Beyond Moore’s Law: The Hyper-Acceleration of Autonomous AI Cyber Capabilities
The UK’s AI Security Institute (AISI) has documented something that should reorder every CISO’s threat model and every board’s risk conversation: the length of complex cyber tasks that frontier AI models can autonomously complete is doubling every few months. That single data point deserves to land before anything else, because it represents a fundamental shift in the physics of technological risk.
For decades, Moore’s Law defined what “fast” meant in technology — transistor density doubling roughly every two years, a 24-month cadence that gave the industry time to absorb, adapt, and respond. AISI’s findings suggest that AI software capability now operates on an entirely different clock. In November 2025, AISI estimated the doubling period for autonomous cyber task completion at eight months. By February 2026, that figure had compressed to 4.7 months. Then GPT-5.5 and Claude Mythos Preview arrived and blew past even those revised projections, performing at levels that raise a genuinely uncomfortable question: are we watching a new, faster exponential emerge on top of the one we just mapped?
How AISI Measures the Unmeasurable
AISI quantifies this acceleration through what it calls “Cyber Time Horizons” — a measure of how long an AI model can autonomously sustain complex, specialized cyber operations compared to the time a human expert would require for the same task. The methodology tracks the task length at which a model maintains an 80% success rate, producing an exponential capability curve that can be plotted across model generations. These aren’t trivial tasks. They include reverse engineering, web exploitation, and sustained multi-step attack sequences against enterprise infrastructure.
Current frontier models now achieve near-100% success rates on the longest tasks in AISI’s narrow test suite — tasks AISI estimates would consume 12 hours of a skilled human analyst’s time. To prevent benchmarks from becoming immediately obsolete, AISI deliberately caps these models at a 2.5-million-token budget per task — a constraint that, by AISI’s own acknowledgment, significantly understates what these agents can do. In “cyber range” environments where models receive up to 100 million tokens, they demonstrate sustained, multi-step attack capability against simulated enterprise networks — scenarios that AI simply could not solve a short time ago.
Five Times Faster Than the Hardware It Runs On
The comparison to Moore’s Law deserves a moment of honest reckoning. Hardware doubles in capacity every 24 months. AISI finds that AI cyber and software autonomy doubles every four to five months. That means AI capability is advancing approximately five to six times faster than the silicon underneath it — a gap that should fundamentally alter how organizations think about technology risk timelines.
METR, the non-profit AI evaluation organization, independently corroborates this trajectory. Its research shows a consistent doubling time of roughly 4.2 months for AI software engineering tasks since late 2024, tracking closely with AISI’s findings across a different but adjacent capability domain.
Capability Jumps Without New Model Releases
One particularly disquieting finding from AISI involves the granularity of capability change. Significant advances don’t always require a new model. AISI observed that later checkpoints of the same underlying model can meaningfully shift capability estimates — sometimes dramatically. A newer checkpoint of Claude Mythos Preview became the first model to solve the “Cooling Tower” cyber range challenge, a task its predecessor could not complete. Organizations that calibrate their threat models to major model release cycles may be measuring the wrong cadence entirely.
A Closing Window for Defenders
AISI frames the implications clearly: frontier AI’s autonomous cyber capabilities are advancing in months, not years, and that compression creates a fast-moving target for defenders that conventional security planning cycles are not designed to track. Defenders can — and must — use these same models for vulnerability discovery and proactive security operations. But the offensive capability curve is moving faster than most organizations’ ability to build resilience against it, and AISI warns that access to these controlled capabilities will diffuse over time. The window for establishing strong security baselines before capability spreads broadly is open now, and it will not stay open.
To keep pace with this reality, AISI is developing tougher evaluations that incorporate active cyber defenses and reflect the genuine complexity of production environments. But the core finding from the current data doesn’t require a new benchmark to be actionable: the exponential curve of AI autonomy is no longer a theoretical projection. It is a measurable, accelerating reality that has already outrun our inherited frameworks for thinking about technological change.
