VFF - The signal in the noise
News

AI Can Now Find Zero-Days. Your Patch Process Isn't Ready.

Read original
Share
AI Can Now Find Zero-Days. Your Patch Process Isn't Ready.

Anthropic's Claude Mythos model can autonomously discover zero-day vulnerabilities, closing a critical safety margin that previously existed because AI could only exploit known CVEs. Exploitation timelines have collapsed to hours rather than days, rendering traditional patch windows ineffective. Organizations must overhaul vulnerability prioritization and authorization controls to account for AI-driven attack speeds.

  • Claude Mythos discovered thousands of zero-day vulnerabilities across major operating systems and browsers, achieving 83.1% on vulnerability reproduction benchmarks
  • Recent exploits occurred in under 10 hours post-disclosure, before patches were available, invalidating assumptions about safe patch windows
  • CVSS-only prioritization is insufficient; a three-layer filter using CISA KEV status, EPSS scores, and CVSS achieved 18x efficiency gains and 85.6% coverage of exploited vulnerabilities
  • Authorization policies for privileged agent credentials have not been tested against AI behavior, creating measurable security gaps like Docker's CVE-2026-34040

The discovery that AI can autonomously find zero-days eliminates the assumption that enterprises have time to patch vulnerabilities before exploitation. Exploitation is now happening faster than patches can be developed and deployed, fundamentally breaking the traditional vulnerability management timeline. This requires immediate changes to how organizations prioritize and respond to security threats.

Enterprises cannot rely on their existing patch management processes to protect against AI-driven exploitation. The cost of discovering and exploiting vulnerabilities has dropped dramatically (under $20,000 for some campaigns), making attacks more economically feasible. Organizations that do not restructure their vulnerability prioritization and authorization controls face significantly elevated breach risk.

  • Vulnerability prioritization must shift from CVSS scores alone to a three-layer model incorporating active exploitation status, predicted exploitation likelihood, and severity baseline
  • Patch windows are no longer a reliable defensive assumption; organizations must assume exploitation can occur within hours of disclosure
  • Authorization systems and privileged access controls must be audited and redesigned to account for AI agent behavior, not just human operators

Monitor whether organizations adopt the three-layer prioritization framework and how quickly they can operationalize it. Track whether authorization bypass vulnerabilities in common platforms (Docker, Kubernetes, cloud providers) become more prevalent. Watch for industry guidance on AI-aware security architecture and whether vendors update their authorization plugins to account for AI agent behavior patterns.

Share

Subscribe to the newsletter

The latest stories and analysis, delivered to your inbox.

Free. No spam. Unsubscribe any time.

Related stories

Microsoft Launches AI Bug Finder Using Anthropic and OpenAI Models

Microsoft Launches AI Bug Finder Using Anthropic and OpenAI Models

Microsoft is preparing to launch Project Perception, an AI-powered security product designed to identify software bugs, set to debut as soon as July 2026. The tool will combine AI models from Anthropic, OpenAI, and Microsoft to compete in the growing cyber defense market. The product targets enterprises increasing their security spending and represents Microsoft's effort to capitalize on demand for AI-driven vulnerability detection.

by Aaron Holmes· The Information
OpenAI Automates Red Teaming with GPT-Red Self-Play System
TrendingNews

OpenAI Automates Red Teaming with GPT-Red Self-Play System

OpenAI has introduced GPT-Red, an automated red teaming system that uses self-play to identify and address vulnerabilities in AI models. The system is designed to improve safety, alignment, and robustness against prompt injection attacks. GPT-Red represents an approach to proactive AI security testing that could inform how organizations evaluate model vulnerabilities before deployment.

· OpenAI
White House Launches Gold Eagle Vulnerability Coordination Program

White House Launches Gold Eagle Vulnerability Coordination Program

The White House announced Gold Eagle, the first program emerging from its June AI cybersecurity executive order. Gold Eagle is a clearinghouse that brings together government agencies and companies to coordinate on cyber vulnerabilities. The initiative represents the administration's effort to operationalize its AI security policy through public-private coordination.

by Leo Schwartz· The Information
Apple sues OpenAI over alleged trade secret theft
TrendingNews

Apple sues OpenAI over alleged trade secret theft

Apple has filed a lawsuit against OpenAI alleging the company stole trade secrets, with the misconduct allegedly directed by OpenAI's senior leadership including a longtime former employee. The suit represents a significant escalation in tensions between two major technology companies over intellectual property and competitive practices. Details on the specific trade secrets at issue and the scope of the alleged theft remain limited based on available information.

by Sarah Perez· TechCrunch AI