Back to blog
From WormGPT to Mythos: AI in Cybersecurity 2021–2026
Written by
Brightside Team
Published on
From 2021 to 2026, AI changed cybersecurity in practical ways: who can run complex attacks, how fast social engineering can scale, how quickly vulnerabilities can be found, and how much work defenders can hand to automated systems. Attackers gained cheaper phishing, deepfake impersonation, AI-assisted malware development, and early autonomous exploitation. Defenders gained faster detection, automated response, AI-assisted patching, and threat intelligence that can keep up with attack volumes that human teams cannot handle manually.
April 2026 is the clearest break point. Anthropic disclosed Claude Mythos Preview and withheld it from public release because of its offensive cyber capability. The industry response was Project Glasswing: twelve major technology companies committing AI resources to defensive vulnerability discovery and patching.
Part I: The Five-Year Arc (2021–2026)
Phase 1: Machine Learning Matures for Defense (2021–2022)
Between 2021 and 2022, AI in cybersecurity was primarily a defensive technology rooted in classical machine learning, especially anomaly detection, malware classification, and behavioral analytics. Systematic literature analysis across 185 papers found that approximately 63% of all LLM security research at that time focused on software and system security, with network security comprising around 14% and information and content security around 12%. The dominant architectures were encoder-only models such as BERT and its variants, used to generate contextualized embeddings of code and network traffic for downstream classification tasks.
On the threat side, the same period saw the total annual count of in-the-wild zero-day vulnerabilities stabilize in the 60–100 range after rising sharply from pre-2021 levels, and state-sponsored actors from China, Russia, North Korea, and Iran expanded their targeting of supply chains and edge devices. AI tools were not yet a meaningful offensive instrument. Adversaries still relied on human expertise, established toolkits such as Cobalt Strike and Metasploit, and commodity phishing kits.
Phase 2: Generative AI Changes Offense (2023–2024)
The public release of ChatGPT in late 2022 and the spread of large language models through 2023 changed attacker behavior within a year. By mid-2023, dark web forums had their own market for generative AI tools. WormGPT, built on the open-source GPT-J model, appeared on dark web forums and was used extensively for business email compromise (BEC) campaigns. FraudGPT emerged shortly after, advertised as an "all-in-one" criminal toolkit offering malware generation, phishing page creation, and vulnerability research for subscription fees ranging from $200 per month to $1,700 per year, with over 3,000 confirmed sales as of July 2023. DarkBard, an equivalent based on Google's Bard, and XXXGPT for RAT and botnet tooling, followed within weeks.
The FBI issued a formal public service announcement warning that criminals were exploiting generative AI to manufacture synthetic text, images, audio, and video in support of financial fraud, romance scams, sextortion, and investment fraud. AI-generated text allowed foreign criminal actors to eliminate the grammatical and spelling errors that had historically served as warning signs of fraud, and AI-generated profile photos made fictitious social media personas nearly indistinguishable from real people.
The deepfake dimension became financially concrete in early 2024, when an employee at the engineering firm Arup was deceived by an AI-generated video call impersonating the company's CFO and transferred approximately £20 million to fraudsters. This case, widely reported globally, demonstrated that deepfake technology had crossed the threshold from a theoretical risk into a proven financial weapon. An Australian local government lost AUD 2.3 million to a similar deepfake voice-and-video impersonation attack targeting city officials. By the end of 2024, analysis indicated that a new deepfake-enabled scam was occurring on average every five minutes.
OpenAI's threat intelligence disruption team documented concrete adversarial misuse of ChatGPT by state-linked actors during this period. Russian threat actor Forest Blizzard used the platform for open-source research related to satellite and radar technologies. North Korean actor Emerald Sleet used it to research think tanks, generate phishing content targeting Korean Peninsula experts, and draft spear-phishing emails. Iranian actors Crimson Sandstorm and Charcoal Typhoon used it for social engineering lures and drafting communications. Chinese actors Salmon Typhoon and Cicada used it for translation, technical research, and information gathering on defense and intelligence topics.
Phase 3: AI Becomes Part of the Attack Lifecycle (2025)
By 2025, AI had become embedded in the full attack lifecycle, and the scale of its impact was measurable in hard numbers. Over 51% of all spam email was being written by AI by April 2025, up from near-zero two years prior. Approximately 14% of BEC attack emails were AI-generated. Phishing attacks linked to generative AI had surged by 1,265% compared to the pre-generative-AI baseline, with phishing incident reports jumping 466% in a single quarter due to automated phishing kits. AI-written phishing emails achieved a 54% click-through rate in lab settings compared to 12% for traditional phishing.
Deepfakes now accounted for an estimated 6.5% of all fraud attacks — a 2,137% increase since 2022 — and synthetic identity fraud losses crossed $35 billion in 2023, with nearly 25% of all bank fraud losses attributed to synthetic identities by early 2025.
Google's Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in-the-wild in 2025. Although below the 2023 record of 100, the figure was higher than 2024's count of 78 and showed that annual zero-day exploitation had settled into the 60-100 range, well above pre-2021 levels. Forty-eight percent of 2025 zero-days targeted enterprise technologies, an all-time high, reflecting the strategic shift toward edge devices, security appliances, and interconnected enterprise platforms. Commercial surveillance vendors (CSVs) exceeded state-sponsored groups in zero-day attribution for the first time ever.
The Microsoft Digital Defense Report 2025, drawing on over 100 trillion security signals processed daily, reported that identity-based attacks rose 32% in the first half of 2025, with research and academia accounting for 39% of all identity compromise incidents. Over 40% of ransomware attacks now involve hybrid components spanning both on-premises and cloud environments, compared to less than 5% two years earlier. Microsoft observed data collection activity in 80% of reactive incident response engagements, while confirmed exfiltration occurred in 51%.
GTIG's updated threat tracker identified a qualitative shift within this period: for the first time, adversaries deployed malware that uses AI capabilities during execution rather than solely during development. The PROMPTFLUX dropper, written in VBScript, interacted with the Gemini API to request obfuscation code and rewrite its own source code on an hourly basis, creating a recursive cycle of self-mutation designed to evade static signature-based detection. PROMPTSTEAL, attributed to Russian APT28 and reported by CERT-UA as LAMEHUG, queried an open-source LLM (Qwen2.5-Coder-32B-Instruct) via the Hugging Face API to dynamically generate Windows commands for data theft. This was the first confirmed instance of malware querying an LLM in live operations. Additional malware families were documented, including PROMPTLOCK (ransomware), QUIETVAULT (credential stealer), and FRUITSTEAL (reverse shell), across experimental and operational stages.
State-sponsored actors across all four major nation-state groups used Gemini throughout 2025 to support the full attack lifecycle. A confirmed China-nexus actor used Gemini to conduct reconnaissance, research phishing techniques, support lateral movement, obtain C2 assistance, and enumerate Kubernetes containers and pods in cloud environments they were unfamiliar with. APT28 (Russia) deployed PROMPTSTEAL operationally. Iranian state actor TEMP.Zagros used Gemini to develop custom web shells and a Python-based C2 server, impersonating a university student to bypass safety guardrails; the actor inadvertently exposed hard-coded C2 infrastructure to Gemini, which helped disrupt the campaign. APT42 (Iran) attempted to build a Data Processing Agent capable of converting natural language queries into SQL to extract information from sensitive personal data, including linking phone numbers to individuals and tracking travel patterns. North Korean actor UNC4899 researched exploits for edge devices and modern browsers, while UNC1069 used deepfake video lures to distribute the BIGMACHO backdoor in cryptocurrency social engineering campaigns.
The underground market for AI-powered offensive tooling matured significantly in 2025. GTIG identified multiple purpose-built tools on English- and Russian-language forums offering phishing kit creation, malware generation, deepfake-based identity document forgery, and vulnerability exploitation, many with subscription pricing tiers and advertising language mirroring legitimate AI vendors.
On the defensive side, Microsoft processed 100 trillion security signals daily with 34,000 full-time security engineers and 15,000 partners. AI agents became deployable for automated threat response, including suspending suspicious accounts, initiating password resets, and containing breaches before encryption could occur. OpenAI launched Codex Security, which contributed to over 3,000 critical and high-severity fixed vulnerabilities in open-source projects within months of launch.
Part II: Mythos and the Frontier Capability Threshold
Claude Mythos Preview: The First Withheld Frontier Cyber Model
In April 2026, Anthropic disclosed Claude Mythos Preview alongside its decision not to release the model publicly. The UK AI Security Institute (UK AISI) independently evaluated the model and found it to be the first frontier model to complete their corporate network attack simulation ("The Last Ones," or TLO) end-to-end. TLO is a 32-step simulation spanning four subnets and approximately twenty hosts, requiring reconnaissance, credential theft, lateral movement across Active Directory forests, a CI/CD supply-chain pivot, and exfiltration of a protected database. UK AISI estimated the full chain would take roughly 20 hours for a human expert. Mythos Preview completed TLO in 3 of 10 attempts; GPT-5.5 subsequently completed it in 2 of 10 attempts at a comparable capability level.
On expert-level narrow cyber tasks, GPT-5.5 achieved a 71.4% average pass rate versus 68.6% for Mythos Preview, 52.4% for GPT-5.4, and 48.6% for Opus 4.7. This confirmed that rapid improvement on offensive cyber tasks is a general trend across frontier models from different developers, not an artifact specific to one system. A demonstration task illustrates the magnitude: a custom virtual machine reverse-engineering challenge that an expert human solved in approximately 12 hours using professional tooling was solved by GPT-5.5 in 10 minutes and 22 seconds at an API cost of $1.73.
Project Glasswing, announced alongside the Mythos disclosure, brought together Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks to use Mythos Preview for defensive vulnerability scanning. Within weeks, the model identified thousands of zero-day vulnerabilities, including a 27-year-old flaw in OpenBSD that allowed remote crash of any machine running the OS by simply connecting to it, a 16-year-old vulnerability in FFmpeg in a line of code that had been hit five million times by automated testing tools without detection, and a Linux kernel privilege escalation chain exploiting several chained vulnerabilities. The model found them autonomously, without human steering. Anthropic committed $100 million in model usage credits to the initiative, plus $4 million in direct donations to open-source security organizations.
The political and regulatory response was immediate. Microsoft, Google, and xAI agreed to give the US government early access to new AI models for national security testing through the Center for AI Standards and Innovation (CAISI) at the Department of Commerce, fulfilling a pledge made in July 2025. The European Commission opened contact with Anthropic regarding Mythos. The White House raised concerns about Anthropic's plans for expanding access to the model.
GPT-5.5 Confirms the Trend
OpenAI's GPT-5.5 system evaluation by UK AISI confirmed that frontier cyber capability is now a cross-model phenomenon. UK AISI identified a universal jailbreak for GPT-5.5's cyber safeguards, including in multi-turn agentic settings. The jailbreak required six hours of expert red-teaming to develop before OpenAI implemented additional updates to the safeguard stack. The evaluation noted that "cyber-offensive skill is emerging as a byproduct of more general improvements in long-horizon autonomy, reasoning, and coding," suggesting further capability increases from frontier models in rapid succession. GPT-5.5 was unable to complete the industrial control system (ICS) attack simulation "Cooling Tower", a 7-step simulation targeting a power plant environment. That result suggests OT-specific exploitation capabilities remain significantly below general IT network attack capabilities.
OpenAI responded by launching its Trusted Access for Cyber (TAC) program, scaling to thousands of verified individual defenders and hundreds of teams responsible for defending critical software. GPT-5.4-Cyber, a fine-tuned variant with reduced refusal boundaries for legitimate cybersecurity work, was made available to vetted security vendors, researchers, and organizations, including binary reverse engineering capabilities not available in standard deployments.
Part III: Attack Trends in Detail
Social Engineering and Fraud at Machine Scale
The combination of AI-generated text, voice cloning, and deepfake video has effectively industrialized social engineering. The FBI's Internet Crime Complaint Center formally documented the full taxonomy of AI-enabled financial fraud: AI-generated text for romance schemes and investment fraud; AI-generated images for fictitious social media profiles and fraudulent identification documents; AI-generated audio for grandparent scams and voice impersonation of bank clients; and AI-generated videos for real-time video conference impersonation of executives and law enforcement.
BEC losses, already $2.7 billion in 2022, are projected to accelerate further as AI removes the scaling constraints that previously limited these operations. In Q1 2025 alone, reported deepfake incidents jumped 19% compared to all of 2024. The 72% of organizations that report increased cyber risk due to generative AI capabilities as surveyed by the World Economic Forum primarily cite social engineering and fraud.
CrowdStrike's 2025 Global Threat Report documented GenAI's acceleration of social engineering specifically: AI can generate context-aware phishing content in multiple languages, impersonate known internal contacts based on scraped communication data, and A/B test different social engineering hooks automatically, iterating toward maximum effectiveness without human involvement.
Zero-Days, Vulnerability Exploitation, and the Collapsing Patch Window
GTIG's 2025 zero-day review found that the window between vulnerability disclosure and active exploitation has already shrunk to days in many cases. The UK National Cyber Security Centre (NCSC) assessed that AI will "almost certainly" reduce this further by 2027, placing critical systems under greater pressure as defenders race to patch faster than adversaries can weaponize. The NCSC assessment, released at the CYBERUK conference, warned that a digital divide is emerging between organizations that can keep pace with AI-enabled threats and those that cannot, and that this divide will heighten overall cyber risk to UK critical national infrastructure (CNI) by 2027.
The BRICKSTORM campaign in 2025, attributed to PRC-nexus espionage operators, showed a different objective. Rather than simply exfiltrating sensitive client data, the actors targeted intellectual property, including source code and proprietary development documents from technology companies. That IP could support long-term zero-day development against downstream customers of those vendors. In this model, one intrusion supplies material for future attacks against different targets.
The PRC-nexus group UNC3886 and UNC5221 continued to dominate traditional state-sponsored espionage zero-day exploitation, with just over half of all attributed state-sponsored zero-day exploitation by these groups focused on edge devices and security appliances. Financial motivation also drove zero-day exploitation to near-record levels: nine zero-days in 2025 were attributed to confirmed or likely financially motivated threat groups, matching the 2023 high.
Criminal AI Tool Markets
The underground market for AI attack tools lowered the cost of offensive capability. Beyond the early WormGPT and FraudGPT tools, GTIG documented multiple multifunctional platforms in 2025 offering phishing, malware development, vulnerability research, deepfake generation, and code obfuscation, with pricing tiers, support channels, and upgrade paths that resemble legitimate SaaS products. Many tools explicitly advertise their ability to bypass safety guardrails of mainstream models, and some use stolen API keys to access frontier models covertly.
Microsoft's Digital Crimes Unit tracked Storm-2139, a global network that exploited stolen API keys from multiple AI services, including Azure OpenAI, to bypass risk governance measures and produce thousands of abusive AI-generated images, including celebrity deepfakes and nonconsensual content. The DCU disrupted the network through a civil complaint filed in December 2024, followed by criminal referrals to the DOJ, FBI, UK NCA, and Europol in March 2025.
Part IV: The Defensive Response
AI-Powered Defense Architecture
Attackers use these capabilities, and defenders now use them too. Microsoft's security AI stack processes over 38 million identity risk detections daily and blocks 4.5 million novel malware files per day, with AI systems identifying slow password spray attacks by recognizing coordinated patterns across extended durations that would evade traditional rate-limit rules. AI-driven identity protection systems analyze billions of sign-ins, evaluate each against dozens of risk factors, including impossible travel, unfamiliar devices, and abnormal access times, and assign risk scores in milliseconds.
Microsoft deployed "guardian agents": dedicated security AI systems designed specifically to protect other AI systems from prompt injection, model context protocol (MCP) exploitation, and Agent2Agent (A2A) attacks. These agents use Small Language Models (SLMs) for high-speed surface screening, with suspicious signals escalating to LLMs for deep analysis that correlates tool invocations, reasoning traces, and state changes before issuing an allow/rewrite/block verdict.
In May 2025, Microsoft's Digital Crimes Unit, in coordination with the DOJ, Europol, Japan's Cybercrime Control Center, and private sector partners including ESET, Bitsight, and Lumen, disrupted Lumma Stealer, the most prevalent infostealer of the period, by seizing or blocking over 2,300 malicious domains through a US court order. The operation shows how AI-enabled threat intelligence, coordinated legal action, and technical intervention can disrupt malicious infrastructure quickly.
Google's Big Sleep AI agent, developed by DeepMind and Project Zero, found its first real-world security vulnerability and identified a flaw that was imminently going to be exploited by threat actors, allowing GTIG to cut it off in advance. Google also introduced CodeMender, an experimental agent using Gemini models to automatically fix critical code vulnerabilities.
OpenAI's Codex Security automated monitoring and vulnerability fixing across codebases, with over 3,000 critical and high-severity vulnerabilities fixed since launch. Anthropic committed $100 million in model usage credits through Project Glasswing specifically to bring Mythos-class vulnerability discovery capabilities to defenders, including open-source maintainers who historically lacked access to expensive security teams.
LLM Applications Across Defensive Security Domains
A systematic review of 185 papers on LLM applications in cybersecurity identified six primary defensive security domains where these models deliver measurable value:
Software and System Security (63% of research output): LLMs are most extensively deployed for vulnerability detection, vulnerability repair, bug detection, program fuzzing, reverse engineering, and malware detection. Static vulnerability detection using LLMs shows significant performance improvements over traditional graph neural network and rule-based approaches. Frameworks like SCALE, VulLLM, and VulAdvisor use fine-tuned LLMs with multi-task instruction training for simultaneous detection, localization, and explanation. For vulnerability repair, 50% of vulnerabilities have lifecycle exceeding 438 days. LLM-automated patching could reduce this figure dramatically.
Network Security (14%): LLMs support web fuzzing, intrusion and anomaly detection, cyber threat intelligence generation, and penetration testing automation. PentestGPT, combining three self-interacting LLM modules, demonstrated strong performance on a 13-scenario, 182-subtask penetration testing benchmark. LLM-guided fuzzers show significant improvements in code coverage and vulnerability discovery compared to baseline tools.
Information and Content Security (12%): Detection of AI-generated phishing, deepfakes, harmful content, and disinformation. Multi-agent debate frameworks like PhishDebate assign agents to analyze URL structure, text content, and screenshot analysis independently before debating conclusions, significantly reducing false positives compared to single-agent approaches.
Hardware, Blockchain, and Emerging Domains (11%): LLMs are being applied to smart contract vulnerability detection, hardware security verification, and blockchain transaction anomaly detection. Frameworks like BugWhisperer use fine-tuned models to detect vulnerabilities at the Register-Transfer Level in System-on-Chip designs.
The most significant emerging architectural pattern is the LLM-based autonomous security agent — systems that orchestrate classical tools (debuggers, static analyzers, fuzzing frameworks) through an LLM reasoning core, enabling complex multi-step workflows that would previously require experienced human analysts.
Trusted Access Programs and Responsible Deployment
OpenAI's Trusted Access for Cyber (TAC) program operationalized a key principle: cyber capabilities are inherently dual-use, and risk management depends not on restricting the model universally but on granting calibrated access based on verified user identity, trust signals, and accountability. The program scales across individual practitioners via identity verification, enterprise teams, and specialized cyber-permissive model variants for vetted security vendors. The philosophy explicitly rejects centralized gatekeeping in favor of automated, evidence-based expansion of access to legitimate defenders.
OpenAI's updated Preparedness Framework introduced two clearly defined threshold levels: "High capability" (could increase existing pathways to severe harm) and "Critical capability" (could create new pathways). Each threshold has mandatory safeguard requirements before deployment, and a Safety Advisory Group makes recommendations to leadership. Cybersecurity is classified as a "Tracked Category" alongside biological, chemical, and AI self-improvement capabilities, with mature evaluation frameworks and ongoing safeguard investment.
Top 5 Security Awareness Training Platforms for AI-Era Threats
Technical defenses address the infrastructure layer, but the fastest-growing attack vectors in the current threat environment target people directly: AI-generated phishing, voice-based social engineering, and deepfake impersonation. The following platforms were selected for their coverage of these three attack vectors specifically, as each has been measurably accelerated by generative AI since 2023. This list is published by Brightside AI, which appears first.
1. Brightside AI
Brightside is a Swiss cybersecurity awareness platform built around simulation realism across all three AI-era attack vectors: email phishing, vishing, and deepfake impersonation. Its vishing simulator uses generative AI to conduct live, adaptive phone calls rather than voicemail scripts, with support for custom executive voice cloning to replicate CEO fraud scenarios. What distinguishes the platform operationally is the balance between AI automation and admin control: AI suggests caller personas, attack strategies, psychological tactics, and opening messages at each step of template creation, while admins retain full visibility and override capability at every point. Automated follow-up training triggers immediately when an employee fails a simulation, closing the loop between exposure and remediation without manual intervention.
2. Adaptive Security
Adaptive Security focuses on AI-powered human risk management, with simulations spanning phishing, voice, and text-based social engineering. The platform's strongest differentiator is enterprise posture automation: it monitors executive digital exposure and surfaces organizational risk signals continuously rather than relying solely on periodic simulation campaigns. It is particularly well suited for security teams that need to connect employee behavior data to a broader risk posture dashboard.
3. Proofpoint Security Awareness
Proofpoint brings the depth of its threat intelligence network directly into its training layer. Because Proofpoint processes a significant share of global enterprise email traffic, its simulation content reflects live phishing campaigns actively targeting organizations in the same industry or geography. Its risk-based adaptive learning paths adjust training content based on individual employee behavior, and suspicious message reporting integrates directly with security operations workflows. It is the strongest choice for organizations already operating within the Proofpoint security stack.
4. Riot
Riot delivers security awareness training through the collaboration tools employees already use, primarily Slack and Microsoft Teams, via its AI assistant Albert. This removes the adoption friction that causes completion rates to collapse in traditional LMS-based programs. Beyond phishing simulation, Riot extends into breach monitoring and employee security posture scoring, giving security teams a continuous signal on individual risk rather than a snapshot from a quarterly campaign. It is best suited for modern, distributed workforces where engagement in a separate training portal is realistically low.
5. Arsen
Arsen is a Paris-based simulation-first platform covering phishing, smishing, and vishing across a European customer base. Its approach combines multi-channel social engineering simulations with threat monitoring and strong compliance-oriented reporting, making it a credible choice for organizations operating under NIS2 and similar regulatory frameworks. Arsen's executive protection messaging and collaboration-tool delivery options give it particular relevance for mid-market European buyers evaluating simulation depth alongside regulatory coverage.
![](data:image/svg+xml,<svg display="block" role="presentation" viewBox="0 0 5100 5100" xmlns="http://www.w3.org/2000/svg"><path d="M 2500.024 0 C 2553.328 0 2595.834 43.879 2595.834 97.125 L 2595.834 1876.506 L 3119.201 176.066 C 3134.891 125.086 3188.553 96.12 3239.425 112.351 C 3290.111 128.521 3317.762 183.113 3302.122 233.925 L 2779.762 1931.097 L 3779.21 461.931 L 3779.21 461.931 C 3809.253 417.765 3869.112 406.54 3912.791 437.34 C 3956.212 467.961 3966.827 528.293 3936.952 572.213 L 2940.571 2036.873 L 4325.625 929.91 C 4367.382 896.541 4427.806 904.057 4460.434 946.369 C 4492.863 988.434 4485.764 1049.285 4444.263 1082.452 L 3060.321 2188.526 L 4709.544 1539.817 C 4759.253 1520.266 4814.696 1545.603 4833.629 1595.492 L 4834.055 1596.658 C 4852.106 1646.063 4827.965 1701.593 4778.86 1720.913 L 3133.595 2368.073 L 4897.112 2235.63 C 4950.287 2231.63 4995.887 2272.239 4999.739 2325.374 L 4999.739 2325.374 C 5003.591 2378.46 4964.398 2425.357 4911.272 2429.348 L 3146.284 2561.899 L 4871.594 2956.552 C 4923.482 2968.425 4955.466 3020.57 4943.999 3072.498 C 4932.513 3124.564 4881.447 3157.944 4829.411 3146.042 L 3104.198 2751.408 L 4635.446 3637.4 C 4681.451 3664.017 4697.226 3723.193 4671.331 3769.585 L 4671.331 3769.585 C 4645.308 3816.215 4586.707 3832.86 4540.454 3806.104 L 3005.937 2918.221 L 4209.67 4218.413 C 4245.476 4257.082 4244.03 4317.683 4206.57 4354.549 L 4205.679 4355.411 C 4167.427 4392.128 4107.211 4390.593 4070.811 4352.262 L 4069.949 4351.351 L 2863.424 3048.138 L 3632.211 4648.15 C 3655.046 4695.671 3636.222 4753.253 3589.443 4777.295 L 3588.334 4777.86 C 3540.507 4801.675 3483.064 4781.335 3459.942 4733.221 L 2689.559 3129.881 L 2954.004 4888.23 C 2961.916 4940.841 2926.469 4990.659 2873.852 4998.868 C 2821.132 5007.086 2772.499 4970.211 2764.574 4917.511 L 2500.003 3158.32 L 2235.433 4917.511 C 2227.506 4970.211 2178.874 5007.086 2126.154 4998.868 C 2073.538 4990.659 2038.091 4940.841 2046.004 4888.23 L 2310.449 3129.871 L 1540.054 4733.221 C 1516.934 4781.335 1459.495 4801.675 1411.666 4777.86 C 1364.085 4754.154 1344.776 4696.048 1367.789 4648.15 L 2136.531 3048.237 L 930.091 4351.351 C 893.789 4390.564 832.92 4392.415 794.361 4355.411 C 756.039 4318.634 754.286 4257.389 790.37 4218.413 L 790.37 4218.413 L 1994.186 2918.132 L 459.517 3806.104 C 413.263 3832.86 354.662 3816.215 328.639 3769.585 C 302.745 3723.193 318.529 3664.017 364.525 3637.4 L 1895.723 2751.438 L 170.629 3146.042 C 118.603 3157.944 67.537 3124.564 56.04 3072.498 C 44.584 3020.57 76.568 2968.425 128.455 2956.552 L 1853.763 2561.899 L 88.728 2429.348 C 35.602 2425.357 -3.591 2378.45 0.261 2325.364 C 4.103 2272.239 49.713 2231.63 102.888 2235.621 L 1866.342 2368.063 L 221.081 1720.903 C 171.59 1701.435 147.458 1645.18 166.322 1595.487 C 185.106 1545.988 239.826 1520.657 289.238 1539.361 L 290.397 1539.811 L 290.397 1539.812 L 1939.997 2188.674 L 555.875 1082.452 C 514.375 1049.285 507.275 988.434 539.705 946.369 C 572.333 904.057 632.766 896.541 674.514 929.91 L 2059.407 2036.744 L 1063.117 572.213 C 1033.242 528.293 1043.857 467.961 1087.279 437.34 C 1130.957 406.54 1190.816 417.766 1220.86 461.932 L 2220.177 1930.909 L 1697.876 233.925 C 1682.237 183.113 1709.887 128.521 1760.574 112.351 C 1811.446 96.12 1865.108 125.086 1880.799 176.066 L 2404.214 1876.665 L 2404.214 97.125 C 2404.214 43.879 2446.718 0 2500.024 0 Z" fill="rgb(165, 140, 255)" height="5000.014289657591px" id="KrZEL4sI2" stroke-dasharray="" stroke-linecap="round" stroke-linejoin="bevel" stroke-width="50" stroke="rgb(165, 140, 255)" transform="translate(50 50)" width="5000px"/></svg>)
Try our vishing simulator
Experience the most advanced voice phishing simulator built for security teams. Create scenarios, test voice cloning, and explore automation features.
Part V: The Privacy-Security Tension
As AI-powered cybersecurity systems spread, the tension between security effectiveness and privacy rights has become harder to ignore. A March 2026 interdisciplinary analysis documents the conflict clearly: AI cybersecurity tools operate on logs, metadata, user behavior, and anomaly signals, while GDPR requires data minimization, purpose limitation, and proportionality.
The EU's regulatory architecture addressing this tension is multi-layered but functionally fragmented: the GDPR governs data processing lawfulness; the AI Act provides risk-based control of AI systems; the Data Act governs data access; NIS2 imposes cybersecurity obligations; eIDAS 2 strengthens digital identity. These instruments coexist without a unified regime specifically for AI-powered cybersecurity, creating interpretive uncertainty for both deployers and oversight bodies.
Automated decision-making presents a specific challenge under GDPR Article 22: when AI security systems restrict access, categorize users as high-risk, or activate alerts without human involvement, they may constitute legally significant automated decisions over individuals. That requires transparency of logic, subject rights, and real (not merely formal) human control. The admissibility of AI-generated logs and alerts as criminal evidence introduces further complexity: authenticity, integrity, chain of custody, and verifiability of the algorithmic model must all be demonstrable in court.
Part VI: What to Expect Beyond 2026
Autonomous and Agentic Attacks
The UK NCSC's authoritative assessment projects that by 2027, AI will have "almost certainly" continued making cyber intrusion operations more effective and efficient, though the development of fully autonomous end-to-end advanced attacks remains "unlikely" within this timeframe. Skilled actors will remain in the loop. The most significant near-term AI cyber development will "highly likely" come from AI-assisted vulnerability research and exploit development (VRED), enabling faster discovery and exploitation of flaws in underlying code and configurations.
GTIG's 2026 zero-day forecast anticipates that AI will "accelerate the ongoing race between attackers and defenders," with adversaries using AI to automate reconnaissance, vulnerability discovery, and exploit development, compressing the time between discovery and weaponization still further. At the same time, AI-enabled defensive agents will proactively discover and help patch previously unknown security flaws before exploitation.
Microsoft identifies five principal emerging threats for the near term: AI-enhanced social engineering and autonomous malware capable of real-time lateral movement and payload rewriting; expanded supply chain compromise through MSPs, CI/CD pipelines, and third-party deployment vendors; covert decentralized networks built on blockchain or dark web overlays to survive infrastructure takedowns; increasing cloud identity abuse through malicious OAuth apps and device code phishing; and growth in high-stakes commercial intrusion markets where cyber mercenaries offer zero-click implants capable of disabling critical infrastructure.
The Digital Divide
One of the most important risks beyond 2026 is the gap between organizations that adopt AI-enhanced security operations and those that cannot. The NCSC explicitly warns that "there will almost certainly be a digital divide between systems keeping pace with AI-enabled threats and a large proportion that are more vulnerable," and that this divide poses a "realistic possibility" that critical systems will become more vulnerable to advanced threat actors by 2027, assuming no change to current security mitigations. The divide includes budget, workforce expertise, and willingness to adopt zero-trust architectures quickly enough.
AI as Attack Surface
As AI systems become embedded across enterprise and critical national infrastructure, they represent a growing attack surface in their own right. Techniques including direct and indirect prompt injection, model context protocol exploitation, supply chain poisoning of training data, and adversarial examples designed to manipulate model outputs have all been demonstrated in operational contexts. Microsoft reports that its Frontier Governance Framework specifically monitors for the emergence of new AI model capabilities that could be misused against national security, and that engineering guidance for agentic systems is being developed as a priority given the expanding autonomy of deployed AI agents.
Regulation Becomes More Concrete
The regulatory environment will consolidate significantly over the 2026–2028 period. The EU AI Act's staggered compliance deadlines impose new requirements on AI system providers; GDPR enforcement against AI-powered security tools is intensifying; NIS2 requires strengthened cybersecurity obligations in essential sectors; and the UK Cyber Security and Resilience Bill, referenced in UK AISI's GPT-5.5 assessment, is progressing through Parliament. The US Committee on National Security Systems Policy 15 mandates quantum-safe algorithms in all new products for national security systems by January 2027. CAISI (the Center for AI Standards and Innovation) has completed over 40 model evaluations and is building toward a structured pre-deployment testing regime for all frontier models with national security implications.
Post-Quantum Cryptography
Quantum computing's threat to public-key cryptography is classified by Microsoft as requiring immediate action before quantum advantage becomes operationally available. Microsoft notes that the US deadline for quantum-safe algorithms in national security systems is January 2027, while Canada and the UK target 2031. Organizations are advised to inventory all encryption usage now and plan upgrades to NIST-standardized post-quantum algorithms proactively, using cloud migration as an accelerator for the transition.
The Defensive Advantage
Despite the growth in offensive capability, defenders now have something they did not have before 2025: access to the same frontier AI capabilities that make attacks more powerful. Project Glasswing is the first systematic attempt to give the defensive community, including historically under-resourced open-source maintainers, access to Mythos-class vulnerability discovery. The Linux Foundation, a Glasswing partner, explicitly noted that "open source software constitutes the vast majority of code in modern systems" and that AI-augmented security can become "a trusted sidekick for every maintainer, not just those who can afford expensive security teams".
CrowdStrike's Chief Technology Officer summarized the operational reality succinctly: "The window between a vulnerability being discovered and being exploited by an adversary has collapsed — what once took months now happens in minutes with AI. Claude Mythos Preview demonstrates what is now possible for defenders at scale, and adversaries will inevitably look to exploit the same capabilities. That is not a reason to slow down — it's a reason to move together, faster".
Key Findings at a Glance
Dimension | 2021 State | 2026 State | Beyond 2026 Trajectory |
|---|---|---|---|
Zero-day volume | Below 60/year | 90/year (2025)[^3] | AI to compress disclosure-to-exploit window further[^17] |
AI phishing share | Near zero | >51% of spam[^6] | Continued growth; AI detection arms race |
Deepfake fraud | Experimental | $25M+ single incidents; 6.5% of all fraud[^6] | Standard-issue attack vector across all sectors |
State actor AI use | Absent | Full attack lifecycle augmentation (all major groups)[^10] | Autonomous AI-enabled malware in operational deployment |
Frontier model cyber capability | N/A | 20-hour corporate attack chain completed autonomously[^12] | Cross-model capability proliferation; agentic exploitation |
Defensive AI deployment | Rule-based ML | 100T signals/day; autonomous response agents[^9] | AI-vs-AI at model speed; guardian agents for AI systems |
Regulatory framework | Fragmented | EU AI Act, NIS2, TAC programs underway | More concrete rules; mandatory pre-deployment evaluations |
Post-quantum urgency | Low | US national security deadline 2027[^9] | Migration programs must begin now |
Conclusion: Cybersecurity Is No Longer Mostly Human-Speed
For most of the past decade, cybersecurity was a race between human teams, with AI helping at the edges. The period from 2021 to 2026 changed that. The contest is increasingly between AI systems: defensive agents on one side, autonomous offensive tools on the other, with humans moving into supervisory roles.
The organizations, governments, and open-source communities most likely to do well after 2026 will treat AI security adoption as required infrastructure, not an optional upgrade. They will need zero-trust architectures, teams that can operate AI-driven tools, active intelligence sharing, and enough regulatory literacy to work within the rules forming around frontier AI. Waiting while the digital divide widens is not a stable position.
Claude Mythos Preview and Project Glasswing give the same warning from opposite sides. Models that can find and exploit thousands of zero-days can also help close those vulnerabilities before attackers reach them. The central question for the next decade is whether defensive deployment moves faster than offensive spread.
