Attackers Automated 90% of Operations with Claude AI | Nov 15-19
Big Picture
If you've been wondering when attackers would start using the same AI tools we're using to ship code faster, that question got answered this week.
Chinese state-sponsored actors reportedly automated 90% of their attack operations using Claude across the whole chain (details below).
Meanwhile, 30,000 EU organizations just inherited mandatory security disclosure requirements that they have to implement by December. And we're seeing signs that a new security discipline (MLSecOps) is emerging to handle classes of AI model vulnerabilities that didn't exist 18 months ago.
The through-line: higher velocity challenging limited capacity. Large backlogs meet AI offensive capabilities. Compliance requirements are expanding. Sub-specialties are emerging rapidly that are both necessary and strain already-limited resources and expertise. No wonder 50% of CISOs report being burnt out.
BTW the velocity/capacity dichotomy is also what's driving the pace of news across AppSec Vendors looking to deploy new capabilities to help (covered below).
Anthropic Claude Used BY Attackers Proves Offensive-Defensive Parity
Anthropic disclosed Chinese state-sponsored actors used Claude AI to automate 80-90% of a cyberattack campaign across reconnaissance, vulnerability identification, exploit crafting, and lateral movement. The same AI capabilities powering 10x code generation now enable adversaries to execute attacks at equivalent speed. As Intezer's analysis notes, manual security review cannot keep pace with AI-accelerated development—whether that code comes from your developers or from attackers probing your infrastructure.
Some researchers expressed skepticism about whether Anthropic overstated capabilities for competitive positioning.
Takeaways
Overstated or not, it is pretty clear that attackers now leverage the same publicly available AI infrastructure as development teams.
NIS2 Expansion Creates 30,000-Organization Compliance Window
The German Bundestag finalized NIS2 implementation, expanding EU cybersecurity requirements from 2,000 critical infrastructure organizations to over 30,000 entities by December 2025. The change adds healthcare, transport, manufacturing, and public administration organizations to mandatory compliance.
Affected organizations now face mandatory incident reporting within 24 hours, vulnerability disclosure requirements, and supply chain security accountability.
Takeaways
The December deadline hits mid-market organizations where security teams already operate at capacity the hardest. AppSec unemployment remains near zero, and vendor backlogs for professional services extend months.
Google, Checkmarx, and Snyk Launch Agentic AI Development Tools Within Five Days
Three major vendors launched AI-powered development platforms within a five-day window. Google announced Antigravity, an agentic development platform promising autonomous code generation and testing workflows. Checkmarx unveiled Agentic AI for pre-commit vulnerability prevention. Snyk partnered with Continue to embed AI-powered security directly into IDE workflows.
Takeaways
When competitors launch similar capabilities simultaneously, it's usually responding to RFP requirements or conference positioning. The challenge for buyers: separating implementation quality from marketing claims.
Agentic AI promises can sound compelling until you ask about false positive rates, code context awareness, and merge velocity in production environments. Do your diligence. Give us a call :).
Seven Zero-Days Demonstrate Response Velocity Gap
This week delivered three Chrome zero-days under active exploitation, a Fortinet FortiWeb vulnerability exploited before public disclosure, widespread XWiki exploitation by RondoDox botnet, and critical vulnerabilities across Unifi Access and N-able N-central.
Fortinet's silent patching approach sparked fierce debate. The company patched a FortiWeb vulnerability before disclosing it publicly—while attackers were already exploiting it in the wild.
Takeaways
Seven zero-days in one week, each demanding immediate triage, is a continuation of the pace of exploits we've documented each week since we launched this weekly briefing.