April 2026 brought a moment that made the security community hold its breath: Anthropic imposed new usage restrictions on its Mythos Preview model after the system, during testing, autonomously discovered and exploited zero-day vulnerabilities across every major operating system and browser. This isn't science fiction — it happened. In the same month, CISA added six actively exploited flaws to its catalog, including Fortinet FortiClient EMS SQL-injection bug CVE-2026-21643 with a CVSS of 9.1.
On the breach front, Basic-Fit leaked data on 1 million members (names, birth dates, bank details). Rockstar Games became collateral damage in a ShinyHunters campaign that pivoted through third-party vendor Anodot.
Why "AI Finds Zero-Days" Matters
Zero-day hunting used to be the preserve of elite hackers and nation-state teams, requiring years of experience and deep intuition. An AI model can now do this, which means:
1. The attack barrier collapses. You no longer need to be an APT group. Anyone with access to capable open-source models could surface serious flaws in enterprise systems.
2. Defense must automate. The classic "human red team twice a year" model is obsolete. AI red teams must run 24/7 against your own products.
3. AI governance is now core to security. Anthropic's response — proactively restricting its own model's capabilities — is a milestone. AI labs are acknowledging that model capability itself is a security risk.
Three Security Trends for 2026
First, vulnerability exploitation is overtaking phishing as the dominant attack path. Unpatched N-days and AI-assisted zero-days are rising sharply.
Second, supply-chain attacks keep expanding. Rockstar wasn't breached because of its own systems; it was breached because Anodot was. Every company must treat supply-chain security as a first-class concern.
Third, the app store is no longer a safe haven. A malicious Ledger Live clone slipped through Apple's review and drained ~$9.5M from 50 victims. Official-store endorsement is no longer absolute trust.
My Take
We're entering an era of "AI vs. AI" in security. The real concern isn't just that attackers use AI — it's this: when your adversary is a model that reviews 100,000 lines of code simultaneously and never sleeps, can your defense keep up?
For SMBs, prioritize three things: inventory every third-party integration and SaaS dependency; tighten your baseline N-day patching cadence; and consider AI-powered security monitoring — fight AI with AI. The era of "just buy a firewall" is over.