AI is changing vulnerability discovery. Here's what that means for defenders.
Anthropic published research this month showing that their latest AI model, Claude Opus 4.6, found over 500 high-severity vulnerabilities in well-tested open source software - some of which had gone undetected for decades, surviving millions of hours of automated testing.
What's notable about this isn't just the volume of vulnerabilities; it's how the model found them.
Unlike a fuzzer, which mutates inputs and relies on coverage feedback (or luck) to trip a crash, the model reasoned about the code the way a human security researcher would - studying commit histories, spotting patterns in past fixes, and then looking for similar unpatched flaws elsewhere in the codebase.
Here's an example. The model was analysing CGIF, a library for encoding GIF files. GIF image data is LZW-compressed, and the library assumed that the compressed output would always be smaller than the input - which is true for almost any real image. But LZW only shrinks data that repeats itself. The model understood the algorithm well enough to see that an input with little repetition fills the code table with entries that are never reused, so with a 256-colour palette every pixel costs a 9- to 12-bit code instead of one byte, and each time the table fills the encoder has to emit a "clear" code and start learning from scratch. The result is output larger than the input, written past the end of a buffer sized on that assumption. It then constructed a proof-of-concept file that triggered the overflow.

A fuzzer mutating a corpus of ordinary images is unlikely to hit this, because such images compress well and random byte flips rarely produce a whole frame of high-entropy pixels at the right size. Finding it required understanding how the compression algorithm works and reasoning backwards to craft an input with the right statistical properties. That's a real shift in what automated tools can do.
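To make the sizing flaw concrete, here is an added example that is not CGIF's code and not from the Anthropic research: a simplified GIF-style LZW encoder for 8-bit palette indices, run on two constructed 128x128 inputs, a flat image and LCG-generated noise. Instead of trusting the caller's buffer, it counts how many bytes the stream actually needs, and it pairs that with a provable upper bound a caller can size against. The encoder itself, the noise generator and every function name are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified GIF-style LZW encoder (8-bit palette indices). Illustrative code
 * written for this post, not CGIF's encoder. It shows why "compressed output is
 * smaller than the input" is not a safe buffer-sizing assumption. */
#define MIN_CODE_SIZE 8u
#define CLEAR_CODE    (1u << MIN_CODE_SIZE)   /* 256 */
#define EOI_CODE      (CLEAR_CODE + 1u)       /* 257 */
#define FIRST_FREE    (CLEAR_CODE + 2u)       /* 258: first learned code */
#define MAX_CODES     4096u                   /* GIF codes are at most 12 bits */

typedef struct {
    uint8_t *buf;      /* destination, may be smaller than needed */
    size_t   cap;      /* bytes available in buf */
    size_t   nbytes;   /* bytes the stream needs (keeps counting past cap) */
    uint32_t acc;      /* LSB-first bit accumulator, as in GIF */
    unsigned nbits;
} bitwriter;

static void bw_put(bitwriter *w, uint32_t code, unsigned width) {
    w->acc |= code << w->nbits;
    w->nbits += width;
    while (w->nbits >= 8) {
        if (w->nbytes < w->cap) w->buf[w->nbytes] = (uint8_t)w->acc;
        w->nbytes++;                  /* snprintf-style: count, never overrun */
        w->acc >>= 8;
        w->nbits -= 8;
    }
}

static void bw_flush(bitwriter *w) {
    if (w->nbits == 0) return;
    if (w->nbytes < w->cap) w->buf[w->nbytes] = (uint8_t)w->acc;
    w->nbytes++;
    w->acc = 0;
    w->nbits = 0;
}

/* child[prefix][byte] = code for the string "prefix + byte"; 0 means absent
 * (learned codes are >= FIRST_FREE, so 0 is a safe sentinel). */
static uint16_t child[MAX_CODES][256];

/* Encodes n pixels and returns the number of bytes the stream needs, storing at
 * most cap of them. A return value greater than cap means the buffer was too small. */
size_t gif_lzw_encode(const uint8_t *px, size_t n, uint8_t *out, size_t cap) {
    bitwriter w = { out, cap, 0, 0, 0 };
    unsigned width = MIN_CODE_SIZE + 1;   /* codes start at 9 bits */
    unsigned next  = FIRST_FREE;
    unsigned prefix;

    memset(child, 0, sizeof child);
    bw_put(&w, CLEAR_CODE, width);
    if (n == 0) { bw_put(&w, EOI_CODE, width); bw_flush(&w); return w.nbytes; }

    prefix = px[0];
    for (size_t i = 1; i < n; i++) {
        uint8_t c = px[i];
        if (child[prefix][c]) { prefix = child[prefix][c]; continue; }  /* extend match */
        bw_put(&w, prefix, width);            /* longest known string ends here */
        child[prefix][c] = (uint16_t)next++;  /* learn "prefix + c" */
        if (next == (1u << width) && width < 12) width++;
        if (next == MAX_CODES) {              /* table full: clear and relearn */
            bw_put(&w, CLEAR_CODE, width);
            memset(child, 0, sizeof child);
            next  = FIRST_FREE;
            width = MIN_CODE_SIZE + 1;
        }
        prefix = c;
    }
    bw_put(&w, prefix, width);
    bw_put(&w, EOI_CODE, width);
    bw_flush(&w);
    return w.nbytes;
}

/* Provable upper bound on the encoded size: every emitted code covers at least
 * one pixel and is at most 12 bits; a clear can only follow 3838 learned entries;
 * plus the leading clear and the EOI. This is what an output buffer should be sized to. */
size_t gif_lzw_max_output(size_t n) {
    size_t codes = n + n / (MAX_CODES - FIRST_FREE) + 3;
    return (codes * 12 + 7) / 8;
}

/* Constructed demo inputs: a 128x128 8-bit image as LCG noise and as flat colour. */
#define DEMO_PIXELS 16384u
static uint8_t demo_px[DEMO_PIXELS];
static uint8_t demo_out[DEMO_PIXELS * 2];

size_t encoded_size_noise(void) {
    uint32_t x = 0x2545F491u;             /* fixed seed: reproducible "noise" */
    for (size_t i = 0; i < DEMO_PIXELS; i++) {
        x = x * 1103515245u + 12345u;     /* almost no pixel pair ever repeats */
        demo_px[i] = (uint8_t)(x >> 16);
    }
    return gif_lzw_encode(demo_px, DEMO_PIXELS, demo_out, sizeof demo_out);
}

size_t encoded_size_flat(void) {
    memset(demo_px, 0, DEMO_PIXELS);
    return gif_lzw_encode(demo_px, DEMO_PIXELS, demo_out, sizeof demo_out);
}

int main(void) {
    size_t noise = encoded_size_noise(), flat = encoded_size_flat();
    printf("%u pixels -> noise: %zu bytes (%s input), flat: %zu bytes, safe bound: %zu\n",
           DEMO_PIXELS, noise, noise > DEMO_PIXELS ? "LARGER than" : "smaller than",
           flat, gif_lzw_max_output(DEMO_PIXELS));
    return 0;
}
```

Built with any C99 compiler, the flat image shrinks to a couple of hundred bytes while the noise image needs more bytes than it has pixels: exactly the input that overruns a buffer sized to the pixel count. The clear codes are a small part of that; most of the growth comes from every pixel being emitted as a 9- to 12-bit code because the freshly cleared table holds nothing worth reusing.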
Anthropic is using this capability responsibly, reporting bugs and working with open source maintainers to patch them. But capabilities like this do not stay exclusive to responsible hands for long. Attackers have access to increasingly powerful AI models too, and the barrier to discovering exploitable vulnerabilities is dropping fast.
The data already shows how quickly the threat landscape is moving. Verizon's 2025 Data Breach Investigations Report found that vulnerability exploitation as an initial access vector grew 34% year-on-year, now accounting for 20% of all breaches - nearly level with stolen credentials. And the median time from public disclosure to exploitation for critical edge vulnerabilities was zero days. Not weeks. Not days. Zero.
Meanwhile, remediation hasn't kept pace. For vulnerabilities in custom or third-party application code, industry data consistently shows remediation timelines of 4-6 months, and nearly half of critical vulnerabilities are never fixed at all. Even for edge devices, where the urgency is well understood, the 2025 DBIR found only 54% were fully remediated over the course of the year. Application vulnerabilities - often buried in complex codebases with competing development priorities - typically fare worse.
The gap between how fast vulnerabilities are discovered and exploited versus how fast they're fixed is where risk lives. AI-driven vulnerability discovery is about to widen it considerably, on both sides. Defenders will find more bugs. Attackers will too. The difference will come down to who can act on what they find, and how quickly.
At RedShield, this is the problem our application security service was built to solve. Our in-flight security patching mitigates application and API vulnerabilities in real time, even addressing complex logic bugs - without touching source code and without waiting for development cycles. When a vulnerability is identified, we can have a shield in place in hours, not months. As AI compresses the time between discovery and exploitation, the organisations that are protected will be the ones that can match that speed on the remediation side.