The Era of AI-Assisted Exploitation Has Started

This week, Google’s Threat Intelligence Group disclosed what may be the first documented case of attackers using AI assistance to help discover and weaponize a real-world zero-day exploit designed to bypass two-factor authentication.

That sentence alone should get the attention of every security team.

Researchers reportedly found several indicators inside the exploit code itself. The Python script allegedly contained unusually structured educational comments, textbook-style formatting patterns, and even a hallucinated CVSS severity score — something security researchers would not normally include in a functioning exploit.

In other words, the exploit looked partially written by a large language model.

The reported flaw itself was not a simple coding mistake or buffer overflow. It was a semantic logic flaw involving hardcoded trust assumptions inside an authentication workflow.

Historically, those kinds of vulnerabilities often required significant human reasoning to discover because they involve understanding how systems are supposed to behave rather than simply identifying broken syntax or unsafe memory handling. That line is now beginning to blur.

For decades, one of the natural barriers protecting organizations was the amount of time, expertise, and effort required to discover and weaponize vulnerabilities. Skilled exploit development has traditionally been a difficult discipline requiring deep technical understanding and significant research time.

AI changes the economics of that process. Even if AI does not independently create perfect exploits, it dramatically accelerates research, experimentation, analysis, debugging, and iteration.

Modern attackers already move quickly. Ransomware groups, access brokers, and state-sponsored actors operate with increasing efficiency and scale. AI introduces the possibility of reducing the distance between discovering a vulnerability and actively exploiting it in the wild.

That may ultimately become the defining cybersecurity story of the next decade.

At the same time, it is important to avoid exaggeration. AI is not replacing skilled hackers overnight. Human creativity, persistence, and operational knowledge still matter enormously.

Attackers still need infrastructure, objectives, targeting, and real-world understanding of systems and environments. But AI does not need to replace attackers to fundamentally change cybersecurity. It only needs to accelerate them.