The Cybersecurity Gap Is No Longer Talent—It’s Tempo

It sounds like an exercise in theory: what if a researcher could prompt an AI to reverse-engineer a vulnerability, locate the patched commit, and generate a working exploit—all in a single afternoon? But that’s exactly what security researcher Matt Keeley demonstrated when he used GPT-4 to produce a working proof-of-concept for a critical Erlang/OTP SSH vulnerability just hours after it was disclosed.

We’re in a new reality. With the rapid advancement of generative AI, exploit development has shifted from elite craftsmanship to prompt engineering. And that means the threat landscape just got radically flatter.

For years, defenders took some comfort in knowing that building a weaponized exploit was hard. Even when a CVE went public, adversaries needed days, often weeks, to develop something operational. That window, however small, gave defenders time to patch, prepare, or isolate affected systems.

That window is gone.

Now, the moment a CVE hits the wire, the clock starts ticking, and attackers aren’t wasting a single second. Adversarial agents are moving 47 times faster than human operators. The asymmetric advantage we thought we had—people, process, tools—is eroding because the adversary has something more powerful: tempo.

Machine-Speed Adversaries

AI doesn’t get tired. It doesn’t need sleep. And it doesn’t forget the syntax for a rarely-used exploit module.

Large language models are streamlining every step of the offensive kill chain: reconnaissance, misconfiguration discovery, privilege escalation, and lateral movement. It’s no wonder that AI-enabled cybercrime is surging across the globe.

To combat these brutally efficient new attacks, organizations are trying to patch faster, monitor harder, and triage more alerts. They’re throwing all their time and labor into covering the bases and patching every hole they can spot, without considering which potential breaches could actually inflict the most damage. But that mindset assumes their biggest problem is visibility, when really, it’s decisiveness.

Traditional cybersecurity scanners are stretched across a rapidly distending attack surface, burying defenders under extraneous findings and non-critical alerts. But it’s not the tool that’s the problem. Defenders need to use the technology at their disposal with confidence and speed. That means thinking like an attacker and focusing remediation efforts on the most critical weaknesses, as fast as possible.

A scanner won’t tell you what will actually get exploited tomorrow, but a simulated, thinking adversary will. For example, look at the NSA CCC CAPT (Continuous Autonomous Penetration Testing), a vulnerability management program freely available to all Defense Industrial Base (DIB) suppliers, which have found themselves on the front lines of modern cyber warfare. F-35 schematics, space telemetry, logistics infrastructure—they all rely on small suppliers who are targeted daily and rarely equipped to defend themselves. With the NSA CCC CAPT program, these vendors can now employ adversarial tactics to secure their operations against today’s AI-powered attackers.

Paired with a commercial offensive security platform, the NSA’s approach to shoring up defenses in their supply lines delivers something defenders have been begging for: proof, not hope.

Fighting AI with AI

Most organizations realize that if AI can be used to create weapons, it must also be used to harden defenses. More than 70% of large companies are actively looking to invest in AI cybersecurity tooling, if they haven’t already. But application is everything. AI won’t give defenders the advantage if we’re still defining readiness as audits, checklists, or once-a-year tabletop exercises.

Organizations need cyber strategies that operate at machine speed, prioritize real-life attack paths, intelligently prioritize risks, and exercise continuous validation to ensure their fixes work. AI can help in these respects, but any AI augmentations should be vetted like any other technology: with rigorous scrutiny. After all, even sophisticated LLMs can be a major cybersecurity risk without proper oversight and good data hygiene.

We’re not in the age of zero-days anymore. We’re in the age of zero hours. And the organizations that will thrive in this new environment won’t be the ones with the most dashboards. They’ll be the ones with the fewest assumptions—and the discipline to validate them, every single day.