Vulnpocalypse: why experts fear AI is tipping the scales in favor of hackers
Artificial intelligence is changing a lot of things in the tech world, but not all of those changes are exactly encouraging.
While companies and governments celebrate AI breakthroughs in productivity and innovation, a growing group of cybersecurity experts is sounding the alarm about a scenario that could be much darker than it appears. And this week, that scenario stopped being purely theoretical and landed right at the center of global discussions about digital security.
The name given to this threat is Vulnpocalypse — a mashup of vulnerabilities and apocalypse — and it represents the very real possibility that AI could put hackers in a position of advantage never seen before over the world’s digital defenses. We’re not talking about science fiction or a Netflix series script. We’re talking about a serious conversation, backed by hard data and heavy hitters, that’s happening right now, in real time.
This discussion took a dramatic turn when Anthropic, one of the biggest AI companies on the planet, decided not to publicly release its newest model, Mythos Preview. The company cited unprecedented vulnerability-discovery capabilities that could cause significant harm in the wrong hands. Instead of releasing the model to everyone, Anthropic chose to share it only with a limited group of major tech companies and partners, with the goal of helping them strengthen their defenses. That’s a rare move in the tech industry, where new model launches are usually treated as events, complete with marketing campaigns and all the fanfare. Holding back a product of this magnitude takes a very strong reason — and the reason Anthropic gave was exactly that.
The concern goes well beyond a single corporate decision. It has already reached the top levels of the U.S. government. Shortly after Anthropic’s announcement about Mythos Preview, U.S. Treasury Secretary Scott Bessent called a meeting with the country’s leading financial institutions to discuss the rapid developments happening in the AI space, according to an agency spokesperson. 🌐
What’s at stake here is no small thing: we’re talking about hospitals, financial systems, industrial plants, and critical infrastructure like water and power grids — all of which could become targets for increasingly sophisticated attacks, aided by AI tools accessible to anyone with an internet connection and the will to cause damage.
What makes Vulnpocalypse different from other digital threats
For decades, the world of cybersecurity operated in a kind of uneasy balance: on one side, hackers and criminal groups trying to find cracks in systems; on the other, security teams patching those cracks as fast as they could. It was a digital arms race, but one with relatively known rules. The problem now is that artificial intelligence could break that balance in a definitive and asymmetric way, favoring attackers far more than defenders.
That happens because finding vulnerabilities in complex software is a task that requires time, deep technical knowledge, and a whole lot of patience. Historically, only highly skilled hackers could chain multiple flaws together to create a truly devastating attack. But when you put an AI that can analyze millions of lines of code in seconds, identify failure patterns, suggest ways to exploit them, and even simulate attack scenarios, that barrier to entry all but disappears. What used to take weeks of specialized work could now take hours — or minutes.
Casey Ellis, founder of Bugcrowd, a platform for cybersecurity researchers who hunt for vulnerabilities, summed up the problem pretty directly: we have far more vulnerabilities than most people like to admit, fixing all of them was already hard, and now they’ve become much easier to exploit by a much wider range of potential adversaries. According to him, AI is putting the tools needed to do this into far more people’s hands.
Receive the best innovation content in your email.
All the news, tips, trends, and resources you're looking for, delivered to your inbox.
By subscribing to the newsletter, you agree to receive communications from Método Viral. We are committed to always protecting and respecting your privacy.
And here’s the most concerning part of all this: AI tools don’t discriminate based on who’s using them. A legitimate security researcher can use these capabilities to find and fix flaws before someone with bad intentions exploits them. But a criminal group, a hostile nation, or even an individual with personal motivations can use the exact same tools for the opposite purpose. The technology is neutral; the intent of whoever uses it is not. 😬
Ellis also pointed out a fundamental asymmetry that makes the picture even more troubling: a defender needs to be right every single time, while an attacker only needs to be right once. That sentence alone pretty much explains why the scales tend to tip toward attackers when both sides gain access to the same AI tools.
The Anthropic case and the model that stayed in the vault
Anthropic’s decision not to publicly release Mythos Preview is a major milestone in this story and deserves to be understood in its full context. The company, which is known for its more cautious approach to AI development — especially compared to competitors like OpenAI and Google — ran a series of internal tests on the model before making any release decision. What those tests revealed was enough to bring the process to a halt.
Mythos Preview demonstrated a capability that experts call vulnerability chaining. In practice, this means the model doesn’t just identify an isolated flaw in a system — it can map how that flaw connects to other existing weaknesses, creating a chain of exploitation that can progressively compromise entire systems in ways that are nearly invisible to traditional defense tools.
Logan Graham, who leads offensive cybersecurity research at Anthropic, explained that Mythos isn’t simply good at finding vulnerabilities — it’s capable of chaining them into complex exploits that become devastating hacking tools. That’s very different from anything any AI model had publicly demonstrated up to that point, and it put Anthropic’s researchers in a real ethical dilemma: releasing technology like this openly would essentially be handing a high-precision digital weapon to anyone who knew how to use it.
But Graham also left an important warning: even if Mythos never goes public, he expects Anthropic’s competitors — including companies in China — to release models with comparable hacking capabilities in the coming months and years. In his words, we should be planning for a world where, within six to twelve months, capabilities like these could be widely distributed or widely available, and not just by companies in the United States.
Graham emphasized that this is an aggressive timeline, considering that preparations for threats of this nature normally take many years. 🔐
Mediocre hackers now have superpowers
One of the most concerning aspects of Vulnpocalypse, and one that often flies under the radar, is the impact of AI on intermediate or even beginner-level hackers. Historically, pulling off sophisticated attacks against well-protected targets required a level of technical skill that served as a natural barrier. Not everyone who wanted to attack a hospital or a power plant could actually do it, simply because they didn’t have the necessary know-how.
Cynthia Kaiser, a former senior FBI cybersecurity official and currently senior vice president at Halcyon, a company focused on ransomware attack prevention, expressed direct concern about this dynamic. According to her, the aspiring hackers, that underground current of people who weren’t capable of carrying out these kinds of operations just a year ago, now have in their hands some of the most powerful tools ever known to humanity.
Kaiser pointed out that healthcare and critical manufacturing were the sectors most targeted by ransomware in the past year, and that this pattern is expected to intensify. These are sectors with extremely low tolerance for downtime — a hospital can’t just go offline for hours while it tries to recover its systems. And it’s exactly that urgency that makes these targets so lucrative for criminal groups that use ransomware as a business model.
AI, in this context, works as a force equalizer. It allows people with limited technical knowledge to carry out attacks that were previously reserved for only the most sophisticated groups. This doesn’t just increase the volume of attacks — it also diversifies attacker profiles, making the job of defense exponentially harder. 😰
Critical infrastructure: the most vulnerable target
When experts talk about Vulnpocalypse, the part that worries them the most isn’t corporate data theft or personal information leaks — even though those are serious problems on their own. What keeps people who work in high-level cybersecurity up at night is the possibility of coordinated attacks against critical infrastructure: systems that control power supply, water treatment, hospital networks, emergency communications, and financial markets.
Katie Moussouris, CEO and co-founder of Luta Security, a company that connects vulnerability researchers with software developers, said she expects scenarios similar to what happens when major cloud providers go down and take significant chunks of the internet with them. According to her, we will certainly start to see major disruptions that have cascading effects on other industries, like the airline industry experienced during the CrowdStrike incident, and like various services are affected when Cloudflare or Amazon Web Services go offline.
AI could also have significant impacts on cyber warfare and attacks against U.S. critical infrastructure, by giving an edge to hackers whose only goal is destruction. The original report cites the case of Iran as a concrete example: since the beginning of tensions with the U.S., Iranian hackers have been attacking multiple American targets, but they have repeatedly overstated their capabilities. So far, they’ve managed to carry out only one publicly significant destructive attack — against a medical technology company in Michigan called Stryker.
U.S. federal agencies reported this week that Iran has had some success breaching critical infrastructure companies, including water and wastewater services and the energy sector, with the intent of causing disruption. It’s still unclear whether any of those attacks were significant, and the victims have not been publicly identified.
But AI could make this work much easier. Some industrial control systems have robust cyber defenses, while others — like certain water treatment stations in sparsely populated areas — simply don’t. These systems tend to be challenging for hackers because they rely on more obscure and specialized technologies. However, as Jason Healey, a senior researcher at Columbia University specializing in cyber conflict, observed, AI could change that: instead of needing to train a generation of hackers who understand water treatment plants, AI should be able to help understand those systems and automate the intrusion process. ⏳
Doomsday scenario or overblown hype?
Bryson Bort, founder of Scythe, a platform that helps industrial systems simulate potential cyberattacks, offered an important counterpoint. According to him, critical infrastructure is often isolated from the internet, which makes a true catastrophic scenario unlikely. Not everything here leads to an immediate scenario where everyone starts dying like in a Hollywood movie, he said.
However, Bort acknowledged that it is feasible for persistent hackers, with the right access, to keep attacking systems like water treatment stations and force them to temporarily stop functioning until operators regain control. In his words: if the system keeps getting compromised, I need it to work at some point, to actually produce water.
That distinction matters. Vulnpocalypse doesn’t necessarily mean the end of the digital world as we know it. But it does mean a substantial escalation in the frequency, sophistication, and impact of cyberattacks — something that could cause enormous economic losses, put lives at risk, and shake public trust in digital systems that everyone depends on every single day.
The race against time: what’s being done and what’s still missing
The good news, if you can even call it that, is that awareness of the problem is growing. Agencies like CISA in the United States and their European counterparts are beginning to incorporate AI-based threat scenarios into their national security planning. Major banks and financial institutions are already investing in attack simulations that use artificial intelligence on both the offensive and defensive sides — what’s known as AI red teaming. And cybersecurity research communities are developing defense tools that also leverage AI to detect attack patterns before they cause real damage.
Anthropic’s own decision to share Mythos Preview with strategic partners, rather than simply shelving the model, reflects this approach. The idea is to use AI’s offensive capability as a defensive tool, allowing major tech companies to identify and fix their own vulnerabilities before real attackers can exploit them.
But there’s a structural problem that no technical tool can solve on its own: the speed at which AI models are evolving is far greater than the speed at which regulations and security policies can keep up. Logan Graham’s warning from Anthropic, about the six-to-twelve-month window for Mythos-equivalent capabilities to become widely available — including outside the United States — illustrates this gap well. While the regulatory debate is still at the stage of defining what constitutes a dangerous AI, research labs are already developing next-generation models.
This mismatch between innovation and governance is perhaps the biggest risk of all — because that’s where the most critical vulnerabilities hide, far from the spotlight and far from monitoring tools.
The message Vulnpocalypse leaves for all of us
For businesses and organizations that depend on digital systems — and these days that includes pretty much everyone — the message the Vulnpocalypse debate sends is straightforward: waiting for regulation or the perfect solution is not a viable strategy. Investing in regular security audits, updating legacy systems, training teams to recognize AI-based threats, and participating in threat intelligence sharing networks are concrete steps that make a real difference — and they don’t require any new legislation to get started.
The current moment is one of those inflection points that, looking back a few years from now, will probably be remembered as the beginning of a new era in cybersecurity. The question that remains is: when that future arrives — and all signs point to it coming very soon — who’s going to be ready? 💡
