How worried should CISOs be?

"We can comfortably presume that if someone acting as a defender in the infosec community has come up with this idea, then someone in the attacker world has also set such tooling in motion," said Mike Wilkes, CISO at cybersecurity vendor Aikido Security. But while CISOs should take the news seriously, he added, they don't need to panic.

We can comfortably presume that if someone acting as a defender in the infosec community has come up with this idea, then someone in the attacker world has also set such tooling in motion.

Trevor Horwitz, CISO at cybersecurity vendor TrustNet, agreed, adding that AI worms are not a new category of risk. Rather, they represent an evolution of challenges CISOs already know and understand, such as automated malware, lateral movement, weak segmentation and poor identity controls.

There is also a vast difference between a secure lab environment and a real-world corporate network, Horwitz added, making it far from certain that we will see a similar AI worm in the wild soon.

"Real enterprise networks are messy," he said. "They have inconsistent configurations, legacy systems, security tooling, partial visibility and a lot of operational friction. That makes real-world propagation harder than a lab demo."

In a more likely near-term scenario, according to Horwitz, attackers use AI to improve pieces of the attack chain: reconnaissance, exploit selection, phishing, credential abuse and lateral movement.

"The significance of this research isn’t the worm itself -- it's the emergence of more autonomous attacks," agreed Martin Reynolds, field CTO at DevSecOps vendor Harness. "AI gives attackers greater speed, scale and adaptability, often against the same vulnerabilities and misconfigurations security teams have faced for years."

How to defend against AI worms

The Toronto researchers' agentic AI worm can find only known weaknesses. With internet access, however, it could ingest real-time public updates about newly discovered zero-day vulnerabilities and exploit them before organizations have a chance to patch. During the POC, the malware reportedly exploited three vulnerabilities based on recently released public advisory information, on which the LLMs that the agentic worm was using had not been trained.

In other words, to wreak havoc, AI worms don't need the superpowers of Anthropic's Claude Mythos or OpenAI's Daybreak. Known vulnerabilities, weak passwords and misconfigurations could be enough for them to propagate.

"That should worry CISOs because those are precisely the areas large enterprises tend to have drift, exceptions, legacy systems and unmanaged edge devices," Wilkes said. "The practical lesson is that all the boring controls remain the path to mitigation."

Don't waste resources on any products or services billed as anti-AI malware, he warned. Rather, focus on fundamentals such as the following:

• Continuously inventory assets and know what is on the network at all times.
• Centralize security logging.
• Detect and contain anomalous behaviors as quickly as possible.
• Adopt a fast-path and slow-path dual approach to vulnerabilities -- mitigating them within hours and patching within days.
• Kill default credentials, or set up canary tokens and credentials to trigger early warning telemetry.
• Aggressively segment environments and processes.
• Apply the principle of least privilege to human and non-human identities.
• Limit machine-to-machine trust and harden MCP servers -- which Wilkes called "breach gateways."
• Watch for abnormal use of local GPU compute.
• Treat all endpoints -- including printers, cameras, HVAC equipment, forgotten appliances and even firewalls -- as part of the attack surface.

"AI-powered threats do not make these controls obsolete," Horwitz agreed. "They make weak execution more expensive."