AI Will Exploit What Businesses Refuse to Fix
About 50 thousand vulnerabilities were discovered last year, and many are either not being fixed or have their patching purposely delayed. The next generation of AI-powered tools will abuse this weakness. Emerging offensive AI models like Anthropic’s Mythos will break current vulnerability management practices, not for technical reasons, but because the rate of change far exceeds what businesses are willing to absorb.
There are technical, process, and behavioral issues to address when managing vulnerability risks. Technically, a vulnerability must be detected, validated, and understood, and then a fix must be created, tested, and deployed. That is the straightforward part; while difficult, these technical challenges are often easier to address than the organizational and business constraints.
Securing the people, systems, and compute for that work is a different story. The people involved likely have day jobs building the next feature set or product, so reallocating them requires justification and becomes a burden on future revenue generation.
Then there are the behavioral aspects, which may be the most challenging. Customers don’t want downtime, performance hits, or updates that they must test and then compensate for with adjustments of their own. This leads to unhappiness, complaints, a higher cost of ownership, and a less competitive product. So disruption must be minimized, because the market demands it. Patches for the most critical vulnerabilities are bundled and pushed on a regular cadence, while vulnerabilities perceived as lesser are bundled and delayed until major updates.
Industry data highlights this reality. Cobalt and the Cyentia Institute surveyed 450 security professionals on why not all vulnerabilities are fixed; the most cited reason was unacceptable disruption to the business. This discussion only grows in relevance with AI models like Mythos, which can find vulnerabilities and create exploits to weaponize them at accelerated speed. The full results can be found in the Cobalt 2026 State of Pentesting Report.
This is why the next generation of vulnerability exploitation, powered by new AI models, will shatter the existing system. It is not just the technical problems that must be overcome, but also the business value impacts that must be justified.
To adapt, organizations must adopt new defensive tools, embrace new remediation processes, dedicate supporting resources for oversight, and reset business expectations around operational disruption. Ironically, vulnerability management defenses will be based in part on the same tools that attackers will use. These new AI models won’t just find more vulnerabilities; they will exploit them at scale, at speeds well beyond our established protection cycles.
Such a change is momentous, and most organizations currently lack the understanding, vision, or willpower to proactively address the risks. As in the past, it often takes incidents, breaches, and significant near-misses to convince decision makers to pursue a more committed path of strategic security with conviction. Pain and consequences are strong motivators.
Victimization and impacts will engender new perspectives, innovation, and tolerances as reflected in the First Axiom of Cybersecurity: “Cybersecurity is not relevant, until it fails”. Foresight is irrelevant if a commitment to action is ignored. Those organizations that act with conviction early, to manage the risks while supporting business value, will benefit substantially, as will their customers.
