How AI could unleash a flood of zero-day vulnerabilities CrowdStrike president Mike Sentonas warns that AI systems capable of rapidly finding software bugs could unleash an exponential growth in zero-day vulnerabilities, overwhelming security teams and forcing organizations to prioritize which flaws to patch. The speed of AI-driven discovery and weaponization will particularly affect banks, factories, hospitals, and utilities reliant on legacy systems, requiring greater use of compensating controls. More than 100 new vulnerabilities are publicly disclosed on an average day, according to Mike Sentonas, president of cybersecurity company CrowdStrike. What was once a trickle has become a torrent, threatening to overwhelm the organizations responsible for keeping critical systems secure. Sentonas, who has worked at CrowdStrike since 2016 and in cybersecurity for more than 20 years, believes the problem has grown so large that major organizations cannot test and install every available fix without risking outages of their own. Security teams are therefore forced to determine which handful of flaws pose the greatest threat. And the problem is likely to get worse. Within months, AI https://www.fastcompany.com/section/artificial-intelligence systems capable of finding software bugs at great speed could vastly expand that backlog, while giving attackers the same tools to turn newly discovered flaws into working attacks. “Theoretically, we all wake up and there is just an exponential growth in zero-day vulnerabilities, and there are no patches,” Sentonas says. The speed at which AI models can identify zero-day vulnerabilities—flaws that can be exploited before the software’s maker has issued a patch—may be good news for defenders searching their own systems. But it also means those vulnerabilities can go from hidden in a piece of software to discovered and weaponized far more quickly than before. “Frontier AI is going to drastically reduce the time between a floor existing and somebody discovering how to exploit it,” Sentonas says. The organizations that face those problems first may depend on how deeply cybersecurity is embedded in their operations. Banks, factories, hospitals https://www.fastcompany.com/91128296/change-healthcare-ascension-ransomware-breach-update-stop-future-cyberattacks , and utilities often rely on older machinery and legacy hardware that cannot be quickly upgraded without disrupting vital services. Sentonas expects them to be among the first affected. They will also face a problem of scale. “It was, ‘What are the 10 patches I need to roll out every week?,’” he says. “It’s going to be, ‘What are the 10 zero-days every week that I need to respond to?’” To manage the threat, firms will have to rely more heavily on “compensating controls,” or measures that reduce the danger posed by a flaw when no patch is available. These may include isolating parts of a network, restricting access to a system, monitoring for signs of exploitation, or removing standing privileges that allow users and software to operate with broad authority. AI can assist with that work as well, Sentonas says. “We can start to put that capability into our product so that customers have the ability to find vulnerabilities faster than they ever have before.” But, he warns, “You can’t outsource risk. You own the risk. It’s your network.” Workers’ adoption of AI is adding another layer of risk. “AI agent compromise, run time manipulation, credential theft, memory poisoning, agent-to-agent abuse, tool abuse—it’s a whole new world,” Sentonas says. The problem is compounded by the speed at which the technology changes. A security policy written for one model or agent can be outdated by the time it makes its way through the approval process. Sentonas says chief information security officers are already fielding alarmed calls from company boards asking what the latest systems mean and how they can be safely adopted. Those concerns intensified after the release of Mythos https://www.fastcompany.com/91525413/is-mythos-a-blessing-or-a-curse-for-cybersecurity-it-depends-who-you-ask , the cutting-edge model from Anthropic, maker of the Claude chatbot https://www.fastcompany.com/section/claude . “There’s not a CISO or a security manager on the planet that did not get a panicked call from their CEO or from a board member,” he says. Many firms remain focused on AI’s promise to reduce workloads, accelerate decisions, and make employees more productive https://www.fastcompany.com/section/productivity . Sentonas thinks its first effect may be increased complexity. “The mythical technology that was going to make our life easier actually made it a whole lot more complex in many ways,” he says. The rise of open models presents another challenge. Their capabilities are rapidly approaching those once limited to the most tightly controlled systems. Once such tools are widely available, attackers will no longer need to build advanced vulnerability-finding systems of their own. Security teams have a narrow window in which to map their organizations’ AI use, limit access rights, scan their own code, and prepare for a world in which the period between a flaw’s discovery and exploitation is measured in hours rather than weeks. The threat will continue to evolve, Sentonas suggests. “The complexity of the world we’re living in is going to change dramatically every month now,” Sentonas says.