
The AI-Powered Attack That Breaks Our Detection Model: What the December 17 Hearing Revealed About the State of Cyber Defense

Congressional testimony on the first autonomous AI-powered nation-state attack reveals what changed, and why our defenses aren’t built for it

Authored by Rob T. Lee

On December 17th, 2025, four witnesses testified before a joint session of House Homeland Security subcommittees about something that actually happened: a Chinese Communist Party-sponsored group used Anthropic’s Claude to conduct largely autonomous cyber espionage against approximately 30 US targets.

The witnesses included Logan Graham from Anthropic’s frontier red team, Royal Hansen from Google’s security engineering organization, Eddie Zervigon from Quantum Xchange, and Michael Coates, the former Twitter CISO now running a cybersecurity venture fund.

Something else bothered me more than what the witnesses described. It was the gap between the threat they documented and the solutions they proposed.

From Assistance to Agency

The Anthropic incident represents what threat intelligence teams are now calling the shift “from assistance to agency.”

Prior to this, AI was primarily a productivity tool for attackers: better phishing emails, faster reconnaissance, automated scripting. The September campaign is the first confirmed instance of AI agents conducting the majority of a cyberattack autonomously.

Graham’s testimony laid out the mechanics:

  • The attackers built a framework that used Claude to execute multi-stage operations with minimal human involvement.
  • A human operator provided targets and general direction.
  • Claude did the rest: autonomous reconnaissance against multiple targets in parallel, vulnerability scanning using third-party tools, exploit development, credential harvesting, and data exfiltration.

Human operators intervened only four to six times during the entire campaign for critical decisions.

Everything else ran autonomously at speeds Anthropic described as “thousands of requests per second” and “impossible for human hackers to match.”

Graham estimated the model automated 80-90% of work that previously required humans.

The attackers were sophisticated:

  • They used a private obfuscation network to hide their origin.
  • They decomposed the attack into small tasks that individually looked benign but formed a malicious pattern when combined.
  • And they deceived the model by framing tasks as ethical security testing.

Graham explained it directly: “They broke out the attack into small components that individually looked benign, but taken together form a broad pattern of misuse, and then they deceived the model into believing it was conducting ethical cybersecurity testing.”

Where the Attack Started

Here’s what makes this operationally different from every intrusion defenders have responded to before:

The attacker built the opening stages of the intrusion inside the AI system instead of inside the target company.

The reconnaissance, vulnerability research, and exploit development phases happened in Anthropic’s API. The targets’ security teams never saw those stages because they happened outside their infrastructure.

Traditional intrusion detection assumes you’ll see early indicators: network reconnaissance, scanning activity, lateral movement attempts.

Security teams build alerting around those early-stage signals specifically to catch attacks before they reach objectives.

But if the opening stages happen in systems you don’t monitor, your first visibility comes when the attacker is already executing against your infrastructure.

Michael Coates framed this directly in testimony: “Defenders are often no longer responding to early indicators, but to attacks that are already in progress.”

This changes three fundamental assumptions about how attacks form and become visible:

  • Defenders have to assume the opening phase can happen in systems they don’t monitor.
  • Oversight needs to connect related activity instead of evaluating actions in isolation.
  • And detection can’t rely on linear, human-shaped attack paths because AI systems create intrusion flows that don’t follow the familiar stages defenders are trained to spot.

The Speed Problem I’ve Been Tracking

I’ve spent the past year trying to quantify how fast AI-driven attacks actually execute. Not theoretical speeds. Measured speeds from actual research and operational testing.

MIT’s autonomous agent research demonstrated privilege escalation and exploit chaining in seconds to minutes compared to hours for human operators. Horizon3’s NodeZero testing achieved full privilege escalation in about 60 seconds. CrowdStrike’s 2023 threat hunting data reported average time from compromise to lateral movement at 79 minutes, with the fastest observed breakout times around 7 minutes.

We ran the math at SANS. Using 60-79 minutes as the human benchmark, AI-driven workflows complete the same steps about 120 to 158 times faster.

To keep the figure conservative and credible, we halved those values and set the public number at 47x. That’s a speedup already achievable with publicly available tools like Metasploit. APT-level capabilities are likely much greater.

A decade ago, the advanced persistent threats I helped investigate took three to six months walking through the kill chain from initial compromise to operational goals. By 2023, that timeframe compressed to weeks. Now, with AI reasoning capabilities, movement through networks is measured in seconds. Speed is no longer a metric. It’s the decisive weapon.

This context matters for understanding what happened in the hearing. Anthropic detected the campaign within two weeks of the first confirmed offensive activity. That’s actually a fast response time given the detection complexity.

But during those two weeks, an AI system making thousands of requests per second had continuous access to attempt operations against 30 targets.

The ratio of attack velocity to detection velocity is the problem.

The Coordination Answer to a Speed Problem

Chair Ogles closed the hearing by asking all four witnesses what DHS and CISA should prioritize with limited resources.

Graham: Threat intelligence sharing.

Hansen: Modernization.

Coates: Information sharing on emerging threats.

Zervigon: Transport layer protection.

Information sharing was the consensus answer from the experts in the room.

That’s a human coordination solution to a problem that no longer operates at human speed or follows human-visible attack patterns.

I don’t want to dismiss the value of information sharing. ISACs and ISAOs exist because of sustained effort from people who understood that defenders need visibility into what attackers are doing. That work matters. But information sharing helps humans coordinate with other humans. It doesn’t address what happens when attacks form in systems defenders can’t see, execute 47 times faster than human benchmarks, and no longer follow the linear progression our detection tools expect.

Royal Hansen came closest to naming the real capability gap. He used the cobbler’s children metaphor:

“There are far more defenders in the world than there are attackers, but we need to arm them with that same type of automation. The defenders have to put shoes on. They have to use AI in defense.”

Hansen described specific tools Google already built: Big Sleep and OSS-Fuzz for discovering zero-day vulnerabilities before attackers find them, and CodeMender, an AI agent that automatically fixes critical code vulnerabilities, performs root cause analysis, and validates its own patches. This is AI operating at machine speed on the defensive side.

The capability exists. The question is whether defensive teams deploy it fast enough, and whether they have the legal clarity to operate it.

The Unsolved Asymmetry Problem

Chair Ogles said something in his closing remarks that nobody in the room fully addressed:

“Our adversaries are not going to use guardrails. I would argue that they would, quite frankly, be reckless in achieving this goal.”

He’s right. I published a paper for RSA 2025 called “From Asymmetry to Parity: Building a Safe Harbor for AI-Driven Cyber Defense.” The core thesis: the protection of citizens through privacy laws has created an ironic situation where these measures could actually empower cybercriminals by restricting defenders’ data access and technology utilization.

Every witness in that hearing talked about safeguards: Anthropic’s detection mechanisms, Google’s Secure AI Framework, responsible disclosure practices. All necessary work. All constrained to US companies operating under US norms and US laws.

Chinese state-backed models don’t have the safety constraints US labs build into their systems. Criminal organizations using tools like WormGPT operate without acceptable use policies or red teams looking for misuse. Meanwhile, defenders operating under GDPR, CCPA, and the EU AI Act face operational constraints attackers simply don’t have.

The operational friction is real and measurable.

  • GDPR (Article 22) restricts decisions based solely on automated processing that have legal or similarly significant effects, which in practice puts a human in the loop and stretches breach containment from seconds to minutes.
  • Cross-border incident response gets delayed because responders need legal permission and data handling agreements before AI analysis of pooled data, even while the attack is active.
  • Security teams face GDPR violations or lawsuits when using AI to analyze employee emails, but attackers face no such restrictions when using stolen emails to develop personalized scams.

The current unbalanced regulations may create a safer environment for attackers to operate in than for defenders who seek to protect themselves against attacks.

The DeepSeek Problem and the Framework of No

Graham testified about asymmetry from a different angle:

US companies integrating DeepSeek models are “essentially delegating decision making and trust to China.” Coates backed this up with CrowdStrike research published in November showing DeepSeek generates more vulnerable code when prompts mention topics unfavorable to the CCP.

The baseline vulnerability rate was 19%. When prompts mentioned Tibet, that rose to 27.2%, a relative increase of roughly 43%. For Falun Gong references, the model refused to generate code 45% of the time despite planning valid responses in its reasoning traces. That’s bias embedded in model weights, not external filters that can be removed.

This connects to something I’ve been writing about for the past year that I call the Framework of No. Most security teams have spent the past two years responding to AI requests with variations of “no” while waiting for perfect policies, perfect tools, perfect understanding. Meanwhile, 96% of employees use AI tools. 70% use them without permission. That’s shadow AI.

The Framework of No doesn’t stop AI usage. It drives AI usage into shadows where security teams can’t see it, can’t govern it, can’t log it. The solution isn’t more prohibition. It’s bringing shadow AI into sunlight where you can actually see what’s happening.

The DeepSeek testimony shows what happens when the Framework of No meets geopolitics.

Companies choosing cheaper or more capable Chinese AI tools are accepting security risks they may not understand. But security teams saying “no” to all AI doesn’t solve that problem. It just means the shadow AI your employees are using might have nation-state bias baked in, and you won’t know because you’re not watching.

What Actually Needs to Happen

I don’t want to criticize testimony without offering what I think was missing.

First, defenders need to adjust detection models for attacks that form outside monitored infrastructure. If the opening stages happen in commercial AI APIs or self-hosted attacker infrastructure, early detection either requires visibility into systems we don’t control or assumes we’ll only see attacks once they’re already in motion. That changes what “early indicator” means operationally.
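One concrete form this adjustment can take, for the “connect related activity” and “non-linear attack path” assumptions laid out earlier as well as the first point above, is to stop scoring each observed action on its own and instead score what one principal (an API key, a service account, a session) has touched inside a time window. The Python below is an added example written for this page, not code from the article, from Anthropic, or from the hearing. It assumes a log pipeline that already tags each action with a principal and a coarse stage label; the stage names, weights, threshold, window and the log lines are all constructed for the illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical stage labels and weights a log pipeline might assign. The numbers
# are chosen so that no single stage reaches the threshold on its own: each
# action looks benign in isolation, exactly the decomposition Graham described.
STAGE_WEIGHTS = {"recon": 1, "scan": 1, "exploit_dev": 2, "cred_access": 2, "exfil": 3}
ALERT_THRESHOLD = 4
WINDOW = timedelta(hours=6)


@dataclass
class Event:
    ts: datetime
    principal: str   # API key, account or session the action ran under
    stage: str
    detail: str


def parse_line(line: str) -> Event:
    """Constructed line format: '<ISO timestamp> <principal> <stage> <free text>'."""
    ts, principal, stage, detail = line.split(" ", 3)
    return Event(datetime.fromisoformat(ts), principal, stage, detail)


def score_isolated(event: Event) -> int:
    """What a per-event rule sees: one stage, one weight, never enough to alert."""
    return STAGE_WEIGHTS.get(event.stage, 0)


def correlate(events, window=WINDOW, threshold=ALERT_THRESHOLD):
    """Score the distinct stages each principal touched inside a sliding window.

    Emits an alert whenever the combined score of the window meets the threshold
    and the set of stages has grown since the last alert for that principal.
    """
    recent = defaultdict(deque)   # principal -> events still inside the window
    last_alerted = {}             # principal -> frozenset of stages already alerted on
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        buf = recent[ev.principal]
        buf.append(ev)
        while ev.ts - buf[0].ts > window:   # age out events older than the window
            buf.popleft()
        stages = frozenset(e.stage for e in buf)
        score = sum(STAGE_WEIGHTS.get(s, 0) for s in stages)
        if score >= threshold and stages != last_alerted.get(ev.principal):
            last_alerted[ev.principal] = stages
            alerts.append({"principal": ev.principal, "ts": ev.ts,
                           "stages": sorted(stages), "score": score})
    return alerts


# Constructed sample log, not real telemetry. key-A strings the stages together
# within hours; key-B looks like a routine assessment and stops after scanning;
# key-C performs the same stages as key-A but a day apart each.
SAMPLE_LOG = """\
2025-09-14T01:00:00 key-A recon enumerate subdomains of target.example
2025-09-14T01:05:00 key-A scan run vulnerability scanner against 203.0.113.10
2025-09-14T01:40:00 key-A exploit_dev draft exploit for the finding reported by the scan
2025-09-14T02:15:00 key-A cred_access parse dumped credential store
2025-09-14T03:00:00 key-A exfil package and upload database export
2025-09-14T02:00:00 key-B recon enumerate subdomains of client.example
2025-09-14T02:10:00 key-B scan run vulnerability scanner against 198.51.100.7
2025-09-10T09:00:00 key-C recon enumerate subdomains of target.example
2025-09-11T09:00:00 key-C scan run vulnerability scanner against 203.0.113.20
2025-09-12T09:00:00 key-C exploit_dev draft exploit for the finding reported by the scan
2025-09-13T09:00:00 key-C cred_access parse dumped credential store
"""
SAMPLE_EVENTS = [parse_line(l) for l in SAMPLE_LOG.splitlines()]


def isolated_max_score(events=SAMPLE_EVENTS) -> int:
    """Highest score any single event reaches: below the threshold for every line."""
    return max(score_isolated(e) for e in events)


if __name__ == "__main__":
    print("highest single-event score:", isolated_max_score())
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
    print("with a 5-day window:", {a["principal"] for a in correlate(SAMPLE_EVENTS, window=timedelta(days=5))})
```

Run stand-alone, it shows that no line in the sample ever scores above 3 on its own, while key-A trips the correlator at its third action and again as each further stage appears. The caveat is in key-C: the same chain spread over four days never alerts with a six-hour window, and only shows up when the window is widened to five days. Window length is therefore a tuning decision between catching slow operators and keeping per-principal state small, and a correlator like this is only as good as the principal attribution in the underlying logs; a private obfuscation network of the kind the attackers used is precisely an attempt to split one campaign across many apparent principals.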

Second, defenders need AI-powered tools that operate at machine speed. Not better coordination between humans. Actual AI systems that can detect, investigate, and respond at the same velocity attackers operate. Hansen mentioned this with CodeMender. The tools exist. The question is deployment speed across the defender ecosystem.

Third, defenders need legal clarity. The RSA paper I wrote calls for a cybersecurity safe harbor that establishes a protection system granting immunity to entities performing defense in good faith while staying within defined boundaries. The Cybersecurity Information Sharing Act of 2015 (CISA 2015, the statute rather than the agency) already provides liability protection for companies sharing threat data according to specified requirements. It expires next month. Ranking Member Thanedar raised this in the hearing. He wants a ten-year extension approved immediately. Without that protection, information sharing slows to nothing.

Fourth, we need to be honest about guardrails. Guardrails on US models are necessary but not sufficient. They protect against misuse of those specific models. They don’t protect against Chinese models, Russian models, or criminal infrastructure operating without guardrails. The next attack won’t necessarily use Claude and get caught by Anthropic’s detection systems.

Fifth, security teams need to abandon the Framework of No and move toward what I call Sunlight AI. Bring the shadow AI that’s already happening into visibility where it can be governed. That’s how you find out your employees are using DeepSeek before the CrowdStrike research tells you why that’s a problem.
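The cheapest first step toward that visibility, for both the shadow AI point earlier and this fifth point, is usually data you already collect: the egress proxy or DNS logs already record which AI services your users reach, even when nobody has approved them. The Python below is an added example written for this page, not the author’s tooling or any vendor’s. It assumes a simplified proxy log line of timestamp, user, method, destination host and bytes sent (constructed here); the endpoint list is illustrative, with vendor API hostnames as I know them and policy labels that are purely hypothetical, and a real deployment would maintain its own.

```python
from collections import defaultdict
from datetime import datetime

# Illustrative classification of AI service endpoints. The hostnames are the
# vendors' public API hosts as I know them; the approved/not_approved labels are
# hypothetical policy, and a real list would be maintained per organisation.
AI_ENDPOINTS = {
    "api.anthropic.com": ("Anthropic", "approved"),
    "api.openai.com": ("OpenAI", "approved"),
    "generativelanguage.googleapis.com": ("Google", "approved"),
    "api.deepseek.com": ("DeepSeek", "not_approved"),
    "chat.deepseek.com": ("DeepSeek", "not_approved"),
}


def classify_host(host: str):
    """Return (vendor, status) for a listed endpoint or any subdomain of one.

    Matching is on DNS labels, not substrings, so 'api.anthropic.com.example.net'
    does not match 'api.anthropic.com'.
    """
    host = host.lower().rstrip(".")
    for endpoint, (vendor, status) in AI_ENDPOINTS.items():
        if host == endpoint or host.endswith("." + endpoint):
            return vendor, status
    return None


def parse_proxy_line(line: str) -> dict:
    """Constructed line format: '<ISO timestamp> <user> <method> <host> <bytes sent>'."""
    ts, user, method, host, sent = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "method": method,
            "host": host, "sent": int(sent)}


def inventory(lines):
    """Aggregate AI-bound traffic per (user, vendor): request count, bytes sent, policy status."""
    summary = defaultdict(lambda: {"requests": 0, "bytes_sent": 0, "status": None})
    for line in lines:
        rec = parse_proxy_line(line)
        hit = classify_host(rec["host"])
        if hit is None:
            continue                      # not an AI endpoint we track
        vendor, status = hit
        entry = summary[(rec["user"], vendor)]
        entry["requests"] += 1
        entry["bytes_sent"] += rec["sent"]   # upload volume is the rough proxy for what left
        entry["status"] = status
    return dict(summary)


def unapproved_usage(inv):
    """The list a security team actually needs: who is sending data to unapproved vendors."""
    return sorted((user, vendor, d["bytes_sent"])
                  for (user, vendor), d in inv.items() if d["status"] == "not_approved")


# Constructed sample proxy log; users, hosts outside the AI list and byte counts are invented.
SAMPLE_PROXY_LOG = """\
2025-12-01T09:02:11 alice POST api.anthropic.com 1800
2025-12-01T09:03:40 alice POST api.anthropic.com 2400
2025-12-01T09:10:05 bob POST api.deepseek.com 4100
2025-12-01T09:12:30 bob POST chat.deepseek.com 2100
2025-12-01T09:15:00 bob GET www.example.com 300
2025-12-01T09:20:45 carol POST api.openai.com 900
2025-12-01T09:22:00 dave GET api.anthropic.com.example.net 120
"""


if __name__ == "__main__":
    inv = inventory(SAMPLE_PROXY_LOG.splitlines())
    for (user, vendor), d in sorted(inv.items()):
        print(f"{user:6} {vendor:10} {d['requests']:3} req {d['bytes_sent']:6} B  {d['status']}")
    print("unapproved:", unapproved_usage(inv))
```

Proxy and DNS logs only give you the destination (from the CONNECT request or TLS SNI), not what was pasted into the prompt, so this inventory tells you who is talking to which vendor and how much they upload, which is enough to start the conversation the Framework of No was avoiding. Seeing the content itself requires routing sanctioned use through an AI gateway or an inspecting proxy, which is the point of bringing the usage into sunlight in the first place.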

Writing the Rules or Watching Them Get Written

Graham’s testimony included this line: “We have reached an inflection point in cybersecurity. It is now clear that sophisticated actors will attempt to use AI models to enable cyber attacks at unprecedented scale.”

He also put a time limit on the window:

“If advanced compute flows to the CCP, its national champions could train models that exceed US frontier cyber capabilities. Attacks from these models will be much more difficult to detect and deter.”

The response to an inflection point shouldn’t be more of what we’ve already been doing. Information sharing matters. Faster coordination matters. But when attacks form outside your infrastructure, execute at machine speed, and adapt dynamically during execution, the answer has to be capabilities that match what attackers are deploying.

Representative Luttrell asked the question that cuts to the operational reality:

“Are they lying in wait? Are they sleeping inside the program now and we missed it, and they’re watching you fix the problem, and they know how you fix it, and they’re going to test someone else that’s not as strong?”

Graham confirmed it:

“Sophisticated actors are now doing preparations for the next time, for the next model, for the next capability they can exploit.”

Anthropic caught this one and did everything right: detection, disruption, disclosure, testimony.

The question for the rest of us is what we do before the next attack uses infrastructure nobody is watching, executes at speeds we calculated at 47x faster than human benchmarks, and exploits the asymmetry between constrained defenders and unconstrained attackers.

Either we write the rules, or our adversaries write our future.

The hearing showed Congress understands the threat.

Now defenders need the tools, the legal clarity, and the operational freedom to respond.

The parity window is open. It won’t stay open.

Rob T. Lee is Chief AI Officer & Chief of Research, SANS Institute