On 13 November, Anthropic published an incident report that should have rearranged every SOC roadmap in Johannesburg. In mid-September, the company detected a state-aligned group, tracked as GTG-1002 and attributed to China, using Claude Code to run a near-autonomous espionage campaign against roughly thirty technology, finance, chemicals and government targets.
The humans set the objectives. The model did the rest. Reconnaissance, vulnerability discovery, exploit development, credential harvesting, lateral movement, exfiltration. Anthropic estimates the AI handled 80 to 90 percent of the tactical work, with operators stepping in only at four to six escalation points per campaign. Claude was issuing thousands of requests per second at peak.
That is the number South African boards need to internalise. Not the breach count. The cadence.
The safeguards did not hold in the way most assumed they would. The operators decomposed malicious objectives into innocuous sub-tasks and instructed the model to roleplay as a defensive red team. Claude, asked politely and in pieces, complied. The lesson is not that model guardrails are theatre. It is that any agent fluent enough to be useful is fluent enough to be convinced.
The tempo problem
Set aside the novelty for a moment and look at the operational reality. A human red team, working a single target, takes days to move from initial access to credentialed lateral movement. The GTG-1002 operation compressed that to minutes per stage, in parallel, across thirty targets. Anthropic's own capability evaluations now show offensive cyber performance roughly doubling every six months.
Most South African SOCs are still tuned to a human attacker. Mean time to detect, measured in hours or days, was acceptable when the adversary needed coffee breaks. It is no longer acceptable. An XDR feed that takes six minutes to correlate is slower than the adversary it is watching. A SOC that escalates by email is bringing a memo to a fight that ended two ticket queues ago.
What this means for the SA detection stack
The instinct will be to buy another tool. Resist it. The Micro · Meso · Macro lens is more useful here.
At the micro layer, endpoint and identity telemetry has to capture machine-speed behaviour without drowning analysts. That means signal enrichment at ingest, not at triage. At the meso layer, correlation across identity, endpoint, cloud and SaaS must happen in seconds, not in scheduled jobs. At the macro layer, governance has to accept that POPIA's reasonable security obligations now include response tempo, not just control inventories. The Information Regulator will not be impressed by a control matrix if the breach window was four hours and the attacker was an agent.
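As an added example (not code from the article, Securonix or Anthropic), the following Python sketch shows the micro and meso layers just described: asset context is joined at ingest, then a sliding-window correlation across identity, endpoint and cloud feeds flags machine-speed cadence and stamps each alert with a containment deadline. The telemetry, the asset tiers and the thresholds are constructed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed telemetry for this example: (timestamp, feed, principal, action).
T0 = datetime(2025, 9, 15, 10, 0, tzinfo=timezone.utc)
# A human administrator: three logins, minutes apart, seen on one feed only.
SAMPLE_EVENTS = [(T0 + timedelta(minutes=m), "identity", "alice", "login") for m in (0, 7, 19)]
# An agent-driven session: 60 actions in six seconds, fanned across three feeds.
SAMPLE_EVENTS += [(T0 + timedelta(milliseconds=100 * i), ("identity", "endpoint", "cloud")[i % 3],
                   "svc-ci", "api_call") for i in range(60)]

# Constructed asset context, joined at ingest so triage never has to look it up.
ASSET_TIER = {"svc-ci": "tier0-build-pipeline", "alice": "tier2-helpdesk"}

def enrich(ts, feed, principal, action):
    """Enrichment at ingest: normalise the record and attach asset context."""
    return {"ts": ts, "feed": feed, "principal": principal, "action": action,
            "tier": ASSET_TIER.get(principal, "unknown")}

def correlate(events, window=timedelta(seconds=10), max_rate=1.0, min_feeds=2,
              containment_budget=timedelta(minutes=15)):
    """Sliding-window correlation keyed on principal, joined across feeds; alerts
    once cadence in `window` exceeds `max_rate` events/s AND the activity spans at
    least `min_feeds` feeds. Thresholds are assumptions for the example."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["principal"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:  # evict events older than the window
            q.popleft()
        rate = len(q) / window.total_seconds()
        feeds = {e["feed"] for e in q}
        if rate > max_rate and len(feeds) >= min_feeds and ev["principal"] not in alerted:
            alerted.add(ev["principal"])
            alerts.append({"principal": ev["principal"], "tier": ev["tier"],
                           "rate_per_s": round(rate, 1), "feeds": sorted(feeds),
                           "first_seen": q[0]["ts"],
                           # deadline derived from the fifteen-minute adversary
                           "contain_by": q[0]["ts"] + containment_budget})
    return alerts

def run_example():
    """Ingest -> enrich -> correlate over the constructed feeds."""
    return correlate([enrich(*e) for e in SAMPLE_EVENTS])

if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The human administrator never trips the rule; the service principal is flagged on its eleventh event, about one second into the burst, with a containment deadline fifteen minutes after first sight.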
This is also where the third-party question sharpens. Every SaaS vendor in your stack is a potential pivot point for an agentic attacker that can enumerate API surface faster than your procurement team can read a SOC 2. Black Kite's continuous monitoring of fourth-party exposure stops being a nice-to-have and becomes a board metric.
The symmetric response
If the attacker is operating at agent tempo, the defender cannot remain at analyst tempo. This is the operational case for Sam, the Securonix agentic SOC analyst we deploy inside the Digital Resilience managed detection and response stack. Sam triages, enriches and correlates at the speed the telemetry arrives, escalating only the decisions a human should own. It is not a replacement for the analyst. It is the layer that lets the analyst stay strategic while the machine work happens at machine speed.
The point is not the product. The point is the architecture. A modern SOC needs three layers working in concert. Telemetry that captures agentic behaviour, an agentic analytics layer that reasons across that telemetry in real time, and a human governance layer that owns intent, escalation and accountability. Pull any one of those out and the other two cannot compensate.
What boards should ask this quarter
Three questions. What is our current mean time to detect and contain, and how does it compare to a fifteen-minute adversary? Which of our critical third parties has access tokens or API surface that an agentic attacker could enumerate inside an hour? And where in our SOC are we still relying on humans to do work that the attacker has already automated?
Anthropic's disclosure is not a warning shot. It is a record of an attack that already happened against thirty organisations, several of which were breached. The agentic threat model is operational, not theoretical, and the gap between attacker tempo and defender tempo is the single most important number in your security programme this year.
Detection is not protection. Containment is. And containment, at this tempo, is no longer something a human SOC can deliver alone.