The New Cyber Arms Race: AI-Powered Attacks for Under a Dollar

In today's digital landscape, cyber threats have evolved dramatically. Where it once took months to weaponize a software vulnerability, generative AI can now accomplish the same task in minutes for less than a dollar of cloud computing time. This rapid, cheap attack capability poses a significant challenge, but it also offers defenders new tools. Understanding the history of automated vulnerability discovery—like fuzzing—and how the security community responded can help us navigate this new era. Below, we explore key questions about AI-driven cyberattacks and the durable defenses that can counteract them.

1. How has AI changed the speed and cost of cyberattacks?

Generative AI has drastically reduced both the time and expense required to turn a software vulnerability into a working exploit. Previously, attackers needed months of manual effort to analyze code, craft an exploit, and test it. Now, large language models (LLMs) can analyze vulnerabilities and generate exploit code in minutes, often costing less than a dollar in cloud computing resources. This was highlighted by recent headlines about Anthropic's Project Glasswing, which demonstrated that AI can automate the entire process from discovery to exploitation. The result is a new class of low-cost, high-speed cyberattacks accessible to a wider range of malicious actors.

2. What role does generative AI play in both attacking and defending?

While LLMs present a clear cyberthreat, they also empower defenders. Anthropic's Claude Mythos preview model has already helped security teams discover over a thousand zero-day vulnerabilities proactively, including flaws in every major operating system and web browser. Anthropic coordinated disclosure to patch these flaws before they could be exploited. This dual-use nature creates a race: attackers use AI to find and exploit bugs faster, while defenders use similar tools to find and fix them before they are weaponized. The outcome is uncertain, but history suggests that organizations that integrate AI into their development lifecycle can tilt the balance in their favor.

3. How did the security community respond to the rise of fuzzing tools like AFL?

In the early 2010s, fuzzing tools such as American Fuzzy Lop (AFL) emerged as automated vulnerability finders. These tools bombarded software with random, malformed inputs—like a monkey at a typewriter—to uncover hidden flaws. They quickly found critical bugs in major browsers and operating systems. Rather than panicking, the security community industrialized their response. Organizations integrated fuzzers into continuous testing pipelines, catching vulnerabilities before software shipped. This proactive approach set a new security baseline and informed how we might handle AI-driven discovery today.

4. What is OSS-Fuzz and how does it help?

OSS-Fuzz is a Google-built system that runs fuzzers continuously, 24/7, on thousands of open source software projects. By automating vulnerability discovery at scale, it helps maintainers identify and fix bugs before attackers can exploit them. Since its launch, OSS-Fuzz has discovered tens of thousands of security flaws, significantly reducing the risk from unpatched software. This model of continuous, automated testing is now being adapted for AI-driven vulnerability discovery, where LLMs can be run similarly to find zero-day flaws across codebases.

5. What is the asymmetry between AI-driven bug finding and fixing?

While LLMs make finding vulnerabilities trivial—often requiring just a prompt—fixing those bugs remains a human-intensive task. Attackers can exploit code without technical sophistication, but defenders need skilled engineers to read, evaluate, and patch vulnerabilities. The cost of finding bugs may approach zero, but the cost of fixing them does not. This asymmetry is concerning, especially for open source projects maintained by small teams or volunteers. The real challenge is scaling the human effort required for remediation to match the speed of AI-driven discovery.

6. Why is open source software particularly vulnerable to AI-powered attacks?

Open source software forms the backbone of modern technology, yet much of it is maintained by small teams, part-time contributors, or individual volunteers without dedicated security resources. A single bug in a widely used open source library can cascade into vulnerabilities in countless downstream applications. With AI making bug discovery cheap and easy, attackers can target these under-resourced projects at scale. Defenders must therefore prioritize securing the open source ecosystem, perhaps by using AI to automate patching or by providing more support to maintainers.

7. How can defenders gain an advantage against AI-powered attacks?

History offers a playbook. When fuzzers democratized vulnerability discovery, defenders responded by integrating them into development pipelines and running them continuously. The same approach should apply to AI: organizations must embed AI-driven testing into their software development lifecycle, run it around the clock, and act on its findings. Additionally, collaboration—like coordinated disclosure and shared security resources—can help smaller teams keep pace. While AI may favor attackers initially, disciplined use of the same technology for defense can help maintain an edge.