Cybersecurity experts warned companies have a narrow three-to-five-month window before AI-driven cyberattacks become the new norm.
Anthropic’s Mythos and OpenAI’s GPT-5.5-Cyber are making it easier for hackers to exploit unknown software vulnerabilities. Furthermore, the models can chain multiple flaws together into working exploit paths which earlier systems struggled to accomplish.
Major companies testing these frontier AI models discovered vulnerabilities at unprecedented rates during recent scanning efforts. One cybersecurity firm found 75 security holes after scanning 130 products compared to its typical five monthly discoveries. Meanwhile, Mozilla fixed 423 Firefox bugs in April after Mythos found 271 flaws representing five times higher than March fixes.
“We now estimate a narrow three-to-five-month window for organizations to outpace the adversary before AI-driven exploits start to become the new norm,” wrote Palo Alto Networks tech chief Lee Klarich in a blog post on Wednesday. “This impending vulnerability deluge demands urgency.”
Microsoft used its MDASH agentic bug hunting system finding 17 vulnerabilities on record-setting Patch Tuesday with 30 critical CVEs disclosed. The UK’s AI Security Institute stated both Mythos and GPT-5.5 substantially exceeded the doubling trend tracked since late 2024. Consequently, researchers say AI just broke every benchmark for autonomous cyber capability.
Anthropic limited Mythos rollout to select companies including CrowdStrike, Amazon, Apple, and JPMorgan through Project Glasswing. OpenAI announced GPT-5.5-Cyber last week followed by Daybreak cyber initiative rollout allowing limited access to vetted cybersecurity teams. However, the models generated working exploits more than 70% of the time during internal testing.
Industry experts emphasized finding vulnerabilities still requires extensive human expertise and customization despite model capabilities. Organizations should find and patch vulnerabilities before attackers can exploit them while reducing internet-facing exposure.
Companies must deploy automated detection and prevention tools capable of blocking attacks in real time as AI-powered exploits may unfold within minutes.
