We read a lot of cybersecurity research, and most of it covers familiar ground.

Last week, Anthropic published their findings after they analyzed 832 accounts banned for malicious cyber activity over a 12-month period and mapped exactly how those attackers were using AI. The Full Report is worth your time if you want the technical detail. Our analysis here focuses on how it matters for smaller businesses.

The share of medium-to-high risk attackers in Anthropic’s dataset nearly doubled in a single year, going from 33% to 56%. That happened because AI is lowering the skill required to run complex cyberattacks. Less experienced attackers are executing techniques that previously required real expertise, because AI is doing the technical work for them.

What Changed, and Why it Matters

For a long time, there was a meaningful gap between what a moderately skilled attacker could do and what a sophisticated one could do. Getting into a network was within reach for a wide range of bad actors. What happened next, moving around inside a compromised environment, identifying valid accounts, escalating access, covering tracks, that required a different level of competence. It was slow, technically demanding work that many attackers couldn’t pull off.

The Anthropic research found that the least-skilled actors in their dataset were now using about 16 distinct attack techniques on average, while the most skilled were using about 20. That’s a much smaller difference than the security industry would have predicted. The researchers also found something telling in how AI use shifted over the study period: AI-assisted phishing fell by 8.6%, while AI use for account discovery, navigating inside compromised environments, rose 8.9%. Attackers are spending less time using AI to get in and more time using it once they’re already there.

That shift is worth noting. Getting in the door is still getting in the door, but the damage that follows an intrusion depends heavily on what an attacker can do once they’re inside, and AI is quietly making that part much more accessible to people who couldn’t do it before.

How this Changes the Math for Smaller Businesses

The biggest obstacle we have always found when talking about cybersecurity to smaller businesses is the assumption that they’re not a high-value target, so cybersecurity was not a priority.

Now, more than ever, the economics of targeting smaller businesses continues to evolve. Volume attacks that weren’t worth the effort become worth the effort.

The related assumption, that an unsophisticated attacker can’t do much damage, is also shakier than it used to be. The Anthropic data shows actors who would previously have been classified as low-risk running multi-stage post-compromise operations. The classification “unsophisticated” no longer reliably maps to “low damage potential.”

This isn’t meant to cause panic, but it is a reason to make sure the threat model your cybersecurity program, if you have one, is built on actually reflects 2026, not 2022. If you’re working with an IT provider who handles cybersecurity as part of a broader service, it’s worth digging into their approach. IT and cybersecurity are different disciplines, and as the landscape gets more complex, cybersecurity expertise becomes more helpful.

Where to Focus

Awareness Training continues to be an increasingly important defense. AI-quality phishing content is now the norm, not a sophisticated exception. Creating a Culture of Security and training your team on the types of phishing that’s continually evolving is still one of your best defenses as a smaller organization. 

Multi-factor authentication addresses the post-compromise activity as well. Lateral movement and account discovery are significantly harder when MFA is real and consistently enforced. Exceptions, shared accounts, service accounts that bypass MFA, those are the seams an attacker will use once they’re in. A quick audit of where MFA actually applies in your environment is worth the hour.

Beyond those two, the most durable thing a smaller business can do is know what they’d do in the first hour after a confirmed intrusion, and that comes from having an Incident Response Plan. Who decides, who do we call, what do we turn off first? Organizations that recover fastest from incidents almost always had thought through that scenario before it happened. For more on Incident Response, read our article: Incident Response in 2026: Beyond the Plan with Practice, People, and Preparedness

If you want to understand how AI is affecting your business, our AI Readiness Assessment is designed specifically for smaller businesses. It gives you a clear picture of how AI is being used in your business and what that means for your risk, governance, and accountability. The assessment is built on the NIST AI Risk Management Framework and is available now.

For our own take on how AI is changing what defenders can do, see AI at OrbitalFire: An Inside Look at Our Strategy. The same dynamic that’s helping attackers is available to the people protecting you. The question is whether someone’s actually using it.

Frequently Asked Questions

Are hackers actually using AI to target small businesses?

Yes, and at scale. Anthropic’s research, which analyzed 832 banned accounts over 12 months, found that 67% used AI to write malware. A growing share are using it for technically demanding post-compromise work, moving through compromised networks, discovering accounts, escalating access, that previously required real expertise. The threat is documented and measurable.

Does AI make individual attacks more dangerous, or does it make more attackers dangerous overall?

Both, but the more significant finding in the Anthropic research is the second. The share of medium-to-high risk actors in their dataset grew from 33% to 56% in a single year. Less-experienced attackers are now executing complex operations because AI handles the technical parts they couldn’t manage before. The population of credible threats is growing.

Should a smaller business be worried about this?

Not worried, but current. The assumptions many smaller businesses have relied on, particularly that they’re not worth the effort or that unsophisticated attackers can’t cause serious damage, are less reliable than they were. AI has lowered the cost and the skill required to run damaging operations. Working with experienced cybersecurity experts to create a plan that is able to evolve as threats evolve will help you stay ahead.

What is an AI Readiness Assessment?

The OrbitalFire AI Readiness Assessment gives you a clear picture of how AI is being used in your business and what that means for your risk, governance, and accountability. It is a structured review of your AI landscape, assessed against the NIST AI Risk Management Framework 1.0, with practical recommendations delivered at the end.  Learn More.

What’s the most practical first step a smaller business can take right now?

Audit where multi-factor authentication is and isn’t enforced in your environment. The Anthropic research shows post-compromise activity, moving around inside networks once access has been gained, is where AI is being applied most aggressively. MFA directly addresses the techniques that are growing fastest. In addition, ensure you have effective Awareness Training and Phishing Testing for your team. Creating a strong culture of security in your organization goes a long way in defending your data.

Sources

1. Anthropic, “What we learned mapping a year’s worth of AI-enabled cyber threats,” June 3, 2026.
2. Verizon, 2026 Data Breach Investigations Report.