By Brandon Campbell
Ultimate-Survival
January 9, 2026
Congressional testimony on the first autonomous AI-powered nation-state attack reveals what changed, and why our defenses aren't built for it.
On December 17th, 2025, four witnesses testified before a joint session of House Homeland Security subcommittees about something that actually happened: a Chinese Communist Party-sponsored group used Anthropic's Claude to conduct largely autonomous cyber espionage against approximately 30 US targets.
The witnesses included Logan Graham from Anthropic's frontier red team, Royal Hansen from Google's security engineering organization, Eddie Zervigon from Quantum Exchange, and Michael Coates, the former Twitter CISO now running a cybersecurity venture fund.
Something else bothered me more than what the witnesses described. It was the gap between the threat they documented and the solutions they proposed.
From Assistance to Agency
The Anthropic incident represents what threat intelligence teams are now calling the shift "from assistance to agency."
Prior to this, AI was primarily a productivity tool for attackers: better phishing emails, faster reconnaissance, automated scripting. The September campaign is the first confirmed instance of AI agents conducting the majority of a cyberattack autonomously.
Graham's testimony laid out the mechanics:
- The attackers built a framework that used Claude to execute multi-stage operations with minimal human involvement.
- A human operator provided targets and general direction.
- Claude did the rest: autonomous reconnaissance against multiple targets in parallel, vulnerability scanning using third-party tools, exploit development, credential harvesting, and data exfiltration.
Human operators intervened only four to six times during the entire campaign for critical decisions.
Everything else ran autonomously at speeds Anthropic described as "thousands of requests per second" and "impossible for human hackers to match."
Graham estimated the model automated 80-90% of work that previously required humans.
The attackers were sophisticated:
- They used a private obfuscation network to hide their origin.
- They decomposed the attack into small tasks that individually looked benign but formed a malicious pattern when combined.
- And they deceived the model by framing tasks as ethical security testing.
Graham explained it directly: "They broke out the attack into small components that individually looked benign, but taken together form a broad pattern of misuse, and then they deceived the model into believing it was conducting ethical cybersecurity testing."
Where the Attack Started
Here's what makes this operationally different from every intrusion defenders have responded to before:
The attacker built the opening stages of the intrusion inside the AI system instead of inside the target company.
The reconnaissance, vulnerability research, and exploit development phases happened in Anthropic's API. The targets' security teams never saw those stages because they happened outside their infrastructure.
Traditional intrusion detection assumes you'll see early indicators: network reconnaissance, scanning activity, lateral movement attempts.
Security teams build alerting around those early-stage signals specifically to catch attacks before they reach objectives.
But if the opening stages happen in systems you don't monitor, your first visibility comes when the attacker is already executing against your infrastructure.
Michael Coates framed this directly in testimony: "Defenders are often no longer responding to early indicators, but to attacks that are already in progress."
This changes three fundamental assumptions about how attacks form and become visible:
- Defenders have to assume the opening phase can happen in systems they don't monitor.
- Oversight needs to connect related activity instead of evaluating actions in isolation.
- And detection can't rely on linear, human-shaped attack paths because AI systems create intrusion flows that don't follow the familiar stages defenders are trained to spot.
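The second point, connecting related activity instead of scoring each action alone, can be sketched as follows. This is an added example, not code from the testimony or from any vendor; the stage labels, risk scores, thresholds, and events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical per-request risk scores; each stays below the single-event threshold.
STAGE_RISK = {"recon": 0.2, "vuln_scan": 0.3, "exploit_dev": 0.45,
              "credential_access": 0.45, "exfiltration": 0.5}
SINGLE_EVENT_THRESHOLD = 0.6

# Constructed sample events (timestamp, account, stage, target); not real telemetry.
EVENTS = [
    ("2025-09-01T10:00:00", "acct-A", "recon", "org-1"),
    ("2025-09-01T10:02:00", "acct-A", "recon", "org-2"),
    ("2025-09-01T10:05:00", "acct-A", "vuln_scan", "org-1"),
    ("2025-09-01T10:20:00", "acct-A", "exploit_dev", "org-1"),
    ("2025-09-01T10:40:00", "acct-A", "credential_access", "org-2"),
    ("2025-09-01T09:00:00", "acct-B", "vuln_scan", "org-9"),
    ("2025-09-03T09:00:00", "acct-B", "recon", "org-9"),
    ("2025-09-01T11:00:00", "acct-C", "recon", "org-3"),
]

def isolated_alerts(events):
    """Score each request on its own, the way per-action review would."""
    return [e for e in events if STAGE_RISK[e[2]] >= SINGLE_EVENT_THRESHOLD]

def correlated_alerts(events, window=timedelta(hours=1), min_stages=3):
    """Flag accounts whose activity inside one time window spans several stages."""
    by_account = defaultdict(list)
    for ts, account, stage, target in events:
        by_account[account].append((datetime.fromisoformat(ts), stage, target))
    alerts = {}
    for account, rows in by_account.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it fits inside `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            in_window = rows[start:end + 1]
            stages = {stage for _, stage, _ in in_window}
            if len(stages) >= min_stages:
                targets = {target for _, _, target in in_window}
                alerts[account] = {"stages": sorted(stages), "targets": sorted(targets)}
    return alerts

if __name__ == "__main__":
    print("isolated:", isolated_alerts(EVENTS))
    print("correlated:", correlated_alerts(EVENTS))
```

No single event crosses the per-request threshold, yet acct-A is flagged once its requests are grouped by account and time window; acct-B's two events fall two days apart and never share a window.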
The Speed Problem I've Been Tracking
I've spent the past year trying to quantify how fast AI-driven attacks actually execute. Not theoretical speeds. Measured speeds from actual research and operational testing.
MIT's autonomous agent research demonstrated privilege escalation and exploit chaining in seconds to minutes compared to hours for human operators. Horizon3's NodeZero testing achieved full privilege escalation in about 60 seconds. CrowdStrike's 2023 threat hunting data reported average time from compromise to lateral movement at 79 minutes, with the fastest observed breakout times around 7 minutes.
We ran the math at SANS. Using 60-79 minutes as the human benchmark, AI-driven workflows complete the same steps about 120 to 158 times faster.
To keep the figure conservative and credible, we halved those values and set the public number at 47x. That's a speedup already achievable with publicly available tools like Metasploit. APT-level capabilities are likely much greater.
A decade ago, the advanced persistent threats I helped investigate took three to six months walking through the kill chain from initial compromise to operational goals. By 2023, that timeframe compressed to weeks. Now, with AI reasoning capabilities, movement through networks is measured in seconds. Speed is no longer a metric. It's the decisive weapon.
This context matters for understanding what happened in the hearing. Anthropic detected the campaign within two weeks of first confirmed offensive activity. That's actually a fast response time given detection complexity.
But during those two weeks, an AI system making thousands of requests per second had continuous access to attempt operations against 30 targets.
The ratio of attack velocity to detection velocity is the problem.
The Coordination Answer to a Speed Problem
Chair Ogles closed the hearing by asking all four witnesses what DHS and CISA should prioritize with limited resources.
Graham: Threat intelligence sharing.
Hansen: Modernization.
Coates: Information sharing on emerging threats.
Zervigon: Transport layer protection.
Information sharing was the consensus answer from the experts in the room.
That's a human coordination solution to a problem that no longer operates at human speed or follows human-visible attack patterns.
I don't want to dismiss the value of information sharing. ISACs and ISAOs exist because of sustained effort from people who understood that defenders need visibility into what attackers are doing. That work matters. But information sharing helps humans coordinate with other humans. It doesn't address what happens when attacks form in systems defenders can't see, execute 47 times faster than human benchmarks, and no longer follow the linear progression our detection tools expect.
Royal Hansen came closest to naming the real capability gap. He used the cobbler's children metaphor:
"There are far more defenders in the world than there are attackers, but we need to arm them with that same type of automation. The defenders have to put shoes on. They have to use AI in defense."
Hansen described specific tools Google already built: Big Sleep and OSS-Fuzz for discovering zero-day vulnerabilities before attackers find them, and CodeMender, an AI agent that automatically fixes critical code vulnerabilities, performs root cause analysis, and validates its own patches. This is AI operating at machine speed on the defensive side.
The capability exists. The question is whether defensive teams deploy it fast enough, and whether they have the legal clarity to operate it.
