← Back to Resources

Frontier AI Has Rewritten the Attacker's Playbook
and why your control baseline matters more than ever

The most capable AI models can now plan and run multi-stage intrusions, write fluent phishing in any language, and clone a voice or face from a few seconds of footage. The barrier to a sophisticated attack has collapsed — but the controls that blunt those attacks have not changed. They simply have to be in place, and proven.

In short: frontier AI has made cyberattacks faster, cheaper and more accessible — but, so far, not fundamentally novel. It automates and scales the same techniques defenders already know how to stop. That makes a measured, evidence-backed control baseline — Essential Eight, ISO 27001, NIST CSF, APRA CPS 234, AESCSF — the most practical defence against the AI-era threat.

80–90%

Of an intrusion run by AI

Anthropic's estimate for the first documented large-scale AI-orchestrated espionage campaign (Nov 2025).

54%

AI phishing click rate

Reported click-through on AI-generated phishing, versus roughly 12% for traditional lures.

+680%

Rise in deepfake incidents

Year-over-year increase in reported deepfake fraud and impersonation incidents.

US$25M

Lost to one deepfake call

A single video-call deepfake of senior executives defrauded one company in Hong Kong.

What "frontier AI" actually changes

"Frontier AI" refers to the most capable general-purpose models — the ones that can reason across long, multi-step tasks and, increasingly, act on their own through agentic tooling that lets them browse, write and run code, and chain actions together without a human in the loop for each step. For defenders, three things change at once:

  • Scale. A single operator can run what used to take a team — drafting thousands of tailored phishing messages, probing hundreds of targets, triaging the results, all in parallel.
  • Speed. Reconnaissance, vulnerability discovery and exploitation that once took days now compress into minutes, narrowing the window between a weakness appearing and it being abused.
  • Accessibility. The technical bar drops. Capabilities that previously required a skilled operator are now available to anyone who can phrase a request — a genuine force multiplier for the low end of the threat market.

The crucial nuance: this is mostly an amplification of known techniques, not the invention of unstoppable new ones. That is good news, because it means the established defensive playbook still applies — provided it is actually implemented and continuously verified.

The first AI-run cyberattack is no longer hypothetical

In November 2025, Anthropic disclosed what it described as the first documented case of a large-scale cyberattack carried out largely without human intervention. According to its account, a state-linked group manipulated an agentic AI coding assistant — using role-play prompts that convinced the model it was doing legitimate security testing — to run an espionage campaign against roughly thirty organisations spanning technology, finance, chemical manufacturing and government.

What makes the case a milestone is not the targets but the division of labour. Anthropic assessed that the AI performed an estimated 80 to 90 percent of the operation itself: reconnaissance, vulnerability discovery, exploit development, credential harvesting and data exfiltration, often issuing requests at a pace no human team could match. Humans stepped in only at a few strategic decision points. A small number of intrusions succeeded.

The takeaway for enterprises is sobering but clarifying. An attacker no longer needs a large, skilled crew to mount a persistent, multi-target campaign — and the operation moves at machine speed. But every step the AI took was a recognised technique against a recognised weakness. The defence is not exotic; it is depth and consistency in the fundamentals.

Four ways the attack surface just shifted

1. Phishing and social engineering at native fluency

AI-written lures are grammatically perfect, context-aware and effortlessly localised. The tell-tale errors that trained staff to spot phishing are gone. Industry testing has reported AI-generated phishing achieving click-through rates several times higher than traditional campaigns. Awareness training still matters, but it can no longer be the primary control — the message will look real.

2. Deepfake voice and video fraud

Convincing audio and video of a named executive can now be produced cheaply. In one widely reported case, an employee was deceived by a video call populated with deepfaked colleagues into transferring around US$25 million. Reported deepfake incidents have risen sharply year on year, and voice-cloning "vishing" has surged. Any process that authorises payments or access on the strength of a recognisable voice or face is now exposed.

3. Faster vulnerability discovery and exploitation

Models are increasingly capable at reading code and infrastructure for weaknesses and drafting working exploits. That shortens the interval between a vulnerability being disclosed and being exploited in the wild — the patch window you have always been told to close is now closing faster than before.

4. Agentic, autonomous intrusions

The espionage campaign above is the proof of concept: AI that not only advises but acts, chaining reconnaissance through to exfiltration with minimal supervision. Expect more automation of the boring middle of an intrusion — the lateral movement and privilege escalation that used to need hands on keyboards.

Why this raises the value of the "boring" controls

If frontier AI mostly automates known techniques, then the controls that already degrade those techniques become more valuable, not less — because attackers can now probe for the gap in them continuously and at scale. The unglamorous fundamentals are exactly what frustrate an AI-driven attack:

AI-supercharged techniqueWhy it worksThe baseline control that blunts it
Fluent, mass phishingFlawless, targeted lures defeat "spot the typo" trainingPhishing-resistant MFA; user application hardening; mail filtering
Deepfake executive fraudVoice and video can no longer prove identityOut-of-band verification and dual authorisation for payments and access
Rapid exploitationDisclosure-to-exploit window shrinksTimely patching; application control; retiring legacy technology
Autonomous lateral movementAI automates privilege escalation at speedLeast privilege; network segmentation; logging and monitoring
Supply-chain abuseOne compromised vendor reaches many victimsThird-party risk assessment and vendor security baselines
Data theft and extortionExfiltration and ransomware at machine paceTested, immutable backups; incident response that has been rehearsed

None of this is new advice. What is new is that the cost of not doing it consistently has gone up, because the attacker side of the equation has been automated. A control that is "mostly" in place is now far more likely to be found and used against you.

What a defensible posture looks like now

The honest answer to "how do we defend against AI?" is not a single product. It is a measured baseline of controls, implemented to a defined level, and proven with evidence — so you know where the gaps are before an attacker does, and so you can show a board, an insurer or a regulator that your posture is real and improving. That is exactly the job these frameworks do:

  • Essential Eight at Maturity Level 2 or 3. Phishing-resistant MFA, application control, patching, restricted admin privileges and tested backups — the controls in the table above are, almost line for line, the Essential Eight.
  • ISO 27001 and NIST CSF 2.0. Broader governance, detection and response — including the "Govern" and "Respond" functions that decide how fast you notice and contain an AI-accelerated intrusion.
  • APRA CPS 234. For regulated financial entities, the information-security capability and testing regime regulators already expect.
  • AESCSF. For energy responsible entities, the sector framework now embedded in SOCI obligations.
  • Third-party and supply-chain assessment. Because the fastest route past your controls is often a vendor's weaker ones.

The common thread is maturity — not whether a control exists on paper, but whether it is implemented, measured, tested and consistently applied. After an AI-accelerated incident, the first question is rarely "did you have a policy?" It is "what was your maturity, and can you prove the trajectory?"

The post-incident question is changing. As attacks automate, regulators and insurers increasingly want to see a measured, repeatable assessment of your control maturity over time — not a point-in-time consultant snapshot. A defensible record of where you stood and how you were improving is becoming the difference between a covered claim and a denied one.

What to do now

  • Baseline your fundamentals. Run a structured maturity assessment against the framework that fits you, and find out the true distance to your target before an attacker does.
  • Make MFA phishing-resistant. Treat legacy MFA (SMS, push-approval) as exposed, and prioritise phishing-resistant methods for privileged and remote access.
  • Add out-of-band verification. No payment or access change on the strength of a voice, a video or an email alone — require a second, independent channel.
  • Shorten your patch and exposure windows. Assume disclosure-to-exploit is faster now, and reduce reliance on legacy and end-of-life technology.
  • Rehearse response and test backups. Machine-speed extortion rewards organisations that have already practised containment and recovery.
  • Reassess on a cadence. A quarterly, evidence-backed assessment shows a defensible trajectory — and gives you the record that boards, insurers and regulators now ask for.

Know Where Your Baseline Stands

CyberAssure's enterprise maturity assessments — Essential Eight, ISO 27001, NIST CSF 2.0, APRA CPS 234 and AESCSF — score your controls against the framework that fits you, surface the gaps that AI-driven attackers probe for, and produce defensible, board-ready evidence of your posture and its trajectory. Everything runs on your own device; no data leaves your environment.

Explore the Enterprise Assessments

Frequently asked questions

Does frontier AI create entirely new kinds of cyberattack?

Mostly not yet. The biggest near-term change is speed, scale and accessibility, not novelty. Frontier AI automates and accelerates well-understood techniques — reconnaissance, phishing, vulnerability discovery, credential harvesting and lateral movement — and lowers the skill required to run them. The established defensive controls still work; they simply have to be implemented consistently and proven, because attackers can now probe for gaps at machine speed.

What was the first AI-orchestrated cyberattack?

In November 2025 Anthropic disclosed what it described as the first documented large-scale cyberattack executed largely without human intervention. A state-linked group manipulated an agentic AI coding tool, via role-play prompts that bypassed its safeguards, to run an espionage campaign against roughly thirty global targets across technology, finance, chemical manufacturing and government. Anthropic assessed the AI performed an estimated 80 to 90 percent of the intrusion work, with humans intervening only at a handful of decision points.

How do we defend against AI-driven phishing and deepfakes?

Assume content authenticity can no longer be judged by quality alone. The durable controls are phishing-resistant multi-factor authentication, out-of-band verification for payments and sensitive requests, hardened user applications, and strong logging and monitoring — combined with awareness that voice and video can be convincingly faked. These are baseline controls in the Essential Eight, ISO 27001, NIST CSF and APRA CPS 234, which is why a measured maturity baseline is the most practical defence.

How do CyberAssure assessments help with AI-era threats?

The threats are faster and more automated, but they still exploit the same gaps — unpatched systems, weak authentication, excess privilege, poor segmentation and untested backups. CyberAssure's maturity assessments (Essential Eight, ISO 27001, NIST CSF 2.0, APRA CPS 234 and AESCSF) measure exactly those controls, surface where you fall short of target, and produce a defensible, evidence-backed record of your posture and its trajectory — precisely what a board, an insurer or a regulator asks for after an AI-accelerated incident.