AI Vulnerability Discovery is Real, and it is Here!

Every repository of code you rely upon just became a liability with a clock on it. Zero-day exploit development has gone exponential.
More than a year ago I started warning anyone who would listen that agentic vulnerability discovery was improving at an astounding rate and it would rewrite the offense-defense balance. I said it on stage. I said it to reporters. I said it to boards who politely nodded. Here’s my view at RSA a year ago:
https://www.theregister.com/2025/04/30/exnsa_cyber_boss_ai_expoit_dev/
This week Anthropic pulled the curtain back on Claude Mythos. Vulnerability discovery, exploit development, and weaponization capabilities that exceed almost every human practitioner alive. Given enough compute, it finds a path to exploit essentially everything it is pointed at. Decades-old bugs in the Linux kernel. Chained browser exploits. Working proofs of concept on the first try more than 80 percent of the time. All autonomous and limited only by the compute you can afford to feed Mythos.
Project Glasswing will harden a handful of platforms from Apple, Microsoft, Google, AWS, Cisco, and a few others. That is good news for us all because we all rely on their products.
The bad news is the rest of the internet. The mountain of technical debt sitting in everything from industrial controllers to municipal systems to the average enterprise app stack is not getting a Glasswing review. And the same capabilities will reach adversaries. Maybe in six months. Maybe in eighteen. Certainly not longer.
This is a transition point we have never navigated before. If your security program still assumes attackers are constrained by human talent and human hours, you are already behind.
Think about what is actually running your business. Legacy applications no one has touched in a decade. Vendor code you cannot patch. Industrial systems built when memory safety was a research topic. Firmware in devices that will never see another update. That is the surface area a capable adversary will scan first, because that is where the yield is highest.
Technical debt used to be a budgeting problem. It is now a survival problem. The window to inventory what you own, retire what you cannot defend, and modernize what you must keep is closing faster than any board-level risk register currently reflects.
I have been worried about this moment for a long time. Seeing the capability emerge does not make me feel better. It makes me want to move faster. If you run a security program, the question to answer is brutally simple: when the capability proliferates, what in your environment is indefensible, and what are you going to do about it before then?