CISO Intelligence: AI Eats Security, From Both Ends
9 March 2026
---
The past week has been one of those moments where the argument about AI's role in security stops being theoretical. It has moved to production, to active exploitation, to a public falling-out between the Pentagon and one of the largest AI labs in the world. Here is what happened and what it means.
---
AI Finds Bugs. AI Writes Bugs. Both Are Now True.
Two separate stories landed within 24 hours of each other, and together they tell you something important about where this technology is heading.
Anthropic worked with Mozilla on a two-week exercise in January. Claude Opus 4.6 was turned loose on roughly 6,000 C++ files in the Firefox codebase. It found 22 vulnerabilities, 14 of them rated high severity. That figure represents almost a fifth of all high-severity Firefox issues patched across the whole of 2025. The model spotted a use-after-free bug in the JavaScript engine in 20 minutes. Anthropic then tested whether Claude could build a working exploit from the same findings. It managed it in two cases out of several hundred attempts, spending around $4,000 in API credits to get there. The company was candid: finding vulnerabilities is cheaper than exploiting them, and the model is currently better at one than the other. That gap will not stay fixed.
OpenAI followed with its own announcement. Codex Security, which is the production version of what started as a private beta called Aardvark in October 2025, has scanned more than 1.2 million commits across external repositories in the last 30 days. It found 792 critical findings and over 10,500 high-severity issues. Targets included OpenSSH, GnuTLS, Gogs, PHP, Chromium, and libssh. The agent builds a threat model for the repository first, then hunts, then validates in a sandboxed environment before surfacing anything to a human. OpenAI says false positive rates have dropped more than 50% compared to earlier iterations. It is currently in research preview, free for Pro, Enterprise, Business, and Edu ChatGPT users for the next month.
Both of these should be on your radar if you run a software security programme. Vulnerability disclosure pipelines that assumed months of researcher time now need to account for agents running 24 hours a day at marginal cost. The upside is real. So is the implication that your attackers have access to the same capability.
---
Attackers Are Already Using It
Microsoft's threat intelligence team published a detailed report this week on AI use across the attack lifecycle. The findings are not surprising if you have been paying attention, but the scope is broader than many assumed.
Nation-state groups are using generative AI at every stage. North Korean operators tracked as Jasper Sleet and Coral Sleet are using LLMs to generate fake identities for IT worker fraud schemes, prompting models to produce culturally appropriate name lists, email formats, and skills summaries tailored to specific job postings. Pakistan-aligned Transparent Tribe has gone further. Bitdefender's researchers described a campaign targeting Indian government entities where APT36 is using AI coding tools to mass-produce malware implants in obscure languages: Nim, Zig, Crystal. The approach, which Bitdefender's team called "vibeware," is not about technical sophistication. It is the opposite. The goal is to flood target environments with disposable binaries, each using a different language and communication channel (Slack, Discord, Supabase, Google Sheets), so that detection through signature matching becomes essentially a losing game. They coined the phrase "Distributed Denial of Detection." It is a good name for a real problem.
AI is not improving these threat actors' tradecraft in the ways most people imagined. It is not writing zero-days. It is removing the friction from existing methods and making volume attacks cheaper. Phishing lures are more convincing. Infrastructure is scaffolded faster. Malware ports to a new language in a session rather than a sprint. Security teams building detection strategies around specific TTPs need to factor in how quickly those TTPs can be regenerated.
---
The Pentagon and Anthropic Had a Very Public Disagreement
This story deserves more attention than it got. Pentagon CTO Emil Michael went on the All-In podcast and described how talks with Anthropic broke down over the terms the Defense Department wanted for access to frontier AI models. The specific sticking point: autonomous weapons. Anthropic, whose CEO Dario Amodei has been open about concerns over fully autonomous lethal systems and AI used to surveil American citizens, pushed back on contract language the DoD was seeking. Michael characterised Anthropic's response as turning a commercial negotiation into a PR exercise.
The detail that crystallised the tension: after the US military's operation in Venezuela in January that captured Nicolas Maduro, Anthropic reportedly asked Palantir whether its AI had been used. That question apparently did not go down well at the Pentagon.
This matters beyond the personalities involved. There is now a visible fault line between AI labs that have made safety commitments and a defence establishment that wants maximum operational flexibility. The Trump administration's new Cyber Strategy, published 6 March, is explicit about AI as a national security asset. It calls for zero-trust adoption, post-quantum cryptography, cloud migration, and AI-driven security tooling across federal networks, and frames the preservation of US technological superiority in AI, quantum, and advanced cryptography as a strategic imperative. Given that framing, the expectation from government is that AI companies will fall in line. Anthropic has, so far, declined to fully comply with that expectation. The outcome of that standoff will shape how frontier AI capability flows to defence and intelligence customers for years.
---
Cisco SD-WAN: Patch It Now
Away from the AI story, Cisco confirmed active exploitation of two Catalyst SD-WAN Manager vulnerabilities this week, CVE-2026-20128 and CVE-2026-20122. A third, CVE-2026-20127, is a critical authentication bypass with WatchTowr reporting exploitation attempts from numerous unique IP addresses. These affect network infrastructure at exactly the kind of perimeter that threat actors prioritise for persistent access. If your organisation runs Catalyst SD-WAN and has not patched, the question is what is waiting on that edge.
---
One Other Thing Worth Noting
North Korean IT worker fraud schemes, where DPRK nationals use fake identities to get hired at Western companies and maintain persistent access, are no longer a novel threat. They are operational at scale. AI is helping with face swapping, identity generation, and the daily maintenance of plausible cover stories. Dark Reading reported this week that the schemes continue to work because the identity verification gap is wide and AI has made it wider. If your hiring process for remote engineers does not include some form of live verification, it should.
---
Sources this week: The Hacker News, BleepingComputer, SecurityWeek, Security Affairs, Microsoft Threat Intelligence, Bitdefender, Politico, Business Insider, Fortune, Tenable
Jonathan Care is Lead Analyst at KuppingerCole and a 33-year veteran of cybersecurity and fraud detection.
---
Draft prepared by Minerva — 2026-03-09 08:02 UTC. For review and publication by Jonathan Care.

