Brace yourselves for a vulnerability explosion, Forescout warns

AI advances are helping identify software flaws at record pace and scale, but that's not the good news some would think


Enterprises should brace themselves for an explosion of vulnerabilities as AI accelerates the discovery of software flaws, according to a senior Forescout figure.

Daniel dos Santos, VP of research at the cybersecurity firm, told ITPro that recent advances in AI mean organisations could face a torrent of vulnerabilities – and many could struggle to keep pace.

Dos Santos' comments come in the wake of a recent study by Forescout highlighting marked AI-driven gains in vulnerability detection. Testing conducted by the cybersecurity firm last year found that more than half (55%) of AI models failed basic vulnerability research, for example, while 93% failed to exploit software flaws. Fast forward a year, and the situation has changed dramatically. In a follow-up study, Forescout found that all tested models were able to successfully identify vulnerabilities.

Dos Santos said this signals a step change in how quickly cybersecurity professionals can react to, and mitigate, vulnerabilities, and he noted that vulnerability counts were already rising before the generative AI boom.

"The reality is we have been seeing an increase in CVEs anyway, even pre-AI. The thing is that it typically required very specialized knowledge to find these things," he said. "And now with AI, it requires less specialized knowledge."

Dos Santos highlighted the recent Project Glasswing announcement by Anthropic, a gated release of its cybersecurity-focused Claude Mythos model.

The new AI model was found to excel in vulnerability identification and is an exciting development for security professionals worldwide. But while security teams will reap the rewards of increased capabilities on this front, the potential volume of vulnerabilities could prove troublesome.

As it stands, dos Santos said, the CVE identification process is lengthy. Researchers approach vendors, who have to confirm the flaw and thereafter assign it a CVE ID. This process can take up to around three months. AI has the potential to shorten that, which is both a blessing and a curse.

"I'm wondering what will happen with the much larger number of reports that will come into vendors' hands," he said. "Are they going to delay things? Are they going to accelerate things?"

Vendors are already struggling with rising vulnerability reports, dos Santos noted, and that's just for legitimate reports. As ITPro previously reported, open source projects have been forced to shut down bug bounty programs due to an onslaught of "AI slop" bug reports.

"The volume of findings is much larger, but also the volume of not real findings, let's say right findings that are reported by AI, but they are not real vulnerabilities, so vendors have to triage those as well, and that's not an easy task," dos Santos told ITPro.

What agents can do for threat actors

Despite facing a potential onslaught of vulnerability reports, security professionals will benefit from more powerful AI tools, enabling them to counter threats more efficiently.

But these gains will also benefit threat actors. Forescout's research found that more than half of the AI models tested were capable of generating exploits autonomously.

A slew of studies over the last 18 months have highlighted the increased use of AI among cyber criminals. Trend Micro analysis showed threat actors were using the technology to dissect threat intelligence reports, while researchers identified what they believed to be the first "AI-powered" ransomware strain.

Dos Santos told ITPro that tracking of underground community forums shows cyber criminals are increasingly warming to the use of AI tools in operations. More experienced operators, for example, are going so far as to mentor others in how to maximize their use of the technology – helping to lower the barrier of entry.

This same process is unfolding with agentic AI, he added, which marks a step change in attackers' capabilities.

"It lowers the barriers for finding vulnerabilities, also for threat actors to definitely exploit targets. I think the main change that we have seen in making these tools much more powerful in the past year, more or less, was the rise of agents," he said.

"The fact that they can do some things autonomously, it's not just somebody talking to a machine. I think we are at the point where threat actors are exploring the capabilities of what agents can do for them, and that's also something that will lead to an explosion into other types of attacks."

Ross Kelly
News and Analysis Editor
