As frontier AI models accelerate cyber capabilities, organisations need to rethink how quickly they identify, prioritise and respond to risk.
Artificial intelligence (AI) has been part of cyber security for years. What is changing now is the speed, autonomy and sophistication of the latest generation of frontier AI models.
Recent attention has focused on Anthropic's Claude Mythos model, one of several advanced AI systems demonstrating increasingly capable cyber skills. OpenAI, Anthropic and others continue to advance these models at a rapid pace, with leadership positions changing regularly as new versions emerge. While Mythos has attracted significant media coverage, the broader trend matters more than any single model: cyber-focused AI capabilities are improving quickly and becoming more accessible.
For CIOs and CISOs, this development raises an important question: Are existing security operating models keeping pace with the changing threat environment?
A shift in attacker capability
The UK's AI Safety Institute (AISI) recently evaluated leading frontier AI models against a series of cyber security capture-the-flag scenarios designed to test whether a model could successfully chain together multiple actions to achieve a cyber objective. The highest-performing models demonstrated expert-level performance, with Mythos reportedly achieving a 73% success rate.
These results do not mean AI can independently conduct large-scale cyber campaigns without human involvement. They do, however, demonstrate that advanced models can increasingly support complex technical tasks that previously required significant expertise.
This matters because many cyberattacks depend on activities such as:
- Reverse engineering software
- Identifying security weaknesses
- Analysing exploit techniques
- Understanding complex technical environments
- Accelerating vulnerability research
As AI becomes more capable in these areas, the barrier to entry continues to fall. Activities that once required highly specialised skills may become accessible to a much broader range of threat actors.
The threat landscape is already moving faster
The growth of AI capability is occurring alongside a broader acceleration in cyber threats.
According to the CrowdStrike 2026 Global Threat Report, attacks conducted by AI-enabled adversaries increased by 89% year over year. The report also highlighted a 42% increase in zero-day vulnerabilities exploited before public disclosure. Perhaps most strikingly, the fastest observed breakout time, the period between initial access and lateral movement within a network, was just 27 seconds.
Taken together, these developments suggest a future in which vulnerabilities are identified, understood and weaponised much faster than many organisations are prepared for today.
For organisations operating on monthly patch cycles, the challenge is clear. A process that was once considered acceptable may no longer provide sufficient protection for internet-facing or business-critical systems.
The UK's National Cyber Security Centre (NCSC) has also highlighted the need for organisations to prepare for a significant increase in remediation activity as long-standing technical debt is addressed.
Why this matters to business leaders
Cyber security discussions often focus on technology. The real issue for business leaders is risk.
Many organisations have built their security operating models around assumptions that vulnerabilities take time to discover, analyse and exploit. Frontier AI challenges those assumptions.
As attack timelines shorten, organisations need greater confidence in their ability to:
- Identify critical assets and vulnerabilities
- Prioritise remediation activities
- Detect malicious activity earlier
- Contain incidents faster
- Recover services more effectively
The question is no longer whether AI will influence cyber risk. It already is. The question is whether security governance, operational processes and investment priorities are evolving quickly enough in response.
What organisations should do now
There is good news.
Most organisations do not need entirely new security frameworks. Many of the most effective responses are rooted in well-established cyber security practices. The difference is that they must be applied with greater urgency and discipline.
- Prioritise your most exposed systems
-
Not all systems present equal risk.
Maintain a detailed inventory of systems, software and dependencies. Work across technology, business and security teams to identify the systems where a successful compromise would have the greatest operational, financial or data impact.
Particular attention should be given to internet-facing services, identity platforms, remote access solutions, unsupported technologies and critical third-party dependencies.
- Reduce unnecessary exposure
-
Every unnecessary service, feature or integration creates potential attack surface.
Review environments to identify functionality that can be removed, disabled or isolated. Prioritise efforts around systems with the highest levels of exposure and business criticality.
- Reassess patching and vulnerability management
-
Organisations should evaluate whether existing remediation timelines remain appropriate in a world where vulnerabilities may be weaponised much faster.
Where accelerated patching is not feasible, compensating controls should be clearly defined. These may include additional monitoring, network segmentation, access restrictions and documented risk acceptance.
- Strengthen identity and privileged access controls
-
As technical discovery becomes easier, identity remains one of the most effective routes to operational impact.
Organisations should continue to focus on least-privilege principles, phishing-resistant multi-factor authentication (MFA), privileged access management and tighter control of administrative accounts.
- Improve software development practices
-
AI is not only changing how vulnerabilities are discovered. It is also changing how they can be prevented.
Organisations should evaluate AI-enabled security tooling within software development pipelines to identify and remediate weaknesses before code reaches production. Security reviews should remain aligned with established software assurance practices and governance requirements.
- Enhance monitoring and response capabilities
-
Security operations teams need visibility of emerging vulnerabilities, adversary behaviours and exploitation techniques.
Organisations can improve detection and response by integrating cyber threat intelligence, automating containment activities where appropriate and increasing monitoring around critical or legacy systems.
- Practise for disruption
-
As attack timelines shorten, recovery becomes increasingly important.
Regularly exercising incident response, crisis management and service restoration plans helps organisations understand whether they can recover critical services under pressure. Recovery confidence is becoming as important as prevention.
A particular challenge: legacy systems
Many organisations continue to rely on legacy platforms that are difficult to modernise, replace or secure.
In some cases, vulnerabilities cannot be fully remediated due to technical limitations, operational constraints or cost considerations. These environments often require a careful balance between business continuity and risk reduction.
Understanding that balance requires informed decision-making, supported by clear visibility of threats, vulnerabilities and business impact.
The opportunity for action
Many technology and outsourcing agreements were established before AI-enabled cyber threats became a significant consideration. As a result, existing controls, operating models and governance arrangements may no longer reflect the current threat environment.
For CIOs and CISOs, this creates an opportunity to reassess security priorities, strengthen resilience and engage business stakeholders in conversations about risk, investment and accountability.
The organisations that adapt earliest are likely to be best positioned to manage both the risks and opportunities that advanced AI presents.
AI is changing the cyber security landscape for attackers and defenders alike. While no organisation can eliminate risk entirely, those that combine strong security fundamentals with faster decision-making, improved visibility and greater operational resilience will be better prepared for what comes next.
The challenge is not simply keeping pace with AI. It is ensuring that security practices evolve at the same speed as the threats they are designed to address.