Imagine a world where AI doesn't just protect us from cyber threats, but becomes a master hacker itself. This chilling reality is closer than you think. Vlad Ionescu and Ariel Herbert-Voss, the brains behind the cybersecurity startup RunSybil, recently experienced a jaw-dropping moment when their AI tool, Sybil, uncovered a critical vulnerability in a client’s system. But here’s where it gets controversial: Sybil’s discovery wasn’t just impressive—it was unprecedented. The tool identified a flaw in the client’s use of federated GraphQL, a complex system for managing data access, that exposed sensitive information. What’s truly alarming is that this issue required an exceptionally deep understanding of multiple systems and their interactions—something even seasoned experts might miss. RunSybil later found the same vulnerability in other GraphQL deployments, long before it became public knowledge. “We searched everywhere, and it wasn’t documented,” Herbert-Voss explains. “This was a leap in AI reasoning capabilities—a game-changer.”
This incident highlights a growing concern: as AI models grow smarter, their ability to detect—and potentially exploit—zero-day vulnerabilities is skyrocketing. The very intelligence that helps secure systems can also be weaponized by malicious actors. Dawn Song, a leading computer scientist at UC Berkeley specializing in AI and security, warns that recent advancements have dramatically enhanced AI’s cybersecurity prowess. Techniques like simulated reasoning, which breaks problems into smaller parts, and agentic AI, which mimics human actions like web searches or software installation, have supercharged these models. “We’re at an inflection point,” Song asserts. “AI’s cybersecurity capabilities have surged in just the past few months.”
To measure this progress, Song co-created CyberGym, a benchmark testing AI’s ability to find vulnerabilities in open-source software. The results are staggering: in July 2025, Anthropic’s Claude Sonnet 4 identified 20% of known vulnerabilities in the benchmark. By October, its successor, Claude Sonnet 4.5, found 30%. “AI can uncover zero-days at a fraction of the cost,” Song notes. But this raises a critical question: Are we prepared for a future where AI-powered hacking outpaces our defenses?
Song argues that we need urgent countermeasures. One idea is to enlist AI as a defensive ally, helping cybersecurity experts stay ahead of threats. She also suggests that AI companies share their models with security researchers pre-launch, allowing them to identify and patch vulnerabilities before public release. And this is the part most people miss: Song’s lab has demonstrated that AI can generate code more secure than what most programmers write today. “A secure-by-design approach could be a game-changer for defenders,” she says.
However, the RunSybil team warns that in the short term, AI’s coding abilities could tip the scales in favor of hackers. “AI can execute actions and generate code—two core skills of hackers,” Herbert-Voss points out. “If these capabilities accelerate, so will offensive cyberattacks.”
What do you think? Is AI’s growing hacking prowess a boon for cybersecurity, or a ticking time bomb? Should we focus on defensive AI, secure-by-design coding, or something else entirely? Let’s debate this in the comments—the future of cybersecurity may depend on it.
