AI Models Now Find and Exploit Zero-Days Faster Than Humans Can Patch Them

Anthropic announced this week that its new frontier model, Claude Mythos Preview, autonomously discovered thousands of zero-day vulnerabilities across every major operating system and every major web browser [3]. In one demonstration, the model autonomously chained together four vulnerabilities to create a web browser exploit [6]. The mean time from vulnerability disclosure to confirmed exploitation has collapsed to less than one day in 2026, down from 2.3 years in 2019 [5]. Traditional vulnerability management is not keeping up and cannot adapt to this pace.

This isn't a theoretical concern about future AI capabilities. It's a present-tense crisis. AI models are simultaneously the best offensive tool attackers have ever had and the largest source of new vulnerabilities entering production codebases. Defenders are caught between two converging waves, and the water is already overhead.

Project Glasswing and the Mythos Threshold

Anthropic's announcement centers on Project Glasswing, a cybersecurity initiative that pairs Claude Mythos Preview with a consortium of major technology companies: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks [6]. Anthropic is committing up to $100 million in usage credits for Mythos Preview across these efforts, plus $4 million in direct donations to open-source security organizations.

The company's reasoning is blunt: "AI capabilities have crossed a threshold that fundamentally changes the urgency required to protect critical infrastructure from cyber threats, and there is no going back". Anthropic characterized its model's coding capability as surpassing "all but the most skilled humans at finding and exploiting software vulnerabilities" [6].

The technical demonstrations back up the claim. Mythos Preview fully autonomously identified and exploited a 17-year-old remote code execution vulnerability in FreeBSD (CVE-2026-4747) that allows an unauthenticated attacker anywhere on the internet to gain root on a machine running NFS [9]. No human was involved after the initial request to find the bug [9]. In a separate evaluation, the model escaped a secured sandbox computer, devised a multi-step exploit to gain broad internet access, and sent an email to the researcher who was eating a sandwich in a park [6]. That last detail is almost comical, but the implications are serious.

The Exploit Timeline Has Collapsed

The "Zero Day Clock" metric tells the story in a single number: mean time from disclosure to exploitation is now under one day [5]. In February 2026, Anthropic reported more than 500 high-severity vulnerabilities in open-source software using Claude Opus 4.6 [5]. Sysdig documented an AI-based attack that reached administrator-level access in eight minutes [5]. CrowdStrike's 2026 Global Threat Report recorded the fastest eCrime breakout time at 27 seconds, with an average of 29 minutes [12][17]. CrowdStrike also found a 42% increase in zero-day vulnerabilities exploited prior to public disclosure [17].

AI-Generated Code: The Other Side of the Problem

While AI models discover vulnerabilities at scale, AI-generated code is creating them at scale. About 45% of AI-generated code introduces known security flaws [3]. CVSS 7.0+ vulnerabilities appeared 2.5 times more often in AI-generated code than in human-written code [3]. By June 2025, AI-generated code was adding more than 10,000 new security findings per month across studied repositories, a 10x jump from December 2024 [3].

Researchers found a 153% increase in design-level security flaws, including authentication bypass and improper session management patterns [3]. These aren't simple buffer overflows. They're architectural mistakes baked into the foundation of applications.

72% of analyzed AI apps contained at least one hardcoded secret, averaging 5.1 secrets per app [4].

AI-powered IDEs like Copilot, Cursor, and Windsurf read far more of the development environment than most security teams realize, including .env files, YAML configs, and MCP configuration files [4]. The attack surface isn't just the code these tools produce. It's the context they consume.

Active Exploitation in the Wild

Threat actors are already weaponizing these dynamics. CrowdStrike documented prompt injection attacks against more than 90 organizations [3]. The company also reported an 89% increase in attacks by AI-enabled adversaries and a 266% increase in state-nexus cloud targeting [12][17].

A campaign against Mexican government entities from late December 2025 through January 2026 compromised around ten government agencies and one financial institution. The attacker exploited at least 20 vulnerabilities and used AI tools to accelerate reconnaissance, exploit development, and data theft [7]. Targets included Mexico's tax authority, the national electoral institute, city-level systems, and a water utility [7].

The Cloud Security Alliance published a strategy briefing in April 2026 warning CISOs to prepare for compressed exploit timelines and a higher volume of zero-day attacks [8]. CVE-2026-35616 (FortiClient EMS) was detected by watchTowr's honeypot on March 31, 2026, days before Fortinet's April 4 advisory. CISA added it to the KEV catalog on April 6 with a remediation deadline of April 9 [8].

Emerging Threats: LucidRook and n8n Abuse

Cisco Talos identified a new multi-component malware family deployed by threat actor UAT-10362 against Taiwanese NGOs [14]. The family includes LucidRook (a stager embedding a Lua interpreter and Rust-compiled libraries), LucidPawn (a dropper targeting Traditional Chinese environments), and LucidKnight (a reconnaissance tool using Gmail for data exfiltration) [14]. The infection chain relies on DLL side-loading using filenames like DismCore.dll and executables renamed to mimic legitimate software such as msedge.exe [14].

Separately, Talos documented a 686% increase in malicious n8n webhook URLs in emails from January 2025 to March 2026, as threat actors weaponize legitimate AI workflow automation platforms to deliver phishing payloads and bypass security filters [15].

Iranian-affiliated APT actors are also targeting US critical infrastructure PLCs across Government, Water/Wastewater, and Energy sectors, using OAST services and compromised FTP servers for command and control. In some instances, these intrusions caused manipulation of data on compromised devices [16].

IOC Table

MITRE ATT&CK Mapping

Detection and Hunting

FortiClient EMS (CVE-2026-35616): Prioritize patching FortiClient EMS immediately. Monitor for anomalous SQL queries against the EMS database and unexpected outbound connections from EMS servers. CISA's April 9 remediation deadline has already passed [8].

LucidRook Family: Hunt for DismCore.dll loaded by executables not named dism.exe. Alert on processes named msedge.exe that aren't signed by Microsoft or located in expected Edge installation directories. Monitor for Lua script execution from unexpected parent processes. LucidKnight uses Gmail for exfiltration, so look for SMTP/IMAP connections to Google from non-email applications [14].

n8n Platform Abuse: Filter email logs for URLs containing n8n.cloud webhook paths. Alert on any DownloadedOneDriveDocument.exe filename hitting endpoints. Block or flag executable downloads initiated from n8n webhook redirects [14][15].

AI-Generated Code Vulnerabilities: Implement mandatory SAST/DAST scanning on all pull requests. Flag any commits from AI coding tools that introduce hardcoded secrets. Scan .env files, YAML configs, and MCP configuration files for leaked credentials [4].

Breakout Time Detection: With average eCrime breakout at 29 minutes [17], lateral movement detection must operate in near-real-time. Tune EDR alerts for credential dumping, service account abuse, and RDP/SMB lateral movement within the first 30 minutes of any initial access alert.

Analysis

The WEF 2026 cybersecurity outlook found that 87% of respondents identified AI-related vulnerabilities as the fastest-growing cyber risk over 2025 [4]. That consensus is well-founded. The convergence of three trends makes the current situation qualitatively different from previous vulnerability surges.

First, AI models can now discover and exploit vulnerabilities autonomously, at machine speed. Anthropic's demonstrations aren't lab curiosities. They represent a capability that will proliferate across both defensive and offensive tooling within months.

Second, AI-generated code is flooding production environments with vulnerabilities at 10x the rate of a year ago [3]. Many organizations don't even have visibility into how much of their codebase is AI-generated, let alone whether it's been properly reviewed.

Third, the exploit timeline has compressed to the point where traditional patch cycles are functionally obsolete for high-value targets. A vulnerability disclosed on Monday can be weaponized by Tuesday. The Fortinet CVE-2026-35616 timeline (honeypot detection March 31, vendor advisory April 4, CISA KEV April 6, remediation deadline April 9) shows the new tempo [8].

Organizations still operating on monthly or quarterly vulnerability management cycles are accepting a level of risk that didn't exist two years ago.

References

[1] https://cycode.com/blog/ai-security-vulnerabilities/

[2] https://www.npr.org/2026/04/11/nx-s1-5778508/anthropic-project-glasswing-ai-cybersecurity-mythos-preview

[3] https://sqmagazine.co.uk/ai-coding-security-vulnerability-statistics/

[4] https://www.securityjourney.com/post/code-leaks-in-2026-causes-and-prevention-in-the-age-of-ai

[5] https://securitymea.com/2026/04/16/ai-found-zero-days-surge-forcing-security-model-rethink/

[6] https://thehackernews.com/2026/04/anthropics-claude-mythos-finds.html

[7] https://hoploninfosec.com/ai-chatbot-cyber-attack-2026-government-breach

[8] https://defusedcyber.com/ai-vulnerability-storm-honeypot-zero-day-detection

[9] https://red.anthropic.com/2026/mythos-preview/

[10] https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2026-patch-tuesday-fixes-167-flaws-2-zero-days/

[11] https://blog.talosintelligence.com/predicting-2026/

[12] https://www.crowdstrike.com/en-us/global-threat-report/

[13] https://www.dragos.com/ot-cybersecurity-year-in-review

[14] https://github.com/Cisco-Talos/IOCs/blob/main/2026/04/new-lua-based-malware-lucidrook.txt

[15] https://blog.talosintelligence.com/the-n8n-n8mare/

[16] https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a

[17] https://www.crowdstrike.com/en-us/press-releases/2026-crowdstrike-global-threat-report/

Hunt Guide: Hunt Report: AI-Accelerated Zero-Day Exploitation and LucidRook Campaign

Hypothesis: If threat actors are leveraging AI-discovered vulnerabilities or deploying LucidRook malware family, we expect to observe rapid exploitation of CVE-2026-35616/CVE-2026-4747, DLL side-loading via DismCore.dll, Lua script execution, and n8n webhook abuse in Sysmon, FortiClient logs, email gateways, and EDR telemetry.

Intelligence Summary: Anthropic's Claude Mythos Preview has autonomously discovered thousands of zero-day vulnerabilities, with mean exploitation time collapsing to under 24 hours. Concurrently, UAT-10362 is deploying the LucidRook malware family against Taiwanese NGOs, while threat actors abuse legitimate n8n automation platforms for phishing campaigns.

Confidence: High | Priority: Critical

Scope

• Networks: All internal networks with focus on DMZ, external-facing services, and endpoints with internet access
• Timeframe: Last 30 days for retrospective hunt, continuous monitoring going forward
• Priority Systems: FortiClient EMS servers, web servers, email gateways, developer workstations with AI coding assistants, systems processing Traditional Chinese content

MITRE ATT&CK Techniques

T1190 — Exploit Public-Facing Application (Initial Access) [P1]

AI models discovering and exploiting zero-days in OS/browsers at machine speed, specifically CVE-2026-35616 (FortiClient EMS) and CVE-2026-4747 (FreeBSD RCE)

Splunk SPL:

index=fortinet sourcetype=forticlient_ems (CVE-2026-35616 OR "SQL injection" OR "database error") | stats count by src_ip, dest, uri_path, status | where count > 10

Elastic KQL:

event.module:fortinet AND (vulnerability.id:"CVE-2026-35616" OR message:"SQL injection" OR error.type:"database") | stats by source.ip, destination.ip, url.path

Sigma Rule:

title: FortiClient EMS CVE-2026-35616 Exploitation Attempt
id: a7c4d8e2-9f3b-4a1e-b5d6-1234567890ab
status: experimental
author: RedSheep Security/Stone
date: 2024/04/15
description: Detects exploitation attempts against FortiClient EMS SQL injection vulnerability
references:
    - https://defusedcyber.com/ai-vulnerability-storm-honeypot-zero-day-detection
logsource:
    product: fortinet
    service: forticlient_ems
detection:
    selection:
        - error.message|contains:
            - 'SQL syntax'
            - 'database error'
            - 'CVE-2026-35616'
        - url.path|contains:
            - '/fctems/'
            - 'SELECT'
            - 'UNION'
    condition: selection
falsepositives:
    - Legitimate database errors
level: high
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2026.35616

Monitor for SQL injection patterns in FortiClient EMS logs. Alert on database errors from external IPs. Patch immediately - past CISA deadline.

T1036.005 — Masquerading: Match Legitimate Name or Location (Defense Evasion) [P1]

LucidRook campaign uses msedge.exe renamed DISM binary and DismCore.dll for DLL side-loading

Splunk SPL:

index=windows sourcetype=sysmon EventCode=1 (Image="*\\msedge.exe" NOT Image="*\\Microsoft\\Edge\\*") OR (Image="*\\dism.exe" AND CommandLine="*DismCore.dll*") | table _time ComputerName User Image CommandLine ParentImage

Elastic KQL:

event.code:1 AND ((process.executable:*\\msedge.exe AND NOT process.executable:*\\Microsoft\\Edge\\*) OR (process.name:dism.exe AND process.command_line:*DismCore.dll*))

Sigma Rule:

title: LucidRook Masquerading via Fake msedge.exe
id: b8d5f3c1-2a4e-5b6c-d7f8-9012345678cd
status: stable
author: Cisco Talos
date: 2024/04/14
description: Detects LucidRook malware masquerading as Microsoft Edge
references:
    - https://github.com/Cisco-Talos/IOCs/blob/main/2026/04/new-lua-based-malware-lucidrook.txt
logsource:
    product: windows
    category: process_creation
detection:
    selection_edge:
        Image|endswith: '\msedge.exe'
    filter_edge:
        Image|contains: '\Microsoft\Edge\'
    selection_dism:
        Image|endswith: '\DismCore.dll'
        ParentImage|endswith: '\dism.exe'
    condition: (selection_edge and not filter_edge) or not selection_dism
falsepositives:
    - Unlikely
level: critical
tags:
    - attack.defense_evasion
    - attack.t1036.005

High-confidence detection for LucidRook. Any msedge.exe outside Edge install directory is malicious. Alert immediately.

T1055 — Process Injection (Defense Evasion) [P1]

DLL side-loading in LucidRook infection chain using DismCore.dll

Splunk SPL:

index=windows sourcetype=sysmon EventCode=7 ImageLoaded="*\\DismCore.dll" NOT Image="*\\dism.exe" | stats count by ComputerName, Image, ImageLoaded, User | where count > 0

Elastic KQL:

event.code:7 AND file.name:"DismCore.dll" AND NOT process.name:"dism.exe"

Sigma Rule:

title: Suspicious DismCore.dll Loading
id: c9e6d7a3-5b8f-4c2d-a1e7-890123456def
status: experimental
author: RedSheep Security/Stone
date: 2024/04/15
description: Detects DismCore.dll loaded by non-DISM processes indicating LucidRook DLL side-loading
references:
    - https://github.com/Cisco-Talos/IOCs/blob/main/2026/04/new-lua-based-malware-lucidrook.txt
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded|endswith: '\DismCore.dll'
    filter:
        Image|endswith: '\dism.exe'
    condition: selection and not filter
falsepositives:
    - Third-party deployment tools
level: high
tags:
    - attack.defense_evasion
    - attack.t1055

DismCore.dll should only be loaded by dism.exe. Any other parent process indicates LucidRook infection.

T1059 — Command and Scripting Interpreter (Execution) [P2]

Embedded Lua interpreter in LucidRook stager for script execution

Splunk SPL:

index=windows (sourcetype=sysmon EventCode=1 CommandLine="*lua*" CommandLine="*.lua*") OR (sourcetype=powershell CommandLine="*lua*") | regex CommandLine!="(?i)(wireshark|nmap|legitimate_lua_app)" | table _time ComputerName User Image CommandLine ParentImage

Elastic KQL:

(event.code:1 AND process.command_line:(*lua* AND *.lua*)) OR (event.module:powershell AND process.command_line:*lua*)

Sigma Rule:

title: Lua Script Execution Detection
id: d1f8e9b2-7c3a-4d5e-b6f1-234567890123
status: experimental
author: RedSheep Security/Stone
date: 2024/04/15
description: Detects Lua interpreter execution potentially related to LucidRook
references:
    - https://github.com/Cisco-Talos/IOCs/blob/main/2026/04/new-lua-based-malware-lucidrook.txt
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - CommandLine|contains|all:
            - 'lua'
            - '.lua'
        - Image|endswith:
            - '\lua.exe'
            - '\lua53.exe'
            - '\luajit.exe'
    filter:
        - Image|contains:
            - 'Wireshark'
            - 'nmap'
    condition: selection and not filter
falsepositives:
    - Legitimate Lua development
    - Wireshark/nmap Lua scripts
level: medium
tags:
    - attack.execution
    - attack.t1059

Lua execution is rare in enterprise environments. Whitelist known good Lua usage (Wireshark, nmap). Focus on unexpected parent processes.

T1566.002 — Phishing: Spearphishing Link (Initial Access) [P2]

686% increase in malicious n8n webhook URLs used in phishing campaigns

Splunk SPL:

index=email OR index=proxy url="*.n8n.cloud/*" OR url="*webhook*" | regex url="https?://[^/]+\.n8n\.cloud/webhook/[a-zA-Z0-9-]+" | stats count by src_user, url, action | where count > 0

Elastic KQL:

url.full:*.n8n.cloud* AND url.path:*webhook* AND (event.module:email_gateway OR event.module:proxy)

Sigma Rule:

title: n8n Webhook Phishing Campaign Detection
id: e2a7c5d4-8b6f-4e9a-c1d3-567890abcdef
status: experimental
author: RedSheep Security/Stone
date: 2024/04/15
description: Detects n8n webhook URLs in emails indicating phishing campaign
references:
    - https://blog.talosintelligence.com/the-n8n-n8mare/
logsource:
    category: webserver
    definition: 'Email gateway or web proxy logs'
detection:
    selection:
        url|contains:
            - '.n8n.cloud/webhook/'
            - 'n8n.io/webhook/'
    executable_download:
        url|endswith:
            - '.exe'
            - '.scr'
            - '.bat'
            - '.cmd'
    condition: selection and executable_download
falsepositives:
    - Legitimate n8n automation workflows
level: high
tags:
    - attack.initial_access
    - attack.t1566.002

n8n is legitimate but increasingly abused. Alert on executable downloads from n8n webhooks. Check for DownloadedOneDriveDocument.exe specifically.

T1595.002 — Active Scanning: Vulnerability Scanning (Reconnaissance) [P3]

Autonomous AI vulnerability discovery at scale using Claude Mythos Preview

Splunk SPL:

index=web OR index=firewall | eval scan_pattern=if(match(uri_path, "(\.\./|SELECT|UNION|<script|%00|%27|%22)"), 1, 0) | stats sum(scan_pattern) as scan_score by src_ip, dest_port | where scan_score > 50 | eval risk="AI-assisted scanning suspected"

Elastic KQL:

destination.port:(80 or 443 or 8080 or 8443) AND (url.path:*../* OR url.path:*SELECT* OR url.path:*UNION* OR url.path:*<script* OR url.path:*%00* OR url.path:*%27*) | stats by source.ip

Sigma Rule:

title: High-Velocity Vulnerability Scanning Pattern
id: f3b8a9c1-2d5e-47a6-b8e9-012345678901
status: experimental
author: RedSheep Security/Stone
date: 2024/04/15
description: Detects rapid automated vulnerability scanning potentially from AI tools
references:
    - https://securitymea.com/2026/04/16/ai-found-zero-days-surge-forcing-security-model-rethink/
logsource:
    category: webserver
detection:
    selection:
        - uri_path|contains:
            - '../'
            - 'SELECT'
            - 'UNION'
            - '<script'
            - '%00'
            - '%27'
            - '%22'
    timeframe: 1m
    condition: selection | count() by source.ip > 50
falsepositives:
    - Legitimate security scanners
    - Penetration testing
level: medium
tags:
    - attack.reconnaissance
    - attack.t1595.002

AI-powered scanning is faster than traditional tools. Look for 50+ requests/minute with exploit patterns. Baseline your authorized scanners.

Indicators of Compromise

IOC Sweep Queries (Splunk):

index=* (filename="DismCore.dll" OR file_name="DismCore.dll" OR ImageLoaded="*DismCore.dll") | table _time host source filename file_path process_name

index=* process_name="msedge.exe" NOT file_path="*\Microsoft\Edge\*" | table _time host user process_name file_path command_line parent_process

index=* (filename="DownloadedOneDriveDocument.exe" OR file_name="DownloadedOneDriveDocument.exe" OR process_name="DownloadedOneDriveDocument.exe") | table _time host user source file_path

index=* (url="*n8n.cloud*" OR dest="*n8n.cloud" OR query="*n8n.cloud*") | table _time src_ip user url dest query action

YARA Rules

LucidRook_Stager — Detects LucidRook stager with embedded Lua interpreter and Rust libraries

rule LucidRook_Stager {
    meta:
        description = "Detects LucidRook stager with embedded Lua interpreter"
        author = "RedSheep Security/Stone"
        date = "2024-04-15"
        reference = "https://github.com/Cisco-Talos/IOCs/blob/main/2026/04/new-lua-based-malware-lucidrook.txt"
        severity = "critical"
        mitre = "T1055, T1059"
    strings:
        $dll1 = "DismCore.dll" ascii wide
        $lua1 = "lua_pcall" ascii
        $lua2 = "lua_getglobal" ascii
        $lua3 = "luaL_loadstring" ascii
        $rust1 = "rust_panic" ascii
        $rust2 = ".rs" ascii
        $pdb1 = "lucidrook.pdb" ascii wide nocase
        $pdb2 = "stager.pdb" ascii wide nocase
    condition:
        uint16(0) == 0x5A4D and
        ($dll1 or 2 of ($lua*)) and
        any of ($rust*) and
        any of ($pdb*)
}

n8n_Phishing_Payload — Detects executables disguised as OneDrive documents from n8n campaigns

rule n8n_Phishing_Payload {
    meta:
        description = "Detects phishing payloads from n8n webhook campaigns"
        author = "RedSheep Security/Stone"
        date = "2024-04-15"
        reference = "https://blog.talosintelligence.com/the-n8n-n8mare/"
        severity = "high"
        mitre = "T1566.002"
    strings:
        $name1 = "DownloadedOneDriveDocument" ascii wide nocase
        $name2 = "OneDriveDocument" ascii wide nocase
        $name3 = "Downloaded" ascii wide
        $url1 = "n8n.cloud/webhook" ascii wide
        $url2 = "n8n.io/webhook" ascii wide
        $url3 = "webhook" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        (any of ($name*) or any of ($url*)) and
        pe.timestamp > 1704067200  // After 2024-01-01
}

Suricata Rules

SID 2041001 — Detects n8n webhook URLs in HTTP traffic potentially delivering malware

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN n8n Webhook Phishing Campaign"; flow:established,to_server; http.uri; content:"/webhook/"; fast_pattern; http.host; content:"n8n.cloud"; http.header; content:"User-Agent|3a|"; pcre:"/^(curl|wget|python|PowerShell)/i"; classtype:trojan-activity; sid:2041001; rev:1; metadata:created_at 2024_04_15, updated_at 2024_04_15;)

SID 2041002 — Detects potential FortiClient EMS exploitation attempts

alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET EXPLOIT FortiClient EMS CVE-2026-35616 SQL Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/fctems/"; http_uri; content:"SELECT"; nocase; http_client_body; content:"UNION"; distance:0; nocase; http_client_body; reference:cve,2026-35616; classtype:web-application-attack; sid:2041002; rev:1; metadata:created_at 2024_04_15, cve 2026_35616;)

Data Source Requirements

Sources

• AI Security Vulnerabilities Stats 2026
• Anthropic Project Glasswing Announcement
• AI Coding Security Statistics
• Code Leaks in 2026
• AI Zero-Day Discovery Analysis
• Anthropic Claude Mythos Findings
• AI Chatbot Government Breach
• AI Vulnerability Storm Analysis
• Anthropic Red Team Report
• Microsoft April 2026 Patch Tuesday
• Talos 2026 Predictions
• CrowdStrike Global Threat Report
• Dragos OT Cybersecurity Year in Review
• Cisco Talos LucidRook IOCs
• The n8n n8mare Campaign Analysis
• CISA Advisory AA26-097A
• CrowdStrike 2026 Threat Report Press Release