AI models crack software security in a fraction of the time required by human experts. According to research by Palo Alto Networks, cyberattacks now take four times less time than last year, with open-source software posing the greatest risk.
Recent findings from UNIT 42, the research arm of Palo Alto Networks, highlight the impact of advanced AI models on software security. Among others, Mythos, Anthropic’s new AI model, appears to excel at finding security vulnerabilities and significantly accelerates the pace of attacks.
AI discovers and exploits vulnerabilities
UNIT 42 tested various AI models on their ability to detect software flaws. The result is striking: where human penetration testers normally need up to a year, AI analyzes the source code, finds vulnerabilities, and builds working attacks in less than three weeks. Furthermore, AI combines minor flaws into critical attack paths, a process that is very time-consuming for humans.
Researchers note that open-source software is particularly vulnerable. Because open-source components are present in almost all business applications, they form an attractive target. Recent incidents with tools like LiteLLM and Trivy illustrate that supply chain attacks are becoming increasingly common, bypassing multiple layers of defense simultaneously.
Time to exploit shortened
Traditionally, the time between discovering a vulnerability and the first exploit was expressed in N-days. Due to the use of AI, UNIT 42 now speaks of N-hours: in some cases, attackers needed only 72 minutes to steal corporate data, whereas last year this took nearly five hours.
AI significantly lowers the barrier for less experienced hackers. What previously required years of expertise can now be achieved with limited knowledge. According to researchers, the number of zero-day and N-day attacks will increase sharply in the coming months.
Jesper Olsen, CSO Northern Europe at Palo Alto Networks, emphasizes the importance of rapid detection and response. He advises companies to automate patching, inventory and monitor open-source components, and invest in real-time detection systems. According to him, weekly security scans fall short in the current AI landscape.