17/04/2026 · 9 minute read · By Rafael


Anthropic and the new challenge for cybersecurity teams facing AI-generated threats

Anthropic and other artificial intelligence companies are, perhaps unintentionally, creating a brand-new kind of pressure on cybersecurity teams around the world. And this story starts with a name you might not know, but who is behind almost everything that happens on the internet: Daniel Stenberg, the creator and lead maintainer of cURL.

In 2025, Stenberg received no fewer than 181 notifications about bugs and vulnerabilities in the code he and six other volunteers maintain. To put that in perspective, that number is practically equivalent to what was accumulated over the previous two years combined. In just 12 months, the volume of alerts nearly matched the entire 2023 and 2024 period put together.

Sitting in his office in Sweden, Stenberg summed up the situation pretty bluntly: last year was quite intense at times.

But what explains such a dramatic spike?

The answer has everything to do with the rapid advancement of artificial intelligence tools, which are increasingly being used to scan for flaws in open-source projects. In many cases, these tools generate a volume of alerts that small teams simply cannot absorb at the same pace. The result is a new and concerning scenario for the entire global cybersecurity chain.

cURL is everywhere, and that matters a lot

To understand the scale of the problem, it helps to know what cURL is and why it is so relevant. It is an open-source tool and library used to transfer data over the internet via URLs. It is present in virtually every server, connected device, and operating system in existence today. cURL is estimated to run on more than 20 billion installations worldwide, from home routers to industrial supercomputers. It is the kind of invisible software that keeps the internet running without most people ever noticing.

The problem is precisely that: when a tool is present in so many things at once, any vulnerability discovered in it can have an enormous cascading effect. A flaw in cURL is not an isolated issue affecting one specific application. It can simultaneously impact healthcare systems, banks, government infrastructure, and communication services on a global scale. That is why security researchers, ethical hackers, and now artificial intelligence agents pay so much attention to this code.


The team that takes care of all of this is made up of just seven people, most of them volunteers. Daniel Stenberg is the most recognized face of the project, but the weight of the work falls on a small group that needs to analyze every report received, verify whether the vulnerability is real, assess the impact, create a patch, and communicate the issue responsibly before someone with bad intentions exploits the flaw. It is a careful, technical, and extremely draining process, especially when the volume of notifications starts to grow exponentially.

AI as a flaw-finding tool: opportunity or overload?

What changed in recent months was the massive arrival of artificial intelligence tools being applied directly to analyzing open-source code in search of cybersecurity flaws. Companies like Anthropic, with its Claude model, and others in the sector have made AI agents available that can scan entire repositories, identify suspicious patterns, and generate automated reports of potential vulnerabilities. The goal, in theory, is a noble one: the faster flaws are found, the faster they can be fixed before they cause real damage.

In practice, however, what happened with cURL reveals a less glamorous side of this technological advance. Many of the 181 reports Stenberg received in 2025 came from automated tools or from researchers who used AI as a discovery aid. The big challenge is that AI still produces a lot of false positives: it flags something as a potential security flaw when, in reality, the code behavior is completely intentional and safe.

Each of these alerts, even the wrong ones, needs to be seriously investigated by the maintainer team. Ignoring a legitimate report could have severe consequences for millions of users around the world. This dynamic forces maintainers to spend hours analyzing false alarms — time that could be invested in real improvements to the project or in fixing genuine flaws.

This creates a tough equation to solve. On one hand, AI is accelerating the discovery of real flaws, which is genuinely positive for the cybersecurity ecosystem. On the other hand, it is flooding small teams with a workload that simply did not exist before, without necessarily providing the human or financial resources to handle this new demand. The result is mounting pressure on people who often work on a volunteer basis with no compensation proportional to the impact their work has on the world.

The difference between quantity and quality in reports

One point that deserves attention in this conversation is the stark difference between the quantity of AI-generated reports and the actual quality of those findings. When an experienced human researcher identifies a vulnerability, the report usually comes with context, an explanation of why the behavior is problematic, exploitation scenarios, and in many cases, a suggested fix. This makes the maintainer’s job significantly easier.

Reports generated by AI-assisted automation, on the other hand, often lack that context. They flag code snippets that look suspicious according to statistical patterns but do not convincingly explain why they represent a real threat. For the cURL team, this means every report needs to be opened, read, investigated, tested, and in many cases discarded after hours of analysis. Stenberg has publicly noted that some of the reports received were so poorly written and so clearly generated by automation without human review that they took longer to dismiss than legitimate ones took to resolve.

The real impact on security teams around the world

The cURL case is not an isolated one. Other widely used open-source projects, such as OpenSSL and dozens of libraries critical to the internet, have also reported a significant increase in vulnerability notifications in recent months. The pattern is always similar: an artificial intelligence tool scans the repository, generates a list of potential issues, and the researcher or company behind the scan sends everything to the maintainer team without necessarily filtering what is relevant from what is noise.

For cybersecurity professionals working inside companies, this also presents a real challenge. When a library like cURL takes longer to release patches because the team is overwhelmed with reports, the companies that depend on that software end up in a tough spot: do they wait for the official fix or try to implement their own solutions? This dilemma is real and is being actively discussed in security forums, conferences like DEF CON, and in private incident response groups.

Anthropic and other companies in the AI sector have been mentioned in these discussions as players who, even with good intentions, need to think more carefully about how their models interact with critical infrastructure projects. The concern is not with the existence of these tools themselves but with how they are being used without proper care in the final step — triaging and validating results before submission.

The question of responsibility in the ecosystem

The debate goes beyond the technical and enters the territory of responsibility. If a company launches an AI agent that generates hundreds of automated vulnerability reports, does it have some obligation to also contribute the resources needed for maintainers to process those reports? This question still does not have a clear answer in the industry, but it is being asked with increasing frequency.

There is an interesting parallel with what happened in the past with bug bounty programs. When major companies started paying for flaw discoveries in their systems, the volume of reports grew dramatically, but average quality dropped. Many bug bounty platforms had to implement strict filters to prevent generic or duplicate reports from clogging review queues. Something similar seems to be happening now with AI, only on an even larger scale and hitting the very projects that have the fewest resources to handle it.

The volume of AI-generated alerts for open-source projects grew significantly in 2025, creating new and unprecedented pressure on small and often volunteer-run security teams.


What could change going forward

The good news is that the conversation about this imbalance has already started happening in the right places. Some artificial intelligence companies, including Anthropic, have been investing in funding programs and support for open-source projects that are critical to internet infrastructure. The idea is that if AI tools benefit from these projects and at the same time create pressure on them, it makes sense for some of the revenue generated by the sector to flow back to sustaining the maintainers who keep everything running.

Beyond that, there is a growing discussion about the need for minimum quality standards for vulnerability reports generated with AI assistance. Just as there is a responsible disclosure process that defines how and when a flaw should be publicly communicated, cybersecurity experts argue there should be a specific protocol for automation-generated reports, with mandatory relevance filters before submission. This would reduce the noise and allow teams like the cURL crew to focus on what truly matters.

Initiatives that could help in practice

Several ideas are already being debated and tested by the security community:

  • Automated triage systems with mandatory human review before reports are submitted to open-source maintainers
  • Confidence ratings on reports, indicating whether the discovery was made exclusively by AI, with AI assistance, or through human analysis
  • Financial support funds directed specifically at open-source projects that are frequent targets of automated scans
  • Submission limits for automated tools that interact with vulnerability reporting systems, preventing report overload in short periods
  • Partnerships between AI companies and maintainers to develop validation pipelines before reports reach the responsible teams

These measures would not solve the problem overnight, but they would create a more balanced ecosystem where the speed of AI does not outpace the human capacity to respond.
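The triage ideas listed above (required evidence, a provenance label, a submission cap for automated tools) sketched as a single pre-submission gate. This is an added example, not code from the article or from the cURL project; the section names, provenance labels and daily cap are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Evidence a maintainer needs before a report is worth a human hour (assumed section names).
REQUIRED_EVIDENCE = ("affected_versions", "reproduction_steps", "impact_explanation")
PROVENANCE_LABELS = ("human", "ai_assisted", "ai_only")
MAX_AUTOMATED_PER_DAY = 3  # hypothetical per-submitter cap for AI-generated reports


@dataclass
class Report:
    submitter: str
    provenance: str   # one of PROVENANCE_LABELS, declared by the submitter
    sections: dict    # free-form report sections keyed by name
    day: int          # submission day index, used for the rate limit


class SubmissionGate:
    """Pre-submission filter: rejects under-evidenced or over-frequent automated reports."""

    def __init__(self):
        self._accepted_automated = defaultdict(int)  # (submitter, day) -> accepted count

    def evaluate(self, r: Report) -> dict:
        reasons = []
        if r.provenance not in PROVENANCE_LABELS:
            reasons.append("missing or unknown provenance label")
        missing = [k for k in REQUIRED_EVIDENCE if not r.sections.get(k, "").strip()]
        if missing:
            reasons.append("missing evidence: " + ", ".join(missing))
        # An AI-only finding must at least point at the code it claims is flawed.
        if r.provenance == "ai_only" and not r.sections.get("code_location", "").strip():
            reasons.append("ai_only report lacks code_location")
        automated = r.provenance in ("ai_assisted", "ai_only")
        if automated and not reasons:  # only well-formed automated reports consume quota
            key = (r.submitter, r.day)
            if self._accepted_automated[key] >= MAX_AUTOMATED_PER_DAY:
                reasons.append("automated submission limit reached for today")
            else:
                self._accepted_automated[key] += 1
        return {
            "accepted": not reasons,
            "needs_human_review": r.provenance == "ai_only",  # always route to a human first
            "reasons": reasons,
        }


if __name__ == "__main__":
    # Constructed sample: a bare AI-only finding with no reproduction steps or version info.
    gate = SubmissionGate()
    bare = Report("scanner-a", "ai_only", {"code_location": "lib/url.c"}, day=1)
    print(gate.evaluate(bare))
```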

A balance that still needs to be found

What Daniel Stenberg’s case and cURL show us, in very concrete terms, is that the advancement of artificial intelligence in the field of cybersecurity is a double-edged sword. It can find flaws that humans would take years to discover, and that is genuinely incredible. But it can also create a tsunami of work for those who need to validate, fix, and communicate those flaws, without the surrounding ecosystem having yet developed the mechanisms needed to keep up with this new pace.

Balancing these two sides will be one of the sector’s biggest challenges in the coming years. Technology moves fast, but the human structures that hold up the internet — many of them maintained by passionate volunteers like Stenberg — need support proportional to the impact they absorb. If the artificial intelligence sector genuinely wants to contribute to a safer digital world, it will need to go beyond just finding problems and start becoming part of the solutions in a more active and responsible way. 🔐
