AI bug-finding tools are lowering the bar for hackers

AI systems are becoming far better at finding software vulnerabilities, and security experts worry those same capabilities can be used to exploit them. The concern is not only advanced attackers, but also low-skill hackers who may gain new reach through automated tools.


AI is changing the economics of hacking. Tools built to find security flaws are getting faster and more capable, and experts cited in the source warn that the same progress could make exploitation easier for people with little technical skill.

The concern sharpened after Anthropic introduced Claude Mythos, described in the source as a new AI model that appears able to find vulnerabilities across software. But the article makes clear that Mythos is not the beginning of the trend. It is a visible sign of a broader shift that was already underway.

Automated bug finding is already proving itself

At DARPA’s Artificial Intelligence Cyber Challenge (AIxCC) in Las Vegas, some of the strongest cybersecurity teams demonstrated AI systems designed to find bugs. The tools scanned 54 million lines of real software code that DARPA had seeded with artificial flaws.

The systems found most of those inserted bugs. More importantly, they also found more than a dozen bugs that DARPA had not added. That result matters because it shows that automated systems are not merely matching expected test cases. They can surface flaws that were already present in complex code.

Another warning sign came in June 2025, when the autonomous offensive security platform XBOW topped the leaderboard of HackerOne, a bug bounty platform, ahead of human hackers. According to the source, that showed major progress in AI’s ability to find bugs.

Dan Guido, CEO and cofounder of Trail of Bits, said that by the time AIxCC arrived, there were already "10 to 20 different bug-finding systems that could find orders of multitude more bugs than we could patch." His conclusion was blunt: "This is actually not a new problem."

Why script kiddies are part of the risk

The source focuses on an old category of attacker: the script kiddie. For decades, script kiddies have caused damage by running code they found online or copied from exploit tool kits. They did not need to understand the tools deeply to deface websites or spread viruses.

AI could make that problem larger. A simple script gives a low-skill attacker a fixed capability. An AI system can help search, adapt, and iterate. That changes the role of the attacker from someone who merely runs a downloaded tool into someone who can direct an automated system toward a target.

Guido summarized the concern in the article with a short warning: "Mythos or not, this is coming." The point is not that one model alone creates the risk. It is that model capability, automation, and attacker access are moving in the same direction.

The source describes this as a major escalation because people without technical backgrounds may be able to use AI to improve their hacking capabilities in ways that simple scripts never allowed. That could widen the pool of people able to find and exploit weaknesses.

Finding flaws is getting cheaper

AI is especially useful for pattern matching, according to the source. That makes it easier to identify variants of known bugs, as well as bugs that have not yet been discovered. The harder question is what happens when tools that find flaws also help produce working exploits.
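To make the "variants of known bugs" point concrete, here is a small added example; it is not code from the article or from any tool, model or company it mentions, and the C source it scans is constructed for the illustration. It shows the simplest form of variant analysis: once one bug is known (an unbounded string copy into a fixed-size stack buffer), search the rest of the codebase for other call sites that match the same pattern, then set aside the already-reported instance so that only the new candidates go to a reviewer for confirmation. An AI bug finder generalizes far beyond a regular expression, but this is the core idea the article is describing.

```python
import re
from typing import NamedTuple

# Constructed sample translation unit (not from any real project). It holds one
# already-known bug (the strcpy in handle_login) and two unreported variants of
# the same pattern, plus one bounded call that must not be flagged.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>

void handle_login(const char *user) {
    char name[32];
    strcpy(name, user);            /* known bug: unbounded copy into name[32] */
    printf("%s\n", name);
}

void handle_cookie(const char *cookie) {
    char buf[64];
    sprintf(buf, "Cookie: %s", cookie);   /* variant: sprintf into buf[64] */
}

void handle_path(const char *path) {
    char full[256];
    strncpy(full, "/srv/", sizeof(full));
    strcat(full, path);            /* variant: strcat into full[256] */
}

void handle_safe(const char *s) {
    char out[128];
    snprintf(out, sizeof(out), "%s", s);  /* bounded: not a variant */
}
'''

# The bug class: copy routines with no destination bound. Names are exact, so
# the bounded strncpy/snprintf do not match.
UNBOUNDED = ("strcpy", "strcat", "sprintf", "gets")
DECL_RE = re.compile(r'\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]')        # char name[32];
CALL_RE = re.compile(r'\b(' + '|'.join(UNBOUNDED) + r')\s*\(\s*(\w+)\s*[,)]')


class Finding(NamedTuple):
    line: int   # 1-based line within the source text
    func: str   # unbounded routine called
    dest: str   # destination variable
    size: int   # declared size of the destination array


def find_variants(src):
    """Return every unbounded-copy call whose destination is a fixed-size char
    array declared earlier in the same function body. Function scope is
    approximated by brace depth: when it returns to zero the local
    declaration table is cleared."""
    findings = []
    decls = {}
    depth = 0
    for lineno, line in enumerate(src.splitlines(), 1):
        # Drop trailing comments; adequate for the constructed sample, not a C lexer.
        code = re.split(r'/\*|//', line)[0]
        for m in DECL_RE.finditer(code):
            decls[m.group(1)] = int(m.group(2))
        for m in CALL_RE.finditer(code):
            fn, dest = m.group(1), m.group(2)
            if dest in decls:
                findings.append(Finding(lineno, fn, dest, decls[dest]))
        depth += code.count('{') - code.count('}')
        if depth == 0:
            decls = {}
    return findings


def new_variants(src, known_lines):
    """Candidates not already on the known-bug list: the set a reviewer would
    triage next. Each still needs manual confirmation before it is a bug."""
    return [f for f in find_variants(src) if f.line not in known_lines]


if __name__ == "__main__":
    for f in new_variants(SAMPLE_C, known_lines={7}):
        print(f"line {f.line}: {f.func}() into {f.dest}[{f.size}] with no bound")
```

Run as a script it reports the sprintf and strcat sites as new candidates and omits the known strcpy and the bounded snprintf. The remaining step, which the matcher cannot do, is deciding whether each candidate is reachable with attacker-controlled input long enough to overflow the destination; that confirmation is what the article's interviewees describe as candidates "checking out".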

Tim Becker, senior security researcher at Theori, said that AI tools can, with very little or even no human guidance in some cases, find a zero-day in widely used software. He also described a dramatic change in his own work. Before using AI for automatic bug finding, he said it could take weeks or months to find a high-impact vulnerability in a new codebase. Now, he said, it can take hours.

His process, as described in the article, is to put code into an AI bug-finding tool and receive a report with candidate vulnerabilities within a couple of hours. He said most of those candidates end up checking out as real issues. He also noted, "The bar to diving into a new million-line codebase and finding a bug is so much lower than it used to be."

That falling bar has consequences. If effort becomes cheap, attackers may look beyond widely used software and begin targeting narrower systems. The article warns that bad actors could use AI to find bugs in uncommon software that previously would not have justified the work.

Open-weight models add another challenge

The source also points to open-weight models as a risk. These are models whose trained parameters, or weights, are publicly available. Becker said sophisticated threat actors would be more likely to run their own deployments so that exploits would not be exposed on Anthropic or OpenAI servers.

That matters because a company can try to monitor abuse on its own systems. The source notes that Anthropic may retain data to monitor abuse. But if an attacker runs a capable model independently, platform-level oversight becomes harder.

Anthropic is trying to limit misuse. A week after announcing Mythos, the company released Claude Opus 4.7 with safeguards meant to block malicious cybersecurity requests. Security professionals who want to use the model for defensive work can apply to Anthropic’s Cyber Verification Program.

Still, the source warns that other model creators may not be as cautious as Anthropic. If powerful tools are released directly to the public, the industry may face the same underlying capability without the same safeguards.

The defensive race is getting tighter

The same AI capability that worries security experts can also help defenders. Researchers are already using more widely available models to find vulnerabilities and report them to vendors before those flaws are exploited in the wild. That is the constructive side of automated bug discovery.

But the source’s central tension is that offense and defense are improving together. If defenders can find more bugs, attackers may be able to do the same. If defenders can move faster through a large codebase, attackers may also move faster through unfamiliar targets.

Guido framed the stakes around 2026, saying, "2026 is the year when all security debt comes due… 2026 is the make-it-or-break-it year." The phrase points to accumulated weakness in software systems meeting a new generation of tools that can search for those weaknesses at speed.

The practical implication is simple: organizations cannot assume that obscure software, unusual configurations, or limited attacker expertise will protect them. As AI bug-finding tools improve, vulnerabilities that once required scarce skill and patience may become easier to locate, test, and exploit.