The CVE Chase Must Stop
Even before Anthropic’s new model was released, it was already clear: AI is shifting the balance of power in cybersecurity in favor of attackers, forcing defenders to rethink a protection paradigm that relies on vulnerability monitoring and patching. Recently, a website called Zero Day Clock went online. It tracks the shrinking window between the public disclosure of a vulnerability — known as a Common Vulnerabilities and Exposures (CVE) — and its real-world exploitation by attackers (Time to Exploit).
The data is dramatic: In 2020, it took attackers about 15 months to weaponize a vulnerability. In 2022, it dropped to 10 months. By 2024, it was 56 days—and now, it’s just over a day and a half. Within that timeframe, most organizations simply cannot investigate and remediate their environments, even under ideal conditions. Patching takes time: testing, gradual rollout, and sometimes live system updates. According to estimates, by this year, it may take attackers just one hour to weaponize a vulnerability.
The site also tracks true zero-days — cases where exploitation occurs before public disclosure (pre-CVE). As of this year, this accounts for a staggering 67% of all CVEs.
And it’s not just about quality — it’s also about quantity. Anthropic recently partnered with Mozilla and used the Claude Opus 4.6 model to identify vulnerabilities in the latest version of Firefox. The model easily discovered 22 vulnerabilities — more than Mozilla typically finds in a standard month using traditional methods. Fourteen of these were classified as high severity.
With the release of Anthropic’s next model — reportedly far ahead of others in cybersecurity capabilities — there are growing concerns about a surge in attacks.
The direction is clear: AI enables superhuman-speed code scanning and vulnerability discovery.
It is a powerful new weapon in the cyber domain, equally available to defenders and attackers.
Attackers can now find more vulnerabilities, more severe ones, across more systems. Even niche targets are no longer ignored — AI makes everything worth scanning.
As early as 2021, it was evident that the CVE race was unwinnable. Even before AI, keeping up was difficult. Today, it’s nearly impossible to outpace attackers with patching across an organization’s entire tech stack — no matter how skilled and diligent the IT team is.
A Paradigm Shift
The current balance of power demands a move from passive defense to an active resilience strategy. Instead of a Sisyphean chase after CVEs, organizations must adopt an “assume breach” mindset and fortify their infrastructure from within. Rather than waiting for alarms to signal a breach, they must proactively prevent both known and unknown threats.
How can this be done?
Organizations must recognize that an attacker’s true success is not initial access — but access to critical assets. Defense should focus on preventing that. This means identifying weak configurations that allow access to sensitive resources and enforcing proper network segmentation to prevent lateral movement — even if one endpoint is compromised.
Additionally, permissions should be minimized and aligned strictly with user identities and actual needs. Multi-factor authentication (MFA) must be enforced across all resources, especially sensitive ones. For high-risk actions (such as vendor payments), a “Four Eyes” principle should be implemented — requiring approval from a second person. This helps protect against compromised admin accounts.
Finally, this entire framework must be continuously tested through penetration testing — ideally on an ongoing basis, which is now feasible thanks to AI.
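As an added illustration of the controls described above (least privilege, MFA on every resource, and the “Four Eyes” principle for high-risk actions such as vendor payments), the following example is not from the article or any product; it assumes a hypothetical identity model in which each actor carries a user id, a set of roles and an MFA flag, and it gates a high-risk action so that a single compromised admin account cannot approve its own request.

```python
"""Four-eyes approval gate for high-risk actions (added example, not from the article).

Assumed model: every actor is an Identity with roles and an MFA flag. A high-risk
action (e.g. a vendor payment) runs only when the requester and a *distinct*,
MFA-authenticated approver holding the required role have both signed off.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Identity:
    user_id: str
    roles: frozenset          # roles granted to this identity (least privilege)
    mfa_verified: bool        # True only if this session passed MFA


@dataclass
class HighRiskAction:
    name: str
    requester: Identity
    approver: Optional[Identity] = None   # the "second pair of eyes"


# Hypothetical policy table: which role may approve which high-risk action.
HIGH_RISK_ROLES = {"vendor_payment": "finance_approver"}


def authorize(action: HighRiskAction) -> Tuple[bool, str]:
    """Return (allowed, reason). Denies unless every four-eyes condition holds."""
    required_role = HIGH_RISK_ROLES.get(action.name)
    if required_role is None:
        return False, "unknown high-risk action"          # default deny
    if not action.requester.mfa_verified:
        return False, "requester not MFA-verified"
    if action.approver is None:
        return False, "four-eyes: second approver required"
    if action.approver.user_id == action.requester.user_id:
        return False, "four-eyes: self-approval rejected"  # blocks a lone compromised admin
    if not action.approver.mfa_verified:
        return False, "approver not MFA-verified"
    if required_role not in action.approver.roles:
        return False, f"approver lacks role {required_role}"
    return True, "approved"


if __name__ == "__main__":
    # Constructed sample identities, not real accounts.
    alice = Identity("alice", frozenset({"admin"}), True)
    bob = Identity("bob", frozenset({"finance_approver"}), True)
    print(authorize(HighRiskAction("vendor_payment", alice, bob)))
    print(authorize(HighRiskAction("vendor_payment", alice, alice)))
```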