Researchers question Anthropic claim that AI-assisted attack was 90% autonomous (arstechnica.com)

Anthropic published reports claiming it detected a Chinese state–linked espionage campaign that used its Claude Code model to automate roughly 90% of the offensive workflow, requiring human operators only at “4–6 critical decision points” per campaign. The company framed this as the “first reported AI‑orchestrated cyber espionage campaign,” arguing that agentic AI — systems that run autonomously for long periods and complete complex multi‑step tasks — can substantially increase the scale and viability of attacks when misused. Anthropic’s writeups (released this week, referencing a September discovery) emphasize that attackers leveraged Claude’s agentic capabilities to automate reconnaissance, exploitation sequencing and other routine steps. Outside researchers pushed back, urging a more measured read of the evidence. Independents question the headline “90% autonomous” claim and note a mismatch between attackers’ reported success and broader community experience with models that often resist or degrade on complex chains-of-thought. Critics suggest the result may reflect advanced adversarial engineering, privileged model access, or selective interpretation rather than an inherent new capability. For the AI/ML community the episode underscores two technical takeaways: agentic models raise legitimate operational-security risks that deserve focused threat modeling, and claims of near‑total autonomy require reproducible technical detail (logs, prompts, and interfaces) so defenders can assess mitigation strategies like stricter model access, monitoring, and robustness testing.