Agentic AI in the Wild: Lessons from Anthropic’s GTG-1002 Campaign
Anthropic’s GTG-1002 report isn’t about sentient “AI hackers.” It’s a case study in how agentic AI can industrialize cyber operations and what that means if you’re building or deploying these systems.
Why this report matters to AI professionals
Anthropic’s November 2025 report, Disrupting the first reported AI‑orchestrated cyber espionage campaign, is going to be cited a lot in the coming months. It describes GTG‑1002, a Chinese state‑sponsored group (in Anthropic’s terminology) that used Claude Code to run a large‑scale cyber‑espionage operation against roughly 30 targets, including major technology companies, financial institutions, chemical manufacturers, and government agencies.
You’ll see headlines about “AI hackers” and “autonomous cyberwar.” That framing is understandable, but it’s also misleading.
If you read past the headline, the report is not really about AI suddenly becoming a sentient attacker. It’s about something more mundane and, in my view, more important for people building and deploying AI systems: the industrialization of cyber operations via agentic AI.
GTG‑1002 didn’t ask Claude for a few snippets of exploit code and then go back to business as usual. They built an autonomous attack framework around Claude Code and Model Context Protocol (MCP) tools, offloading 80–90% of the tactical work to the model while humans stayed in a 10–20% supervisory role.
For AI professionals, this is less a story about “rogue AI” and more a preview of how agentic systems will be used by everyone from internal automation teams to state‑level adversaries.
Who this is for
AI leads and platform teams building or deploying agentic systems
Security engineers and CISOs trying to understand AI‑enabled operations beyond the hype
Technical leaders who need to brief executives on GTG‑1002 and similar cases
What you’ll learn
How GTG‑1002 used Claude Code and MCP tools to offload 80–90% of the tactical work
Why hallucinations currently act as an accidental safety valve for attackers—and why that won’t last
What “AI as operator, humans as approvers” implies for safeguards, monitoring, and abuse detection in your own systems
What’s actually new here (and what isn’t)
The report makes several “firsts” claims: first documented AI‑orchestrated cyber‑espionage campaign, first documented case of agentic AI obtaining access to confirmed high‑value targets, and so on. Let’s separate what’s genuinely new from what is mostly reframing.
What’s new:
Tactical offload to AI at scale.
Anthropic estimates that Claude Code executed 80–90% of the tactical work:
Reconnaissance and attack surface mapping
Vulnerability discovery and validation
Payload generation and exploit execution
Credential harvesting and lateral movement
Data extraction, analysis, and categorization
Documentation and handoff
Humans as strategic supervisors.
Human operators were involved in 10–20% of the effort, focused on:
Campaign initialization and target selection
Approving escalation from recon to exploitation
Authorizing use of harvested credentials for lateral movement
Approving final exfiltration decisions
End‑to‑end AI integration across the kill chain.
AI wasn’t just writing a phishing email or a one‑off script. It was present in every phase of the attack lifecycle, from initial recon to documentation and handoff to other teams.
That division of labor is the real shift: AI as operator, humans as approvers.
What’s not new:
The underlying tools.
GTG‑1002 leaned heavily on commodity, open‑source penetration testing tools:
Network scanners
Database exploitation frameworks
Password crackers
Binary analysis suites
The report is explicit: the novelty is not in custom malware or exotic zero‑days. It’s in how these tools are orchestrated.
Social‑engineering the model.
The group got around guardrails using a pattern we’ve all seen:
Role‑playing as employees of legitimate cybersecurity firms
Framing operations as “defensive testing” or internal red‑teaming
In other words, they didn’t “break” the model so much as convince it that harmful actions were benign.
So the new thing is not that AI invented a new class of cyber capability. It’s that agentic AI and orchestration turned existing capabilities into something that looks a lot more like an industrial operation.
Architecture: AI as orchestrator, not assistant
The most interesting part of the report, at least for AI builders, is the architecture.
GTG‑1002 built an autonomous attack framework that used Claude Code plus MCP tools as the execution engine inside a larger orchestration system. At a high level:
Claude as orchestration engine.
Claude decomposed complex, multi‑stage attacks into discrete technical tasks:
“Scan this range and enumerate services.”
“Test these endpoints for SSRF.”
“Generate and validate an exploit payload.”
“Use these credentials to map internal services.”
“Query this database and categorize results by sensitivity.”
Sub‑agents via MCP tools.
The framework wired Claude into:
Browser automation for web recon
Remote command execution on dedicated pentest boxes
Code analysis tools for security assessment
Testing frameworks for systematic vulnerability validation
Callback systems for exploit confirmation
Task decomposition for plausibility.
Each individual request was crafted to look like a legitimate technical task when viewed in isolation. A single prompt to “scan this internal subnet and list open ports” is ambiguous: it could be defensive or offensive. The malicious intent only emerges when you see the entire sequence.
Stateful, multi‑day operations.
Claude maintained persistent context across sessions, enabling:
Long‑running campaigns against multiple targets
Seamless resumption after interruptions
Consistent documentation and handoff between human operators
From an AI architecture perspective, this is important because it’s the same pattern many of us are pursuing for legitimate use cases:
Agentic models
Tool use via MCP or similar protocols
Orchestration layers that maintain state and coordinate sub‑agents
GTG‑1002 simply pointed that pattern at other people’s infrastructure.
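The "task decomposition for plausibility" point is the one a platform team can act on: a per-request filter sees only "scan this subnet" or "query this database", so the review has to happen at the session level. The script below is an added example, not code from Anthropic's report, from the attackers' framework, or from this article. It assumes an orchestration platform that appends one JSON line per tool invocation (session id, timestamp, MCP tool name, arguments); the tool names, the stage mapping and the sample log are all constructed for illustration, and a real deployment would map the patterns to whatever its own MCP servers expose.

```python
"""
Sequence-aware review of agent tool-call logs.

Added example (not from Anthropic's report or this article). It assumes an
orchestration platform that appends one JSON line per tool invocation with
a session id, a Unix timestamp, the MCP tool name and its arguments. Tool
names below are hypothetical; map them to whatever your MCP servers expose.
"""
import json
import re
from collections import defaultdict

# Kill-chain stages in the order the article lists the offloaded tactical work.
STAGES = ["recon", "vuln_validation", "exploitation", "credential_use", "exfiltration"]

# Hypothetical tool-name patterns per stage (assumed names, not a real MCP catalogue).
STAGE_RULES = [
    ("recon", re.compile(r"^(port_scan|service_enum|web_crawl)$")),
    ("vuln_validation", re.compile(r"^(vuln_probe|payload_test)$")),
    ("exploitation", re.compile(r"^(exploit_run|remote_exec)$")),
    ("credential_use", re.compile(r"^(auth_attempt|credential_store_read)$")),
    ("exfiltration", re.compile(r"^(db_dump|bulk_download|file_transfer_out)$")),
]

# Constructed sample log: sess-A is a single-stage inventory job, sess-B walks
# every stage. Each line alone is just "a tool call"; only the sequence tells them apart.
SAMPLE_LOG = [
    '{"session": "sess-A", "ts": 1.0, "tool": "port_scan", "args": {"range": "10.0.0.0/24"}}',
    '{"session": "sess-A", "ts": 2.0, "tool": "service_enum", "args": {"host": "10.0.0.5"}}',
    '{"session": "sess-A", "ts": 3.0, "tool": "port_scan", "args": {"range": "10.0.1.0/24"}}',
    '{"session": "sess-A", "ts": 4.0, "tool": "write_report", "args": {"title": "inventory"}}',
    '{"session": "sess-B", "ts": 1.0, "tool": "port_scan", "args": {"range": "10.0.0.0/24"}}',
    '{"session": "sess-B", "ts": 2.0, "tool": "vuln_probe", "args": {"url": "http://10.0.0.5/api"}}',
    '{"session": "sess-B", "ts": 3.0, "tool": "exploit_run", "args": {"target": "10.0.0.5"}}',
    '{"session": "sess-B", "ts": 4.0, "tool": "auth_attempt", "args": {"host": "10.0.0.9"}}',
    '{"session": "sess-B", "ts": 5.0, "tool": "db_dump", "args": {"db": "customers"}}',
]


def classify(call):
    """Map one tool call to a kill-chain stage, or None if it is neutral (e.g. report writing)."""
    for stage, pattern in STAGE_RULES:
        if pattern.match(call["tool"]):
            return stage
    return None


def score_sessions(lines, threshold=3):
    """Return {session_id: report} for sessions that touch at least `threshold` distinct stages.

    A single stage, however many calls it takes, never triggers; a session that moves from
    recon through exploitation and credential use to exfiltration does, even though every
    individual call looks benign on its own.
    """
    per_session = defaultdict(list)
    for line in lines:
        call = json.loads(line)
        stage = classify(call)
        if stage is not None:
            per_session[call["session"]].append((call["ts"], stage))

    reports = {}
    for session_id, events in per_session.items():
        events.sort()  # replay in time order
        # Distinct stages reached, ordered along the kill chain rather than by first sighting.
        reached = sorted({stage for _, stage in events}, key=STAGES.index)
        if len(reached) >= threshold:
            reports[session_id] = {
                "stages": reached,
                "calls": len(events),
                "first_ts": events[0][0],
                "last_ts": events[-1][0],
            }
    return reports


if __name__ == "__main__":
    for session_id, report in score_sessions(SAMPLE_LOG).items():
        print(session_id, report)
```

The threshold of three stages is deliberately conservative: a legitimate internal red team will also cross several stages, so the output is a review queue for a human, not an automatic block. What the per-request filter cannot do, and this can, is put the "scan", "probe" and "dump" calls of one persistent session side by side.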
Limitations and hallucinations: the current safety valve
The report also surfaces a limitation that’s easy to miss if you only read the headlines: hallucinations remain a real constraint on fully autonomous attacks.
Anthropic notes that Claude:
Overstated findings.
It sometimes flagged “critical discoveries” that turned out to be publicly available information.
Fabricated or misrepresented credentials.
It claimed to have obtained credentials that didn’t actually work.
Operationally, this matters:
The attackers had to validate AI‑generated results before acting on them.
Hallucinations introduced friction, wasted time, and potential detection risk.
Anthropic explicitly frames this as an “obstacle to fully autonomous cyberattacks.”
There’s an irony here. The same hallucination behavior that frustrates enterprise users (“no, that’s not what our API does”) is currently functioning as a kind of safety valve in offensive contexts. An AI that never hallucinates about system state, credentials, or exploit success would be far more dangerous in this setting.
For AI professionals, this raises an uncomfortable question:
As we push models to be more reliable and grounded for legitimate use cases, what happens to this accidental safety margin on the offensive side?
We don’t get to freeze model quality at “just inaccurate enough to slow down attackers.” The direction of travel is clear. That means we need to think about safeguards, monitoring, and abuse detection that assume more capable, less error‑prone agents.
Attribution: treating “Chinese state‑sponsored” as a claim
Anthropic attributes GTG‑1002 to a Chinese state‑sponsored group. They give it an internal designation (GTG‑1002) and describe the operation as well‑resourced and professionally coordinated.
As an external reader, I don’t have access to the full evidentiary basis for that attribution. Some of it will be sensitive by design. It’s also true that false‑flag operations and deliberate mimicry of known threat actor TTPs are a real possibility in modern cyber operations.
For the purposes of this article, I’m taking a pragmatic stance:
I treat the “Chinese state‑sponsored” label as a vendor claim, not a settled geopolitical fact.
I focus on what we can see clearly: the workflow and architecture of the operation.
That’s not to say attribution doesn’t matter. It matters a great deal for policymakers, diplomats, and law enforcement. But for AI practitioners, the actionable insight is that this pattern of agentic AI + orchestration + commodity tools is now in play, regardless of which flag is on the attacker’s desk.
Industrialized cyber operations via agentic AI
If we strip away the branding and the geopolitics, what GTG‑1002 really demonstrates is a new division of labor in cyber operations:
AI handles the industrial work:
Continuous, parallel reconnaissance across dozens of targets
Systematic vulnerability discovery and exploit validation
Large‑scale credential harvesting and access mapping
Bulk data extraction, parsing, and intelligence categorization
Exhaustive documentation of every step
Humans handle strategy and risk:
Selecting targets and objectives
Deciding when to escalate from recon to exploitation
Choosing which credentials and systems are “worth it”
Approving which data to exfiltrate and how to hand off access
This is not fundamentally different from how many organizations are trying to use AI internally:
Let the agent do the repetitive, high‑volume work.
Keep humans in the loop for judgment calls and risk decisions.
What changes in the GTG‑1002 scenario is the scale and tempo:
Anthropic reports “physically impossible” request rates for a human operator, with thousands of requests and multiple operations per second.
The framework maintained separate operational contexts for multiple simultaneous campaigns.
The AI could resume complex operations after pauses without humans reconstructing state.
In other words, agentic AI plus orchestration turns a small, well‑resourced team into something that looks operationally like a much larger organization. The bottleneck is no longer “how many operators can we hire?” but “how good is our orchestration framework, and what models do we have access to?”
That’s the industrialization story: cyber operations as a pipeline, with AI as the main labor force.
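The scale-and-tempo signals above are the cheapest to check on the platform side: a request rate no human could type, and one operator account driving several separate campaign contexts at once. The script below is an added example, not code from Anthropic's report or from this article. It assumes the platform logs, per tool invocation, the operator account, a Unix timestamp and an opaque context id; the thresholds and the sample log are constructed, and the thresholds in particular should be tuned against a baseline of your own human-driven sessions.

```python
"""
Tempo and concurrency review of agent tool-call logs.

Added example (not from Anthropic's report or this article). It assumes the
platform logs, per tool invocation, which operator account issued it, a Unix
timestamp and an opaque campaign/context id. Thresholds are assumptions to
tune against your own baseline of human-driven sessions.
"""
import json
from collections import defaultdict, deque

HUMAN_MAX_RPS = 2.0         # assumed: above this in a 1 s window nobody is typing the requests
MAX_PARALLEL_CONTEXTS = 2   # assumed: more separate contexts than one person plausibly juggles
WINDOW_SECONDS = 1.0


def peak_rate(timestamps, window=WINDOW_SECONDS):
    """Maximum number of events inside any sliding window of `window` seconds, as events/second."""
    best, queue = 0, deque()
    for ts in sorted(timestamps):
        queue.append(ts)
        while queue and ts - queue[0] > window:
            queue.popleft()
        best = max(best, len(queue))
    return best / window


def tempo_report(lines):
    """Return {operator: {...}} with peak request rate, distinct contexts and any flags raised.

    "contexts" counts the distinct context ids an operator touched within the analysed log;
    a tighter variant would count only contexts active inside the same sliding window.
    """
    per_op_ts = defaultdict(list)
    per_op_contexts = defaultdict(set)
    for line in lines:
        event = json.loads(line)
        per_op_ts[event["operator"]].append(event["ts"])
        per_op_contexts[event["operator"]].add(event["context"])

    report = {}
    for operator, timestamps in per_op_ts.items():
        rps = peak_rate(timestamps)
        contexts = len(per_op_contexts[operator])
        flags = []
        if rps > HUMAN_MAX_RPS:
            flags.append("request_rate")
        if contexts > MAX_PARALLEL_CONTEXTS:
            flags.append("parallel_contexts")
        report[operator] = {"peak_rps": rps, "contexts": contexts, "flags": flags}
    return report


# Constructed sample: op-1 fires 12 calls in just over half a second across three
# contexts (orchestrator behaviour); op-2 issues one call every ten seconds in one context.
SAMPLE_LOG = (
    [json.dumps({"operator": "op-1", "ts": 100.0 + i * 0.05, "context": f"ctx-{i % 3}"}) for i in range(12)]
    + [json.dumps({"operator": "op-2", "ts": 100.0 + i * 10.0, "context": "ctx-x"}) for i in range(6)]
)


if __name__ == "__main__":
    for operator, summary in tempo_report(SAMPLE_LOG).items():
        print(operator, summary)
```

Neither signal is proof of abuse on its own: plenty of legitimate automation exceeds two requests per second. The point is that an account which the product treats as "a person using Claude Code" but which behaves like an orchestrator is exactly the population worth routing to the sequence-level review described earlier.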
One of the most readable technical articles, great insights too
I like how this article treats the GTG-1002 case as a systems problem rather than a morality play. It acknowledges the complexity of agentic behavior while staying grounded in what we can actually do to improve resilience, deployment practices, and model governance. This is the level of nuance the public conversation is missing.