AI Vulnerability Discovery: The New Defender Economics
AI vulnerability discovery is collapsing the cost of finding zero-days. Learn how this rewrites defender economics and what shift it forces.
Almost every defensive control in enterprise security rests on a single hidden assumption: that finding novel vulnerabilities is expensive. Patch Tuesday works because attackers cannot weaponize n-days fast enough. Bug bounties work because finding bugs is hard. Threat intelligence works because attacker tradecraft evolves slowly enough to catalog. The entire economic model of enterprise defense is built on the scarcity of zero-day discovery.
That scarcity is ending. Not gradually. Not over a decade. AI-driven vulnerability discovery is collapsing the cost curve right now, and the implications for defender economics are larger than the industry is acknowledging.
This piece is about what happens when the assumption underneath everything changes. We will not pretend the news is good. We will also not pretend the situation is hopeless. There are specific things that break, specific things that don't, and a clear architectural response that defenders who move now will benefit from for years.
What AI vulnerability discovery actually means
Vulnerability discovery has always involved some combination of static analysis, dynamic analysis, fuzzing, and human reasoning. Each of these techniques produces value, and each has well-understood limits. Static analysis finds patterns. Fuzzing finds crashes. Symbolic execution explores code paths. Human researchers find the bugs the tools miss, the logic flaws, the protocol abuse, the unintended interactions across system boundaries.
AI vulnerability discovery is different. The current generation of frontier models can reason about code the way a senior security researcher reasons about it, building mental models of intended behavior, hypothesizing where those models break, generating proof-of-concept exploits to validate the hypothesis, and iterating until the exploit works. Anthropic's Claude Mythos Preview, the most public example, has done this thousands of times in the past few weeks across every major operating system and browser.
The capability is not pattern matching against known CVEs. That would be the easy story. The harder story is that these models are finding novel zero-days, vulnerabilities that have never been publicly disclosed and that survived decades of human review. A 27-year-old integer overflow in OpenBSD. A 16-year-old flaw in FFmpeg that survived more than five million automated tests. The capability gap between elite human researchers and frontier models has narrowed enough that, on certain classes of tasks, the models are now competitive. On some tasks, they are better, mostly because they don't get tired and they can run a thousand instances in parallel.
The UK AI Security Institute confirmed in independent evaluations that Mythos Preview can execute multi-stage attacks on vulnerable networks autonomously, completing in minutes the kind of work that would take human professionals days. This is not a benchmark artifact. It is a real measurement of a real capability.
The old economics: why zero-day scarcity defined defense for 30 years
To understand what changes, you have to understand what the old economics actually were.
A novel zero-day in a major operating system or widely used library used to require a team of elite researchers working for weeks to months. The unit cost was somewhere between $200,000 and several million dollars depending on target, exploit reliability, and the buyer's level of demand. Brokers like Zerodium publicly published bounty schedules that anchored the market. Nation-state programs hoarded zero-days as strategic assets. The supply was constrained by the number of humans capable of finding them, which was small, and by the time those humans needed to do the work, which was significant.
Every defensive control built over the last thirty years assumes this constraint. Patch SLAs measured in days work because attackers cannot weaponize most n-days within that window. Threat intelligence catalogs of attacker TTPs work because evolving tradecraft is expensive. The whole concept of "advanced persistent threat" depends on advancement and persistence being scarce, only well-funded actors with deep capabilities could pull off sophisticated multi-stage operations.
Bug bounty programs work because the asymmetry of researcher time favors disclosure over exploitation for most actors. If finding a bug takes six weeks of a senior researcher's time, the $50,000 bounty payment is competitive with the underground market for everyone except the most sophisticated criminal and state actors. The entire "responsible disclosure beats the black market" argument rests on this calculation.
The defenders' implicit calculation, repeated millions of times across enterprise security teams: "we don't need perfect coverage; we need to be hard enough that attackers go elsewhere." That calculation is a theorem about scarcity. When scarcity ends, the theorem doesn't hold.
The new economics: when finding bugs becomes cheap
Run the numbers under AI-era conditions. A frontier model competent at autonomous vulnerability discovery costs perhaps a few thousand dollars per month in inference. Run a hundred instances in parallel against a target codebase, and you have something equivalent to a hundred competent security researchers working continuously. The cost structure of finding a novel zero-day in widely deployed software shifts from "elite human researchers, six weeks" to "AI agents, hours, at compute cost."
This is not a marginal change. This is a roughly two-orders-of-magnitude collapse in the cost of zero-day discovery. The implication is that capability previously available only to nation-state actors and the most sophisticated criminal groups becomes available to mid-tier ransomware operators, hacktivist collectives, opportunistic insiders, and anyone willing to spend a few thousand dollars on compute.
This is the shift the industry is not naming clearly enough. The threat surface is not getting incrementally worse. The threat surface is getting categorically different. The actors who can plausibly find novel zero-days in your environment go from "fewer than a hundred organizations globally" to "anyone with an API key and a credit card."
We need to be honest about timing. Today, this capability is concentrated in restricted environments, Anthropic's Project Glasswing coalition, internal use by major AI labs, government programs we don't know the details of. The defensive firebreak is real. But it is also temporary. Open-weights models are advancing. Other labs are building toward similar capabilities without Anthropic's restraint. The capability proliferation timeline is measured in quarters, not years.
What breaks: patch SLAs, bug bounties, threat intel, disclosure norms
Five things in defensive practice break, in roughly this order:
Patch SLAs break. A 7-day SLA for criticals presupposes that exploits take more than 7 days to develop. That presupposition no longer holds for AI-era n-days. We cover this in detail in Patch Window Collapsed: AI-Native Incident Response Now.
Bug bounty economics break. When finding a bug costs an attacker a few hours of compute instead of six weeks of researcher time, the calculus of "sell to vendor for $50K vs. exploit privately" shifts significantly toward exploitation. Bug bounty programs will need to dramatically increase payouts, change scope to focus on logic flaws and architectural issues that AI handles less well, or accept that more bugs flow to private exploitation than to disclosure.
Threat intelligence catalogs break. The whole premise of cataloging attacker TTPs assumes evolving tradecraft is slow enough to keep up with. When attackers can generate novel exploit chains autonomously, "tracking" them in the traditional sense becomes harder. Attribution gets noisier, when any modestly-resourced actor can execute attacks previously requiring nation-state capability, "this looks like APT-29" becomes less informative.
Coordinated disclosure breaks. The 90-day disclosure window was designed for a world where one researcher finds one bug and gives the vendor 90 days. What happens when an AI agent finds 4,000 bugs in your product in a weekend? Vendors cannot patch that fast. Researchers cannot responsibly sit on stockpiles. Read our analysis in Project Glasswing: The New Disclosure Architecture.
Software liability shields break. The implicit "security is hard, bugs happen, no warranty expressed or implied" defense that has protected the software industry for forty years becomes politically untenable when AI demonstrates that most bugs were findable all along. Expect aggressive liability legislation in the EU first, then US sector-specific. The SBOM mandates were the warm-up.
The asymmetry problem: defenders operate under friction, attackers don't
A comforting narrative is forming: AI helps defenders too, the asymmetry will balance out, defenders have AI agents now, everything will be fine. This narrative is wrong in a specific and important way.
Defenders use AI within bureaucratic, audited, governance-bound constraints. Model risk committees. Change management. SOC2 audits of the AI agents themselves. Procurement cycles measured in quarters. AI ethics review. Legal review. Compliance review. Each layer of governance is individually defensible and collectively additive.
Attackers do not operate under any of those constraints. A criminal group can spin up Mythos-class capability the moment such capability becomes available outside Glasswing, with no governance, no audit, no policy review. The same capability that takes a Fortune 500 enterprise nine months to deploy, through procurement, security review, model risk committee, legal sign-off, and operational integration, takes an attacker an afternoon.
The same capability is force-multiplied for offense and friction-multiplied for defense. This is the asymmetry no one wants to name in a quarterly earnings call.
The honest defensive response is to accept the asymmetry rather than pretend it doesn't exist. That means assuming continuous compromise rather than treating prevention as the dominant goal. It means optimizing for blast radius limitation and recovery time rather than perimeter strength. It means investing in the architectural layers that AI-era attackers cannot easily bypass even with superior offensive capability.
What doesn't break: why architecture and memory matter more than ever
Here is the part of the analysis the doom narratives miss. AI capability does not change everything. It changes specific things and leaves other things untouched.
What it does not change: the value of network segmentation. The value of identity hygiene. The value of immutable infrastructure. The value of comprehensive logging and forensic depth. The value of out-of-band recovery capability. The value of architectural simplicity that limits blast radius when something does fail.
It changes the value of speed, defenders need to respond faster, without changing the value of these structural properties. In some cases it raises the value of these properties dramatically. The architectural layers that make a compromise contained, observable, and recoverable become more valuable as the probability of compromise rises.
Most importantly, AI capability does not change the value of telemetry depth and historical reasoning. If anything, it dramatically increases that value. When a fresh CVE drops and your AI agent needs to determine whether your environment was exploited at any point in the previous twelve months, the agent can only reason over telemetry that actually exists. Sampled data produces sampled conclusions. Cold-storage data produces conclusions that arrive too late. Data that was dropped to control SIEM ingestion costs produces no conclusions at all.
This is the architectural insight underneath Bloo's category. The shift from human-speed defense to AI-speed defense changes what infrastructure is valuable. Real-time alerting was valuable when humans triaged alerts. Now AI agents triage alerts, and what they need is not a faster alert pipeline. They need machine-reasonable history. We make this architectural argument in detail in AI-Native Incident Response Needs Full-Fidelity History.
The defender's playbook for the AI discovery era
The work for defenders divides into two horizons.
The 90-day horizon, operational. Compress patch cycles. Audit auto-update posture. Treat dependency upgrades carrying CVE fixes as P0 incidents. Inventory legacy code and dependencies that may carry latent zero-days about to be discovered. Shorten quarterly assessment cycles toward continuous validation. Brief boards on the changing threat model so the budget conversations in Q3 and Q4 are framed correctly. Read our 90-day plan in How to Prepare for the AI-Discovered CVE Wave.
The 18-month horizon is architectural. Audit telemetry retention against the new threat model. If your SIEM drops or tiers data after 90 days, you have a structural blind spot the moment a freshly disclosed zero-day with a six-month exploitation history becomes public. Move toward full-fidelity retention measured in years. Move toward telemetry structured for machine consumption, entity-resolved, cross-domain, queryable by agents rather than only by dashboards. Move toward economic models that don't punish you for keeping the data you need.
The tooling layer of cybersecurity will get a lot of attention in the next 12 months. There will be many announcements, much consolidation, several new acquisitions. Most of it is downstream of the architectural shift, not a substitute for it. The defenders who get this right are the ones building the substrate underneath the tooling, not the ones swapping tools at the surface.
The shift the industry is not naming
The story being told in most coverage of AI vulnerability discovery is "scary new attack capability, buy more defensive tools." That story is true and inadequate. The deeper story is that the economic foundation of enterprise defense has shifted, and the architecture built on that foundation has to shift with it.
Defenders who recognize this early will spend the next two years building the substrate that AI-era defense requires, full-fidelity telemetry, machine-reasonable history, predictable economics that reward retention. Defenders who don't will spend the next two years patching faster and falling further behind, until a regulator or a board asks the question they cannot answer: when this CVE was disclosed, did it touch us in the previous year? And how do we know?
The right time to start building the answer to that question was last quarter. The next-best time is now.
Related reading
- What Claude Mythos Means for the Future of Cybersecurity. The pillar piece. The full picture.
- Patch Window Collapsed: AI-Native Incident Response Now. The defender's playbook for compressed exploit windows.
- How to Prepare for the AI-Discovered CVE Wave. The 90-day operational plan.
- AI-Native Incident Response Needs Full-Fidelity History. The architectural anchor.
- Inside the Zero-Days Claude Mythos Discovered. What the OpenBSD and FFmpeg findings reveal.
- Project Glasswing: The New Disclosure Architecture. How vulnerability disclosure breaks at AI scale.
- Telemetry Intelligence: The Next Layer of Enterprise Infrastructure. The category being defined.