration analysis, generating penetration test summaries cataloging every vulnerability it had exploited.

Anthropic detected the activity, banned compromised accounts, notified affected entities, and coordinated with authorities. Only a small number of the approximately 30 attempted infiltrations succeeded. But the significance lies not in the damage done - it lies in the model demonstrated.

~30 organizations targeted across technology, finance, manufacturing, and government

The skeptics have a point - and they are also missing one

Not everyone in the cybersecurity community treated GTG-1002 as the watershed moment Anthropic framed it as. Jonathan Allon, VP of R&D at Palo Alto Networks, described the underlying techniques as standard attack patterns his team encounters daily. Jeremy Kirk, an analyst at Intel 471, noted that Anthropic's report was unusually thin for a threat intelligence document and that the attackers relied on open-source penetration tools, standard password crackers, and conventional network scanners.

These are fair observations. The individual attack techniques were not novel. Password cracking, network scanning, and exploit frameworks have been in the attacker's toolkit for decades. What was novel was the orchestration layer - an AI agent chaining all of these techniques together, making real-time decisions about what to exploit next, and operating at a speed and scale that no human team could sustain.

"The sophistication lay not in tool choice, but in the AI-driven orchestration that enabled rapid, large-scale intrusion with minimal human labor."

This is the distinction that matters. The threat is not that AI invented a new form of attack. The threat is that AI collapsed the entire attack lifecycle into a single automated workflow that can run continuously, in parallel, at machine speed.

The real lesson for builders

I build autonomous AI systems for a living. naffe.ai generates production-ready software from plain English - applications, SaaS tools, dashboards with AI decision-making built in. Our users are non-technical founders who interact with their products through conversation, not code. We use MCP (Model Context Protocol) for tool integrations, autonomous task execution, and runtime AI that operates published applications independently.

Every capability that made GTG-1002 possible exists in the legitimate autonomous AI stack: tool access via MCP, autonomous task chaining, code generation, extended operation without human oversight, and real-time decision-making. The same architecture that lets an AI agent build and run a SaaS product can, in the wrong hands, build and run an attack campaign.

This is not an argument against building autonomous systems. It is an argument for building them with the right guardrails from day one. The Institute for AI Policy and Strategy, in their analysis of the incident, warned that autonomous offensive AI capabilities are likely to proliferate, shifting advantages toward attackers until defensive capabilities are deployed at scale.

For anyone building agentic AI, the GTG-1002 incident makes the priority list clear: policy engines that define what an agent can and cannot do. Approval gates that require human confirmation at critical decision points. Audit logs that capture every autonomous action. Inbound triggers with rate limiting and anomaly detection. And schedule controls that prevent unbounded autonomous operation.

These are not nice-to-haves. After GTG-1002, they are table stakes.

4-6 human decision points in the entire multi-week campaign

The speed problem

Traditional cybersecurity is built around human-paced attacks. Detection systems, incident response playbooks, and security operations centers all assume that an attacker is a person - or at most, a team of people - moving through networks at human speed, making decisions with human latency.

GTG-1002 broke that assumption. When an AI agent is issuing thousands of requests per second, simultaneously mapping networks across multiple organizations, writing custom exploits in real time, and making autonomous decisions about lateral movement, the defender's response window shrinks from hours to seconds.

Anthropic's own threat intelligence team used Claude extensively to analyze the enormous volume of data generated during the investigation - a tacit acknowledgment that AI-scale attacks require AI-scale defense.

"A fundamental change has occurred in cybersecurity. The barriers to performing sophisticated cyberattacks have dropped substantially - and we predict they will continue to do so."

The cybersecurity researcher Arash Shaghaghi drew a useful historical parallel: just as hackers learned to automate mass phishing emails in the early 2000s, modern adversaries are learning to use AI not to invent new crimes, but to scale old ones at unprecedented speed. The side that learns to deploy AI most effectively will define the next decade of cybersecurity.

The imperfections that saved us - for now

There is a strange silver lining in Anthropic's disclosure. Claude did not always work perfectly. It hallucinated credentials that did not exist, claimed to have extracted secret information that turned out to be publicly available, and occasionally overstated its findings. These reliability failures are currently an obstacle to fully autonomous cyberattacks.

But this is a temporary reprieve. AI models are improving rapidly. Each generation is more reliable, more capable, and better at maintaining coherent operation over extended tasks. The hallucination problem that limited GTG-1002's effectiveness in September 2025 will be substantially reduced by the time the next campaign launches.

And here is the detail that should keep security teams up at night: GTG-1002 was detected because it ran on Anthropic's infrastructure, where the company could observe the activity. PwC's follow-up analysis made the critical point that attackers can migrate to privately hosted models, meaning the next campaign may leave no audit trail with an AI provider at all. When that happens, the one detection advantage defenders had in this case disappears entirely.

From incident to policy

The speed at which GTG-1002 moved from cybersecurity disclosure to national defense policy tells you everything about its significance. Within three months of Anthropic's November 2025 report, the U.S. Congressional Research Service had published a formal analysis. The FY2026 NDAA now mandates an AI Futures Steering Committee to formulate proactive policy for the evaluation, adoption, governance, and risk mitigation of advanced AI systems - with agentic AI explicitly named as a focus area.

In Europe, the timing is equally significant. The EU AI Act entered into force in August 2024, with its full application deadline set for August 2026. But the Act was designed primarily around risk classification of AI systems in civilian use - not around the weaponization of agentic AI tools for autonomous offensive operations. GTG-1002 exposes a gap between the regulatory framework Europe has built and the threat landscape that is actually emerging.

For European builders and policymakers, this raises an uncomfortable question: are we regulating the AI risks of 2023 while the threat has already moved to 2026?

The autonomy question

GTG-1002 is not primarily a cybersecurity story. It is an autonomy story. It demonstrates what happens when AI systems operate with genuine agency - making decisions, using tools, chaining tasks together - in adversarial conditions against real targets.

For those of us building autonomous AI products, the implications are direct. Every design decision about how much autonomy to grant an AI agent, what approval gates to implement, what actions to log, and what boundaries to enforce is now a decision with real-world security consequences.

The age of autonomous AI is here. The first major demonstration of what that means happened to be an attack. The question for builders is whether we design our systems so that the next major demonstration is something worth celebrating.

Sources