AI benefits/risks 5 ways to defend against vibe hacking May 12, 2026 Share By Vineet Edupuganti (Adobe Stock) COMMENTARY: I recently described the vibe hacker : the low-skill operator who uses AI to run attacks that would have been out of reach 12 months ago. The Mexico breach , the FortiGate campaign , the extortion actor who literally asked an LLM what to do with stolen data. AI raised the floor of offensive capability, and the evidence kept piling up. [ SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here . ] Since then, the ceiling moved, too. Anthropic's Mythos model found zero-day vulnerabilities autonomously across every major OS and browser family, then built a working browser exploit by chaining four of them together without human guidance. On a Firefox exploit-generation benchmark, the previous best model managed two successes out of hundreds of runs. Mythos hit 181. It also surfaced a bug in OpenBSD that had sat undetected for 27 years, missed by every researcher and automated tool that had looked at the codebase in that time. And just yesterday, Google reported the first AI-assisted zero-day exploited in the wild. Finding unknown vulnerabilities and building working exploit chains has historically required dedicated research teams with intelligence-agency funding. That barrier has eroded. What leading labs can do today, open-source models have tended to replicate within one to two years. When that window closes, organized crime groups gain access to a capability tier that used to separate them from state-sponsored operations. So the floor has been raised and so has the ceiling. Practitioners and security leaders are asking what to do about it. Here’s some insight: Reassess organizational risk: The economic constraint on attacking mid-market and smaller companies has always been labor. Recon, scanning, exploitation, and lateral movement all take human hours. A 200-person manufacturer that might pay a $50K ransom wasn't worth the effort when the same hours could target a company that would pay $2M. AI collapses that math. When the marginal cost of adding another target approaches zero, there's no economic reason to skip smaller organizations. The FortiGate campaign demonstrated this: one person, 600+ devices, 55 countries, five weeks. No target selection logic beyond "what's exposed." Vibe hackers exploit known vulnerabilities at volume. When autonomous zero-day discovery reaches criminal groups, even organizations with good patching discipline face a category of threat they weren't sized for. CISOs should reframe this for boards. The vibe hacker concept makes sense in these conversations because it's intuitive. Board members who don't track CVSS scores understand: "AI made it cheap enough that we're now facing the same volume of threats as organizations 10 times our size." The talent gap makes the math worse. Hiring alone won't close it, because the market can't produce analysts fast enough. Defenders need AI working on their side of the equation, or the asymmetry grows every quarter the models improve. Close the detection gap: Scanner vendors need to write a detection plugin before their tool can find anything, which usually takes 3-5 days after a CVE gets published. Meanwhile, time-to-exploit has dropped from 2.3 years in 2018 to less than 24 hours today. Nearly 25% of exploited CVEs see attacks on the day they're disclosed. The gap between when attackers can act and when our scanner knows to look now represents one of the most dangerous windows in any security program. How can we shrink that window? Stop relying on scanners as the first line of awareness. If we know what software runs across our environment, down to the component and version level, we can cross-reference a new CVE against our own inventory the moment it's published. That requires an SBOM practice that's actually maintained and asset records tagged with enough context to support rapid triage. Separately, scan continuously. Weekly or monthly scan cycles were designed for a threat tempo that no longer exists. Compress time to remediation: Knowing where we're exposed makes sense but insufficient if fixes still take weeks to reach production. Most patching workflows were designed around change management processes that prioritize stability over speed: testing queues, approval chains, maintenance windows. Each step exists for a good reason, but the cumulative latency creates exposure that AI-equipped attackers will find. Look at every stage between "vendor releases a patch" and "patch is live in production" and ask what we can compress or parallelize without sacrificing safety. Use automated regression testing and staged rollouts with rollback capability to move faster without flying blind. For critical patches on internet-facing systems, build a fast track that cuts through the standard queue while preserving an audit trail. Measure how long critical fixes actually take from disclosure to deployment, set targets, and hold the organization to them. Compensating controls like WAF rules can reduce exposure while a fix is in progress. And when a vulnerability sits open for months because nobody wants to own the remediation, that should require a deliberate risk acceptance with executive accountability. Turn AI toward defense: Traditional red team engagements simulate a skilled adversary working methodically against a specific target over a defined period. That model remains valuable, but it doesn't test what the vibe hacker actually does: broad, fast, opportunistic probing across an entire external attack surface, moving on when blocked, returning with a different approach. Security teams should apply AI to their own offensive testing. AI-assisted red teaming can continuously probe external exposure the way a vibe hacker would, identifying gaps in real time rather than producing a findings report once a quarter. The capability that makes attackers more productive is available on the defensive side too, and teams that wait for their next annual pen test cycle to consider it are already behind. Apply the same rethinking to incident response: Most incident response (IR) playbooks assume a single-skilled adversary trying to maintain persistence. The vibe hacker scenario is different: multiple simultaneous, noisy, AI-assisted intrusions from different operators running their own AI-generated playbooks in the same week. Most IR plans aren't built for that kind of concurrent, uncoordinated pressure. Today’s compliance frameworks weren't designed for this threat. An organization can pass its SOC 2 audit and still have exactly the exposure profile that made the FortiGate campaign successful, because the audit verifies that controls exist on paper, not that they hold under automated pressure at scale. Cyber insurance can become an important factor in solving this issue. If carriers start pricing policies based on how long critical vulnerabilities remain open and whether patching SLAs are met with evidence, rather than annual questionnaire answers, that creates an economic incentive that reaches organizations that compliance frameworks don't touch. And, standards bodies should update implementation guidance to reflect attacker tempo. The NIST CSF's capability structure is sound, but its guidance on patching timelines and assessment frequency was written for a world where exploitation took weeks, not hours. The skill floor in offensive cyber rose sharply over the past year, and the ceiling has risen. It requires a broad response spanning operational practices, organizational risk models, and the compliance and insurance structures around them. Every recommendation we’ve made here comes back to the same issue: the speed at which threats materialize has outpaced the speed at which most organizations can respond. Closing that gap has become the defining challenge for security teams over the next several years, and it will require defenders to adopt the same AI capabilities that created the gap in the first place. Vineet Edupuganti, co-founder and CEO, Cogent Security SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial. Vineet Edupuganti Related AI benefits/risks Why we need a ‘zero-trust for code’ behavioral approach to secure software Ken Ammon May 11, 2026 AI has broken down the old model for classifying code – here’s how a behavioral approach makes more sense today. AI/ML What OpenClaw revealed about the agent security model Goutham Nekkalapu May 11, 2026 OpenClaw exposed how insecure agent architectures can turn AI ecosystems into attack surfaces. Security Strategy, Plan, Budget Why boards must stop chasing buzzwords Jon David May 8, 2026 Here are three ways CISOs can guide board members to move beyond the buzzwords. Get daily email updates SC Media's daily must-read of the most current and pressing daily news Business Email By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy . Subscribe You can skip this ad in 5 seconds