In January 2026, a security researcher published a proof-of-concept that changed the conversation about AI in cybersecurity. Using a fine-tuned open-source language model, they demonstrated the ability to scan an entire GitHub repository — 340,000 lines of code — and identify three exploitable vulnerabilities in under four minutes. Two of them were zero-days.
The researcher did this to prove a point. But threat actors had been doing it for months already.
The new reconnaissance playbook
Traditionally, the reconnaissance phase of a cyberattack was slow and manual. An attacker would probe ports, fingerprint services, Google-dork for exposed admin panels, and manually review source code for injection points. A skilled attacker could spend days or weeks mapping a target's attack surface.
AI has compressed that timeline from weeks to minutes.
Today's adversaries are using large language models to:
- Analyze source code repositories for common vulnerability patterns — SQL injection, SSRF, insecure deserialization, hardcoded secrets — across thousands of files simultaneously.
- Generate and test exploit payloads tailored to specific technology stacks. The AI doesn't just find a vulnerability; it writes the working exploit.
- Craft phishing campaigns that are grammatically perfect, contextually aware, and personalized using scraped LinkedIn and corporate data.
- Identify misconfigurations in cloud environments by analyzing public documentation, IaC templates, and leaked configuration files.
- Reverse-engineer patches to develop n-day exploits within hours of a vendor releasing a fix — before most organizations have had time to apply it.
The arms race nobody talks about
Here's the uncomfortable truth the security industry doesn't want to confront: the same AI capabilities that power defensive tools are available to attackers. Often, they're the same models.
When Microsoft releases a new AI-powered security feature, adversaries study it — not to defeat it, but to learn from its architecture. When a security vendor publishes research on using LLMs for threat hunting, red teams and criminal groups adapt those techniques for offense.
"We are witnessing the democratization of advanced offensive capabilities. The barrier to entry for sophisticated cyberattacks has effectively collapsed." — Mandiant, M-Trends 2025
Google's Threat Intelligence Group documented a 300% increase in AI-assisted vulnerability discovery attempts in 2025. MITRE's ATT&CK framework has added new sub-techniques specifically to address AI-assisted reconnaissance (T1595.003) and AI-generated social engineering (T1566.004).
Case study: The 47-minute enterprise compromise
In Q4 2025, Mandiant investigated a breach at a Fortune 500 manufacturing company that illustrated this new paradigm perfectly. The post-mortem revealed a startling timeline:
Minute 0: The attacker's AI agent began scanning the company's public-facing web applications.
Minute 3: A Server-Side Request Forgery (SSRF) vulnerability was identified in an internal API endpoint exposed through a misconfigured reverse proxy.
Minute 7: An exploit payload was generated and tested. Initial access was achieved.
Minute 12: The attacker used AI-generated scripts to enumerate the internal network, identifying Active Directory structure and trust relationships.
Minute 19: A Kerberoasting attack extracted service account password hashes. AI-powered password cracking recovered credentials for a domain admin service account.
Minute 31: Lateral movement to the file server containing engineering schematics and customer data.
Minute 47: Data exfiltration began through an encrypted tunnel to a cloud storage endpoint.
Total time from first probe to data theft: 47 minutes. The SOC's first alert fired at minute 4. The on-call analyst didn't begin investigating until minute 38.
Why your vulnerability management program isn't enough
Most organizations run vulnerability scans weekly or monthly. Patch cycles take 30-90 days. This cadence was designed for a world where attackers operated on similar timelines.
That world is gone.
When an attacker can scan your entire external attack surface in minutes and generate working exploits in seconds, your quarterly penetration test isn't a security measure — it's a snapshot of how vulnerable you were three months ago.
Fighting AI with AI — but not the way you think
The instinct is to deploy AI defensively: AI-powered vulnerability scanners, AI-driven patch prioritization, AI-enhanced threat detection. And those tools have value. But they address symptoms, not the core problem.
The core problem is speed. An attacker using AI can go from zero to full compromise faster than a human analyst can read a single alert. No amount of better alerting fixes that.
What fixes it is removing the human bottleneck from the investigation loop. Not from the decision — from the investigation.
n0limit doesn't replace your vulnerability scanner or your patch management process. It ensures that when an attacker's AI finds the vulnerability you haven't patched yet, the subsequent attack is investigated, scoped, and presented to your team in microseconds — not minutes, not hours.
Because in this new reality, the question isn't whether your defenses will be tested by AI. The question is whether your response can match the speed of the attack.
At 47 minutes, you lose. At 500 microseconds, you have a chance.
REFERENCES
Mandiant M-Trends 2025 — AI-assisted attack techniques → Google Threat Intelligence — AI in cybercrime report → MITRE ATT&CK — Updated reconnaissance techniques → Microsoft Security Blog — AI-powered security research → CISA — Artificial intelligence and cybersecurity →Attackers have AI. Shouldn't your SOC?
See n0limit investigate a live alert in 500μs — with your own data.
Book a demo →