81% of teams ship broken code: Mythos made that inexcusable


For years, cybersecurity was a numbers game. Find more vulnerabilities than attackers can exploit. Patch faster than they can move. Stay vigilant and stay ahead.

But what the latest generation of AI models has shown (especially Claude Mythos) is that AI has become dangerously good at understanding how systems actually work together.

It can trace connections across applications, APIs, identities, cloud services, and third-party components. It doesn’t just find bugs. It exploits hidden fault lines across the enterprise and waits for the right moment to trigger the quake.

Eran Kinsbruner

VP Portfolio Marketing, Checkmarx.

Meanwhile, most organizations still operate as if shipping code with known security flaws is an acceptable risk. Last year, a staggering 81% of global AppSec leaders who responded to a Checkmarx study said they knowingly ship vulnerable code.

This happens not because the risk is small, but because the volume is overwhelming. Teams do not have the time, capacity, or resources to fix everything. Exposure is constantly deferred and absorbed into day-to-day operations. In practice, the effort needed to turn a flaw in a complex stack into a working attack has limited how often certain vulnerabilities are used in real attacks.

Until now.

Anyone Can Be a Hacker Now

AI is changing how quickly and easily vulnerabilities can be turned into working exploits. Tasks that once required deep technical knowledge can now be done with tools that guide, accelerate, and in some cases automate parts of the process.

This has direct implications for assessing risk. Many vulnerabilities have historically been deprioritized because exploiting them was impractical for hackers. But as the learning curve to wreak havoc drops, those same vulnerabilities are becoming viable entry points.

This puts pressure on the way we’ve always prioritized risk. Severity scores tell you how dangerous a vulnerability looks in isolation. They don’t tell you how easy it’s become to exploit in the real world. These are now two different calculations, and confusing them is exactly how attackers get ahead.
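Keeping those two calculations apart means scoring severity (impact) and exploitability (likelihood) separately and only then combining them. The block below is an added example of that idea, not Checkmarx's scoring logic and not code from the original article. It assumes each finding carries a CVSS base score, an EPSS probability (FIRST's Exploit Prediction Scoring System), a flag for CISA's Known Exploited Vulnerabilities catalog, and a reachability verdict from static analysis; the weights and the sample backlog are constructed for illustration.

```python
"""Rank a vulnerability backlog by real-world exploitability, not base severity alone.

Added example; not Checkmarx's scoring and not from the original article.
Inputs assumed per finding: CVSS base score (0-10), EPSS probability (0-1),
CISA KEV membership, and whether the vulnerable code is reachable from an
exposed entry point. The weights below are illustrative assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ident: str          # constructed label, not a real advisory identifier
    cvss: float         # severity: how dangerous the flaw looks in isolation
    epss: float         # likelihood of exploitation in the wild, 0..1
    in_kev: bool        # actively exploited according to CISA KEV
    reachable: bool     # vulnerable code reachable from an exposed entry point


def exploitability(f: Finding) -> float:
    """0..1 estimate of how easy the flaw is to exploit in practice.

    KEV membership dominates: once a public exploit is in use, the learning
    curve is already gone. Unreachable code is still exposure, but deferred
    (the 0.25 factor is an assumption, not a standard)."""
    score = f.epss
    if f.in_kev:
        score = max(score, 0.9)
    if not f.reachable:
        score *= 0.25
    return min(score, 1.0)


def priority(f: Finding) -> float:
    """Severity times exploitability. A 9.8 nobody can reach lands below a
    6.5 that is being exploited today."""
    return round(f.cvss * exploitability(f), 2)


def rank(findings: list[Finding]) -> list[Finding]:
    """Highest priority first."""
    return sorted(findings, key=priority, reverse=True)


# Constructed sample backlog (labels are placeholders, not real CVEs).
BACKLOG = [
    Finding("finding-A", cvss=9.8, epss=0.02, in_kev=False, reachable=False),
    Finding("finding-B", cvss=6.5, epss=0.70, in_kev=True,  reachable=True),
    Finding("finding-C", cvss=7.5, epss=0.05, in_kev=False, reachable=True),
    Finding("finding-D", cvss=9.1, epss=0.01, in_kev=False, reachable=True),
]

if __name__ == "__main__":
    for f in rank(BACKLOG):
        print(f"{f.ident}  cvss={f.cvss:<4} "
              f"exploitability={exploitability(f):.2f} priority={priority(f)}")
```

Run as-is and the 6.5-rated finding that is on KEV and reachable comes out on top, while the 9.8 that is neither reachable nor being exploited drops to the bottom. Whatever weights you choose, the point is that severity and exploitability enter as separate inputs rather than one score standing in for both.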

AI is a Double-Edged Sword

A small percentage of insecure code sounds manageable. But multiply it across millions of lines and it becomes a massive potential attack surface.

Every line of code generated at machine speed is another line that needs to be secured at machine speed. Coordinated disclosure and patch management efforts help at the margins, but don’t touch the mountain of vulnerabilities already sitting in production: dormant, deprioritized, and increasingly easy to reach.

Most organizations already face a backlog of unresolved vulnerabilities. But what’s new is the pressure to find them. As the new ADLC (Agentic Development Life Cycle) takes shape, the gap between identification and remediation is expanding fast. Security programs that focus heavily on finding vulnerabilities without improving how they are prioritized and fixed will struggle to keep pace.

This is Not Your Father’s AppSec

Traditional AppSec was designed for a world that no longer exists. What's needed now is security that's continuous, embedded directly into development workflows, and capable of assessing real-world exploitability and remediating findings in real time. Fixed cycles and delayed feedback are luxuries the current threat landscape can't afford.

The attack surface in modern software development doesn't have a single entry point; it has four:

● At the moment of code creation in the IDE, where agents generate code faster than any review process was designed to absorb. Security has to live where the code lives.

● In the build and CI/CD phase, where every commit, every dependency update, and every AI-generated change must be assessed for exploitability in context, not just flagged for existence.

● Across the AI supply chain: the models, SDKs, MCP servers, and third-party packages your teams are pulling in, often without realizing it. Deterministic discovery is the only reliable layer here, because AI models cannot audit their own supply chain.

● And at runtime, where deployed applications face live threats, security must close the loop between what was shipped and what is being actively exploited.

The Goal Was Never to Find Everything

Protecting these phases takes more than just bolting on another AI tool. One of the most critical actions an organization needs to take is to keep the security system structurally separate from the AI systems it’s meant to govern. When the same LLM writing your code is also the one judging whether it's safe, you've handed the student the answer key and asked them to grade their own exam.

What the AI era demands instead is a hybrid agentic security control layer, one that combines deterministic, rule-based analysis with AI-augmented reasoning, but where the deterministic layer remains the ground truth. That separation isn't a legacy constraint. It's the architectural property that makes the security signal trustworthy.
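What that separation looks like in practice is a merge policy, not a prompt: deterministic rules produce findings that the AI layer cannot remove or downgrade, and the AI layer may only add advisory findings on top. The block below is an added example of such a policy, not Checkmarx's product logic and not code from the original article. The deterministic side is a small Python AST rule set (shell=True on subprocess calls, eval/exec), the AI verdicts are a constructed stand-in for whatever an LLM reviewer returns, and the sample code under review is constructed as well.

```python
"""Hybrid control layer: deterministic findings are ground truth, AI is advisory.

Added example; not Checkmarx's product logic and not from the original article.
The AI verdicts are a constructed input standing in for an LLM reviewer's output.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    source: str       # "deterministic" or "ai"
    confidence: str   # "certain" for rules, "advisory" for AI


class DangerousCallVisitor(ast.NodeVisitor):
    """Deterministic rules: exact AST patterns, no judgement involved."""

    SHELL_SINKS = ("subprocess.run", "subprocess.Popen", "subprocess.call")

    def __init__(self) -> None:
        self.findings: list[Finding] = []

    @staticmethod
    def _qualname(func: ast.expr) -> str:
        if isinstance(func, ast.Name):
            return func.id
        if isinstance(func, ast.Attribute):
            base = DangerousCallVisitor._qualname(func.value)
            return f"{base}.{func.attr}" if base else func.attr
        return ""

    def visit_Call(self, node: ast.Call) -> None:
        name = self._qualname(node.func)
        if name in ("eval", "exec"):
            self.findings.append(Finding(f"dangerous-builtin:{name}", node.lineno, "deterministic", "certain"))
        if name in self.SHELL_SINKS:
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append(Finding("shell-injection-sink", node.lineno, "deterministic", "certain"))
        if name == "os.system":
            self.findings.append(Finding("shell-injection-sink", node.lineno, "deterministic", "certain"))
        self.generic_visit(node)


def deterministic_scan(code: str) -> list[Finding]:
    visitor = DangerousCallVisitor()
    visitor.visit(ast.parse(code))
    return visitor.findings


def merge(deterministic: list[Finding], ai_verdicts: list[dict]) -> tuple[list[Finding], list[dict]]:
    """Policy: AI may add advisory findings on lines the rules did not flag.
    It may never remove or downgrade a deterministic finding; a 'safe' verdict
    on a rule-flagged line is recorded as a disagreement for a human, not applied."""
    merged = list(deterministic)
    disagreements: list[dict] = []
    flagged = {f.line for f in deterministic}
    for v in ai_verdicts:
        if v["verdict"] == "safe":
            if v["line"] in flagged:
                disagreements.append(v)
            continue
        if v["line"] not in flagged:
            merged.append(Finding(f"ai:{v['reason']}", v["line"], "ai", "advisory"))
    return merged, disagreements


# Constructed code under review: the shape an agent might generate.
SAMPLE = '''
import subprocess
API_TOKEN = "placeholder-not-a-real-secret"
def ping(host):
    return subprocess.run(f"ping -c 1 {host}", shell=True, capture_output=True)
'''

# Constructed AI reviewer output: it argues the sink away and flags something else.
AI_VERDICTS = [
    {"line": 5, "verdict": "safe", "reason": "host is validated by the caller"},
    {"line": 3, "verdict": "unsafe", "reason": "possible hardcoded credential"},
]


def review(code: str, ai_verdicts: list[dict]) -> tuple[list[Finding], list[dict]]:
    return merge(deterministic_scan(code), ai_verdicts)


if __name__ == "__main__":
    findings, disagreements = review(SAMPLE, AI_VERDICTS)
    for f in findings:
        print(f"line {f.line}: {f.rule} [{f.source}/{f.confidence}]")
    for d in disagreements:
        print(f"needs human review: AI called line {d['line']} safe ({d['reason']})")
```

The AI reviewer's "host is validated by the caller" may even be true, but the policy still keeps the shell-injection finding and routes the disagreement to a person. Its other verdict, the possible hardcoded credential, is accepted as an advisory finding because no rule covered that line. That asymmetry is the whole point: the model can raise the recall of the system but cannot lower its floor.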

Even before AI, and now with AI, the goal was never to find every vulnerability. Rather, it was to stop the ones that matter before they're used against you. The organizations that understand that shift and act on it will be better defended and still standing when everyone else is explaining how it happened.


This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.

The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit
