An AI maker and a honeypot network are watching the same shift from opposite ends of the internet. Here is what we actually caught, and how it squares with Anthropic's new data.
In June 2026, Anthropic published the LLM ATT&CK Navigator, mapping 13,873 observations of AI misuse from 832 banned accounts onto MITRE ATT&CK. It is the clearest public look yet at how attackers are actually using AI. We read it from an unusual position: we run a fleet of honeypots that watches the same adversaries from the other side, at the moment they reach an exposed system. So we asked a simple question. Does what we see match what they see?
Mostly yes, and the differences are illuminating. Anthropic sees the prompt, what attackers ask a model to do, and it skews heavily to preparation: building and hiding tools. We see the action, what attackers do at the door, and it is dominated by credential attacks. Those are two ends of one pipeline. Both datasets agree on the big picture: today AI is mostly a preparation multiplier, and the autonomous, in-network AI attacker is the rare leading edge, not the norm. And we did find that leading edge in our own data. Of 8,887 attackers in a two-week window, our classifier flagged 5 as agentic and 3 as AI-assisted, with a recognizable behavioral fingerprint.
The most useful way to read our data next to Anthropic's is as two windows onto one attack lifecycle. Anthropic can see what a person types into a model. We can see what eventually arrives at a target. Line them up and they are close to mirror images.
Anthropic's single largest category is defense evasion (84% of actors touched it), and the top technique is malware development (69% of actors). Credential access sits near the bottom of their list at 6%. Our distribution is the inverse: 73% of what we observe is credential access, brute force at the door, and the build-and-obfuscate stages are invisible to us, because you cannot watch someone write malware from a honeypot login. This is not a contradiction. Attackers use AI to build and obfuscate payloads, which Anthropic sees, then commodity automation sprays credentials and delivers those payloads to exposed systems, which we see. The 1,885 malware samples our control honeypots captured in a single window are the obfuscated output of that build stage arriving at its destination.
Before the AI question, the honest baseline: the internet's background traffic is still overwhelmingly dumb. Our Bestiary classifier sorts every source IP into archetypes by behavior. In the April run, 88% were nuisance scanners, and the next largest groups were commodity botnets, scanners, and credential-spray bots. The AI classes are the two smallest meaningful tiers on the board.
Now the interesting part. The sessions our classifier flagged as agentic or AI-assisted share a distinctive style: a broad, clean, typo-free system enumeration, run at machine pace, with graceful fallbacks when a command returns nothing. One source on Hetzner cloud ran 27 distinct commands inside a single second.
Two things make this more than a fast script. First, the style: every command is wrapped in 2>/dev/null, and when one returns nothing the session emits a tidy fallback like echo 'No GPU info' or echo unknown. That defensive, edge-case-handling pattern is exactly what generated or agent-driven recon looks like, not the blunt one-liner of a Mirai bot.
We hold ourselves to what the data can support, so three caveats travel with this finding, and they happen to be the most interesting result of all.
First, behavioral classification is not proof of AI. We cannot see the attacker's prompt. We infer from speed, cleanliness, breadth, and the reuse of one template across many hosts. Second, the heuristic over-reaches. Fast, clean cryptominer recon scripts (uname, nvidia-smi, curl ipinfo.io/org, crontab -r, kill the competition) trip the same thresholds. Our classifier suppresses those by checking the cryptominer, botnet, and key-injector rules first, which is why the disciplined count is 5 plus 3, not dozens. Third, the scale is tiny: even counting generously, AI-consistent actors are well under one in a thousand of what we see.
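One way to express the rule ordering and style features described above, as an added Python example (not Deception Check's Bestiary classifier). The suppression patterns, thresholds, label names and sample sessions are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Suppression rules run first, as the caveats describe. Patterns and
# thresholds are illustrative assumptions, not Deception Check's rules.
SUPPRESS = [
    ("cryptominer", re.compile(r"crontab -r|xmrig|pkill")),
    ("key-injector", re.compile(r"authorized_keys")),
    ("botnet", re.compile(r"(wget|curl)\b.*\|\s*(sh|bash)\b")),
]
FALLBACK = re.compile(r"\|\|\s*echo\b")

def features(events):
    """events: list of (epoch_seconds, command) for one session."""
    cmds = [c for _, c in events]
    times = [t for t, _ in events]
    return {
        "distinct": len(set(cmds)),                                  # breadth
        "rate": len(cmds) / max(max(times) - min(times), 1.0),       # speed
        "quiet": sum("2>/dev/null" in c for c in cmds) / len(cmds),  # cleanliness
        "fallbacks": sum(bool(FALLBACK.search(c)) for c in cmds),
    }

def classify(events):
    joined = "\n".join(c for _, c in events)
    for name, pattern in SUPPRESS:      # commodity tooling wins over style
        if pattern.search(joined):
            return name
    f = features(events)
    if (f["distinct"] >= 10 and f["rate"] >= 5
            and f["quiet"] >= 0.8 and f["fallbacks"] >= 2):
        return "agentic-consistent"     # a behavioral label, not proof of AI
    return "unclassified"

def reused_templates(sessions):
    """sessions: {source_ip: events}; command sequences seen from 2+ sources."""
    seen = defaultdict(set)
    for ip, events in sessions.items():
        seen[tuple(c for _, c in events)].add(ip)
    return {tpl: ips for tpl, ips in seen.items() if len(ips) > 1}

def stamp(cmds, step=0.05):
    return [(1000.0 + i * step, c) for i, c in enumerate(cmds)]
# Constructed sample sessions (documentation-range IPs, not captured data).
RECON = [f"{c} 2>/dev/null || echo unknown" for c in (
    "uname -a", "id", "hostname", "uptime", "nproc", "free -m", "df -h",
    "cat /etc/os-release", "lscpu", "ip addr", "ps aux", "nvidia-smi")]
SESSIONS = {"192.0.2.10": stamp(RECON), "198.51.100.7": stamp(RECON),
            "203.0.113.5": stamp(RECON + ["crontab -r"])}  # last: miner-style
```

The miner-style session passes every style threshold and is still labelled cryptominer, because the suppression rules run before the style check.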
Here is why those caveats matter: they are the same wall Anthropic hit from the other side. Anthropic found that an actor's technical skill, interface, and even technique count are weak predictors of how much AI actually helped them. The thing that distinguishes the highest-risk actors is orchestration, the scaffolding that chains techniques into an autonomous operation. We reached the identical conclusion from network data: you cannot find the AI attacker by speed or command count, because a clean script looks the same. The real tell is orchestration and the reuse of a generated playbook. Two independent vantage points, the same lesson.
The dividing line is no longer technical skill. It is orchestration. And orchestration is exactly what raw event counts cannot see.
If the differentiator is orchestration rather than skill or volume, then the way you catch the AI-driven attacker is not a bigger pile of alerts. It is dwell and adaptation.
The headlines about AI and cybercrime tend to collapse two very different realities. From Anthropic's vantage, AI is already woven through the preparation stage of most attacks. From ours, the thing actually knocking on the door is still, overwhelmingly, the same commodity botnet it was five years ago, with a tiny but unmistakable population of automated, agent-like operators beginning to appear. Both are true. Holding both at once is how you plan well: harden against the bots today, and instrument for the agents tomorrow. The way you will know the agents have arrived is not a louder alarm. It is a quieter, cleaner, faster pattern that no human could have typed.
We did not find an army of AI hackers. We found eight, hiding in a crowd of nine thousand, and a clear method for finding the next ones.
Deception Check operates a global fleet of LLM-backed honeypots that study how attackers behave the moment they reach an exposed system. We turn that behavior into early-warning detection for the operational technology, healthcare, and enterprise environments that conventional tools struggle to protect. This briefing is for educational purposes and references open, citable sources throughout.
© 2026 Deception Check.