Negative Seven Days: Part 2 of 3

Neil

Neil

8 min read
Share
Negative 7 Days
Negative 7 Days

Part 2 of the AI & Cybersecurity Series

How AI Broke the Defender's Clock

In 2017, the average time between a vulnerability's discovery and its exploitation in the wild was 771 days. Two years and change. You patched on a sprint cycle, slept at night, and took vacations.

In 2025, Mandiant pegged the mean time-to-exploit at -7 days; exploitation now routinely occurs before a patch is available. CrowdStrike clocked initial-access-to-exfiltration handoffs as fast as 22 seconds.

The patch cycle didn't get slower. The attacker got a brain transplant.

This is what happened, in five moves.

1. The Era When Defenders Had Time

Pre-2015 offensive security was honest, boring labor. Manual code review. Binary analysis. Fuzzers threw garbage at programs while a human nursed coffee and interpreted the crashes.

The automation that existed was sharp but stupid. Static analysis flagged suspicious patterns. Symbolic execution traced possible code paths. Neither could reason. Neither could look at a half-understood bug and decide, "I should chain this to that CVE from three months ago through that misconfigured S3 bucket."

That cognitive gap was the defender's best friend. Discover, disclose, patch, and deploy was a workable timeline because the attacker, however skilled, ran on coffee and sleep.

Then ML showed up.

From 2016 to 2022, machine learning gave attackers a productivity bump on the boring parts. Phishing got more personalized not because someone read your LinkedIn, but because a model did, at scale, in milliseconds. Credential stuffing got more precise. Reconnaissance compressed from hours to minutes.

But the thinking layer was still human. ML could automate known techniques. It couldn't design a novel lateral movement path that evaded current detection. Throughput went up; intelligence didn't.

That created a false comfort. AI in security felt like a tool, something that made humans faster, not something that replaced them.

That comfort is gone.

2. The Single-Hacker, Nine-Government Problem

Late 2025. Not a nation-state. Not an APT crew with a logo and a Wikipedia page.

One person, working alone, used Claude Code and GPT-4.1 to compromise nine Mexican government agencies over roughly 2.5 months.

Claude executed about 75% of the remote commands directed at government systems. When Claude pushed back, the operator pivoted to ChatGPT and kept going. The human wasn't typing exploits. The human was directing the strategy, pointing the AI at targets and reviewing what it brought back.

Booz Allen's research formalized what was already in the field: initial access to full compromise in under 30 minutes on average, sometimes in seconds. Small groups are now running campaigns that previously required coordinated nation-state infrastructure.

But even here, late 2024 into 2025, the human was still in the loop. Still making judgment calls when the model hits a wall. The AI could autocomplete the attack. It couldn't yet own one end-to-end.

That's the part that just changed.

3. The Reasoning Revolution

Pattern matching has a ceiling. Earlier LLMs, even capable ones, were excellent at remixing the millions of exploit writeups and security papers in their training set. Give them a multi-step problem where each step depended on the previous step's uncertain outcome, and they fell apart. They couldn't plan under uncertainty. They couldn't recover mid-attack.

Reasoning-class models: Anthropic's Claude Mythos Preview and OpenAI's GPT-5.5 differ in architecture. They run explicit multi-step inference before producing output. They model future states. They hold an objective across dozens of decision points, adapt when something fails, and continue pursuing the goal without human re-prompting.

The UK's AI Security Institute built a corporate-network attack simulation, a multi-step exercise they estimate would take a human expert about 20 hours end-to-end. Mythos was the first model to complete it. GPT-5.5 became the second, finishing the chain in 2 of 10 attempts versus Mythos's 3 of 10.

The AISI's framing is the part to underline: this isn't one model getting weirdly good at hacking. It's "an outcome of broader enhancements in long-term autonomy, reasoning, and programming." Translation: every frontier model released from now on arrives with elevated offensive capability baked in, whether the lab marketed it that way or not.

What this unlocks, specifically:

  • Novel exploit chaining. Reasoning models combine known CVEs into sequences that no human has previously documented, are not pattern-matched from training data, and are logically derived from the parts.
  • Adaptive lateral movement. When one technique fails within a target environment, the model assesses the response and tries something else autonomously, mid-attack, without re-prompting.
  • Real-time social engineering. Spear-phishing campaigns that mutate based on how the target replies, adjusting tone and urgency as the conversation unfolds.

This breaks traditional defense in a specific way. Behavioral and signature-based detection assumes attacks follow patterns, because historically, attacks did. Reasoning-class models generate organic, novel chains that look to a detection system like unusual but plausible user behavior. By the time the pattern resolves, the data is already gone.

XBOW had early access to GPT-5.5. They found that it cut the vulnerability miss rate from 40% (GPT-5) to 10%. It also developed what XBOW called "Persist or Pivot" behavior, recognizing failure faster and abandoning dead ends. Sounds simple. It's the difference between an attacker who wastes a week on the wrong door and one who tries every door on the floor before lunch.

4. The Open-Source Wildcard

The Mythos and GPT-5.5 story is about commercial frontier models with guardrails, usage logging, and gated access. Anthropic keeps Mythos under "Project Glasswing." OpenAI runs a "Trusted Access for Cyber" pilot. Real safety teams, real audit trails.

Threat actors aren't waiting for Mythos to leak. They're running open-source models on consumer hardware with zero restrictions.

Within days of DeepSeek-R1 and Qwen's public releases, Check Point Research documented threat actors using both to develop malware, build infostealers, optimize spam pipelines, and bypass anti-fraud systems without complex jailbreaks, just creative prompting. CrowdStrike found that specific trigger words prompt DeepSeek to produce more vulnerable and dangerous code, even without malicious intent on the part of the person prompting it.

Then there's the scale problem. SentinelOne and Censys identified over 175,000 internet-accessible open-source LLM hosts across 130 countries. Many with guardrails stripped. Many are running outside any monitoring infrastructure at all. Researchers estimated 7.5% of system prompts on these exposed hosts could cause significant harm.

That's not a rounding error. That's a parallel-attack-capability infrastructure that grows every week as local LLM deployment becomes cheaper.

The asymmetry is the point. GPT-5.5 has safety controls and OpenAI logs queries. A locally run DeepSeek-R1 has no guardrails and no oversight. Any threat actor with a $500 GPU now runs a reasoning-capable model with no audit trail, no usage policy, and no upper limit on volume.

The "responsible release" debate around frontier models is only half the picture. Open-source proliferation isn't a future risk. It's deployed, in use, and harder to walk back every month.

5. The AI vs. AI War (and the Asymmetry Nobody's Pricing In)

ISACA's 2026 analysis describes the cybersecurity landscape as "captivated by the vision of machine-driven battles between Autonomous Red Teams (ARTs) and Autonomous Blue Teams (ABTs)." That vision is now operational.

ARTs don't sleep. They probe attack surfaces continuously, adapt their techniques based on what defensive systems reveal in their error messages, and run privilege-escalation campaigns that don't stop at 5pm. ABTs respond with real-time telemetry, automated containment, and threat workflows that execute without waiting for a human to wake up.

Sounds like equilibrium. It isn't.

The ABT is reactive by design. The ART chooses when to attack. The fundamental asymmetry of offense over defense, the one that has existed in security since defense exists, is amplified, not balanced, when both sides operate at machine speed.

Buzz, a Sequoia-backed security research firm, made the asymmetry concrete. By chaining models from Anthropic, OpenAI, and Google into a single autonomous agent, they showed existing commercially available AI is already sufficient to exploit Known Exploited Vulnerabilities, the publicly documented flaws CISA explicitly tells everyone to patch first, faster than organizations can deploy patches.

KEVs are the easy ones. AI is winning the easy ones.

Rapid7's 2025 numbers quantify the slope:

  • Confirmed exploitation of newly disclosed high- and critical-severity vulnerabilities: up 105% year-over-year
  • Median time from publication to KEV inclusion: 8.5 days to 5.0 days
  • Mean time-to-exploit: 61 days to 28.5 days

When two AIs are fighting at machine speed, the question isn't who wins. It's where does human oversight actually fit? The decisions are happening faster than any human can review them.

The Defender Timeline Collapse
The Defender Timeline Collapse

Why This Matters

The standard cybersecurity prescription patch faster, train employees on phishing, and layer defenses isn't wrong. It's just structurally insufficient against what's already deployed.

The patch cycle has been broken at the level of physics. Mandiant's data showing routine -7-day exploit windows isn't a resourcing problem. No security team, however well-staffed, closes a gap measured in negative days by hiring more people.

What this means in practice:

  • Pre-authorized automated containment becomes mandatory. Booz Allen is explicit: containment workflows need to activate during an intrusion, not after a human reviews the alert. Human-in-the-loop is fine for production change windows. It's fatal as the primary incident response mechanism.
  • Behavioral detection assumes patterns; reasoning AI generates novel ones. Tools built on historical baselines miss attacks in which every individual step appears normal. Defenders need systems that evaluate intent trajectories rather than isolated actions.
  • Open-source AI exposure is a first-order threat. The 175,000+ unguarded LLM hosts are an attack surface that grows independently of anything Anthropic or OpenAI chooses to do with their flagship models. Threat models that assume "the bad guys can't get a reasoning model" are already wrong.
  • The "small group" problem is real. A single motivated person with moderate skills and a consumer GPU now runs campaigns that previously required state-level coordination. Adjust accordingly.

What's Coming Next

The AISI's finding that GPT-5.5 reaching Mythos-level cyber performance is a general trend rather than a single-model anomaly is the forward-looking signal that matters. If improvements in long-horizon autonomy and coding lead to cybersecurity capability as a side effect, every frontier model from any lab arrives loaded with it.

Researcher projections put time-to-exploit at literal minutes by 2028. Given the trajectory, that's looking conservative.

Watch agentic AI deployment inside the enterprise next. Organizations are wiring AI agents into internal data, APIs, and infrastructure at speed. Every capability granted to a defensive AI agent is a new attack surface for an offensive one. Compromised internal agents through prompt injection, supply-chain attacks on model weights, or manipulation of tool-call outputs represent a threat class that the industry is still formalizing. OWASP's Q2 2026 AI Security Solutions Landscape calls this "lifecycle-wide" adversarial testing, meaning everything before traditional pen testing is now table stakes.

The race isn't between AI offense and AI defense in some abstract future. It's running in production in your environment right now, whether you've authorized it or not.

The Closing Thought

The question for every security team is no longer "Are we prepared for an AI-assisted attack?" Almost every meaningful attack from 2025 forward is AI-assisted in some form.

The harder question:

Are we prepared for an attack we will never see the human fingerprints of?

An attack where no human decided to probe that port at that moment because no human made the decision at all. Where the reconnaissance, the exploit chaining, the lateral movement, and the exfiltration were designed and executed by a reasoning model that held its objective across 32 decision points, adapted when techniques failed, and generated attack patterns no signature database had ever seen because no human had ever thought to try them.

The cognitive ceiling for automated offense is gone.

The ceiling for automated defense is the next thing that has to be built. We're going to find out, in production, how high it goes.

Watching the Machine Horizon
Watching the Machine Horizon

Part 3 covers what surviving in this environment actually looks like, and the architectural, operational, and organizational shifts that meaningfully close the gap when zero-days are weaponized faster than any patch cycle can address them.

Read more