





















Prof. Dr. Dennis-Kenji Kipker is a cybersecurity expert and works as Scientific Director of the cyberintelligence.institute.

getty
Anyone following the news of the past few weeks will sense that we're crossing a line from which there's no return. With the arrival of AI models such as Mythos from Anthropic, unveiled in early April 2026, a class of artificial intelligence has emerged that can "identify thousands of zero-day vulnerabilities (that is, flaws that were previously unknown to the software’s developers), many of them critical, in every major operating system and every major web browser" within a matter of weeks. In some cases, this code has been in production for decades, including a 27-year-old flaw in OpenBSD. Anthropic itself is deliberately keeping the model under wraps because it would tilt the balance between offense and defense.
This aligns with my own strategic assessment over the past several years advising on digital resilience: We're no longer witnessing a technical evolution but a structural break with a system we long accepted as our baseline.
Of course, we'll continue to talk about technical and organizational safeguards, about management systems and about binding cybersecurity regulatory regimes from governments. That remains necessary. But from my advisory work with public institutions and critical infrastructure operators, I conclude that this is only one side of the coin. The more troubling side is that the products on which our critical infrastructures run are, in too many cases, inherently insecure, and that we as users have little influence over them.
The software supply chain has been deeply vulnerable for years, is regularly exploited and is, in many cases, anything but securely designed. We're managing systems built on sand while the flood of threats keeps rising faster.
Security by design, meaning the integration of security requirements directly into product development, is without a doubt the right principle. But given the speed at which the threat landscape is shifting, it increasingly feels like a drop in the ocean. We're only now beginning to implement it, while our critical infrastructures still run on legacy architectures that were conceived decades ago without any digital security ambition, some of which never even anticipated network connectivity.
Regulation binding manufacturers to meaningful security requirements arrives when the fire is already burning. What was intended as a shield feels more and more like a late, helpless reflex in a situation that worsens by the day.
For years, we debated whether, on balance, AI favors attackers or defenders. That debate is now largely closed. With models like Mythos, IT systems can be disrupted and destroyed faster than we can prevent through laborious manual work. What used to be painstaking manual labor, finding, chaining, exploiting and even monetizing vulnerabilities, is becoming automatable, scalable and available to anyone without deep expertise.
The conclusion I draw is uncomfortable but unavoidable: Cyber insecurity is being industrialized. The attacker gains time, the defender loses it. And time is one of the few currencies that truly matters in cybersecurity—one we have always had too little of.
The temptation to rein in or outright ban such models through regulation is understandable. Yet, it leads nowhere, because Anthropic is by no means the only forge working on this frontier. Other Western labs are developing comparable systems under the pressure of competition and venture capital. State actors such as the People's Republic of China are investing not only in compute but in entire energy networks to sustain ever more powerful AI. Logan Graham, who leads offensive cyber research at Anthropic, has stated publicly that capabilities comparable to Mythos could be broadly distributed within six to 12 months.
Even if offensive AI were criminalized worldwide, which would itself be a civilizational achievement, states will use these tools, openly or in secret. From my perspective, this can no longer be prevented via regulatory means, but it might be able to still be actively shaped through coordination and defensive investment.
From this follows a change in how we handle vulnerabilities. When flaws are no longer identified through weeks of research but generated at scale by AI, they cease to be a scarce good and become commodity output. Bug bounty programs, responsible disclosure and the entire economy built around the careful handling of vulnerabilities—all of it gradually loses its foundation.
Whoever controls the most capable AI systems controls the vulnerabilities and therefore the security of the digital space as a whole, globally and across systems, because so many products are deployed across borders and political blocs. This is a power shift whose magnitude we're only beginning to grasp, and it unfolds not over years but over months.
From this, I conclude that AI is far more than a question of industrial sovereignty or national value creation, the frame to which political debate so often reduces it. It's a major factor in national and international security, at a time when security, even without AI, is becoming an ever scarcer good. The geopolitical landscape, from Ukraine to the Middle East, demonstrates how thin the load-bearing layer beneath our societies has become. AI adds a second fault line.
Whoever controls the models in the years ahead will control a central lever of state, economic and societal capacity to act. For those of us who've spent our careers arguing that cybersecurity is a core dimension of the constitutional state, this moment is a watershed. What's beginning now isn't another cycle but a contest over the foundations of our digital space, and with it, over our physical existence.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。