Last August in Las Vegas, elite cybersecurity teams brought their AI bug-hunting systems to DARPA's Artificial Intelligence Cyber Challenge. The setup was straightforward: scan 54 million lines of code that DARPA had deliberately filled with security flaws.
The AI tools performed as expected, catching most of the planted bugs. But then something interesting happened. These automated systems found over a dozen real vulnerabilities that DARPA's own experts had never inserted or noticed.
This was before Anthropic dropped Claude Mythos earlier this month, a model that appears to find security vulnerabilities with alarming efficiency. The timing matters because we're watching the balance shift in real time.
For anyone building products or managing systems that use AI, this creates a new threat model. The same AI capabilities that help you write code faster can now be used to find weaknesses in that code just as quickly.
The "script kiddie" used to be someone copying exploit code they barely understood. Now they might be someone with access to Claude or a similar model, capable of finding zero-day vulnerabilities in your application without deep security expertise.
DARPA's competition showed that AI security tools work. The problem is they work for everyone, and the gap between defensive and offensive capabilities is narrowing fast. If your security strategy still assumes attackers need specialized knowledge, it's time to update that assumption.
