Google Identifies First AI-Developed Zero-Day Exploit in the Wild
Google Threat Intelligence Group discovered a zero-day exploit created with AI assistance, marking the first confirmed instance of an adversary using artificial intelligence to develop rather than simply discover a vulnerability. The exploit targeted a two-factor authentication bypass and was designed for mass exploitation.
The finding signals a shift in how attackers operate. Tasks that once required specialized expertise-vulnerability discovery, exploit development, code crafting-can now be performed faster, cheaper, and by less experienced threat actors.
What Security Leaders Say
Authentication is no longer a checkbox
Shane Barney, Chief Information Security Officer at Keeper Security, said the discovery confirms AI has moved from theoretical attack accelerator to operational threat. When AI can identify logic flaws in authentication systems at machine speed, the gap between deploying multi-factor authentication and actually securing it becomes critical.
Only 35% of organizations globally use phishing-resistant MFA methods like FIDO2 and passkeys, despite 46% naming AI-driven attacks as their greatest security pressure. That gap is where breaches happen. Barney said organizations must move beyond SMS codes and basic authenticator apps toward hardware-backed credentials.
Privilege access management shows a similar gap. Only 36% of organizations report full PAM deployment, leaving most enterprises exposed to the privilege escalation this exploit was designed to enable.
Speed is now the bottleneck
Diana Kelley, Chief Information Security Officer at Noma Security, said the real problem isn't the exploit itself-it's that organizations cannot remediate vulnerabilities faster than AI discovers them. The bottleneck is remediation capacity and operational execution, not detection.
This means security teams need to shift focus. Rather than trying to patch everything, organizations should prioritize attack surface reduction, asset visibility, identity controls, segmentation, and compensating controls for exposures that cannot be immediately fixed.
Kelley said this is likely an early signal, not an isolated event. The industry should expect AI-assisted vulnerability research and exploit development to become routine.
The arms race is now automated
Ronald Lewis, Head of Cybersecurity Governance at Black Duck, compared the current moment to the early days of computer viruses and antivirus software-an escalating cycle of offense followed by defensive adaptation. The difference is speed and scale. AI compresses timelines on both sides, turning what was once a reactive update cycle into a continuous automated arms race.
What makes this finding historic, Lewis said, isn't that the exploit enabled mass exploitation. WannaCry and Slammer did that. What matters is that the exploit's creation itself appears automated. This signals a shift from human-paced vulnerability discovery to machine-scaled weaponization.
Lewis warned that current AI guardrails are not stopping serious adversaries-only slowing unsophisticated ones. The real risk is humans handing operational control to autonomous systems that can act faster and adapt wider than anyone can stop.
Attackers have unfair access to AI
Nicole Carignan, Senior Vice President of Security & AI Strategy at Darktrace, said threat actors have built infrastructure to gain persistent, free access to premium commercial AI models. This gives them unlimited usage and time to develop sophisticated capabilities-an advantage defenders do not have.
More concerning is AI-enabled malware that understands its operating environment and adapts in real time. Today these attacks are noisy and detectable. As attackers improve, they will learn to hide these signatures. Defenders need to shift from signature-based detection toward behavioral anomaly detection.
Business logic flaws are the new frontier
Ram Varadarajan, CEO at Acalvio, said modern AI models can infer what developers intended software to do and spot contradictions humans missed. This creates a new category of vulnerabilities: hidden business-logic flaws, broken trust assumptions, and authorization errors that appear valid to conventional security tools but remain exploitable.
Early clues revealed the AI's fingerprints-fake vulnerability scores, oddly over-explained code. Those clues are temporary. Attackers will quickly learn to hide them.
Varadarajan said the best defense is AI-powered active defense inside the perimeter, fighting attacks bot-on-bot.
Close the action gap
John Gallagher, Vice President of Viakoo Labs at Viakoo, said AI is fundamentally altering offensive speed, especially for OT and IoT device fleets. The future depends on fighting AI-driven threats with AI-powered autonomous remediation.
Simply knowing a vulnerability exists is no longer enough. The speed of AI-driven exploits demands that organizations close the gap between discovery and remediation.
Gallagher said security teams should deploy platforms capable of safely automating remediation-pushing verified firmware updates to thousands of endpoints simultaneously. This should be as autonomous as possible while keeping humans in the loop for critical decisions. AI should serve up remediation options; human operators should approve them.
What IT and Development Teams Should Do
For developers and IT professionals, the immediate priority is understanding how AI changes threat modeling. Learn how AI impacts vulnerability discovery and detection to better anticipate what attackers can now accomplish.
Development teams should also review authentication flows and authorization logic for the kinds of business-logic flaws AI can now identify. Security testing needs to expand beyond conventional vulnerability scanning.
IT operations should assess remediation speed. Can your team patch critical systems in hours, not days? If not, your organization is at risk. Explore how AI can accelerate your development and operations workflows to match the speed of modern threats.
Your membership also unlocks:
