In the digital age, the speed and cost of cyberattacks have shifted dramatically. What once required months of effort can now be accomplished in minutes, often for less than a dollar, thanks to generative AI. Recent events like Anthropic's Project Glasswing highlight this unsettling reality. Yet, the same technology that empowers attackers also arms defenders—Anthropic's Claude Mythos model has already discovered over a thousand zero-day vulnerabilities. To navigate this new landscape, we must understand how AI-driven bug discovery parallels earlier automation waves, such as fuzzing, and what lessons can be applied to tip the scales in favor of security.

How has generative AI changed the landscape of cyberattacks?

Generative AI, particularly large language models, has compressed the timeline of cyberattacks from months to minutes. Transforming a newly discovered software vulnerability into an exploit used to require deep technical expertise and significant time. Today, a single cloud-computing investment of under a dollar can enable AI to automate that entire process. This was starkly illustrated by the recent headlines around Anthropic's Project Glasswing, which demonstrated how quickly and cheaply attacks can be launched. The result is a democratization of hacking: attackers no longer need advanced skills to exploit code, and the barrier to entry has plummeted. This asymmetry poses a serious challenge, as defenses still rely on human engineers to interpret and act on AI findings.

What is Claude Mythos and how does it help defenders?

Claude Mythos is a preview model from Anthropic that leverages AI for defensive cybersecurity. Its primary role is to proactively discover zero-day vulnerabilities—flaws unknown to the software vendor—before malicious hackers can exploit them. According to Anthropic, the model has already identified over a thousand such vulnerabilities, spanning every major operating system and web browser. Crucially, Anthropic coordinates with developers to patch these flaws, ensuring that the discovered bugs are fixed rather than weaponized. While it remains uncertain whether AI-driven bug finding will ultimately favor attackers or defenders, tools like Claude Mythos offer a glimmer of hope. They transform AI from a pure threat into a powerful ally, capable of scanning vast codebases with minimal cost and effort.

How does AI-driven vulnerability discovery compare to the earlier “fuzzing” era?

In the early 2010s, a new class of software called fuzzers emerged, exemplified by tools like American Fuzzy Lop (AFL). These programs bombarded software with millions of random, malformed inputs in search of crashes—a digital monkey at a typewriter. Fuzzers quickly uncovered critical flaws in every major browser and operating system. The current AI-driven approach, by contrast, uses large language models that can understand code context and generate targeted prompts to find vulnerabilities. While fuzzing required significant technical setup and specialized knowledge, AI can achieve similar results with just a single natural language prompt. This makes AI both more accessible to attackers and more challenging for defenders to manage, as the ease of discovery outstrips the ease of remediation.

What lessons can organizations learn from the response to fuzzing?

When fuzzing first shook the security world, the reaction was not panic but industrialization. Organizations recognized that automated bug finding was here to stay and built systematic defenses. Google's OSS-Fuzz is a prime example: it runs fuzzers continuously on thousands of open source projects, catching vulnerabilities before software ships rather than after attackers find them. The same principle applies to AI-driven discovery: organizations should integrate these tools into standard development pipelines, run them 24/7, and expect a new baseline for security. By embedding AI vulnerability scanning into the software development lifecycle, companies can preemptively patch weaknesses. The lesson is clear: proactive, continuous, and automated defense turns a disruptive technology into a manageable part of cybersecurity.

Why is the analogy between fuzzing and AI limited?

Despite similarities, the analogy has a critical limit. Fuzzing was a tool for specialists, requiring deep technical expertise to configure and interpret results. AI-driven vulnerability discovery, on the other hand, works with just a prompt—anyone can attempt to find bugs. This creates a troubling asymmetry: attackers no longer need technical sophistication to exploit code, while robust defenses still demand engineers to read, evaluate, and act on AI findings. The human cost of finding bugs may approach zero, but fixing them remains labor-intensive. Additionally, AI models can generate many false positives or miss context-dependent flaws that a human expert would catch. Thus, while both waves share the theme of automation, AI's ease of use amplifies the challenge for defenders.

Is AI better at finding bugs than fixing them?

Current evidence suggests that AI excels at vulnerability discovery but falls short when it comes to remediation. As Peter Gutmann noted in his book Engineering Security (2014), many security technologies are “secure” only because no one examined them. AI makes examination cheap and fast, but fixing the uncovered issues still requires human expertise. In the open source ecosystem, where much commercial software relies on small teams or volunteers, the burden of patching can be overwhelming. While AI can generate code suggestions or even automated patches, the nuanced understanding needed to ensure a fix doesn't break functionality remains a human domain. Until AI can both find and fix bugs with equal proficiency, the security community must invest in bridging the gap between discovery and remediation.

What are the implications of cheap bug discovery for open source software?

Open source software forms the backbone of modern commercial applications, but it is often maintained by small teams, part-time contributors, or individual volunteers with no dedicated security resources. The advent of cheap, AI-driven bug discovery means that these projects are now under unprecedented scrutiny—both from benevolent researchers and malicious actors. A single vulnerability in a widely used open source library can ripple across thousands of downstream products. The implication is clear: the security community must acknowledge that finding bugs is no longer the bottleneck; fixing them is. This calls for better coordination, automated patch generation, and increased support for maintainers. Without such measures, the low cost of discovery could lead to a flood of unpatched flaws, undermining trust in the digital infrastructure.