The AI Exploitation Clock Is Already Running

By News Room, June 10, 2026

Basith Ahamed is the head of defensive engineering at State Street. He writes on AI, cyber threats and what they demand of security leaders.

The New Threat Actor

The conversation about AI in security has focused almost entirely on the defender side—AI-powered detection, AI-assisted SOC triage, AI for threat intelligence enrichment. That conversation is not wrong. But it is only half the story.

Frontier models (Claude, GPT-4o, Gemini and their successors) have introduced a capability on the offensive side that fundamentally breaks existing vulnerability management assumptions: the ability to scan an attack surface, identify clusters of individually low-severity vulnerabilities and chain them into critical exploit paths at machine speed, with minimal human direction.

What previously required a seasoned red team operator, days of reconnaissance and significant manual effort can now be initiated by anyone with API access and an afternoon. The skill floor for sophisticated exploitation has dropped. The throughput has increased by orders of magnitude. This is the new baseline—and most organizations are still operating against the old one.

The CVSS Collapse

CVSS scores measure individual vulnerability severity in isolation. They were never designed to account for AI-assisted chain discovery—where three medium-rated vulnerabilities on the same attack path combine into a full account takeover. The model doesn’t read your tickets. It reads your topology. And it finds paths your risk team never modeled.

Here’s an example of what your vulnerability queue might say:

• CVE-XXXX CVSS 4.2 Medium – Deferred, Q3 patch cycle

• CVE-YYYY CVSS 3.8 Medium – Deferred, Q3 patch cycle

• CVE-ZZZZ CVSS 5.1 Medium – Deferred, Q4 patch cycle

And here’s what a frontier model can find in under 60 seconds:

• CVE-XXXX exposes internal service endpoint

• CVE-YYYY leaks session token from that endpoint

• CVE-ZZZZ escalates that token to admin via misconfigured RBAC

• Effective chain severity: CRITICAL. None appeared on your P1 list.

Every vulnerability sitting in a deferred queue is one AI-assisted reconnaissance pass away from becoming your next incident. The severity rating on the ticket is no longer a reliable proxy for the actual risk it carries.

This forces two things simultaneously. Patching velocity must increase materially, not incrementally. Yes, patches break things. Yes, ops teams will manage incidents. That operational cost is real, and it is the correct trade-off, because the alternative is a deferred backlog being silently mapped by AI-assisted threat actors 24 hours a day. And where patches are unavailable—vendor delay, legacy architecture, business constraint—compensating controls must be explicit, named, owned and monitored. A compensating control that isn’t documented and reviewed is not a control. It is a gap with a label on it.

Security teams need to be able to walk their CISO through this picture clearly: “Here is what we cannot patch, here is why, here is what stands in its place and here is the condition that changes our response.” That narrative—specific, evidence-based, escalation-aware—is what converts unpatched risk from a liability into a managed position.

The Coming Wave

Here is what makes the frontier model risk feel almost manageable by comparison: It exists within a constrained environment. Anthropic, OpenAI and Google invest heavily in safety research and guardrails designed specifically to limit the offensive cybersecurity capabilities of their models.

Open-source models operate under no such constraints. And the capability trajectory of open-source AI is well established. The gap between “what a frontier model can do with guardrails” and “what an unconstrained open-source model will be able to do” is closing—faster than most security programs are evolving.

Frontier models such as Claude Mythos, Claude Opus, GPT-5.5 and Gemini come with an API rate limit ceiling, and that ceiling is exactly what open-source local deployments remove.

Getting Ahead

Chain-aware vulnerability analysis replaces CVSS-only triage. Any cluster of vulnerabilities sharing an attack path is treated as a compound risk regardless of individual scores. This is a mindset shift before it is a tooling investment.
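
One way to express this chain-aware triage in code, added here as an illustration and not taken from the author or any vendor's tooling: each finding carries a hypothetical `requires`/`grants` capability pair assigned by an analyst, and any path from an assumed external foothold to an assumed crown-jewel capability is flagged as compound risk regardless of individual CVSS. The queue is constructed from the article's placeholder CVEs plus one unrelated finding.

```python
from collections import deque

# Constructed queue: the article's three deferred Mediums plus one unrelated
# finding. "requires"/"grants" are hypothetical analyst-assigned capability
# labels, not CVSS fields.
QUEUE = [
    {"id": "CVE-XXXX", "cvss": 4.2, "requires": "net:external", "grants": "reach:internal-endpoint"},
    {"id": "CVE-YYYY", "cvss": 3.8, "requires": "reach:internal-endpoint", "grants": "cred:session-token"},
    {"id": "CVE-ZZZZ", "cvss": 5.1, "requires": "cred:session-token", "grants": "role:admin"},
    {"id": "UNRELATED-1", "cvss": 6.0, "requires": "local:shell", "grants": "info:version-banner"},
]

def find_chains(queue, start, targets):
    """Breadth-first search over capabilities: every ordered list of findings
    that carries an attacker from `start` to any capability in `targets`."""
    by_requirement = {}
    for finding in queue:
        by_requirement.setdefault(finding["requires"], []).append(finding)
    chains, frontier = [], deque([(start, [])])
    while frontier:
        capability, path = frontier.popleft()
        for finding in by_requirement.get(capability, []):
            if finding in path:          # a finding is used once per chain (no cycles)
                continue
            extended = path + [finding]
            if finding["grants"] in targets:
                chains.append(extended)
            else:
                frontier.append((finding["grants"], extended))
    return chains

def triage(queue, start="net:external", targets=("role:admin",), p1_cvss=7.0):
    """Report each chain as compound risk. `hidden` is True when no single link
    would have reached the P1 list on its own score (assumed cutoff: 7.0)."""
    report = []
    for chain in find_chains(queue, start, set(targets)):
        report.append({
            "chain": [f["id"] for f in chain],
            "max_cvss": max(f["cvss"] for f in chain),
            "hidden": all(f["cvss"] < p1_cvss for f in chain),
            "compound": "CRITICAL",      # policy from the text: shared path = compound risk
        })
    return report

if __name__ == "__main__":
    for record in triage(QUEUE):
        print(record)
    # Patching any single link removes the path, which helps decide what to patch first.
    print(triage([f for f in QUEUE if f["id"] != "CVE-YYYY"]))
```
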

AI-assisted red teaming against your own estate runs continuously. If frontier models can find chains offensively, they can find them defensively. Use them. You need to discover the exploit paths before an adversary does.

The organizations that navigate this will not be the ones that bought the most tools. They will be the ones that changed how they think about vulnerability risk, patching trade-offs and the story they tell to leadership about what they cannot fix—and crucially, the visibility into every compensating control that stands in its place.

The Bottom Line

The organizations least prepared for what is coming are treating frontier model risk as emerging and open-source model risk as distant. Neither is true. Instead, here’s what organizations should be doing:

• Assume Your Deferred Backlog Is Being Mapped: Every Medium you deferred is a link in a chain a frontier model is looking for right now.

• Accept The Operational Cost Of Faster Patching: App crashes are recoverable. A breach enabled by a deferred chain is not. This is the correct trade-off. Make it deliberately, not by default.

• Build The Compensating Controls Narrative: Owner. Rationale. Evidence. Escalation trigger. If it is not written down and reviewed, it is not a control.

• Use AI Offensively Against Your Own Estate: Continuous chain analysis. AI-assisted attack path discovery. Find the paths before the adversary does.

• Watch Open-Source Model Capability: The guardrails that limit frontier model misuse will not exist in the open-source ecosystem. Plan against the unconstrained version—not the API-limited one.

Frontier models changed the exploitation equation. Open-source models will remove the last friction that remains. The question is not whether this becomes the dominant threat pattern. The question is whether your security program is ready before it does. The clock is running. The question is whether your program is.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
