{"id":4007,"date":"2026-05-07T18:00:00","date_gmt":"2026-05-07T16:00:00","guid":{"rendered":"https:\/\/certitude.consulting\/blog\/?p=4007"},"modified":"2026-05-08T07:11:51","modified_gmt":"2026-05-08T05:11:51","slug":"the-new-reality-in-cybersecurity-ai-agents-acceleration-and-asymmetry","status":"publish","type":"post","link":"https:\/\/certitude.consulting\/blog\/en\/the-new-reality-in-cybersecurity-ai-agents-acceleration-and-asymmetry\/","title":{"rendered":"The New Reality in Cybersecurity: AI Agents, Acceleration, and Asymmetry"},"content":{"rendered":"\n<p>The conversation around AI in cybersecurity has shifted dramatically in just a few months. What used to be theoretical is now operational. AI is no longer limited to assisting \u2014 it can actively perform large parts of the work. We are entering a phase of rapid, uneven acceleration \u2014 and the implications are uncomfortable.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">AI Agents Can Identify New Vulnerabilities \u2013 Fast<\/h2>\n\n\n\n<p><strong>Claude Mythos<\/strong> is another milestone, but progress had already become apparent in the preceding months. Anthropic OPUS 4.6, released in February 2026, is already very efficient and versatile in vulnerability identification and exploitation.<\/p>\n\n\n\n<p>At Certitude, we have always been active in vulnerability research. We have found new zero-days during pentests or in independent research projects. This included products from large vendors such as Microsoft, IBM, Red Hat, Citrix, and Cloudflare. Traditionally, discovering zero-days or working on CVEs required a mix of deep expertise, time, and persistence. Now, the baseline has changed. 
With newer AI systems, we\u2019re seeing:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Dramatically increased efficiency<\/li>\n\n\n\n<li>Automation of large parts of the workflow<\/li>\n\n\n\n<li>End-to-end support \u2014 from idea generation to exploit development to reporting<\/li>\n<\/ul>\n\n\n\n<p>Over the past two months, we have <strong>reported more vulnerabilities than in the previous two years<\/strong> combined. Not because we suddenly became more capable \u2014 but because AI agents handled roughly 80% of the work, allowing us to identify significantly more vulnerabilities within the same time. For example, the agent automatically generated a working proof-of-concept exploit and a structured vulnerability report, reducing manual effort to validation and refinement.<\/p>\n\n\n\n<p>However, this <strong>capability is<\/strong> <strong>not exclusive to defenders<\/strong>. As with dual-use tools in the past, they will also help attackers. This accelerates the cat-and-mouse dynamic we have experienced in cybersecurity for the last few decades.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Risks Caused By Acceleration<\/h2>\n\n\n\n<p>Official data from the National Vulnerability Database (NVD) shows that the rate of Common Vulnerabilities and Exposures (CVE) disclosures has accelerated significantly. This acceleration in vulnerability discovery has prompted the National Institute of Standards and Technology (NIST) to fundamentally alter its operations, moving from analyzing every CVE to a risk-based prioritization model.<a href=\"https:\/\/www.nist.gov\/news-events\/news\/2026\/04\/nist-updates-nvd-operations-address-record-cve-growth\">[1]<\/a> <strong>Between 2020 and 2025<\/strong>, the average daily disclosure rate was approximately <strong>86 CVEs per day<\/strong>. In early 2026, the disclosure velocity escalated dramatically. 
Between January 1 and April 29, <strong>2026<\/strong>, the NVD recorded an average of <strong>~184 CVEs per day<\/strong>, an <strong>increase of 113%<\/strong> over the average of the previous years, effectively breaking the agency&#8217;s capacity to enrich every vulnerability.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"945\" height=\"532\" src=\"https:\/\/certitude.consulting\/blog\/wp-content\/uploads\/2026\/05\/Daily-CVE-Disclosure-Rate-1.png\" alt=\"\" class=\"wp-image-4009\" srcset=\"https:\/\/certitude.consulting\/blog\/wp-content\/uploads\/2026\/05\/Daily-CVE-Disclosure-Rate-1.png 945w, https:\/\/certitude.consulting\/blog\/wp-content\/uploads\/2026\/05\/Daily-CVE-Disclosure-Rate-1-300x169.png 300w, https:\/\/certitude.consulting\/blog\/wp-content\/uploads\/2026\/05\/Daily-CVE-Disclosure-Rate-1-768x432.png 768w\" sizes=\"auto, (max-width: 945px) 100vw, 945px\" \/><figcaption class=\"wp-element-caption\">Own visualization based on data from the <br>National Vulnerability Database (NVD), nvd.nist.gov<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Triage Bottlenecks<\/strong><\/h3>\n\n\n\n<p>Because of the large number of vulnerabilities that have been published in recent weeks, we see a <strong>triage bottleneck<\/strong> at large software manufacturers. This results in longer <strong>delays for patch development<\/strong>. We expect them to catch up at some point, due to more adoption of AI in these teams as well, but the transition could take some time.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Resource Constraints<\/strong><\/h3>\n\n\n\n<p>Current frontier AI models are <strong>accelerating vulnerability discovery on both sides<\/strong>, but most organizations don\u2019t have the skills or resources to be an early adopter of AI in cybersecurity. 
If they are lucky, they have some IT staff savvy with AI, but typically it\u2019s not enough to bring rapid improvements to all the different aspects of cybersecurity.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Growing Asymmetry Between Attackers And Defenders<\/h3>\n\n\n\n<p>And it\u2019s not just about resources; it\u2019s also about quality. Whereas attackers can just try out new exploits without much risk if they fail (they can simply try repeatedly until it works somewhere), defenders will probably not allow AI to act autonomously within the corporate network if it is not as reliable as human professionals. Who takes responsibility if the agent takes wrong actions or misbehaves? Who wants to have service outages because it disabled a critical service in response to an open vulnerability on the server? While these questions are discussed, the asymmetry between attackers and defenders is growing: a larger attack surface and faster exploitation speed favor the offense.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Risks From AI Usage<\/h2>\n\n\n\n<p>The rise of agentic AI doesn\u2019t just improve productivity \u2014 it introduces entirely new risks.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Governance Risks<\/h3>\n\n\n\n<p>One key question is: <strong>How do we control what autonomous agents do?<\/strong><\/p>\n\n\n\n<p>One example from our vulnerability research: an agent used to research exploits had been explicitly instructed to operate transparently, but sometimes attempted to disguise its behavior \u2013 effectively simulating evasive tactics. It was not deterministic when it would behave as instructed and when it would not. 
That\u2019s not just a technical issue; it\u2019s a governance problem.<\/p>\n\n\n\n<p>We\u2019re dealing with systems that:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>May act autonomously<\/li>\n\n\n\n<li>Interact with sensitive data and systems in our corporate networks<\/li>\n\n\n\n<li>Might have access to the Internet<\/li>\n\n\n\n<li>May behave in unintended ways<\/li>\n<\/ul>\n\n\n\n<p>A dangerous mix.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Prompt Injection: Still Unsolved<\/h3>\n\n\n\n<p>Despite all the progress, <strong>prompt injection remains an open problem<\/strong>.<br>This keeps AI systems inherently susceptible to manipulation \u2014 particularly in environments where they interact with external or untrusted inputs. In an attempt to solve a problem, the AI agent might research online, find an instruction manual and execute the commands described. What if this instruction manual was manipulated? An attacker could gain code execution on our system, exfiltrate data or gain control over internal IT systems.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Identity Is Breaking: Voice &amp; Video Spoofing<\/h3>\n\n\n\n<p>Humans are biologically wired to trust faces and voices \u2013 a capability refined over millions of years. And now, within months, AI is breaking that trust model. Voice spoofing is already highly convincing and video impersonation is rapidly improving. <strong>Within months, organizations \u2013 and society at large \u2013 will need to retrain people<\/strong> and establish new methods of identity verification for phone or video calls.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What\u2019s The Outlook?<\/h2>\n\n\n\n<p>Cybersecurity has always been asymmetric:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Defenders need to secure all possible attack vectors. 
Attackers only need to find one.<\/li>\n<\/ul>\n\n\n\n<p>Agentic models add another asymmetry:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Defenders require accuracy and stability (no outages). Attackers can tolerate failure and noise. In other words: Defenders need <strong>human-in-the-loop validation<\/strong>. Attackers don\u2019t. That difference matters more as speed increases.<\/li>\n<\/ul>\n\n\n\n<p>This creates a critical, though hopefully temporary, imbalance in which attackers adopt AI faster than defenders can respond. We are likely entering a <strong>temporary phase of chaos<\/strong> where attackers effectively leverage AI and defenders are still adapting.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What About Guardrails?<\/h3>\n\n\n\n<p>There\u2019s an ongoing call for guardrails in AI systems, which aim to prevent AI models from working on potentially harmful tasks. But this raises a difficult question: <strong>Who is actually being constrained?<\/strong><\/p>\n\n\n\n<p>This situation is comparable to banning dual-use tools like Nmap or Mimikatz: These tools are essential for defenders in vulnerability identification. But they are also used by attackers for the same reason. Guardrailed AI models will also make it more difficult for the good guys to use AI for cyber defense. And attackers will likely find ways around guardrails or use capable unrestricted models instead.<\/p>\n\n\n\n<p>Guardrails may slow development (on both sides) \u2013 but they do not meaningfully reduce risk. Organizations must prepare for a world where capable, unrestricted models are widely available.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What Can Organizations Do?<\/h3>\n\n\n\n<p>The fundamentals still apply. AI doesn\u2019t change the rules of the game, but it changes its speed. 
Organizations don\u2019t need entirely new security principles \u2013 but they do need a change of mindset:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Faster execution<\/li>\n\n\n\n<li>Higher automation<\/li>\n\n\n\n<li>Lower trust in assumptions<\/li>\n<\/ul>\n\n\n\n<p>Key recommendations:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Accelerate patch cycles: We need to apply patches faster. If there is a patch, there will likely be an exploit much sooner than we expect.<\/li>\n\n\n\n<li>Defense in depth: This principle applies more than ever. We have to expect attackers to find a way around our controls, so an additional measure should be in place to stop or delay them. Microsegmentation, least privilege, and MFA even for non-internet-facing systems can all be part of it.<\/li>\n\n\n\n<li>Detection &amp; Response: Improve detection and response capabilities. Attacks will happen faster and more often, but when and how well will your organization react?<\/li>\n\n\n\n<li>Internal AI capabilities: Build internal skills and integrate AI in security workflows. It might start with experiments and proofs of concept (PoCs), but it will soon result in improved capabilities, quality and speed. 
But don\u2019t forget to consider AI risks and design such systems securely before production usage.<\/li>\n<\/ul>\n\n\n\n<p>The goal is not to \u201cwin\u201d outright \u2013 but to ensure the <strong>gap does not become<\/strong> <strong>unmanageable<\/strong>.<\/p>\n\n\n\n<div style=\"height:35px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>At Certitude, we continuously adapt our services to reflect these developments\u2014and pass these gains on to our clients.<\/p>\n\n\n\n<p>For more information on how these developments may affect your organization, feel free to <a href=\"https:\/\/certitude.consulting\/contact.html\">contact<\/a> us.<\/p>\n\n\n\n<div style=\"height:35px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><em>Authors:<br>Marc Nimmerrichter, Managing Partner, Certitude Consulting GmbH<br>Florian Schweitzer, Cyber Security Expert, Certitude Consulting GmbH<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The conversation around AI in cybersecurity has shifted dramatically in just a few months. What used to be theoretical is now operational. AI is no longer limited to assisting \u2014 it can actively perform large parts of the work. We are entering a phase of rapid, uneven acceleration \u2014 and the implications are uncomfortable. 
AI [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":4023,"comment_status":"closed","ping_status":"open","sticky":true,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,103],"tags":[316,762,837],"class_list":["post-4007","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-expertise","category-vulnerability-research-en","tag-ai","tag-cyber-security","tag-vulnerabilities"],"_links":{"self":[{"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/posts\/4007","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/comments?post=4007"}],"version-history":[{"count":11,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/posts\/4007\/revisions"}],"predecessor-version":[{"id":4045,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/posts\/4007\/revisions\/4045"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/media\/4023"}],"wp:attachment":[{"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/media?parent=4007"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/categories?post=4007"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/certitude.consulting\/blog\/wp-json\/wp\/v2\/tags?post=4007"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}