You’ve probably already heard about modern frontier AI models that are very good at finding vulnerabilities in your code and creating potential exploits. In fact, these models are so good that their general use is severely limited in order to give defenders time to find and fix vulnerabilities before attackers can find and exploit them.
For context, on April 7, 2026, we began testing Anthropic’s Claude Mythos model as a launch partner for Project Glasswing. Our conclusion was clear. Modern models are extremely capable of discovering vulnerabilities and turning them into critical exploitation paths in near real-time. In Defender’s Guide to the Frontier AI Impact on Cybersecurity, we shared our initial findings and recommendations.
Since then, we have continued to test the latest frontier AI models as part of our Trusted Access for Cyber program, including Anthropic’s Mythos and Claude Opus 4.7 and OpenAI’s GPT-5.5-Cyber. Just a few weeks ago, the big question was, “Are we exaggerating the capabilities of our models?” After further testing, I can confidently say that this was not the case. In fact, these models may be even better at finding vulnerabilities than we originally realized. Today we’re providing an update on our ongoing investigation, what we’ve learned along the way, and the approach we’re taking to protect our customers.
Find and fix it before attackers find it and exploit it
Today, we released the May Patch Wednesday security advisory, a monthly pace of transparent vulnerability disclosure and remediation. This is the first time that the majority of discoveries were the result of code scanning of Frontier AI models.
- These are the results of a complete initial scan of over 130 products across all three platforms.
- As of today, we have patched all critical vulnerabilities in our SaaS-delivered products and have patches available for all products operated by our customers.
- Today’s advisory covers 26 CVEs (equivalent to 75), compared to normal volume (typically less than 5 CVEs per month). None of them are actually exploited. Note that this does not include CyberArk vulnerabilities that are exposed in the normal process.
It is important to understand that this is not a one-time situation. We are currently rescanning and applying everything we learned about how to provide the right context and threat intelligence to our models. We intend to fix all vulnerabilities found before advanced AI capabilities are widely available to attackers.
AI models are very powerful, but they’re not just magic. Achieving high-fidelity results requires building an AI scanning harness and leveraging context, guardrails, and threat intelligence. We also found differences between models due to training variability. Identifying a superset of vulnerabilities requires a multi-model approach. And finally, while the immediate priority is to discover and remediate the vulnerabilities that organizations currently have, the long-term change is to incorporate these models directly into the software development lifecycle. This is the light at the end of the tunnel. A future where software is secure by design.
Four steps every organization needs to take now
Regardless of the current limited access, we believe these features will be offered more broadly to other models as well. It is currently estimated that organizations have a narrow window of three to five months to outperform their adversaries before AI-powered exploits begin to become the new norm. This impending flood of vulnerability demands urgency. Organizations that don’t have the right safeguards in place will face an entirely new type of risk. Here’s what we recommend:
- Find and fix vulnerabilities in applications, products, and code
Find and fix it before attackers find it and exploit it.- Leverage AI models to identify vulnerabilities in all your codebases.
- Apply the same AI scan to your open source supply chain and remediate or mitigate findings.
- Work closely with product and development teams to perform rapid patching.
- Assess, reduce and remediate exposure
Reduce what attackers can access and protect what they need to have access to, such as customer-facing applications.- Attack surface management products such as Cortex Xpanse®has never been more important to discover and reduce exposure.
- Modern frontier AI models are very good at assessing exposures, understanding security misconfigurations, and prioritizing attack path reachability (with the right AI scanning harness).
- Audit your supply chain, including your AI infrastructure, runtime environment, and model dependencies.
- Reliably protect against attacks
Vulnerability exploitation is typically just one step in a multi-step attack lifecycle. Ensuring best-in-class protection has become even more important to prevent breaches.- Map current sensor coverage to identify critical blind spots in detection, prevention, and telemetry.
- Deploy best-in-class XDR everywhere, with a focus on real-time ML-based detection and attack prevention across all hosts, including on-premises and in the cloud.
- Deploy Agentic Endpoint Security to deploy vibe coding and AI security at scale across your enterprise (like Prisma AIRS).® And Koi, which we recently acquired, is now what we need to protect our agent endpoints).
- A secure enterprise browser with AI-based security is essential to protecting where your users do their work.
- Zero trust and identity security are the foundation for securing all users and connections, extending to internal segmentation and outbound application connections.
- Implement real-time security operations
Autonomous, AI-driven attacks reduce attack lifecycles to minutes and require every SOC to achieve single-digit mean time to detection (MTTD) and mean time to response (MTTR).- To detect new and frequently changing attacks at scale, attack detection must leverage AI/ML.
- These AI detections must work against a wide range of first-party and third-party data sources. A best-in-class AI SOC must work with all relevant data sources.
- Achieving single-digit MTTR requires natively integrated automation and automation across the entire SOC lifecycle. This automation will become increasingly agentic.
- This should provide a platform for eliminating seams and gaps created by point solutions.
- Evaluate and act as soon as possible.
Fighting AI with AI — AI Frontier Security Innovations Coming Soon
So far, Frontier AI models only detect new attacks and not new attack techniques. This means that with the right innovations, you can scale the use of AI to solve the security challenges your organization faces and deliver what your customers need to stay ahead of the ever-evolving threat landscape.
- Rethink virtual patching with proactive, high-fidelity content updates across network, endpoint, and cloud security – Expect a flood of patches across open source and technology suppliers, and virtual patching provides the layer of mitigation you need to give your teams time to update. The first phase of the feature will be rolled out soon.
- Enhanced attack defenses, including Cyber LLM-trained ML and small language models (SML) and behavioral protection – Initial testing with Cortex XDR® Our network security security services such as WildFire® Malware protection shows high protection coverage against the types of attacks created using these new frontier AI models.
- Use these models to scan your code, applications, and even security configurations – Our aim is to productize these capabilities and build them into our platform.
Unit 42 — We can help.
We recognize that not everyone has the capacity or expertise to implement all the recommendations to effectively combat cutting-edge AI-driven risks in the short term mandated by AI innovation. Our Unit 42 Frontier AI Defense service is designed to discover and remediate current risks before attackers do, strengthen controls to mitigate risks and contain impact, and modernize security operations so teams can detect and respond at machine speed.
This is a pivotal moment for our industry. The scale of the challenge we face is real, but I have confidence in our ability to solve it. We are here to help our customers navigate this transition and help defenders maintain their edge as the situation continues to evolve.
Forward-looking statements
This blog contains forward-looking statements that involve risks, uncertainties and assumptions. This includes, but is not limited to, statements regarding the benefits, effects, performance or potential benefits, effects or performance of our products or technologies or future products or technologies. These forward-looking statements are not guarantees of future performance, and there are a number of factors that could cause actual results to differ materially from those described in this blog. We identify certain important risks and uncertainties that may affect our results and performance in our most recent Annual Report on Form 10-K, most recent Quarterly Report on Form 10-Q and other filings with the Securities and Exchange Commission from time to time. These are available on our website (Investors.paloaltonetworks.com) and the SEC’s website (www.sec.gov), respectively. All forward-looking statements in this blog are based on information available to us as of the date hereof, and we undertake no obligation to update any forward-looking statements provided to reflect events that occur or circumstances that exist after the date on which they are made.
