The Cloud Security Alliance has raised alarms about a significant change in the threat landscape: the time between the discovery of a vulnerability and the creation of a working exploit is rapidly decreasing. This briefing highlights the capabilities of Anthropic’s Claude Mythos, an AI that autonomously identified thousands of zero-day vulnerabilities across major operating systems and browsers, generating effective exploits without human intervention.
Asymmetry in Offense and Defense
The core issue lies in the asymmetry of the current security environment. While AI technology reduces the cost and complexity of identifying and exploiting vulnerabilities, defensive strategies remain reliant on traditional patch cycles and risk models designed for human-speed threats. Current data from Sergej Epp’s Zero Day Clock indicates that the average time-to-exploit is now under 20 hours, a stark contrast to the slower pace of human operations.
The rise of offensive AI capabilities has been notable since mid-2025. For instance, in June 2025, the autonomous system XBOW topped HackerOne’s U.S. leaderboard. By August, Google’s Big Sleep had discovered 20 zero-days in open-source projects. A significant incident occurred in November when Anthropic reported that a Chinese state-sponsored group leveraged Claude Code to execute comprehensive attack chains on around 30 global targets. By February 2026, Claude Opus 4.6 had uncovered over 500 high-severity vulnerabilities, while AISLE identified 12 OpenSSL zero-days, including a critical flaw with a CVSS score of 9.8 dating back to 1998.
Recommendations for CISOs
CISOs are urged to take immediate action across various timeframes: immediate, 45 days, and 90 days. Key recommendations include integrating LLM-based security reviews into CI/CD pipelines, formalizing the use of AI agents in all security functions, preparing for an increase in simultaneous patches, and updating risk models that are based on outdated assumptions about exploit timelines.
Adopting AI agents is now considered an operational necessity. Organizations that resist this shift may find themselves unable to compete with the speed of AI-enhanced attacks. Rich Mogull, a chief analyst at the Cloud Security Alliance, noted the challenges associated with this transition, emphasizing the need for clear guidance and approved providers to facilitate effective AI agent deployment.
In terms of budget and staffing, Phil Venables, a partner at Ballistic Ventures, pointed out that teams across infrastructure and development must enhance their software and IT management tools to address the urgent need for faster vulnerability remediation. He described this period as a catalyst for necessary improvements that organizations had previously contemplated for various business reasons.
Mogull warns of the risks associated with inaction, drawing parallels to past incidents like the Kaminsky DNS vulnerability and the Log4j exploit, which strained response capabilities. The emergence of systems like Glasswing could lead to frequent, significant vulnerabilities, possibly multiple times a week.
Burnout as an Operational Risk
As the volume of vulnerability disclosures is expected to surge, security teams will face unprecedented challenges. Recommendations include advocating for increased headcount and budget to build reserve capacity before automation can be fully implemented. Moreover, organizations must prioritize staff resilience alongside technical controls, as the combination of higher vulnerability volume, AI-assisted development, and an expanding attack surface can lead to burnout and attrition.
The Basic Controls Still Matter
Despite the rise of advanced AI tools, established security practices must remain a priority. Basic measures such as network segmentation, egress filtering, phishing-resistant multi-factor authentication (MFA), identity and access management, and patch management for known vulnerabilities still play a critical role in increasing the cost of attacks. Notably, egress filtering succeeded in blocking all public Log4j exploits.
Looking ahead, the briefing advocates for the establishment of a dedicated Vulnerability Operations function, modeled after DevOps practices. This function should be equipped and automated for continuous, autonomous vulnerability discovery and remediation across the entirety of an organization’s software landscape.
Source: Help Net Security News