On November 14, 2025, Anthropic claimed they disrupted "the first documented case of a large-scale AI cyberattack executed without substantial human intervention." Security researchers had questions. Some were skeptical. A few dismissed it as marketing.
This isn't the first time Anthropic has made claims about AI security capabilities. The company has discussed both offensive threats (what AI can enable) and defensive successes (what they've disrupted). Each time, security researchers ask the same question: where's the evidence?
Here's an honest look at what Anthropic claims, what security researchers say, what context is missing, and what we genuinely don't know.
The November 14 Claim
According to Anthropic's blog post, attackers used Claude for what they describe as an espionage campaign:
- Targeted approximately 30 organizations (tech companies, financial institutions, government agencies)
- AI "executed approximately 80-90 percent of all tactical work independently"
- Made "thousands of requests per second"
- Attackers bypassed safeguards by posing as a legitimate cybersecurity firm
- Anthropic attributes this to Chinese state-sponsored actors with "high confidence"
What Anthropic Provided vs. Standard Threat Intel
What Security Researchers Said
Several security researchers publicly questioned the report. Their concerns centered on the lack of technical details that would allow independent verification.
"The complete lack of IoCs [Indicators of Compromise] again strongly suggests they don't want to be called out over that."
— Kevin Beaumont, Cybersecurity Researcher
"We still don't know which tasks were truly accelerated by AI versus what could have been done with standard tooling. We don't know how the agent chains operated, where the model hallucinated, how often humans had to intervene, or how reliable the outputs actually were."
— Jen Easterly, Former CISA Director
Daniel Card called the report "marketing guff." Martin Zugec of Bitdefender acknowledged growing AI threats but noted the report "lacked verifiable threat intelligence" and called the claims "speculative."
The Broader Pattern
This isn't isolated. Anthropic has made several announcements about Claude's security-related capabilities. Some security researchers argue that the capabilities described in these announcements share a pattern:
- Aren't meaningfully novel compared to existing security tools
- May be slower and less effective than dedicated alternatives
- Are framed dramatically for marketing purposes
The "Not Novel" Argument
Capabilities like automated web crawling, input fuzzing, and vulnerability scanning have existed for decades. Tools like Burp Suite, OWASP ZAP, and Metasploit perform similar functions.
The Skeptics' Point
If Claude can crawl websites and test inputs for vulnerabilities, that's not new—it's what security tools have done since the early 2000s. The question is whether wrapping these capabilities in an LLM makes them meaningfully more dangerous.
The Counterargument
Accessibility matters. Even if capabilities aren't novel, making them available through natural language could lower barriers to entry. Someone who couldn't use Metasploit might be able to prompt Claude. Whether this changes the threat landscape meaningfully is debatable—but it's not obviously irrelevant.
The "Less Effective" Argument
Some researchers have compared LLM-based security testing to dedicated tools and found the LLM approach slower and less thorough. Claude has to reason through each step, consuming expensive API calls. Traditional scanners can test thousands of inputs per second.
What We Actually Know
We don't have: Rigorous, independent comparisons of LLM-based security testing versus traditional tools across multiple scenarios.
We have: Anecdotal reports from individual researchers. These suggest LLMs may underperform, but sample sizes are small and methodologies vary.
Honest assessment: This claim is plausible but not proven.
The "Marketing" Argument
Perhaps the most serious criticism: that AI companies exaggerate capabilities for marketing purposes. The pattern critics identify:
- Demonstrate a capability (even if mundane)
- Frame it as dangerous or unprecedented
- Call for responsible development and regulation
- Benefit from media coverage and perceived seriousness
Critics point to historical precedents: OpenAI's GPT-2 "too dangerous to release" announcement (the model was later released) and various "AI safety" announcements timed near funding rounds.
The Timing Question
Some observers noted the November 14 report came roughly a month after DeepSeek demonstrated frontier AI could be built for a fraction of expected costs. This timing could be coincidental—or not. We don't know.
What We Don't Know
Before accepting either Anthropic's claims or the skeptics' dismissals, consider what information we're missing:
Legitimate Reasons Anthropic Might Withhold Details
- Ongoing federal investigation: If coordinating with NSA, FBI, or CISA, they may be legally restricted
- Protecting victims: IoCs could identify which organizations were breached
- Classified information: Attribution methodology might involve intelligence sources
- Operational security: Revealing detection methods could help future attackers evade them
We genuinely don't know if Anthropic is withholding details for legitimate reasons or if the claims don't hold up to scrutiny. Both are possible.
An Honest Assessment
| Claim | Evidence For | Evidence Against | Our Assessment |
|---|---|---|---|
| AI security capabilities are overhyped | Anecdotal tool comparisons; timing of announcements | Lack of systematic research; capabilities are improving | Plausible but unproven |
| Current LLMs aren't better than existing tools | Individual researcher tests | Accessibility argument; small sample sizes | Possibly true now; may change |
| Announcements are marketing-driven | Timing correlations; media benefits | Marketing incentives don't disprove claims | Incentives exist; doesn't prove falsity |
| AI security threats are real | Prompt injection incidents; code vulnerabilities | Specific attack data is limited | Yes, though magnitude debated |
The Bigger Question: Are AI Threats Real?
Separate from Anthropic's specific claims, what do we know about AI in cyberattacks?
- AI-assisted attacks exist: Attackers use AI for phishing, reconnaissance, and code generation
- Fully autonomous attacks are less clear: Whether AI can reliably execute complex attack chains without human intervention is debated
- The capability is growing: As AI systems become more capable at coding and reasoning, the threat surface expands
The Harari Perspective
Yuval Noah Harari argues AI represents something fundamentally new—autonomous decision-making systems, not just tools. If that's true, AI-orchestrated attacks aren't just "hackers using chatbots." They're attacks where an autonomous system makes tactical decisions.
Whether current LLMs have reached that threshold is debatable. But dismissing AI security concerns because current capabilities are overhyped might miss the trajectory.
What Would Change Our Assessment
If Anthropic provides more information:
- IoCs released (even under embargo) would significantly increase credibility
- Third-party validation from independent security firms
- Clear explanation for why technical information can't be shared
If skeptics are right:
- Systematic comparisons would show LLMs underperform dedicated tools
- Time would pass without significant AI-enabled attacks documented elsewhere
- Anthropic would fail to provide evidence when pressed
The Bottom Line
Security researchers have reasonable questions about Anthropic's AI security claims. The lack of technical details that would allow verification is notable.
But we should be careful about overcorrecting. Skepticism of specific claims isn't the same as dismissing AI security concerns entirely. And companies having marketing incentives doesn't mean their technical claims are false.
The honest position: we don't know yet. Both "AI security is overhyped" and "we are underprepared for AI security threats" could turn out to be true in different contexts.
What we can say: evaluate specific claims on their evidence. Ask for data. Be skeptical of dramatic framing from any source—including companies like ours who compete with Anthropic.
A Note on Writing About Competitors
This article is about a competitor. We benefit if Anthropic's claims are seen as exaggerated.
We've tried to present multiple perspectives rather than advocate for a conclusion. The original drafts were more one-sided. We've corrected that—security researchers raised questions, they didn't definitively disprove anything.
You should evaluate this debate independently, knowing our position isn't neutral.