
Two AI Attacks in One Week. The Defensive Playbook Just Broke.

Apple's MIE was walked around in five days. The first AI-built zero-day shipped against a real target. The disclosure-and-patch cycle was calibrated to an attacker that doesn't exist anymore.


The defensive security playbook was built around an assumption that just stopped being true: adversaries move at human speed. They don't anymore. And the disclosure cycles, patch SLAs, and threat models built on that assumption are about to start failing in ways most teams haven't planned for.

Two stories from this week make the shift concrete. Different attacks, different actors, same threshold crossed.

Story one: Apple MIE in five days

Apple's Memory Integrity Enforcement, which ships with M5 silicon, is the strongest mass-market memory defense ever built. It works at the hardware level: every memory chunk gets a tag, every pointer carries that expected tag, and the chip physically refuses access when they don't match. Built on Arm's Memory Tagging Extension specification, hardened with Apple-specific extensions, enforced in silicon. Apple invested roughly five years and billions of dollars in MIE. The point was simple: make memory-corruption exploits prohibitively expensive to write. And until last week, it worked. Every public iOS exploit chain through 2025 broke on MIE.
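To make the tag-check mechanism concrete, here is a toy model of memory tagging written for this post; it is not Apple's or Arm's code and says nothing about MIE's specific extensions. It assumes the Arm MTE baseline that MIE builds on: 16-byte granules, 4-bit tags, and the tag carried in bits 56 to 59 of the pointer. The allocator policy (a fresh tag per allocation, never equal to the neighbouring granule's, and a retag on free) is an assumption chosen so the demo is deterministic.

```python
"""Toy model of memory tagging: tags on memory granules, tags in pointers,
a fault on mismatch. Educational only, not real allocator or hardware code."""
import random

GRANULE = 16                     # Arm MTE tags memory in 16-byte granules
TAG_BITS = 4                     # 4-bit tags: 16 possible values
TAG_MASK = (1 << TAG_BITS) - 1
TAG_SHIFT = 56                   # tag lives in bits 56..59 of a 64-bit pointer
ADDR_MASK = (1 << TAG_SHIFT) - 1


class TagMismatch(Exception):
    """Where real hardware takes a tag-check fault, this model raises."""


class TaggedMemory:
    def __init__(self, size=256, seed=1):
        assert size % GRANULE == 0
        self.mem = bytearray(size)
        self.tags = [0] * (size // GRANULE)   # one tag per granule
        self.rng = random.Random(seed)         # seeded so the demo is repeatable
        self.next_free = 0                     # bump allocator, never reuses memory

    def _fresh_tag(self, exclude):
        tag = self.rng.randrange(1 << TAG_BITS)
        while tag in exclude:
            tag = self.rng.randrange(1 << TAG_BITS)
        return tag

    def alloc(self, n):
        """Colour the granules of a new chunk and return a tagged pointer."""
        granules = -(-n // GRANULE)            # ceil(n / GRANULE)
        first = self.next_free // GRANULE
        if (first + granules) * GRANULE > len(self.mem):
            raise MemoryError("toy heap exhausted")
        self.next_free += granules * GRANULE
        # Assumed policy: never reuse the left neighbour's tag, so a linear
        # overflow into the adjacent chunk always mismatches.
        neighbour = {self.tags[first - 1]} if first > 0 else set()
        tag = self._fresh_tag(neighbour)
        for g in range(first, first + granules):
            self.tags[g] = tag
        return (first * GRANULE) | (tag << TAG_SHIFT)

    def free(self, ptr, n):
        """Retag freed granules so any stale pointer (and a double free) faults."""
        addr = self._check(ptr)
        old = (ptr >> TAG_SHIFT) & TAG_MASK
        new = self._fresh_tag({old})
        for g in range(addr // GRANULE, addr // GRANULE + -(-n // GRANULE)):
            self.tags[g] = new

    def _check(self, ptr):
        """The hardware check: pointer tag must equal the granule's memory tag."""
        addr = ptr & ADDR_MASK
        ptag = (ptr >> TAG_SHIFT) & TAG_MASK
        mtag = self.tags[addr // GRANULE]
        if ptag != mtag:
            raise TagMismatch(f"pointer tag {ptag:#x} != memory tag {mtag:#x} at {addr:#x}")
        return addr

    def store(self, ptr, data):
        for i, b in enumerate(data):           # every access is checked
            self.mem[self._check(ptr + i)] = b

    def load(self, ptr, n):
        return bytes(self.mem[self._check(ptr + i)] for i in range(n))


def in_bounds_access_works():
    heap = TaggedMemory()
    p = heap.alloc(20)                         # rounds up to two granules
    heap.store(p, b"hello")
    return heap.load(p, 5) == b"hello"


def linear_overflow_is_caught():
    """Writing one byte past a 16-byte chunk lands in a differently tagged granule."""
    heap = TaggedMemory()
    a = heap.alloc(16)
    heap.alloc(16)                             # neighbour with a different tag
    try:
        heap.store(a, b"A" * 17)
    except TagMismatch:
        return True
    return False


def use_after_free_is_caught():
    """A pointer kept across free() carries the old tag; the memory no longer does."""
    heap = TaggedMemory()
    p = heap.alloc(32)
    heap.store(p, b"secret")
    heap.free(p, 32)
    try:
        heap.load(p, 6)
    except TagMismatch:
        return True
    return False


if __name__ == "__main__":
    print("in-bounds:", in_bounds_access_works())
    print("overflow caught:", linear_overflow_is_caught())
    print("use-after-free caught:", use_after_free_is_caught())
```

The model shows why the classic exploit primitives (off-by-one into a neighbour, stale pointer after free) stop working once memory is tagged, and also the inherent limit of 4-bit tags: a pointer that reaches a non-adjacent granule matches by chance one time in sixteen, which is exactly the kind of margin a bypass that manipulates data rather than pointers does not need to cross.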

Last week, a small security firm called Calif (Vietnam-based, Palo Alto-affiliated) published the first public macOS kernel memory corruption exploit on Apple M5 silicon. The chain combines two vulnerabilities, uses only ordinary system calls, and ends with a root shell. It survives MIE by walking around the tag-check rather than fighting it directly: data manipulation, not pointer manipulation. Researchers Bruce Dang, Dion Blazakis, and Josh Maine started with no bugs in hand on April 25. A working exploit was running by May 1.

Five days. With substantial help from Claude Mythos Preview, Anthropic's restricted vulnerability-research model. The Calif team was explicit: Mythos identified bugs from known classes quickly, accelerating discovery, but the novel bypass technique against MIE came from human researchers. Mythos as collaborator, not as autonomous attacker. The team disclosed in person at Apple Park, laser-printed. Their framing of the result: "Apple built MIE in a world before Mythos Preview." Apple is reviewing.

Story two: the first AI-built zero-day in the wild

Until last week, AI's role in offensive security was incremental. Phishing copy that read more naturally. Reconnaissance at scale. Social-engineering scripts. The exploit code itself, the working attack against a specific vulnerability, still came from humans. Last Monday, Google Threat Intelligence Group documented the first case where that line got crossed.

GTIG disclosed that a criminal threat actor used an LLM to develop a working zero-day exploit intended for mass exploitation. The target was a widely deployed open-source web administration tool. The mechanism was a Python script that bypassed two-factor authentication via a semantic logic flaw. GTIG attributed authorship to an LLM based on three technical fingerprints: educational docstrings that explained the script's own logic step-by-step like training material, a hallucinated CVSS score embedded in the comments, and textbook Pythonic structure that read more like training data than attacker code.

The mass-exploitation campaign never produced a victim list. GTIG identified and disrupted it through proactive counter-discovery, then worked with the affected vendor on responsible disclosure. Worth noting: the criminals' AI made enough mistakes that experienced analysts could spot the tells. Frontier LLMs remain expensive, slow, and prone to hallucination in adversarial workflows. The first AI-built zero-day in the wild was a clumsy AI-built zero-day in the wild. But the threshold is still crossed. The line between general-purpose coding model and exploit-writing model turns out to be thin, contextual, and difficult to enforce. GTIG analyst John Hultquist's two-word framing: "It's here."

What it means

Both stories point at the same shift. AI is compressing the time from "vulnerability exists" to "working exploit" on both sides of the offense-defense line. Calif undid five years of defensive engineering with five days of research. GTIG caught offense crossing from theory to the wild. The acceleration runs in both directions.

The defensive security ecosystem, especially the disclosure-and-patch cycle, was built around one foundational assumption: adversaries move at human speed. A researcher finds a vulnerability. They responsibly disclose. The vendor gets ninety days. Patches ship. Defenders apply them. The whole timeline assumed vulnerability discovery was hard, rare, and expensive. The ninety-day window was calibrated to a human-speed adversary timeline.

That calibration just got disrupted from both ends. On the offensive side, the GTIG case demonstrates that LLM-assisted exploit development is now operationally viable. Not theoretical. Not research. Not a researcher's demonstration. A criminal threat actor shipped one against a real target. The trajectory of AI-assisted offensive tooling getting cleaner, faster, and more reliable from here is not in serious dispute. On the defensive side, the Calif case demonstrates that AI-assisted vulnerability research compresses what used to be months of work into days. Mythos Preview is restricted to a few major partners through Project Glasswing today. Whatever the most capable public AI security research model can do in twelve months will likely be available to a much broader set of actors than today.

Apple's MIE isn't bad engineering. It's some of the best defensive work ever shipped at consumer scale. It got walked around in five days because the attacker-timeline assumption was wrong. The same is true of every defensive system that assumes a slow attacker. They aren't bad. They're calibrated to an adversary that doesn't exist anymore.

What changes for defenders

A few specific things to look at this quarter, not next year.

Patch SLAs. Re-time your patching commitment against an assumption that disclosure-to-exploit is now days, not weeks. If your operational patch cadence is monthly, it's behind the curve. Track CVE-to-exploit-in-the-wild time as a measured metric, not an assumption.
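One way to turn "CVE-to-exploit-in-the-wild" into a measured number and test a patch cadence against it, as an added example that is not from the original post. The records are constructed sample data with placeholder ids, not real CVEs, and the cadence model (patches land at the next window strictly after disclosure) is an assumption to be replaced with your own change-window data.

```python
"""Measure disclosure-to-exploitation lag and the share of bugs that were
exploited in the wild before a given patch cadence would have landed a fix."""
from datetime import date, timedelta
from statistics import median

# Constructed sample records (placeholder ids, not real CVE data):
# date of public disclosure and date of first observed in-the-wild exploitation.
SAMPLE = [
    {"id": "EXAMPLE-0001", "disclosed": date(2026, 4, 1),  "exploited": date(2026, 4, 4)},
    {"id": "EXAMPLE-0002", "disclosed": date(2026, 4, 3),  "exploited": date(2026, 4, 5)},
    {"id": "EXAMPLE-0003", "disclosed": date(2026, 4, 10), "exploited": date(2026, 4, 30)},
    {"id": "EXAMPLE-0004", "disclosed": date(2026, 4, 12), "exploited": date(2026, 4, 13)},
    {"id": "EXAMPLE-0005", "disclosed": date(2026, 4, 15), "exploited": date(2026, 5, 20)},
    {"id": "EXAMPLE-0006", "disclosed": date(2026, 4, 20), "exploited": date(2026, 4, 27)},
]

PATCH_EPOCH = date(2026, 1, 1)   # assumed anchor for the patch-window calendar


def days_to_exploit(records):
    """Per-record lag in days from disclosure to in-the-wild exploitation."""
    return {r["id"]: (r["exploited"] - r["disclosed"]).days for r in records}


def median_days_to_exploit(records):
    return median(days_to_exploit(records).values())


def next_patch_window(disclosed, cadence_days, epoch=PATCH_EPOCH):
    """Date the fix lands under a fixed cadence: the first window after disclosure.
    A disclosure that falls on a window day waits a full cycle (assumed: no
    same-day emergency rollout)."""
    elapsed = (disclosed - epoch).days
    wait = cadence_days - (elapsed % cadence_days)
    return disclosed + timedelta(days=wait)


def exposed_fraction(records, cadence_days):
    """Share of records exploited in the wild before the cadence would have patched them."""
    exposed = [
        r for r in records
        if r["exploited"] < next_patch_window(r["disclosed"], cadence_days)
    ]
    return len(exposed) / len(records)


if __name__ == "__main__":
    print("median days disclosure -> exploitation:", median_days_to_exploit(SAMPLE))
    for cadence in (30, 7, 1):
        print(f"cadence {cadence:>2}d: exposed before patch = {exposed_fraction(SAMPLE, cadence):.0%}")
```

Run against your own disclosure and exploitation dates (vendor advisories, KEV-style feeds, your own incident data), the two numbers this produces are the ones to put on a dashboard: the median lag is the adversary's timeline, and the exposed fraction is how often your cadence loses to it.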

Vendor disclosure expectations. Push your critical vendors on disclosure-timeline transparency. Ask what they ship when there's evidence of in-the-wild exploitation. Ask what their AI-assisted detection capabilities actually look like, not what's in their marketing.

Bug bounty triage. If you run a bug bounty, decide now whether your triage survives a 10x signal-to-noise drop from AI-generated reports. The Financial Times reported this week on programs already drowning in low-quality AI-generated submissions. The economics of crowdsourced disclosure aren't getting broken by AI accelerating real discovery. They're getting broken by AI generating volume without value.

CI/CD as attack surface. Audit which of your pipelines run agentic tools (Claude Code, Cursor CLI, Copilot CLI) against arbitrary PR branches. They're a uniquely high-leverage target for AI-assisted attacks because the attacker controls a malicious pull request and the LLM operates without a human in the loop. Gate agentic tools on post-merge branches instead.
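An added example of the audit described above, not code from the original post: it checks parsed GitHub Actions workflows for steps that invoke an agentic tool and flags those reachable from a pull-request trigger or from an unfiltered push trigger. The workflows below are constructed samples; the set of command and action names treated as "agentic" is an assumption you should extend to whatever your pipelines actually run.

```python
"""Flag CI workflows where an agentic tool runs on a trigger an outside
contributor can drive. Operates on workflow dicts as produced by
yaml.safe_load() on a .github/workflows/*.yml file."""

# Assumed substrings that identify agentic tools in `run:` or `uses:` fields.
AGENT_MARKERS = ("claude", "cursor-agent", "copilot")

# Triggers where the workflow input (the branch, the diff) comes from the PR
# author. pull_request_target additionally runs with a write-capable token.
PR_TRIGGERS = {"pull_request", "pull_request_target"}

# Constructed sample workflows (what yaml.safe_load would give you).
RISKY_WORKFLOW = {
    "name": "ai-review",
    "on": {"pull_request": {"types": ["opened", "synchronize"]}},
    "jobs": {"review": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"name": "agent review", "run": 'claude -p "Review the changes in this branch"'},
    ]}},
}
UNFILTERED_WORKFLOW = {
    "name": "ai-review",
    "on": ["push"],                      # any branch anyone with write access pushes
    "jobs": {"review": {"steps": [{"run": "npx cursor-agent review"}]}},
}
SAFE_WORKFLOW = {
    "name": "ai-review",
    "on": {"push": {"branches": ["main"]}},   # post-merge only
    "jobs": {"review": {"steps": [{"run": 'claude -p "Summarise this merge"'}]}},
}
NO_AGENT_WORKFLOW = {
    "name": "tests",
    "on": "pull_request",
    "jobs": {"test": {"steps": [{"run": "pytest -q"}]}},
}


def trigger_config(workflow):
    """Return {trigger_name: config_or_None}. PyYAML parses the bare key `on`
    as the boolean True, so both spellings are accepted."""
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return {on: None}
    if isinstance(on, list):
        return {t: None for t in on}
    if isinstance(on, dict):
        return dict(on)
    return {}


def agentic_steps(workflow):
    """(job, step label) for every step whose run/uses mentions an agent marker."""
    found = []
    for job_name, job in workflow.get("jobs", {}).items():
        for step in job.get("steps", []):
            text = " ".join(str(step.get(k, "")) for k in ("run", "uses")).lower()
            if any(marker in text for marker in AGENT_MARKERS):
                found.append((job_name, step.get("name", text.strip()[:40])))
    return found


def audit(workflow):
    """List of findings; empty means the agentic steps (if any) are gated post-merge."""
    steps = agentic_steps(workflow)
    if not steps:
        return []
    findings = []
    triggers = trigger_config(workflow)
    untrusted = sorted(PR_TRIGGERS & triggers.keys())
    if untrusted:
        findings.append(f"agentic steps {steps} run on PR-driven trigger(s) {untrusted}")
    if "push" in triggers:
        cfg = triggers["push"]
        if not (isinstance(cfg, dict) and cfg.get("branches")):
            findings.append(f"agentic steps {steps} run on push with no branch filter")
    return findings


if __name__ == "__main__":
    for wf in (RISKY_WORKFLOW, UNFILTERED_WORKFLOW, SAFE_WORKFLOW, NO_AGENT_WORKFLOW):
        print(wf["name"], "->", audit(wf) or "ok")
```

Point it at every workflow in every repository (`yaml.safe_load` each file, then `audit`), and treat a non-empty result as the inventory the paragraph above asks for. The fix that makes a finding disappear is the one the post recommends: move the trigger to `push` with an explicit `branches` filter so the agent only ever sees code that a human has already merged.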

Threat model assumptions. Most enterprise threat models still describe an attacker as a person with tools. When the attacker is an AI with tools, the rate, the patience, and the patterns all change. A persistent autonomous attacker doesn't sleep, doesn't get bored, and doesn't make calibrated risk judgments the way a human pen-tester does. Re-calibrate.

Where this goes

The disclosure model is the most exposed piece of the current playbook. Ninety days will come under pressure as more cases of compressed offense-defense timelines accumulate. Some vendors will prefer shorter windows. Some will prefer silent patching for AI-discovered vulnerabilities. The norms of the next eighteen months will be shaped by what happens in the next three.

Restricted access to advanced AI security tools is a temporary state. Mythos Preview is restricted to Project Glasswing partners today. Anthropic's own engineers have said publicly that Mythos is too good at finding exploits to release into the wild. That's the right call for now. It also isn't sustainable. Whatever Mythos can do today, the open ecosystem will be able to do within twelve to eighteen months.

The hardest assumption to unwind is the human one. Most defenders, including most security teams I respect, have internal mental models that still treat "attacker" as a person at a keyboard. That mental model has been getting quietly eroded for years by automation and scaling. The last week made the change concrete. The attacker isn't always a person anymore. The defensive playbook needs to reflect that.

Two AI attacks in one week is enough to mark a threshold. The next week is going to bring more. So is the one after that.
