DECEPTION CHECK
Threat Research · AI and Cyber

We Went Looking for AI Attackers in Our Honeypots

An AI maker and a honeypot network are watching the same shift from opposite ends of the internet. Here is what we actually caught, and how it squares with Anthropic's new data.

Deception Check Threat Research · July 1, 2026

In June 2026, Anthropic published the LLM ATT&CK Navigator, mapping 13,873 observations of AI misuse from 832 banned accounts onto MITRE ATT&CK. It is the clearest public look yet at how attackers are actually using AI. We read it from an unusual position: we run a fleet of honeypots that watches the same adversaries from the other side, at the moment they reach an exposed system. So we asked a simple question. Does what we see match what they see?

The short version

Mostly yes, and the differences are illuminating. Anthropic sees the prompt, what attackers ask a model to do, and it skews heavily to preparation: building and hiding tools. We see the action, what attackers do at the door, and it is dominated by credential attacks. Those are two ends of one pipeline. Both datasets agree on the big picture: today AI is mostly a preparation multiplier, and the autonomous, in-network AI attacker is the rare leading edge, not the norm. And we did find that leading edge in our own data. Of 8,887 attackers in a two-week window, our classifier flagged 5 as agentic and 3 as AI-assisted, with a recognizable behavioral fingerprint.

8,887 attackers, 8 classed AI-driven
The AI attacker is real, and rare. Two weeks of fleet data, April 2026.

Two vantage points on the same threat

The most useful way to read our data next to Anthropic's is as two windows onto one attack lifecycle. Anthropic can see what a person types into a model. We can see what eventually arrives at a target. Line them up and they are close to mirror images.

Anthropic vs honeypot tactic distribution
Anthropic's top tactic is Defense Evasion and Resource Development, building and obfuscating tools. Ours is overwhelmingly Credential Access. Taxonomies differ, so read the shape.

Anthropic's single largest category is defense evasion (84% of actors touched it), and the top technique is malware development (69% of actors). Credential access sits near the bottom of their list at 6%. Our distribution is the inverse: 73% of what we observe is credential access, brute force at the door, and the build-and-obfuscate stages are invisible to us, because you cannot watch someone write malware from a honeypot login. This is not a contradiction. Attackers use AI to build and obfuscate payloads, which Anthropic sees, then commodity automation sprays credentials and delivers those payloads to exposed systems, which we see. The 1,885 malware samples our control honeypots captured in a single window are the obfuscated output of that build stage arriving at its destination.

Who actually shows up

Before the AI question, the honest baseline: the internet's background traffic is still overwhelmingly dumb. Our Bestiary classifier sorts every source IP into archetypes by behavior. In the April run, 88% were nuisance scanners, and the next largest groups were commodity botnets, scanners, and credential-spray bots. The AI classes are the two smallest meaningful tiers on the board.

Attacker classification distribution
8,887 attackers classified over 6.98 million events. The AI classes (amber) are the rarest, just above a lone RAT operator. Log scale.

The ones that looked like AI

Now the interesting part. The sessions our classifier flagged as agentic or AI-assisted share a distinctive style: a broad, clean, typo-free system enumeration, run at machine pace, with graceful fallbacks when a command returns nothing. One source on Hetzner cloud ran 27 distinct commands inside a single second.

Example enumeration burst
A single second of activity from one flagged source. No human types this fast, and the defensive fallbacks are the tell of generated or agent-driven code.

Two things make this more than a fast script. First, the style: every command is wrapped in 2>/dev/null, and when one returns nothing the session emits a tidy fallback like echo 'No GPU info' or echo unknown. That defensive, edge-case-handling pattern is exactly what generated or agent-driven recon looks like, not the blunt one-liner of a Mirai bot.

The strongest signal: one playbook, many clouds The same enumeration template appeared from Microsoft Azure (four separate addresses), DigitalOcean, Oracle Cloud, Hetzner, Alibaba, China Unicom, and Viettel. One Azure host ran the very same playbook but paced at two to four second human-like intervals instead of a one-second burst, the agentic-versus-AI-assisted distinction visible in a single dataset. One clean playbook recurring across many unrelated addresses on rented cloud compute is the fingerprint of an automated framework or an agent harness, not coincidental humans. And the origin matters: these arrive from cloud VMs, not the residential and IoT ranges that dominate the dumb traffic, because that is where you run a tool or an agent.

The honest part

We hold ourselves to what the data can support, so three caveats travel with this finding, and they happen to be the most interesting result of all.

First, behavioral classification is not proof of AI. We cannot see the attacker's prompt. We infer from speed, cleanliness, breadth, and the reuse of one template across many hosts. Second, the heuristic over-reaches. Fast, clean cryptominer recon scripts (uname, nvidia-smi, curl ipinfo.io/org, crontab -r, kill the competition) trip the same thresholds. Our classifier suppresses those by checking the cryptominer, botnet, and key-injector rules first, which is why the disciplined count is 5 plus 3, not dozens. Third, the scale is tiny: even counting generously, AI-consistent actors are well under one in a thousand of what we see.

Here is why those caveats matter: they are the same wall Anthropic hit from the other side. Anthropic found that an actor's technical skill, interface, and even technique count are weak predictors of how much AI actually helped them. The thing that distinguishes the highest-risk actors is orchestration, the scaffolding that chains techniques into an autonomous operation. We reached the identical conclusion from network data: you cannot find the AI attacker by speed or command count, because a clean script looks the same. The real tell is orchestration and the reuse of a generated playbook. Two independent vantage points, the same lesson.

The dividing line is no longer technical skill. It is orchestration. And orchestration is exactly what raw event counts cannot see.

What this means for defenders

If the differentiator is orchestration rather than skill or volume, then the way you catch the AI-driven attacker is not a bigger pile of alerts. It is dwell and adaptation.

The deeper lesson

The headlines about AI and cybercrime tend to collapse two very different realities. From Anthropic's vantage, AI is already woven through the preparation stage of most attacks. From ours, the thing actually knocking on the door is still, overwhelmingly, the same commodity botnet it was five years ago, with a tiny but unmistakable population of automated, agent-like operators beginning to appear. Both are true. Holding both at once is how you plan well: harden against the bots today, and instrument for the agents tomorrow. The way you will know the agents have arrived is not a louder alarm. It is a quieter, cleaner, faster pattern that no human could have typed.

We did not find an army of AI hackers. We found eight, hiding in a crowd of nine thousand, and a clear method for finding the next ones.


Sources

About Deception Check

Deception Check operates a global fleet of LLM-backed honeypots that study how attackers behave the moment they reach an exposed system. We turn that behavior into early-warning detection for the operational technology, healthcare, and enterprise environments that conventional tools struggle to protect. This briefing is for educational purposes and references open, citable sources throughout.

© 2026 Deception Check.