The AI arms race in cybersecurity has started. Most companies aren’t ready

In 2019, sophisticated hackers spent weeks targeting Coinbase employees with emails from compromised Cambridge University accounts. The attackers patiently built trust before deploying a pair of chained zero-day exploits—a term that describes undiscovered software vulnerabilities—that took aim at the Firefox browser. One exploit sought to break into the browser, and the other sought to execute malicious code on the host machine. At the time, it was among the most advanced attacks ever directed at the corporate sector. 

The Coinbase security team caught it within hours after an employee report and automated alerts fired simultaneously. This allowed us to identify the malicious behavior. Response times measured in minutes, no customer funds lost. But I think about that incident differently now. The attacker needed weeks of social engineering and rare zero-days to get one shot at us. An AI-driven adversary wouldn’t need weeks. It might not even need hours. And that’s the world I’m preparing for today.

The last few months have made something clear that security teams across industries have been quietly preparing for: AI is and will continue to change how cyberattacks occur. Since the form of this change is still taking shape, the hardest part of my job right now is planning for threat models that don’t fully exist yet.

Frontier AI models, such as those being built by Anthropic, OpenAI, and others, have crossed a capability threshold in cybersecurity that would have seemed speculative eighteen months ago. These systems can read a codebase the way an experienced auditor reads a codebase, but with the speed, memory and focus of a machine. One recent model found a 27-year-old bug in OpenBSD, one of the most audited codebases on the planet. That’s a structural shift in........

© Fortune