AI is compressing attack timelines. Here's how agencies can respond.
Briefly

Anthropic's Mythos preview model identified thousands of zero-day vulnerabilities across every major operating system and web browser, including a 27-year-old bug in OpenBSD. Federal and state CISOs face higher risks than their private-sector counterparts because well-funded foreign adversaries target government systems first and use AI-assisted attack tooling. CISA has documented that nation-state actors exploit zero-day vulnerabilities, and AI-assisted discovery extends that capability. AI is compressing attack timelines faster than most defense organizations can respond, and the gap is widest in the public sector. Before AI entered the picture, the median time for an organization to remediate half of its open, internet-facing vulnerabilities was 361 days, while exploitation takes hours. One-third of exploited CVEs in the first half of 2025 showed attacker activity on or before the day of public disclosure, and public-sector remediation is often slower due to legacy systems, procurement delays, staffing shortages, and compliance requirements.
"Anthropic recently revealed that its Mythos preview model had identified thousands of zero-day vulnerabilities across every major operating system and web browser, including a 27-year-old bug in OpenBSD. This has taken the security community by storm. The risks for federal and state chief information security officers (CISOs) are higher than those of their private sector counterparts, not just in degree but in kind."
"Large, well-funded foreign adversaries actively target government systems and will deploy their best, newest tooling there first. These aren't average attackers; they are highly resourced, and they are already developing or deploying AI-assisted attack tools against U.S. government systems. CISA has documented that nation-state actors are adept at exploiting zero-day vulnerabilities, and AI-assisted discovery is a logical extension of that capability."
"For years, the conventional wisdom was that AI would be a double-edged sword, helping attackers find vulnerabilities, but also helping defenders close them. That framing now looks dangerously optimistic. AI is compressing attack timelines faster than most defense organizations can respond, and the gap is widest in the public sector."
"Consider the baseline before AI entered the picture: the median time for an organization to remediate half of its open, internet-facing vulnerabilities was 361 days. Exploitation, meanwhile, takes hours. One-third of exploited CVEs in the first half of 2025 showed attacker activity on or before the day of public disclosure, before most teams even knew there was anything to patch."
Read at Nextgov.com