AI can now weaponize vulnerabilities in 15 minutes for less than the cost of a Costco hot dog.
Researchers at Valmarelox (linked in comments) just showed AI can automatically and rapidly generate working exploits based on CVE reports for around a dollar.
It's slower than the time for your hot dog to be ready but significantly faster than your change advisory board can get their next meeting scheduled.
When this capability becomes widespread, 30-day patch windows will become as relevant as a 2021 return-to-office plan.
Is AI-powered exploitation scarier than Brady in support getting phished for his credentials?
Maybe?
Attackers still need to know your stack and then chain exploits for your specific system.
But AI will figure that out too. It's just a matter of time.
What will matter in the future?
🐇 How fast can you patch when you absolutely have to?
💥 How quickly can you recover when a patch (inevitably) breaks production?
🚧 How fast can you make a vulnerability irrelevant through isolation or compensating controls when there isn't a patch available?
Drive conversations around emergency patching - when is the risk of breaking a given service worse than guaranteed exploitation?
Two years ago, this was impossible.
Two weeks ago, it was plausible.
Today, it's been demonstrated.
How long until "possible" becomes "probable"?
Uncertainty isn't an excuse for inaction.
If you're not starting to plan for this, you're betting your infrastructure on patch cycles designed for when exploits took weeks to write, not minutes.
That's a bet I wouldn't take.