Lydia Zhang, President and Co-founder of Ridge Security.
Every few months, cybersecurity gets a new AI headline that promises to change everything. The latest is Anthropic’s preview of Claude Mythos, an AI system capable of discovering vulnerabilities in production software. It joins a growing list of AI-driven offensive security milestones.
Most of the conversation has focused on one question: Can AI find vulnerabilities? The answer is yes.
The bigger issue is what happens when AI can continuously discover flaws, generate exploits and move through attack paths at machine speed. That shifts the economics of cyber offense in a very real way.
For defenders, it should also change the conversation.
AI is speeding up both attackers and risk.
The same AI systems that help identify vulnerabilities also generate insecure code. Research from Veracode, Apiiro and others has shown that AI-generated code frequently introduces common security flaws, usually at higher rates than human-written code. And attackers only need one path into an environment.
Meanwhile, defenders are expected to manage thousands of findings across cloud infrastructure, applications, APIs, endpoints and third-party suppliers.
AI widens that gap by enabling attackers to move faster than traditional security programs are designed to respond. For years, the industry’s answer has been more visibility: scanners, dashboards and alerts.
But most teams are already overwhelmed, and visibility by itself does not show which risks are truly exploitable. And that distinction matters more than ever.
Finding vulnerabilities is not the same as defending against them.
Traditional vulnerability management focuses on discovery. Scan the environment, identify CVEs, assign severity scores and prioritize remediation. The problem is that severity scores rarely tell the whole story.
Many organizations see thousands of vulnerabilities but lack clarity on which ones an attacker could realistically use. A critical vulnerability may not be reachable, while lower-severity weaknesses can be chained into a real attack path.
Instead of another long list of findings, validation platforms safely simulate attacker behavior inside authorized environments. In practice, this means testing whether vulnerabilities are actually reachable in context, identifying chained attack paths and retesting systems continuously as environments change. In recent validation work, we’ve seen critical issues that, on their own, appeared low-risk only to become exploitable when combined with other weaknesses. This reinforces the need for continuous, automated validation to surface real-world exposure before attackers do.
Continuous testing matters because infrastructure changes constantly. Traditional penetration testing gives organizations a snapshot in time, while cloud updates, integrations and configuration drift keep shifting exposure. A path that didn’t exist last quarter may exist today.
Attackers understand this. Many defenders still operate as though annual or quarterly assessments are enough. That’s why the industry has shifted toward continuous threat exposure management (CTEM), which emphasizes continuous discovery, validation and remediation.
But CTEM only works if validation happens continuously and at scale. Without automation, most teams can’t keep up.
AI is changing the economics of offensive testing.
AI is also changing the economics of adversarial testing. Historically, offensive testing was expensive, manual and often outdated by delivery. AI-driven penetration testing changes that model.
Systems like Claude Mythos, along with broader agentic security research, show how quickly automated reasoning is being applied to attack simulation. The same capabilities can just as easily be turned toward continuous validation of defensive controls and environments. Testing that once happened quarterly can now happen on an ongoing basis.
The defender’s disadvantage still exists, but the gap is narrowing.
Organizations can identify exploitable paths faster, prioritize remediation based on real risk and continuously verify improvements. The goal is no longer the largest possible list of vulnerabilities, but reducing realistic attack paths.
AI models alone are not security products.
Every major AI security breakthrough raises the same question: Will frontier AI models eventually replace cybersecurity platforms? Not likely.
AI models are becoming capable reasoning engines, but enterprise security requires more than reasoning. Security platforms still need governance, auditability, workflow integration and operational safeguards. Organizations can’t simply point a general-purpose AI model at production systems. Real-world testing still requires scope controls, attack-path tracking, remediation workflows and protections around sensitive data. For regulated industries and critical infrastructure, those controls are essential.
The future will likely involve purpose-built platforms that embed AI inside secure operational frameworks.
The model may be the engine, but the platform provides the structure enterprises need.
What should security leaders focus on now?
The question is no longer whether AI will change cybersecurity. It’s whether security programs can operate at the speed of AI-driven attackers.
Three questions matter:
• How often are environments tested?
• Are organizations validating exploitability or just collecting findings?
• How quickly can teams move from discovery to remediation?
If these processes still rely on periodic assessments and slow remediation cycles, the gap will continue to grow. The AI era is not reducing the need for security validation. It’s making continuous validation essential.
For years, cybersecurity programs were built around visibility and detection. That is no longer enough. Organizations need proof that exposures are actually exploitable.
And that shift—from visibility to validation—may define the next decade of security.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
