What is this news about?

The article discusses how new AI technology may significantly accelerate the identification and exploitation of vulnerabilities, and what this means for organizational security.

What is the key message?

The key message is that AI does not introduce fundamentally new vulnerabilities, but dramatically increases the speed at which existing weaknesses can be discovered and exploited.

Which actors are involved?

Anthropic is central with its new AI model, while companies like Apple and Amazon are given early access. The topic is covered by Wired, Bloomberg, The Guardian, and Bloomberg Law.

Are the claims about the AI capabilities verified?

Not fully. Several sources note that the claims have not been independently verified and may also reflect strategic positioning in a competitive AI market.

What does this mean for organizations?

It means that existing security weaknesses become more critical because they can be exploited faster. Organizations must reduce response times and prioritize fundamental security practices.

What actions should be prioritized now?

Faster patching, reducing exposed services, improving visibility into vulnerabilities and access, and strengthening the ability to handle incidents effectively.

Blog

12.04.2026

min read

When attacks happen in hours, security measures that take weeks are not enough

AI does not change what is vulnerable in your organization. It changes how quickly those weaknesses are found and exploited. That means security efforts need to move faster than before, not necessarily become more complex.

<span id="hs_cos_wrapper_name" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="text" >When attacks happen in hours, security measures that take weeks are not enough</span>

In recent weeks, there has been extensive media coverage of a new AI model from Anthropic, which according to the company itself can identify and exploit vulnerabilities far faster than before. The model is currently being tested in a closed collaboration with major technology companies to find and fix weaknesses before attackers do, as reported by Wired.

Bloomberg describes how companies like Apple and Amazon are given early access to the technology to strengthen their own security before it is potentially made more widely available. At the same time, The Guardian points out that parts of these claims have not been independently verified, and that the communication may also reflect strategic positioning in a highly competitive AI market.

For Norwegian organizations, this is not primarily a new type of threat. It is an amplification of something we already know.

This is not a new problem

The same weaknesses still apply. Lack of patching. Exposed services. Excessive access. Lack of visibility. These are not new problems. They are problems we have been discussing for years. The difference is the pace.

The pace has changed

Where it previously could take weeks to discover and exploit a vulnerability, it can now in some cases happen in days or hours. AI does not necessarily make attackers smarter. But it makes them faster and more scalable. This means the time you have to respond is shorter.

The real risk is the gap

The biggest risk now is not new technology in itself. It is the gap between what you know you should be doing and what you actually get done. Many organizations have a good understanding of their own risk. Still, actions are delayed because the organization is complex, because technical debt takes time to address, or because other initiatives are prioritized higher. As the pace of the threat landscape increases, this gap becomes more dangerous. This is not about becoming the best at security. It is about not being the easiest to attack.

Four actions leadership should ensure now

For leadership, this means ensuring that some very fundamental things actually happen.

Ensure patching happens fast enough: If it takes weeks to update critical systems, that represents a real risk. Automate where possible, and make sure the rest is handled within days, not weeks.
Reduce what is exposed: Review what is accessible from the internet. Close what does not need to be open. Most attacks do not start advanced, they start with something that should not have been accessible.
Gain visibility into your exposure: Many organizations lack an up-to-date overview of what is actually exposed, what is vulnerable, and where access is too broad. Without this, it is difficult to prioritize correctly.
Plan for failure: No security control is perfect. Ensure the organization can withstand one or more failures. This includes limiting the impact of an attack, ensuring critical data can be restored, and that important services can be maintained or scaled down in a controlled manner, rather than stopping completely.

You do not need to wait for all claims about AI and security to be fully documented before taking action. If the development is as fast as some suggest, it becomes even more important to get started. If it turns out to be exaggerated, these are still measures you should have implemented regardless.

AI does not change the rules of the game. It increases the pace. Whether it is possible to catch up depends on how far behind you are. Either way, it becomes more challenging the longer you wait.