Introduction
MITRE ATT&CK can tell you an attacker dumped credentials (T1003) and moved laterally over SSH (T1021). It cannot tell you those two steps were chosen, sequenced, and executed by an AI agent with no human in the loop. A new report from Anthropic’s red team argues that absence is now the most important thing the framework is missing — and on this, narrow as it is, they have a point.
Skill was the old dividing line
The report[1] maps 832 banned Claude accounts onto ATT&CK: 13,873 observations across all 14 tactics. The headline finding is a reframe, not a number. The actors that score highest aren’t the ones reaching for the most techniques. GTG-1002 — the Chinese state-sponsored operation Anthropic detected in September and disclosed in November[2] — hit a maximum risk score with 30 techniques, against a median of 16. Strip technical sophistication out of the scoring entirely and the top six actors keep their order. In the report’s words, “the dividing line between low and high-risk actors is no longer technical skill but orchestration.”
That reframe is useful, and it points somewhere worth taking seriously: if orchestration is the differentiator, the barrier to a competent intrusion drops to whoever can wire up an agent.
The gap is real — the precedent is not
Every move GTG-1002 made — reconnaissance, exploiting an internet-facing service, harvesting cloud credentials, lateral movement, exfiltration — was a standard ATT&CK technique with a standard ID. What has no ID is the thing that chose them, ran them on Kali through MCP tools, read the results, and picked the next step. Anthropic’s framing is that “autonomous killchain orchestration, real-time pivot decisions, and AI-directed execution with no human intervention don’t yet have ID numbers,” and that they are “in active conversations with MITRE” about adding cross-cutting categories for exactly this.
The first half is true. ATT&CK Enterprise v19, shipped in April[3], added nothing for agentic orchestration — there is no T-number for “the agent decided.”
The second half undersells MITRE by four years. The Center for Threat-Informed Defense named and tooled this exact problem in March 2022, when it launched Attack Flow — “Beyond Atomic Behaviors”[4] — precisely because “adversaries use sequences of techniques to achieve their goals.” Attack Flow models ordered actions with branching decision points. ATT&CK Campaigns arrived the same year as an intrusion-level container, and that is the tool MITRE actually reached for: v19 catalogues GTG-1002 as Campaign C0062, the “Anthropic AI-orchestrated Campaign”[5] — a labelled bag of existing techniques. The 2022 abstraction absorbed the 2025 operation, no new category required. So the gap is narrower than the pitch: core ATT&CK Enterprise has no orchestration object of its own, but “cross-cutting categories that chain techniques together” describes work MITRE started in 2022. The proposal is right, and late.
Concern is not capability
The risk numbers wrapped around the reframe deserve a second read, and the report supplies the disclaimer itself. The figure everyone quotes — medium-or-higher-risk actors jumping from 33% to 56% across the year — comes from an additive score the report is explicit is “not predictions of whether an attack will be successful; rather, they are measures of how concerning an AI-involved misuse case is.” It counts alarming attempts, not compromises. And the agent doing the alarming is, by Anthropic’s own account, one that “occasionally hallucinated credentials or claimed to have extracted secret information that was in fact publicly-available.” That is the vendor, not a critic, marking the distance between an agent that acts and an agent that succeeds.
Where it breaks
The pattern isn’t Anthropic-only, which is the best argument that it’s real: Gambit Security documented a single actor breaching nine Mexican government organizations with Claude Code running roughly 75% of the commands.[6]
But the same report is the clearest picture of the ceiling.
The agent only got past the guardrails with a jailbreak loaded as a persistent claude.md, and it stalled on lateral movement against patched, segmented hosts — the very behavior the navigator report singles out as the strongest marker of a high-risk actor.
Two genuinely end-to-end cases, both under eight months old: a real pattern, and a thin one.
The UK’s NCSC still puts fully autonomous attacks past 2027.[7]
What this means for defenders
If orchestration is the signal, atomic-technique detection has its blind spot in the obvious place. The tooling underneath was “overwhelmingly open source” — which is why Kevin Beaumont’s read on the espionage report was that “the operational impact should likely be zero — existing detections will work.”[8] He’s right, and that’s the point: your EDR catches the scanner and the web shell. What it doesn’t model is tempo — an adversary that pivots from a stolen credential to lateral movement in seconds rather than days, with no fatigue at hour five. That is the real case for a cross-cutting orchestration category, and it is a better case than cataloguing a new technique, because there is no new technique. The value is in the sequence — which is to say the answer looks less like a new T-number and more like Attack Flow, the thing MITRE already built.
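The tempo argument above can be written as a correlation over alerts that atomic detections already emit. This is an added example, not code from the report or from MITRE: the alert fields, the account and host names and the 60-second threshold are assumptions, and the sample alerts are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample: (timestamp, account, host, ATT&CK technique) tuples, as an
# EDR/SIEM might emit them after tagging atomic detections. All values are made up.
ALERTS = [
    ("2026-01-10T02:14:05", "svc-backup", "web01", "T1003"),  # credential dumping
    ("2026-01-10T02:14:19", "svc-backup", "db02", "T1021"),   # remote services
    ("2026-01-10T02:14:41", "svc-backup", "db03", "T1021"),
    ("2026-01-07T09:30:00", "jdoe", "wks17", "T1003"),
    ("2026-01-09T16:45:00", "jdoe", "fs01", "T1021"),         # days later: human pace
]

CRED_ACCESS = {"T1003"}  # technique IDs named in the article
LATERAL = {"T1021"}


def fast_pivots(alerts, max_gap=timedelta(seconds=60)):
    """Flag lateral movement that follows credential access on the same
    account within max_gap (threshold is an assumption; tune per environment).

    Returns a list of (account, source_host, destination_host, gap_seconds).
    """
    last_cred = {}  # account -> (time, host) of most recent credential-access alert
    hits = []
    # ISO-8601 timestamps in one format sort chronologically as strings.
    for ts, account, host, technique in sorted(alerts):
        when = datetime.fromisoformat(ts)
        if technique in CRED_ACCESS:
            last_cred[account] = (when, host)
        elif technique in LATERAL and account in last_cred:
            seen, src = last_cred[account]
            gap = when - seen
            # Same two alerts fire for both actors; only the interval differs.
            if host != src and gap <= max_gap:
                hits.append((account, src, host, gap.total_seconds()))
    return hits


if __name__ == "__main__":
    for account, src, dst, gap in fast_pivots(ALERTS):
        print(f"{account}: {src} -> {dst} in {gap:.0f}s after credential access")
```

Both accounts trigger the same two technique detections; only the interval between them separates the machine-paced sequence from the one spread over days.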
The agent isn’t a new technique in the killchain. It’s a new operator running the old ones, faster and without sleep. The reframe is worth keeping; the risk explosion is worth reading twice; and the taxonomy should grow toward modeling the sequence — not toward pretending the map was ever the territory.
[1] Anthropic, “The LLM ATT&CK Navigator.” https://red.anthropic.com/2026/attack-navigator/
[2] Anthropic, “Disrupting the first reported AI-orchestrated cyber espionage campaign.” https://www.anthropic.com/news/disrupting-AI-espionage
[3] MITRE ATT&CK, “Versions of ATT&CK.” https://attack.mitre.org/resources/versions/
[4] Center for Threat-Informed Defense, “Attack Flow — Beyond Atomic Behaviors.” https://medium.com/mitre-engenuity/attack-flow-beyond-atomic-behaviors-c646675cc793
[5] MITRE ATT&CK, “Campaign C0062: Anthropic AI-orchestrated Campaign.” https://attack.mitre.org/campaigns/C0062/
[6] Gambit Security, “Technical Report: AI-Orchestrated Breach of Mexican Government Organizations.” https://cdn.prod.website-files.com/69944dd945f20ca4a27a7c47/69d8bb5aea59e31efb3b8a7f_Tech_Report_ai_breach_mex_gov.pdf
[7] SecurityWeek, “Cyber Insights 2026: Malware and Cyberattacks in the Age of AI.” https://www.securityweek.com/cyber-insights-2026-malware-and-cyberattacks-in-the-age-of-ai/
[8] BleepingComputer, “Anthropic claims of Claude AI automated cyberattacks met with doubt.” https://www.bleepingcomputer.com/news/security/anthropic-claims-of-claude-ai-automated-cyberattacks-met-with-doubt/