This study addresses the challenge of quantifying how AI misuse exacerbates cybersecurity risks. We develop nine quantitative risk models grounded in the MITRE ATT&CK framework to systematically assess AI’s impact on attack scale, frequency, success rate, and impact severity. Methodologically, we propose a novel dual-source uncertainty estimation framework integrating Delphi expert elicitation with LLM-simulated expert reasoning, and map AI benchmark scores (e.g., Cybench, BountyBench) to interpretable risk factors to decompose and attribute cross-dimensional attack efficacy uplift. Using Monte Carlo aggregation, we generate auditable, confidence-interval–bounded results. Our approach enables dynamic defense prioritization and evidence-based AI governance decisions—marking the first step toward verifiable, debatable, and iterative quantitative AI security risk assessment, moving beyond qualitative descriptions.

Advanced AI systems offer substantial benefits but also introduce risks. In 2025, AI-enabled cyber offense has emerged as a concrete example. This technical report applies a quantitative risk modeling methodology (described in full in a companion paper) to this domain. We develop nine detailed cyber risk models that allow analyzing AI uplift as a function of AI benchmark performance. Each model decomposes attacks into steps using the MITRE ATT&CK framework and estimates how AI affects the number of attackers, attack frequency, probability of success, and resulting harm to determine different types of uplift. To produce these estimates with associated uncertainty, we employ both human experts, via a Delphi study, as well as LLM-based simulated experts, both mapping benchmark scores (from Cybench and BountyBench) to risk model factors. Individual estimates are aggregated through Monte Carlo simulation. The results indicate systematic uplift in attack efficacy, speed, and target reach, with different mechanisms of uplift across risk models. We aim for our quantitative risk modeling to fulfill several aims: to help cybersecurity teams prioritize mitigations, AI evaluators design benchmarks, AI developers make more informed deployment decisions, and policymakers obtain information to set risk thresholds. Similar goals drove the shift from qualitative to quantitative assessment over time in other high-risk industries, such as nuclear power. We propose this methodology and initial application attempt as a step in that direction for AI risk management. While our estimates carry significant uncertainty, publishing detailed quantified results can enable experts to pinpoint exactly where they disagree. This helps to collectively refine estimates, something that cannot be done with qualitative assessments alone.