Evaluating potential cybersecurity threats of advanced AI
Source: DeepMind
Date: 2025-04-02
URL: https://deepmind.google/blog/evaluating-potential-cybersecurity-threats-of-advanced-ai/
Summary
Google DeepMind published a framework for evaluating AI-enabled offensive cyber capabilities, analyzing 12,000+ real-world AI-assisted cyberattack attempts across 20 countries via Google Threat Intelligence. The framework adapts MITRE ATT&CK for AI-powered attacks and includes a 50-challenge benchmark spanning the full attack chain (reconnaissance through action on objectives). Key finding: current frontier models are unlikely to enable breakthrough capabilities for threat actors in isolation, but existing evaluations overlook evasion and persistence phases where AI could be particularly effective.
Implications
“Unlikely to enable breakthrough capabilities in isolation” is a carefully scoped claim. Isolation is doing a lot of work. The concern isn’t a single model enabling a novel attack — it’s AI reducing the cost and skill floor for attack components that already exist. The 12,000-attempt dataset is the right evidence base: real attack attempts across 20 countries, not synthetic red-team scenarios. That grounding makes the finding credible rather than self-serving.
Evasion and persistence as overlooked phases is the finding that matters for defenders. Current AI safety evaluations focus on initial exploitation — can the model write working malware, craft phishing, find CVEs. They mostly skip the post-compromise phases: staying undetected, moving laterally, maintaining access. Those phases are where skilled adversaries spend most of their time, and where AI assistance could dramatically lower the expertise barrier.
The 50-challenge full-chain benchmark is reusable infrastructure, not just a finding. A benchmark covering the complete attack lifecycle — including phases that existing evals miss — is valuable for the field. If adopted by METR, UK AISI, or NIST for standard frontier model evaluations, it closes the gap between what’s being tested and what attackers actually do.
Watch:
- Whether the 50-challenge benchmark is published for external use — external access is the difference between industry-wide calibration and Google-only calibration
- AISI and METR adoption of the evasion/persistence evaluation methodology in their frontier model evaluation frameworks
- Follow-up research specifically on AI-assisted persistence and lateral movement — the gap the paper identified is the next research frontier