As artificial intelligence rapidly advances, general-purpose AI models are proving remarkably effective at identifying and exploiting software vulnerabilities—a task once reserved for elite human experts. This capability is accelerating the adversary lifecycle, compressing the timeline from discovery to exploitation, and lowering the barrier for threat actors of all skill levels. Enterprises face a critical window: while AI will eventually help harden code, attackers are already leveraging it to find new weaknesses faster than ever. Below, we explore seven key questions about this shifting landscape and what defenders can do to stay ahead.
1. How are AI models changing vulnerability discovery?
AI models, especially large language models (LLMs), can now identify and even generate functional exploits for software vulnerabilities without being specifically designed for the task. Historically, finding zero-day flaws required deep expertise, time, and significant resources. Today, AI reduces these barriers, enabling quicker identification and exploitation. This shift means that threat actors—even those with limited technical skills—can potentially use AI tools to discover and weaponize vulnerabilities. The result is a dramatic compression of the attack lifecycle, where the gap between vulnerability discovery and exploitation shrinks from months or weeks to days or even hours. As noted in Wiz’s “Claude Mythos” post, this transformation demands immediate action from security teams to update playbooks and incorporate AI into defensive strategies.
2. What specific risks does AI-powered exploitation introduce?
The primary risk is the democratization of zero-day exploitation. Advanced threat groups, such as PRC-nexus espionage operators, are already rapidly sharing and deploying exploits across separate groups, as highlighted in the 2025 Zero-Days in Review report. This collaboration shrinks the historical window between private discovery and public exploitation. Additionally, AI tools are being marketed in underground forums, making exploit-generation capabilities accessible to a wider range of adversaries. This enables mass exploitation campaigns, ransomware operations, and extortion schemes at an unprecedented scale. Defenders must now assume that any vulnerability could be weaponized quickly, making proactive hardening and continuous monitoring essential.
3. Why is there a “critical window of risk” for enterprises?
AI is a double-edged sword. While it will eventually help organizations harden their software by automating code review and patch prioritization, we are currently in a transition period. Attackers are adopting AI-driven exploitation faster than many enterprises can integrate defensive AI. This asymmetry creates a window where legacy systems and unhardened applications are highly exposed. As noted in the original blog, defenders face two urgent tasks: hardening existing software as rapidly as possible and preparing to defend systems that cannot be immediately patched. This window may last months to years, depending on an organization's ability to modernize security operations and adopt AI-driven defenses.
4. How does AI compress the adversary attack timeline?
Traditional vulnerability exploitation followed a predictable timeline: discovery, proof-of-concept development, weaponization, and deployment—each phase requiring specialized skills and time. AI models can now assist or automate several of these steps. For instance, an LLM can analyze code to find a flaw, generate exploit code, and even suggest evasion techniques. This reduces the time between a vulnerability’s public disclosure and active exploitation from weeks to days. The Google Threat Intelligence Group (GTIG) has observed threat actors using LLMs for exploit development and marketing AI-based tools in underground forums. As a result, enterprises must accelerate their vulnerability management cycles and adopt automated patch deployment where possible.
5. What changes in the economics of zero-day exploitation?
Historically, zero-day exploits were rare, expensive, and used sparingly by advanced adversaries. AI lowers the cost of discovering and weaponizing vulnerabilities, making them accessible to less sophisticated actors. This shifts the economics: instead of guarding exploits for high-value targets, attackers can now conduct mass exploitation campaigns. Ransomware groups, extortion operations, and even hacktivists can leverage AI to find and exploit common vulnerabilities in widely used software. The result is an increased volume of attacks and a broader attack surface. Defenders can no longer rely on the assumption that zero-days are too costly for lower-tier adversaries; they must prepare for a surge in exploit-driven incidents.
6. How are advanced adversaries already leveraging AI for exploits?
Advanced persistent threat (APT) groups, particularly those linked to China’s espionage apparatus, have demonstrated the ability to quickly develop and distribute exploits among otherwise separate threat clusters. The 2025 Zero-Days in Review report highlights how PRC-nexus operators use AI to accelerate the pipeline from discovery to deployment. They share exploit code internally, reducing redundancy and time-to-exploit. This cooperative model, powered by AI, allows them to target multiple organizations simultaneously with minimal lead time. For enterprise defenders, this means that a vulnerability disclosed today could be exploited by multiple, disparate groups within days—a dramatic shift from the historical pattern of isolated, slow-moving attacks.
7. What steps can enterprises take to defend against AI-powered attacks?
Enterprises must take a multi-pronged approach. First, harden existing software by accelerating patch management, automating vulnerability scanning, and incorporating AI tools into code review to catch flaws early. Second, prepare defensive systems for unpatched environments by deploying intrusion detection, segmentation, and AI-based anomaly detection. Third, incorporate AI into security programs—using machine learning to prioritize threats, simulate attacks, and automate incident response. Additionally, security teams should update their playbooks to account for compressed attack timelines and share threat intelligence with peers. As highlighted in the Wiz blog post, now is the time to strengthen defenses before AI-powered exploitation becomes ubiquitous. Proactive investment in AI-driven security tools and processes will turn this risk into an advantage.