Evolving Cyber Security Strategy to keep pace with AI-Driven Vulnerability Discovery

AI is having a significant impact within the cyber security landscape, particularly in vulnerability discovery.

Traditional cyber security strategies already have their challenges with addressing vulnerabilities and are typically built around periodic assessment, fixed remediation windows and manual investigation. Experts believe that AI will make it easier, faster and cheaper for attackers to discover and exploit vulnerabilities, meaning this traditional approach does not align to the shifting threat landscape. 

With AI accelerating attacker capabilities, it also presents opportunities to defenders with improved detection and automated responses. As organisations continue to adopt AI across their environments, their cyber strategies must also evolve from reactive and human-paced to continuous, adaptive and intelligence-led. 

The Shift 

The global market size for AI is predicted to increase substantially over the coming years, with an increase of market size from $280bn in 2024 to a projected $3.5 trillion by 2033. The World Economic Forum’s 2026 Global Risk Report has listed Adverse outcomes of AI technologies and Cyber insecurity as the 5th and 8th biggest global risks over a 10 year period. 

The consequences of AI adoption spreads far greater than just the cyber security landscape, however, with cyber insecurity becoming more problematic than ever, companies must adopt a strategy that aligns to the rapidly changing threat landscape we are seeing. 

Within the software development landscape, the 2025 developer survey by Stack Overflow identified that 84% of respondents are already or plan to use AI tools within their development process. Interestingly, 81% of respondents have concerns about security and privacy of data when using AI agents and only 28% of respondents stated that their company’s IT / InfoSec team had strict requirements on AI agent tools or platform usage. Although this survey provides more insights than just those responses, it’s clear that AI usage is common but there is an element of concern, however not much guidance is provided to address such concerns developers have. With how quickly the AI landscape is advancing and increased pressure to adopt, we can imagine the 2026 edition of this survey having very different results. 

Concerns

The increased pressure for companies to provide market-leading AI models or integration within existing applications uncovers a risk that these accelerated release schedules might skip over traditional security measures. 

Furthermore, an increased attack surface is presented for adversaries to exploit, due to this increased adoption of AI models and systems. The NCSC raises in particular concerns around critical national infrastructure having a larger attack surface as a result.

Where traditional cyber security strategy does not align

Traditional cyber security strategies such as annual penetration testing / audits and risk assessments, alongside 14 day SLAs for critical / high patch remediation and weekly / monthly vulnerability assessments are all examples of fixed interval and point-in time security activities. These produce a snapshot of the risk at that moment in time. These strategies operate at human speed, whereas adversaries with AI capabilities now operate at a much quicker pace. Dr Richard Horne, CEO at the National Cyber Security Centre within the UK states that “AI will make it easier, faster and cheaper to discover and exploit weaknesses that previously required more time, skill or resource for attackers to identify”. 

Dr Horne also argues that frontier AI models help provide the capabilities to find vulnerabilities in code, which can be a good thing for cyber security as it allows suppliers of technologies to identify and fix vulnerabilities throughout the product and service lifecycles. Anthropic’s frontier red team are already showing how their models such as Claude Mythos and Claude Opus are increasing capabilities of identifying zero day high-severity vulnerabilities. 

What do we do - The changes organisations should consider

Although AI is accelerating  capabilities for cyber attackers, this also creates capabilities for defenders. This is increasingly becoming an AI vs AI dynamic, where organisations that effectively adopt AI-enabled defences will be better positioned to keep pace. The NCSC believes that defenders have the ability to shape their environment, using AI to understand expected behaviour, detect anomalies and distinguish genuine threats from normal activity.

Strengthen and continuously enforce Cyber fundamentals

• As Technical Director at the NCSC, Paul J describes it “AI won’t compensate for weak security foundations, it will amplify both strengths and weaknesses”. Core cyber controls become even more fundamental. Frameworks like Cyber Essentials should be treated as a baseline, with accurate asset inventories, access control and secure configuration but maintained continuously rather than periodically. 

Shift from static remediation SLAs to real-time, risk-based prioritisation

• Move away from fixed remediation timelines (e.g. patch criticals in 14 days) toward a continuous prioritisation based on exploitability and exposure. This involves integrating asset visibility, threat intelligence and AI-driven analysis that focuses on vulnerabilities more likely to be exploited now, not just with the highest severity scores. As AI models like Mythos are rapidly identifying vulnerabilities at scale, the window for remediation continues to reduce. Prioritisation becomes even more fundamental.

Reduce attack surface aggressively

• Harden systems, remove unused services, and minimise exposed assets to limit what AI can find. Utilise dark web scanning and threat intelligence tooling to discover any exposed assets and shadow IT. 

Adopt AI for defence

• Use AI-enabled tools (e.g. OpenAI Codex and emerging tools like Google CodeMender) for continuous testing, code analysis, and vulnerability discovery. This will help introduce the capability to identify issues within the workflow earlier and at scale.

Automate detection and response

• Invest in capabilities that can detect, triage, and contain threats in near real-time, not hours or days. This will help reduce a gap between compromise and response.

Encourage AI adoption but securely

• Capture your organisation's AI usage and provide staff with the encouragement and knowledge to use it effectively, reducing the likelihood of shadow AI. Do so in a safe manner, don’t allow it to bypass well established security measures like segregation of duties. 

If you have any security concerns about your organisation's AI adoption or any other queries from our security consultants, you can contact us here.