The skills needed to mount a serious cyberattack are being commoditized. Tasks that once demanded years of expertise — writing convincing phishing lures, hunting for software vulnerabilities, automating an intrusion — can increasingly be handled, or sped up, by AI tools. The threat is real and measurable; it is also not one-sided, because the same technology is arming defenders. Here's the state of that arms race.
Attacks are faster and more automated
Security firms are seeing the shift in their data. CrowdStrike's 2026 Global Threat Report documented a sharp rise in activity it attributes to AI-enabled adversaries, who the firm said are using AI to scale social engineering and automate reconnaissance. One telling metric is "breakout time", the time an attacker takes to spread to other systems after breaching a network, which CrowdStrike says has fallen to well under an hour, with the fastest cases measured in seconds.
The window to react is shrinking elsewhere too. By IBM's X-Force analysis, the time between a vulnerability being disclosed and being exploited has collapsed over recent years, as AI accelerates the hunt for weaknesses. The barrier to entry has dropped with it: incident responders describe capabilities once reserved for skilled operators now within reach of amateurs through cheap, off-the-shelf AI services. (Explainers: phishing is tricking someone into handing over credentials or money; a vulnerability is a software flaw an attacker can exploit; social engineering is manipulating people rather than machines.)
The Mythos flashpoint
The double-edged nature of the technology is captured by a model Boursel has covered. Anthropic's "Mythos" proved so capable at finding vulnerabilities and generating exploits that the company restricted its release and disabled cyber features in the public version, granting full access only to vetted defenders, CNBC reported — and the US government separately curbed foreign access on national-security grounds.
But restriction has limits. As we reported, China's Z.ai released an open-weight model, GLM-5.2, that it claims rivals Mythos at vulnerability-finding — and an open model is hard to fence in, with users quickly circulating "jailbreaks" to strip its safety guardrails. The lesson: export controls on one company's model do little when a capable open alternative exists, and they may shift the threat rather than remove it.
Defenders have AI too
This is an arms race, not a rout. The same tools that speed attacks also power defense: automated threat detection, faster patching, and AI "co-pilots" in security operations centers that can compress investigations from many minutes to a couple of minutes. Industry surveys point to a rapid rise in organizations adopting AI-augmented security tools, and national cyber agencies including the US CISA and the UK's NCSC have urged faster patching as AI quickens the discovery of flaws. The edge tends to go to whoever moves fastest, and well-resourced defenders are moving.
The business and money angle
For companies, this is a balance-sheet issue, not just an IT one. Confidential data, trade secrets and operations are exposed to a larger pool of capable attackers, which is feeding rising demand for cybersecurity products and services — and, by industry accounts, higher cyber-insurance premiums as insurers price in AI-driven risk. Many executives report feeling under-protected. The practical takeaways are familiar but newly urgent: patch quickly, train staff against ever-more-convincing phishing, and assume attackers now have automation on their side.
The bottom line
The honest framing avoids both complacency and panic. AI has genuinely lowered the barrier to capable cyberattacks and sped them up — that much the threat data supports. But it has also handed defenders powerful new tools, and the contest is being decided less by who has AI than by who deploys it faster and patches sooner. For investors and operators, the signal is clear: cyber risk is rising in step with AI's spread, and the spending to contain it is climbing too.



