Vibe Hacking: How Anthropic Just Made Threat Hunting Non-Negotiable
AI-assisted attacks are not new, but the automation of entire kill chains? That is something we have discussed for over a year on this Substack, and Anthropic just handed us evidence that it is now happening. Not yesterday or tomorrow, today.
I’ve been beating this drum for years: threat hunting has been relegated to the shadows, treated like an expensive luxury for teams with too much budget and too little to do. The thing you fund when your dashboards are green and your CISO needs to justify headcount. A nice-to-have in a world of must-haves.
Anthropic’s August 2025 report should end that conversation forever because cybercriminals are now ‘vibe hacking’. This is documentation of adversaries using AI not as a research assistant, not as a code generator, but as an actual operator making real-time decisions in live environments. Multiple sectors, real victims, machine-speed execution. The kind of tempo that makes traditional detection look like it’s moving through molasses.
We’re not talking about proof-of-concept demos or academic research. This is the Quiet War made manifest; adversaries that don’t announce themselves with flashy ransomware screens, but slip in through the cracks, reasoning their way through your environment faster than you can spot them.
Remember When Attackers Were Predictable?
Ah yes, when hands-on-keyboard execution and Cobalt Strike were the keys to the kingdom…
Equifax, 2017. Attackers found their Apache Struts vulnerability (CVE-2017-5638), publicly known and with a patch available, sitting there like a welcome mat. They exploited it, planted web shells, harvested credentials, moved laterally, and exfiltrated roughly 147 million records. A textbook attack chain with devastating results (and one that further deepened our disdain for credit reporting agencies). One of the more egregious aspects of this breach is that it was eminently detectable: it took the attackers 76 days to achieve their objective. Seventy-six days of sitting in the environment, leaving traces, making noise, giving defenders dozens of opportunities to spot them.
That’s human-speed warfare. Plan, execute, pause, regroup, make mistakes, leave breadcrumbs everywhere.
Now let’s compare that to what Anthropic documented with GTG-2002…
The entire kill chain: reconnaissance, credential harvesting, lateral movement, exfiltration, all compressed into timeframes that make those historical attacks look glacial. We’re talking about an operational tempo that matches my morning routine: grab coffee, check email, go for a run, compromise enterprise network. Same time window.
That compression isn’t just faster, it’s fundamentally different and it changes everything about how we have to think about defense.
What They Actually Witnessed
Aside from the incredible transparency (and excellent writing), what makes the GTG-2002 case different from every other threat report you’ve read this year is that Anthropic wasn’t analyzing aftermath or reverse-engineering campaigns from months-old artifacts. They caught adversaries in the act, using their own AI systems to run active operations against real targets.
In a meta moment, the company that built the AI caught people using it to run actual cyberattacks. They had front-row seats to watch artificial intelligence conduct reconnaissance, make tactical decisions, execute commands, and adapt to environmental conditions in real-time.
The adversaries weren’t just getting AI to write them some PowerShell scripts or help them craft phishing emails. They were using Claude Code in terminal environments, generating and executing commands on the fly, making operational decisions based on what they found, pivoting when initial approaches didn’t work. AI as operator, not assistant.
These attack chains moved like clockwork, systematic, relentless, machine-consistent. Not the stop-and-start rhythm of human operators who need to eat, sleep, and occasionally take meetings with their day job bosses.
What keeps me up at night is that this wasn’t just technical exploitation. The same systems were drafting ransom notes, calculating appropriate ransom amounts, and providing negotiation advice. This was end-to-end automation of the entire criminal enterprise, from initial access to monetization.
Healthcare, government, emergency services, religious institutions; no sector was off-limits, no target too small or obscure. This wasn’t carefully targeted espionage or surgical precision attacks. This was volume-based exploitation at machine scale.
But Damien, where’s the part about threat hunting? Well, Anthropic, the company that built the AI being abused, needed human threat hunters to spot the patterns before their automated detection systems could catch up.
Think about that. The people who designed and built the system still needed humans hunting through behavioral data to identify how their own creation was being weaponized.
Why Static Defense Dies Here
For decades, we’ve built our entire security industry around artifacts. Hash values that identify known malware. IP addresses of command and control infrastructure. Domain names used in campaigns. File signatures. Network patterns. The whole threat intelligence ecosystem exists to catalog these digital fingerprints and share them across the community.
This approach worked because adversaries were predictable in their laziness. They reused infrastructure because spinning up new servers was expensive and time-consuming. They recycled payloads because writing new malware required specialized skills. They left consistent patterns because human operators develop habits and stick to what works.
But when your adversary can generate unique payloads for every operation, spin up fresh infrastructure on demand, and execute attack chains at inhuman speeds, what happens to your carefully curated lists of known-bad indicators?
They become historical artifacts. Interesting for forensic analysis, useless for prevention.
The GTG-2002 case shows we’re not fighting script kiddies with commodity malware anymore. We’re not even fighting traditional APT groups with human operators following established playbooks. We’re up against decision-making engines that can reason through defensive measures, adapt to unexpected conditions, and execute at speeds that make human-driven security operations look quaint.
This is exactly the scenario that hunting was designed for. When the indicators evaporate but the intent remains visible. When you can’t rely on signature matching but you can still spot behavioral anomalies. When the artifacts change but the adversarial logic stays consistent.
The Quiet War was never about bigger explosions or louder alarms. It’s about more sophisticated adversaries moving beneath the threshold of traditional detection, and the hunters who develop the skills to spot them anyway.
How Hunters Think Different Now
So how do you hunt something that thinks at machine speed and leaves no reliable fingerprints? The same way you’ve always hunted: by understanding intent rather than chasing artifacts. But faster, smarter, and with different assumptions about what normal looks like.
Traditional hunting assumes human operators with human limitations. They take breaks, make mistakes, follow familiar patterns, leave gaps between operational phases. AI operators don’t have those constraints. They execute with mechanical consistency, perfect timing, and inhuman precision.
But they’re not invisible. They’re just operating at a frequency we haven’t been tuned to detect.
Start hunting decision patterns instead of technical artifacts. Look for reconnaissance immediately chained to credential abuse, no human pause for analysis, no delay for planning. Watch for valid accounts that suddenly access sensitive resources they’ve never touched before, with access patterns that suggest systematic discovery rather than organic exploration.
Time becomes everything. When you see reconnaissance, exploitation, persistence, and exfiltration compressed into windows that would barely give a human operator time to understand what they’ve found, that temporal signature becomes your hunting ground.
Context matters more than rules. Instead of brittle logic looking for specific process names or command-line patterns, start looking for behavioral combinations that suggest intent. Encoded PowerShell isn’t interesting. Encoded PowerShell executed by a non-admin user at 2 AM from a workstation that’s never run scripts before, connecting to infrastructure registered three days ago? That’s a story worth investigating.
The decision points become critical hunting surfaces. Where do adversaries make operational choices? When they’re deciding which credentials to abuse, which systems to target next, which data to prioritize for exfiltration. These reasoning moments leave traces that are harder to obfuscate than technical artifacts.
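Here is what that “story worth investigating” looks like once you turn it into scoring logic. This is an added example I wrote for this post, not anything Anthropic published and not code from the original; the event fields, the baselines (admin list, per-host script history, domain first-seen dates from passive DNS or WHOIS), the point weights and the 7-point threshold are constructed placeholders you would replace with your own telemetry. The point it demonstrates: the encoded PowerShell itself scores zero, and only the surrounding context accumulates weight.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# -EncodedCommand and the abbreviations PowerShell accepts (-e, -ec, -en, -enc ...)
# followed by a base64 blob of meaningful length.
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}")


@dataclass
class Baselines:
    """What 'normal' looks like. Constructed here; in practice built from weeks of telemetry."""
    admin_users: set                 # principals expected to run scripts
    hosts_with_script_history: set   # hosts that have run PowerShell scripts before
    domain_first_seen: dict          # domain -> first-seen UTC datetime (passive DNS / WHOIS)
    business_hours: tuple = (7, 19)  # working hours in UTC for this example, [start, end)
    new_domain_age: timedelta = timedelta(days=7)


def score_encoded_powershell(event, b):
    """Return (score, reasons). The encoding is worth zero points on its own;
    each piece of surrounding context adds weight and a human-readable reason."""
    if not ENCODED_PS.search(event["command_line"]):
        return 0, []
    when = datetime.fromisoformat(event["ts"]).replace(tzinfo=timezone.utc)
    score, reasons = 0, []
    if event["user"] not in b.admin_users:
        score += 2
        reasons.append(f"non-admin user {event['user']} ran encoded PowerShell")
    if not (b.business_hours[0] <= when.hour < b.business_hours[1]):
        score += 2
        reasons.append(f"executed at {when:%H:%M} UTC, outside business hours")
    if event["host"] not in b.hosts_with_script_history:
        score += 3
        reasons.append(f"host {event['host']} has no prior script execution")
    dest = event.get("dest_domain")
    if dest is not None:
        first_seen = b.domain_first_seen.get(dest)
        if first_seen is None or when - first_seen <= b.new_domain_age:
            score += 4
            reasons.append(f"outbound to {dest}, unknown or first seen <= {b.new_domain_age.days} days ago")
    return score, reasons


def triage(events, b, threshold=7):
    """Keep the events worth an analyst's time, highest score first."""
    scored = []
    for e in events:
        s, reasons = score_encoded_powershell(e, b)
        if s >= threshold:
            scored.append((s, reasons, e))
    return sorted(scored, key=lambda x: -x[0])


# Constructed sample telemetry: one event that tells a story, two that do not.
SAMPLE_EVENTS = [
    {"ts": "2025-08-12T02:13:41", "host": "WS-0423", "user": "jdoe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "dest_domain": "updates-cdn-sync.example"},
    {"ts": "2025-08-12T10:02:05", "host": "ADM-01", "user": "it-admin",
     "command_line": "powershell.exe -EncodedCommand RwBlAHQALQBTAGUAcgB2AGkAYwBlAA==",
     "dest_domain": "config.internal.example"},
    {"ts": "2025-08-12T02:20:00", "host": "WS-0423", "user": "jdoe",
     "command_line": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]

BASELINES = Baselines(
    admin_users={"it-admin"},
    hosts_with_script_history={"ADM-01", "BUILD-07"},
    domain_first_seen={
        "updates-cdn-sync.example": datetime(2025, 8, 9, tzinfo=timezone.utc),  # 3 days old
        "config.internal.example": datetime(2019, 3, 2, tzinfo=timezone.utc),
    },
)

if __name__ == "__main__":
    for s, reasons, e in triage(SAMPLE_EVENTS, BASELINES):
        print(f"score={s} host={e['host']} user={e['user']}")
        for r in reasons:
            print("  -", r)
```

Run it and only the 2 AM event from the workstation with no script history, reaching a three-day-old domain, survives triage; the admin running the same encoded command from a build host during the day scores zero, which is exactly the signal-to-noise behaviour a brittle “encoded PowerShell” rule cannot give you.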
And here’s where it gets interesting: you need to start pairing human hunters with AI-powered analysis tools. Not to replace human judgment, but to handle the speed and scale requirements that machine-speed adversaries create. Let AI validate hypotheses in seconds, test detection logic against historical data, surface anomalies that would take human analysts hours to find.
The goal isn’t automation replacing hunters. It’s hunters freed from grunt work and able to focus on adversarial reasoning at the speed the threat landscape now demands.
Practical Translation (With Intent, Not Just Syntax)
Anthropic didn’t publish their exact hunting logic, probably smart operational security on their part. But based on what they described, here’s how I’m thinking about this practically. The key isn’t the specific queries but the philosophy behind them: compressed operational timelines, chained behaviors that suggest systematic progression, decision patterns that reveal intent rather than accident.
In Splunk, I’m hunting for speed bursts where exploit activity and data exfiltration happen in tight windows that suggest automated progression rather than human pacing. In Elastic, I’m tracking lateral movement velocity and how quickly adversaries chain authentication successes to new activities across systems. For Sentinel, I’m building context-aware logic that looks beyond simple process execution to understand environmental factors.
The real value is in the thinking behind these approaches: tempo over content, behavioral sequences over isolated events, contextual understanding over signature matching.
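To make the tempo idea concrete, here is the logic behind the Splunk “speed burst” and Elastic “lateral movement velocity” hunts expressed as plain Python over a small constructed event stream, so it runs without a SIEM. This is an added example, not Anthropic’s hunting logic and not code from the original post; the event-type-to-phase mapping, the 30-minute chain window, the 5-minute “no human pause” gap, the 10-minute lateral window and the sample events are all assumptions to tune against your own data. The second principal in the sample walks the same phases at Equifax pace over seven weeks and is correctly left alone.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Raw event types (named as a SIEM might name them) mapped to kill-chain phases. Constructed.
PHASE_OF = {
    "ldap_enum": "recon",
    "share_enum": "recon",
    "lsass_access": "credential_access",
    "kerberoast": "credential_access",
    "remote_logon": "lateral_movement",
    "large_upload": "exfiltration",
    "cloud_storage_put": "exfiltration",
}
CHAIN = ("recon", "credential_access", "lateral_movement", "exfiltration")


def _ts(s):
    """ISO-8601 timestamp string -> aware UTC datetime."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def compressed_chains(events, window=timedelta(minutes=30), max_gap=timedelta(minutes=5)):
    """Hunt 1: a principal walks every phase of CHAIN, in order, inside `window`.
    `max_gap` is the 'no human pause' tell: every hop between phases is short."""
    by_user = defaultdict(list)
    for e in events:
        phase = PHASE_OF.get(e["type"])
        if phase:
            by_user[e["user"]].append((_ts(e["ts"]), phase))
    findings = []
    for user, evs in by_user.items():
        evs.sort()
        for i, (t0, p0) in enumerate(evs):
            if p0 != CHAIN[0]:
                continue
            # From this recon event, take the first later event of each following phase.
            times, want = [t0], 1
            for t, p in evs[i + 1:]:
                if p == CHAIN[want]:
                    times.append(t)
                    want += 1
                    if want == len(CHAIN):
                        break
            if want == len(CHAIN) and times[-1] - times[0] <= window:
                gaps = [b - a for a, b in zip(times, times[1:])]
                findings.append({
                    "user": user,
                    "span_minutes": round((times[-1] - times[0]).total_seconds() / 60, 1),
                    "max_gap_minutes": round(max(gaps).total_seconds() / 60, 1),
                    "human_pause_absent": max(gaps) <= max_gap,
                })
                break  # one lead per principal is enough for a hunt
    return findings


def lateral_velocity(events, window=timedelta(minutes=10), min_hosts=5):
    """Hunt 2: a principal reaches >= min_hosts distinct hosts via remote logon
    inside any `window`-long stretch."""
    logons = defaultdict(list)
    for e in events:
        if PHASE_OF.get(e["type"]) == "lateral_movement":
            logons[e["user"]].append((_ts(e["ts"]), e["host"]))
    findings = []
    for user, hops in logons.items():
        hops.sort()
        for i, (t0, _) in enumerate(hops):
            hosts = {h for t, h in hops[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                findings.append({"user": user, "hosts_in_window": len(hosts),
                                 "window_start": t0.isoformat()})
                break
    return findings


# Constructed sample stream: svc-backup moves at machine pace over ~7 minutes;
# mwilson walks the same phases at human pace over seven weeks.
SAMPLE_EVENTS = [
    {"ts": "2025-08-12T02:03:10", "user": "svc-backup", "host": "WS-0423", "type": "ldap_enum"},
    {"ts": "2025-08-12T02:04:02", "user": "svc-backup", "host": "WS-0423", "type": "kerberoast"},
    {"ts": "2025-08-12T02:05:30", "user": "svc-backup", "host": "SRV-FS01", "type": "remote_logon"},
    {"ts": "2025-08-12T02:05:55", "user": "svc-backup", "host": "SRV-FS02", "type": "remote_logon"},
    {"ts": "2025-08-12T02:06:20", "user": "svc-backup", "host": "SRV-DB01", "type": "remote_logon"},
    {"ts": "2025-08-12T02:06:44", "user": "svc-backup", "host": "SRV-DB02", "type": "remote_logon"},
    {"ts": "2025-08-12T02:07:10", "user": "svc-backup", "host": "SRV-APP01", "type": "remote_logon"},
    {"ts": "2025-08-12T02:09:48", "user": "svc-backup", "host": "SRV-DB01", "type": "large_upload"},
    {"ts": "2025-06-01T09:15:00", "user": "mwilson", "host": "WS-0101", "type": "share_enum"},
    {"ts": "2025-06-03T14:20:00", "user": "mwilson", "host": "WS-0101", "type": "lsass_access"},
    {"ts": "2025-06-10T11:05:00", "user": "mwilson", "host": "SRV-FS01", "type": "remote_logon"},
    {"ts": "2025-07-20T16:40:00", "user": "mwilson", "host": "SRV-FS01", "type": "cloud_storage_put"},
]

if __name__ == "__main__":
    for f in compressed_chains(SAMPLE_EVENTS) + lateral_velocity(SAMPLE_EVENTS):
        print(f)
```

Note what the query does not rely on: no hashes, no domains, no process names beyond the phase mapping you maintain. Swap the mapping for your own event IDs and the same two functions become the Splunk `transaction`-style and Elastic sequence hunts described above. The `human_pause_absent` flag is the part to watch as adversaries start throttling themselves (the “stealth evolution” path below): once the gaps stretch, the ordering and the completeness of the chain still stand, but the temporal tell fades.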
What Smart Leaders Do Now
This isn’t about ripping up your security program and starting from scratch. It’s about strategic adjustments that compound over time.
Fund a dedicated hunting capability. Not when budget allows, not as a nice-to-have add-on to your SOC, but as a core defensive function. Two skilled hunters focused on behavioral detection will find threats that ten alert-driven analysts miss.
Map your organizational decision surfaces, the places where business logic intersects with sensitive data access. These are your high-value hunting grounds because they’re also the places where AI operators will reveal their systematic approach to your environment.
Test your detection capabilities against compressed kill chains. Run purple team exercises where the entire attack sequence happens in minutes rather than days. If your current detection stack misses it, you know exactly what needs fixing.
Start experimenting with AI-assisted hunting tools, but keep humans in the decision-making loop. Let machines handle speed and scale, but preserve human judgment for interpretation and response.
The goal isn’t perfection on day one. It’s building adaptive capability that can evolve with the threat landscape.
Three Futures (All Plausible)
Where does this go from here? I see three paths forward, and honestly, we’re probably heading toward some combination of all three.
First path: AI operators go mainstream. GTG-2002 was sophisticated, but it required technical skill to set up and operate. Within 18 months, expect to see commoditized agent frameworks that let anyone with basic technical knowledge run autonomous attack campaigns. The barriers to entry drop dramatically, and the volume of AI-driven attacks increases by orders of magnitude.
Second path: the stealth evolution. Right now, speed is the tell that gives away AI operators. But smart adversaries will learn to throttle their systems, introducing human-like delays and imperfections to avoid behavioral detection. When that happens, intent-based hunting becomes even more critical because temporal signatures disappear.
Third path: human-AI hunting partnerships become standard. Defensive teams that successfully pair human hunters with AI analysis tools will detect anomalies faster and adapt to new tactics quicker than any traditional security operation. The advantage goes to organizations that embrace hybrid intelligence rather than trying to solve this with either pure automation or pure human analysis.
All three paths share one fundamental truth: reactive, alert-driven security programs won’t survive this transition. The operational tempo is too fast, the attack vectors too dynamic, the behavioral patterns too subtle for traditional signature-based detection. Proactive hunting isn’t just competitive advantage anymore, it’s a core competency for every enterprise out there looking to stop AI-generated threats.
The Human Edge
The sky is not falling, and I am confident that this isn’t just a story about adversaries winning through superior technology.
We still have advantages that machines can’t easily replicate. Institutional context that helps prioritize which anomalies actually matter. Human intuition that connects seemingly unrelated events into coherent threat pictures. Community intelligence sharing that spreads defensive knowledge faster than any individual adversary can adapt.
The ability to reason through uncertainty when data is incomplete or contradictory. The organizational knowledge that distinguishes between normal business weirdness and actual adversarial activity. The creative thinking that develops novel hunting approaches faster than adversaries can prepare countermeasures.
The GTG-2002 case isn’t a preview of some distant cyberpunk future. It’s happening right now, in real environments, against real organizations. The shift from theoretical possibility to operational reality has already occurred.
If you’re still treating hunting as optional, something you’ll fund when you have extra budget or implement when your “real” security tools are fully deployed, you’re fighting today’s war with yesterday’s playbook. The adversaries aren’t sending warning shots or publishing their capabilities in advance. They’re already here, already operating, already reasoning their way through environments at machine speed.
The only question left is whether you’re going to start reasoning back before it’s too late.
Stay curious and stay secure my friends.
Damien

As someone who is very nearly done with my cybersecurity analyst certification (after a career writing about it), this is the kind of content I love. I see so many scenarios where my academic background and writing would give me an edge in hunting AI threats. It’s great to read that it should be an AI-human partnership. And to get validation for my belief that AI is not capable of doing the work on its own. Thanks!