Analysis April 20, 2026 • 10 min read • By Security News

Is AI speeding up cyber attacks?

What the numbers actually show about zero-day exploitation, phishing, and BEC since 2019 — and what it means for defenders in the NIS2 era.

Short answer

Yes for phishing, not yet for zero-days. AI has already transformed phishing and business email compromise — volume up 1,265% since ChatGPT, click-through rates 4.5× higher, FBI now tracking AI-enabled fraud as a distinct category ($893M in 2025). But on the vulnerability side the data is more nuanced: zero-days per year have been stable at 60–100 since 2021, with no clear post-ChatGPT jump.

Exploit speed has collapsed — from 63 days (2019) to 5 days (2023) to −7 days (2026, exploited before patch) — but most of that speed-up came from automated scanners and N-day exploit markets, not AI. The first confirmed AI-driven automated attack chains only appeared in late 2025.

Dataset 1 — Our live data

CISA KEV additions per month

Each bar = CVEs that CISA added to the Known Exploited Vulnerabilities catalog that month. These are vulnerabilities with confirmed in-the-wild exploitation.

What it shows

The two big spikes (Nov 2021: 291, Mar 2022: 226) are CISA's initial backfills of historic exploits — not real acceleration. Once CISA caught up, the steady-state rate settled at 15–25/month and has stayed there since. 2025 was slightly higher (~20/month avg) but not dramatically so.

Dataset 2 — Google Project Zero / TAG + Mandiant

Zero-days exploited in the wild, per year

A zero-day is a vulnerability exploited before a patch exists. Google tracks every case they can confirm.

What it shows

The jump happened in 2021 — a year before ChatGPT. Counts have oscillated 60–100 since then with no clear upward trend. 2023 was the record (97); 2024 dipped to 78; 2025 was 90. If AI were broadly accelerating zero-day discovery, we would expect a steep ramp starting in 2023. We don't see it in the data.

Dataset 3 — Mandiant M-Trends 2019–2026

Time-to-exploit: average days from CVE disclosure to active exploitation

This is the metric that has actually changed. Pulled from Mandiant's annual incident response data (~500,000 hours of IR in 2025 alone).

What it shows

Time-to-exploit fell from 63 days in 2019 to 32 days in 2022 to 5 days in 2023 — a single year (2022→2023) accounted for most of the multi-year collapse. Industry consensus attributes the speed-up to automated scanning (Shodan, Censys), the explosion of public proof-of-concept exploits on GitHub, and N-day exploit marketplaces — not AI. The 2026 figure of −7 days means attackers are increasingly hitting vulnerabilities before the vendor publishes a patch.

When AI actually enters the picture

Early AI-era signals (2025–2026)

These are the first publicly confirmed cases of AI meaningfully participating in real-world exploitation — not research demos, but actual incidents:

2025-08 DARPA AI Cyber Challenge AI agents found 54 vulnerabilities across 54 million lines of code in 4 hours. Proof of capability, not attack.
2025-11 Anthropic — state-sponsored AI attack A China-linked group used Claude to autonomously run full attack chains against ~30 global targets, from reconnaissance through data exfiltration. First documented case.
2026-02 APT31 + HexStrike AI + Gemini Google TAG confirmed APT31 using HexStrike AI with Gemini for automated vulnerability discovery. Reconnaissance and exploit adaptation, not full attack automation.
2026-04 SANS/CSA emergency briefing SANS Institute, Cloud Security Alliance, and OWASP GenAI jointly warned that AI-driven vulnerability discovery is compressing exploit timelines "from weeks to hours." A warning, not yet a measured trend.

Where AI has already measurably changed the game

Phishing and business email compromise

Unlike zero-day exploitation, phishing is the one area where AI has produced a clear, measured step-change. The shift began in late 2022 and has been documented by Microsoft, FBI IC3, APWG, and Proofpoint telemetry.

Global phishing volume per quarter (APWG)

Measured by the Anti-Phishing Working Group. Each bar is total observed attacks that quarter. Volume has settled above 1 million/quarter as a new baseline, versus 300–400K/quarter pre-2021.

Phishing volume since ChatGPT

+1,265%

Nov 2022 – 2024 baseline

AI click-through multiplier

4.5×

54% vs 12% control (Microsoft)

Phishing emails using AI content

82.6%

2025 threat intel analysis

FBI BEC losses 2025

$3.05B

+ $893M AI-enabled fraud (new category)

Deepfake share of BEC

40%

Q1 2026 (up from ~0% in 2022)

Deepfake hiring scam losses

$13M

FBI 2025 (voice/video on interviews)

Attack channel evolution: vishing, smishing, quishing

Email is no longer the only delivery path. AI makes voice cloning, fake SMS campaigns, and QR-code lures cheap and scalable.

Vishing H2 2024 vs H1 2024

+442%

voice phishing surge

Deepfake vishing Q1 2025 vs Q4 2024

+1,600%

largest single-quarter jump on record

Vishing share of phishing IR cases

60%+

of incident-response engagements (2025)

QR phishing growth 2023→2025

+400%

12% of all phishing in 2025 (up from 0.8% in 2021)

Smishing share of mobile phishing

70%

30–40% QoQ growth in Q4 2025

Multi-channel phishing incidents

41%

combine email + SMS + QR + voice

The 3-second rule

Modern voice-cloning models need just three seconds of audio to produce a convincing replica of anyone's voice. Every public interview, podcast, earnings call, and YouTube video of an Icelandic CEO or public figure is now sufficient training data. A Hong Kong firm lost $25M in February 2024 when an employee was deceived by a deepfake video call featuring cloned voices of the company's executives. This is no longer a hypothetical threat — it is actively being used against organisations of every size. If your CFO's voice exists publicly, an attacker can clone it for the price of a coffee.

Why this matters here

The old defense — "look for bad grammar and typos" — is dead. AI-generated Icelandic phishing now reads like it was written by a native speaker, with correct declensions and cultural references (e.g. impersonating Íslandsbanki, Skatturinn, Pósturinn, or a named CEO). Awareness training based on spotting linguistic tells no longer works. Defense has to shift to: verification of the sender channel, out-of-band confirmation for any financial action, and MFA that can't be phished (hardware keys, not SMS).

Practical response to −7-day TTE

How defenders adapt when exploitation beats the patch

If the window between vulnerability disclosure and active exploitation is now measured in hours, traditional monthly patch cycles are no longer adequate. The core shift is from "patch fast" to "assume compromise, contain blast radius."

Automated vulnerability pipelines Continuous scanning (Tenable, Qualys, Nessus) + CI-integrated patch rollout. Target emergency-patch SLA under 72 hours for KEV-listed CVEs, under 24 hours for active-exploit advisories.
Zero Trust and microsegmentation Assume any internet-facing system will be compromised. Isolate workloads so a breach on one server cannot pivot laterally. NIST SP 800-207 is the reference architecture.
Attack surface reduction Get legacy VPNs, unmanaged edge devices, and exposed admin interfaces off the public internet. Mandiant's 2025 IR data shows edge devices (VPN, router, firewall) are the #1 initial access vector precisely because they lack EDR telemetry.
Virtual patching at the WAF/IPS layer CrowdSec AppSec, Cloudflare WAF, or F5 can block exploitation attempts hours after a PoC is public — even before the vendor releases a patch.

AI is not only offensive

AI on the defender side

The same capabilities that speed up attackers are being deployed in SOCs. Gartner's October 2025 research marks the shift: AI SOC agents have moved from concept to production.

Anomaly detection and auto-baselining Modern SIEMs (Microsoft Sentinel, Google SecOps, Splunk) use ML to learn normal user and system behavior, surfacing outliers humans would miss. Reduces alert fatigue while catching low-and-slow attacks.
AI-assisted triage and enrichment Gartner's core finding: "Augmentation beats automation." AI handles repetitive triage, log enrichment, and initial investigation so analysts focus on judgment calls. Typical payoff: 3–5x more alerts handled per analyst.
Automated incident response SOAR playbooks combined with LLM-driven decision support can isolate compromised hosts, revoke credentials, and initiate forensics within seconds of detection — matching attacker tempo.

The caveat: AI defense creates its own risks — prompt injection in logs, hallucinated incident reports, over-trust in ML verdicts. Treat AI output as a hypothesis, not a conclusion.

Regulatory pressure

NIS2 collides with faster exploitation

Iceland's NIS2 transposition (amendment to lög 78/2019; the full mechanics and 2026 status are in the defender handbook) brings 3,000–4,000 Icelandic entities under mandatory cyber risk and incident-reporting rules. The collision with the time-to-exploit numbers above is the point of this section:

24-hour early warning, 72-hour formal notification When exploitation happens in hours and regulators demand notification within 24, detection tooling is no longer optional — it's a compliance requirement.
Penalties are material Essential entities: up to €10M or 2% of global turnover. Important entities: up to €7M or 1.4%. Daily fines up to ISK 10M/day. Supervisory authorities can publicly name non-compliant entities and ban directors from management positions.
Board-level accountability NIS2 explicitly holds senior management personally accountable for cyber risk oversight. Boards must approve risk-management measures and undergo regular training. This is new in Icelandic law.

Executive checklist

Next steps by role

For the board / C-suite:

Confirm NIS2 scope applicability.
Approve cyber risk-management framework, review annually.
Verify cyber insurance covers AI-accelerated intrusions.
Budget 24/7 detection coverage.

For IT / security leadership:

KEV/CERT-IS feed subscriptions + tight patch SLA.
Inventory internet-facing services; minimize exposure.
WAF/IPS with virtual patching capability.
Network segmentation; limit blast radius.
Tabletop exercise: NIS2 24h/72h reporting.
Evaluate AI triage tools; keep humans in the loop.

For every organization, this week:

CISA KEV vs. asset inventory.
MFA on all admin accounts.
Test offline backup restore.
Out-of-band verification for payment changes.
Hardware MFA keys for money/mail/admin accounts.

Methodology & caveats

Chart 1 (CISA KEV monthly): our own count from the full CISA KEV JSON catalog, 1,577 entries from Nov 2021 to today. Only vulnerabilities CISA confirms are exploited in the wild. CISA is a lagging indicator — VulnCheck's private catalog is 27 days faster and tracks 173% more entries, but requires a paid subscription.

Chart 2 (annual zero-days): Google Project Zero + Threat Analysis Group + Mandiant collaboration. They only count confirmed in-the-wild cases, so the real number is higher — but the trend is what matters.

Chart 3 (time-to-exploit): Mandiant's annual M-Trends reports, based on incident response engagements. The −7 days figure for 2026 is from the M-Trends 2026 report published March 2026.

What we did not do: no causal inference. Correlation between AI model releases and these trends is not shown — we removed the LLM timeline markers from earlier drafts because they suggested a causation the data does not support.

← All analysis Next: The ransomware shift Back to News Email the author