Fortune 500 scrambles after Anthropic's warning of automated cyberattacks

Driving the news: Anthropic released a report last week detailing what it called the first known instance of a nation-state using AI agents to automate an espionage campaign.

• Anthropic said roughly 30 organizations were targeted and Claude Code automated up to 90% of the workload.

Zoom in: Since the report's release, executives have been flooding SecurityPal, a company that uses AI agents to vet the security of third-party vendors, with questions about the safety of their own tools and whether they rely on similar coding agents, SecurityPal CEO Pukar Hamal told Axios.

• "They were already asking a lot of questions about AI, but that's only gone up now since the news," Hamal said.
• SecurityPal's customers include major companies in the aviation, health care and financial services sectors, among others.

Reality check: Security researchers are questioning whether Anthropic's findings are truly the watershed moment the company suggests.

• "I continue to refuse to believe that attackers are somehow able to get these models to jump through hoops that nobody else can," Dan Tentler, executive founder of Phobos Group, told Ars Technica.
• Researchers have also noted that Anthropic's report omits details common in threat intelligence disclosures, such as indicators of compromise and examples of the prompts used to make Claude break its own rules.

• Hamal said executives on his company's security council have voiced similar frustrations about the lack of visibility.

Yes, but: That's true of many threat intelligence reports, Hamal said. For years, rising fears of lawsuits over sharing sensitive information have made cybersecurity firms more cautious.

The bottom line: Practicing cyber basics and keeping new AI agents on corporate servers, rather than exposing them to the open internet, is essential, Hamal said.

• "Take care of the basics," he said.

Go deeper: The age of AI-powered cyberattacks is here