AI-orchestrated attacks at machine speed: what IAM teams need now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: Anthropic's analysis of GTG-1002 describes a Chinese state-sponsored campaign that used Claude Code to run a familiar APT chain against about 30 entities, at sustained request rates and with 80% to 90% of execution performed autonomously. The real lesson is that static credentials, weak monitoring, and slow incident response now fail under machine-speed orchestration, not because the playbook changed but because the attack tempo did.

NHIMG editorial — based on content published by Clutch Security: The Anthropic GTG-1002 Report: Nothing New, But Your Controls Better Be Tight

By the numbers:

Questions worth separating out

Q: What fails when exposed NHI credentials can be tested at machine speed?

A: The main failure is the assumption that there will be enough time to notice and rotate a leaked secret before it is used.

Q: Why do service accounts with standing privilege increase lateral movement risk?

A: Because a valid service account can become a bridge into multiple internal systems once the attacker has the secret.

Q: How can security teams tell whether their controls are coping with AI-orchestrated intrusion?

A: Look for whether monitoring can detect repeated validation attempts, credential reuse, and fast pivoting between systems before data access occurs.

Practitioner guidance

  • Shorten the usable life of exposed secrets: replace static secrets with ephemeral credentials where possible, and set revocation processes to treat any public exposure as an immediate trust failure rather than a review item.
  • Reduce identity blast radius across internal systems: review which credentials can authenticate to APIs, databases, registries, and logging platforms.
  • Instrument for repeated authentication testing: watch for bursty validation patterns, especially many failures followed by a small number of successes across different systems.
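As an added illustration of the last point (example code written for this post, not taken from Clutch Security or Anthropic), the sliding-window check below flags an identity whose authentication events show a run of failures across several systems followed by a success. The log format, field names and sample lines are constructed assumptions; the thresholds are placeholders to tune against real telemetry.

```python
from collections import defaultdict, namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts source target ok")

# Constructed sample lines: "<ISO timestamp> <identity> <target system> <FAIL|SUCCESS>".
# svc-ci shows the burst pattern; alice is an ordinary mistyped password followed by a login.
SAMPLE_LOG = """\
2024-06-01T10:00:00 svc-ci api-gateway FAIL
2024-06-01T10:00:01 svc-ci api-gateway FAIL
2024-06-01T10:00:02 svc-ci registry FAIL
2024-06-01T10:00:03 svc-ci registry FAIL
2024-06-01T10:00:04 svc-ci logging FAIL
2024-06-01T10:00:05 svc-ci api-gateway FAIL
2024-06-01T10:00:06 svc-ci registry SUCCESS
2024-06-01T10:00:07 svc-ci logging SUCCESS
2024-06-01T10:05:00 alice vpn FAIL
2024-06-01T10:05:30 alice vpn SUCCESS
"""

def parse(line):
    """Parse one constructed log line into an Event (ok=True on SUCCESS)."""
    ts, source, target, outcome = line.split()
    return Event(datetime.fromisoformat(ts), source, target, outcome == "SUCCESS")

def detect_bursts(log, window=60, min_failures=5, min_targets=2):
    """Return {identity: summary} for identities whose events within any `window`
    seconds show >= min_failures failures before the first success, across >= min_targets systems."""
    by_source = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            ev = parse(line)
            by_source[ev.source].append(ev)
    alerts = {}
    for source, events in by_source.items():
        events.sort(key=lambda e: e.ts)
        for i, start in enumerate(events):
            win = [e for e in events[i:] if (e.ts - start.ts).total_seconds() <= window]
            first_ok = next((k for k, e in enumerate(win) if e.ok), None)
            if first_ok is None:
                continue  # no success in this window: nothing usable was obtained yet
            fails = [e for e in win[:first_ok] if not e.ok]
            targets = {e.target for e in win}
            if len(fails) >= min_failures and len(targets) >= min_targets:
                alerts[source] = {"failures": len(fails),
                                  "successes": sum(e.ok for e in win),
                                  "targets": sorted(targets)}
                break  # one alert per identity is enough
    return alerts
```

Running `detect_bursts(SAMPLE_LOG)` flags only `svc-ci`; the single failed then successful `alice` login stays below the thresholds.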

What's in the full article

Clutch Security's full blog post covers the operational detail this analysis intentionally leaves for the source:

  • Its line-by-line breakdown of the GTG-1002 attack stages and the specific TTPs the report maps to each phase.
  • Its discussion of how AI orchestration altered request rates, operator workload, and simultaneous intrusion management.
  • Its comparison with older automated attack patterns such as autopwn and what that history means for defenders.
  • Its commentary on provider-side abuse detection and the uncertainty it creates for enterprise incident response.

👉 Read Clutch Security’s analysis of the Anthropic GTG-1002 report →
