AI will soon enable attackers to find and exploit software vulnerabilities much faster, and organisations should take immediate steps to prepare their security programmes, according to a new guide from Anthropic, the maker of Claude.
The company said that within the next 24 months, vast numbers of bugs that have remained unnoticed in code for years will be discovered by AI models and chained into working exploits. Publicly available models are already capable of finding serious vulnerabilities that traditional reviews have missed. However, defenders can also use AI to move faster. Anthropic has published a set of recommendations based on its own security work.
First, organisations should close their patch gap immediately. AI excels at reversing patches into working exploits, so the window between a patch being published and an exploit becoming available is shrinking. Vulnerabilities on the CISA Known Exploited Vulnerabilities catalogue should be treated as emergencies, and internet-facing systems should be patched within 24 hours.
Second, security teams should prepare for a much higher volume of vulnerability reports, potentially an order-of-magnitude increase. Automation with human oversight will be necessary for triage.
Third, companies should find bugs before shipping code. This includes adding static analysis and AI-assisted code review to continuous integration pipelines, adopting secure-by-design practices, and preferring memory-safe languages for new code.
Fourth, organisations should proactively scan their existing codebases with the same kind of models attackers would use, prioritising internet-facing services and legacy code that has received less scrutiny.
Fifth, zero-trust architecture is essential. Access should be tied to verified hardware, long-lived secrets replaced with short-lived tokens, and services isolated by identity. Network segmentation alone is no longer sufficient.
Sixth, organisations should maintain an inventory of every internet-facing host and service, decommission unused systems, and minimise what each service exposes.
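One way to operationalise the patch-gap and inventory recommendations above, as an added example that is not part of the article or of Anthropic's guide: it matches a constructed host inventory against a constructed feed in the JSON shape CISA publishes for the KEV catalogue (the field names cveID, vendorProject, product and dateAdded follow the real feed; the CVE IDs are placeholders) and lists the internet-facing hosts that have exceeded the 24-hour window.

```python
"""Patch-gap check: internet-facing hosts vs. a CISA KEV-style feed."""
from datetime import datetime, timezone

# Constructed KEV-style feed in the shape CISA publishes (only the fields used
# here). The CVE IDs are placeholders, not real catalogue entries.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleCorp",
     "product": "EdgeGateway", "dateAdded": "2024-06-01"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleCorp",
     "product": "MailRelay", "dateAdded": "2024-06-03"},
]}

# Constructed asset inventory: whether each host is reachable from the
# internet and which CVEs are still unpatched on it.
INVENTORY = [
    {"host": "vpn-1", "internet_facing": True, "open_cves": ["CVE-0000-00001"]},
    {"host": "mail-1", "internet_facing": True,
     "open_cves": ["CVE-0000-00002", "CVE-0000-00003"]},
    {"host": "build-1", "internet_facing": False, "open_cves": ["CVE-0000-00001"]},
]

# Fixed "current time" so the result is reproducible.
NOW = datetime(2024, 6, 4, 12, 0, tzinfo=timezone.utc)


def kev_added_dates(feed):
    """Map each catalogue cveID to the UTC time it was added to KEV."""
    return {v["cveID"]: datetime.strptime(v["dateAdded"], "%Y-%m-%d")
            .replace(tzinfo=timezone.utc) for v in feed["vulnerabilities"]}


def overdue_hosts(inventory, feed, now, sla_hours=24):
    """(host, cve, hours past SLA) for internet-facing hosts with an open CVE
    that has been in the KEV catalogue longer than sla_hours, worst first."""
    added = kev_added_dates(feed)
    findings = []
    for host in inventory:
        if not host["internet_facing"]:
            continue  # internal hosts follow the normal cycle, not the emergency SLA
        for cve in host["open_cves"]:
            if cve not in added:
                continue  # unpatched but not known-exploited: normal priority
            age_hours = (now - added[cve]).total_seconds() / 3600
            if age_hours > sla_hours:
                findings.append((host["host"], cve, round(age_hours - sla_hours, 1)))
    return sorted(findings, key=lambda f: f[2], reverse=True)


if __name__ == "__main__":
    for host, cve, late in overdue_hosts(INVENTORY, KEV_FEED, NOW):
        print(f"{host}: {cve} is {late}h past the 24h SLA")
```

In practice the feed would be fetched from CISA and the inventory from the asset register; the 24-hour window is measured from the catalogue's dateAdded, so a host that is internal or whose open CVE is not in the catalogue falls back to the normal patch cycle.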
Finally, incident response times need to be shortened. Anthropic suggested putting a model at the front of the alert queue for first-pass triage, automating incident bookkeeping, and running tabletops for five simultaneous incidents rather than one.
For small teams without dedicated security staff, the company advised turning on automatic updates, using managed services, enabling passkeys or hardware security keys, and activating free security tooling on code hosts.