TechTarget and Informa Tech’s Digital Business Combine. Dark Reading Resource Library Black Hat News Omdia Cybersecurity Advertise NEWSLETTER SIGN-UP Cybersecurity Topics World The Edge DR Technology Events Resources CYBER RISK THREAT INTELLIGENCE VULNERABILITIES & THREATS COMMENTARY The Boring Stuff is Dangerous Now AI agents capable of discovering and exploiting obscure vulnerabilities are emerging alongside developers producing vast amounts of potentially flawed AI-generated code, forcing defenders to adapt accordingly. Shlomie Liberow,Founder and CEO,aisy May 18, 2026 4 Min Read SOURCE: YURI ARCURS VIA ALAMY STOCK PHOTO OPINION Are you freaking out? It feels like the entire industry is losing its head over the collision of two huge security pressures. First, every development team has suddenly been mandated to use AI coding tools, resulting in thousands of new bugs and misconfigurations. This has coincided with the announcement that, if Claude Mythos was unleashed, it would exploit every unknown vulnerability out there. It’s enough to make everyone from triagers and CISOs want to give up. Let’s consider how both scenarios play out, and what it means for vulnerability discovery, vulnerability management, and actual risk reduction. When Claude Code Security was announced earlier this year, there was a lot of hype around it being the silver bullet for insecure code. Cybersecurity stocks dropped, think pieces questioned if we’d all be out of a job. Enterprises were excited though by the massive improvements and possibilities offered by the models. In the past few weeks, mandates have swept through businesses, requiring all developers to use AI coding tools. Now, there’s no denying these tools are good, and the code they create is high quality and secure in itself. But that’s not where the security issues lie. It’s in the implementation where the risk sits; a broken assumption about how an API validates input or the same misconfigured permission pattern, repeated everywhere because developers are working fast and the feedback loop between "code shipped" and "vulnerability found" constantly shrinks. You’ve got a situation where developers are shipping at incredible speed, and CISOs are just expected to manage the risk. The question becomes: how can we build more security into the development and implementation process without putting more pressure on developers? Related:SecurityScorecard Snags Driftnet to Level Up Threat Intelligence Enter Anthropic’s Project Glasswing Previously, the implicit assumption in enterprise security was that obscurity offered partial protection. Attackers weren’t wasting their time on onerous discoveries. It took days of tedious recon to map a target's third-party ecosystem, such as which regional SaaS provider handles compliance, which internal tool has read access to production, or which open-source library sits six levels deep in the dependency tree. That friction acted like accidental insurance. Anthropic's Project Glasswing removes that barrier. Models like Mythos don't need creative genius, they just need reach. They have it, and that changes what counts as an attractive target. An agent can follow a trust graph systematically without fatigue and without distraction; the boring path through a forgotten vendor becomes highly exploitable, especially because nobody's watching it. Attackers don’t need a zero day when an agent can map your third-party ecosystem, identify which provider runs a known-vulnerable framework version, resolve the trust path to production, and chain it together. Related:Checkbox Assessments Aren't Fit to Measure Risk So, we have this perfect storm of an explosion of new and poorly implemented code, with agents that can find the most obscure vulnerabilities, and chain them together to deliver maximum impact. What does this mean for organizations? Until now, they’ve been focused on locking down their most critical applications while legacy integrations and vendor tooling keep broad access quietly in the background. This is longer tenable. You have a situation where security teams are going to be more overwhelmed by vulnerability reports than ever. They essentially have the same problem — how do we know what to prioritize — just multiplied by a hundred. You can’t go to engineering teams with every reported vulnerability. You lose credibility if everything is urgent, when they don’t have time and patience to fix everything either. My advice to organizations is to start with focusing on what you’re most worried about. A critical vulnerability in a system that doesn’t hold any PII or provide privileged access isn’t as important as a combination of low-level vulnerabilities that result in actual high business impact. What do you need to protect against? Then go looking for everything that threatens it. If you start identifying common recurring themes, this intelligence can then be fed back into those AI coding tools so developers can be prompted at the moment of implementation that a common issue arises at this point and then mitigate for it. Overall, this reduces friction between security and engineering teams. Related:Research Hub Bridges Cybersecurity Gap for Under-Resourced Organizations There are three things to consider when working out where your risk lies: Track transitive dependencies, data flows, permissions and the common patterns there. If you cannot answer "why does this keep happening?" quickly, you have a context gap. Prioritize patching the root causes based on the trust-path risk rather than asset prestige. The internal service nobody cares about can be higher risk than a flagship app if it sits on a more privileged path. Double down on remediating patterns of vulnerabilities. Over time, the focus should be enough pattern standardization that the AI tooling used to build learns from each mistake. This will help target the real risk and avoid overwhelming engineering at exactly the moment security teams need their trust. Don't miss the latest Dark Reading Confidential podcast, How the Story of a USB Penetration Test Went Viral. Two decades ago Dark Reading posted its first blockbuster piece — a column by a pen tester who sprinkled rigged thumb drives around a credit union parking lot and let curious employees do the rest. This episode looks back at the history-making piece with its author, Steve Stasiukonis. Listen now! Read more about: Opinion About the Author Shlomie Liberow Founder and CEO, aisy Shlomie is the founder and CEO of aisy. He spent nearly a decade as a hacker and head of Hacker R&D at HackerOne, working alongside Zoom, Salesforce, Capital One, and the Pentagon to find and triage thousands of vulnerabilities, making judgment calls on over $20 million in verified findings. Prior to this, Shlomie protected some of the world's most high-profile personalities from cyber threats, anticipating risks before they materialized and taking proactive measures to secure against them. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management 2025 State of Malware Access More Research Webinars How Security Teams should apply Threat Intelligence into their Defenses Your Guide to Securing AI Adoption in Your Organization What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization? The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud Workspace Prompt Injection Is Just the Start: Securing LLMs in AI Systems More Webinars You May Also Like CYBER RISK How Can CISOs Respond to Ransomware Getting More Violent? by James Doggett JAN 28, 2026 CYBER RISK US Cyber Pros Plead Guilty Over BlackCat Ransomware Activity by Alexander Culafi JAN 05, 2026 CYBER RISK Switching to Offense: US Makes Cyber Strategy Changes by Robert Lemos, Contributing Writer NOV 21, 2025 CYBER RISK Microsoft Exchange 'Under Imminent Threat,' Act Now by Arielle Waldman NOV 12, 2025 Editor's Choice THREAT INTELLIGENCE From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber byDark Reading Editorial Team MAY 6, 2026 31 MIN READ CYBER RISK Physical Cargo Theft Gets a Boost From Cybercriminals byRobert Lemos MAY 4, 2026 5 MIN READ CYBER RISK NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later byDark Reading Editorial Team APR 28, 2026 Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE RSAC 2026: key news & insights At RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much more Get Your Recap Webinars How Security Teams should apply Threat Intelligence into their Defenses THURS, JUNE 11, 2026 AT 1PM EST Your Guide to Securing AI Adoption in Your Organization TUES, JUNE 9, 2026 AT 1PM EST What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization? WED, JUNE 3, 2026 AT 1PM EST The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud Workspace WED, JUNE 24,2026 AT 1PM EST Prompt Injection Is Just the Start: Securing LLMs in AI Systems TUES, MAY 26, 2026, AT 1PM EST More Webinars BLACK HAT USA | MANDALAY BAY, LAS VEGAS The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass. GET YOUR PASS Discover More Black Hat Omdia Working With Us About Us Adve