As artificial intelligence advances, general-purpose AI models are becoming remarkably adept at discovering and even exploiting software vulnerabilities—often faster and with less specialized expertise than traditional methods. This capability promises to make code more secure in the long run, but it also creates a dangerous window where attackers can leverage AI to find new weaknesses before defenders patch them. In this Q&A, we explore how the adversary lifecycle is changing, what it means for zero-day economics, and the critical steps enterprises must take to harden systems and update their defensive playbooks.
1. How are AI models changing the vulnerability discovery process for attackers?
AI models, especially large language models (LLMs), now demonstrate the ability to identify novel vulnerabilities and even generate functional exploits without being purpose-built for the task. Historically, discovering zero-day flaws required deep human expertise, months of manual analysis, and significant resources. Today, an AI model can scan code, recognize patterns, and suggest exploitation paths in hours or days. This compresses the discovery-to-exploit timeline dramatically. Threat actors of all skill levels can now use AI tools—some openly advertised on underground forums—to conduct vulnerability research that was once the domain of elite researchers. As a result, we are seeing a democratization of exploit development, with even low-skilled adversaries capable of launching sophisticated attacks. The traditional gap between vulnerability discovery and weaponization is shrinking, forcing defenders to accelerate their own patch cycles and AI integration.
2. What shifts are occurring in the adversary lifecycle due to AI?
The adversary lifecycle—from reconnaissance to exploitation to data exfiltration—is being compressed at the exploitation stage. In the past, after a vulnerability was discovered, developing a reliable exploit could take weeks or months. AI models can now assist in creating working exploits quickly, reducing the time between disclosure and weaponization. This means that the window for defenders to patch or mitigate vulnerabilities is considerably shorter. Additionally, AI enables automated scanning at scale, allowing attackers to probe thousands of targets for the same vulnerability simultaneously. Once a working exploit is created, it can be distributed rapidly across threat groups. We have already observed this in intelligence reports: PRC-nexus espionage groups, for example, are sharing and deploying exploits across multiple teams faster than ever. The result is a shift from targeted, sparing use of zero-days to mass exploitation campaigns and ransomware operations that leverage AI-discovered flaws before patches are available.
3. How does AI affect the economics of zero-day exploitation?
Zero-day exploits have traditionally been expensive, time-consuming to develop, and guarded by advanced persistent threat groups and nation-states. AI changes this calculus by lowering the cost and expertise required to find and weaponize vulnerabilities. With AI tools, even moderately skilled attackers can generate functional exploits, reducing the market price for zero-days on underground forums. This economic shift encourages mass exploitation rather than targeted, limited use. Ransomware groups and extortion operations can now afford to launch campaigns that exploit newly discovered vulnerabilities on a large scale, increasing the volume of attacks. Moreover, AI can accelerate the reverse engineering of patches, allowing attackers to quickly develop exploits for disclosed vulnerabilities before organizations apply updates. The net effect is a more crowded and faster-moving threat landscape where defenders must prioritize rapid patching, AI-assisted detection, and proactive hardening to stay ahead.
4. What are the two critical tasks for defenders in this AI-driven era?
Defenders face two urgent priorities. First, they must harden existing software as rapidly as possible by integrating AI into their security programs. This means using AI for automated code review, vulnerability scanning, and patch prioritization—matching the speed of attackers. Second, they must prepare to defend systems that have not yet been hardened. Since not every application can be updated immediately, defenders need robust detection and response capabilities that can identify exploitation attempts in real time. This involves strengthening security playbooks, reducing the attack surface by disabling unnecessary services, and deploying AI-based monitoring tools that can spot anomalies indicative of AI-generated exploits. The window between discovery and exploitation is shrinking, so defenders must assume that a vulnerability will be weaponized quickly. Proactive measures, like threat hunting and deception technologies, become essential to buy time while patches are developed and rolled out.
5. How can enterprises incorporate AI into their security programs effectively?
To incorporate AI into security programs, enterprises should start by adopting AI-driven tools for vulnerability management. For instance, AI can analyze codebases to identify potential flaws and suggest fixes, similar to how attackers use it to find exploits. Secondly, use AI to enhance threat detection—machine learning models can spot patterns of AI-generated attacks, such as rapid, automated scanning or unusual exploit attempts. Thirdly, automate incident response playbooks with AI to reduce response times. It's also crucial to invest in AI security training for staff to understand both defensive and offensive AI capabilities. Finally, enterprises must continuously monitor the AI threat landscape, including underground forums, to anticipate new techniques. By integrating AI into the development lifecycle (DevSecOps), organizations can shift left—finding and fixing vulnerabilities before code is deployed. Remember, defenders must also secure their AI models against adversarial attacks, ensuring that the AI itself is not turned against them.
6. What is the risk period during the transition to AI-hardened software?
The transition to AI-hardened software creates a critical window of risk. While AI will eventually make code more difficult to exploit by catching vulnerabilities early, the adoption of AI by defenders is not instantaneous. During this transition, threat actors are already using AI to discover and exploit novel vulnerabilities in existing, unhardened software. This asymmetry means that attackers can exploit the gap between the release of AI-assisted exploits and the deployment of AI-based defenses. The risk is amplified by the fact that many legacy systems cannot be easily updated or replaced. During this period, enterprises must operate under the assumption that any vulnerability could be discovered and weaponized by AI within days. Mitigation strategies include aggressive patch management, network segmentation, and investing in runtime application self-protection (RASP) and web application firewalls (WAFs) tuned to AI-generated attack patterns. The key is to accelerate hardening efforts while accepting that perfect security is impossible until the transition is complete.