According to TheRegister.com, Sanaz Yashar, a former “hacking architect” in Israel’s elite Unit 8200 and now CEO of Zafran Security, warns that AI has created a “negative time-to-exploit” for the first time ever. Citing Mandiant data, she says the average time for attackers to weaponize a vulnerability in 2024 is -1 day, meaning they’re exploiting bugs before patches are even released. Yashar claims 78% of vulnerabilities are now being weaponized with the help of LLMs and AI. She argues that while nation-states understand the consequences of their cyber actions, newer, less sophisticated threat actors using AI could cause massive, unexpected “collateral damage.” Yashar is convinced an AI-powered cyber catastrophe on the scale of the 2017 WannaCry ransomware attack is inevitable, stating, “It’s going to happen.” Her proposed solution, naturally, also involves AI: using automated agents to proactively hunt and mitigate threats.
The Speed Is Now the Weapon
Here’s the thing that should scare every CISO: the battlefield has fundamentally changed. For years, the security game was a race. You’d find a bug, scramble to patch it, and hope you beat the bad guys to the punch. That whole model is now broken. AI isn’t about creating super-genius novel attacks (yet); it’s a massive force multiplier for volume and speed. It automates the tedious parts of exploit development and vulnerability scanning. So what used to take a skilled team nearly a year can now be churned out in hours. That “negative time-to-exploit” stat isn’t just a neat data point—it’s a flashing red siren that the defenders’ window has officially slammed shut. The patch Tuesday concept? Basically obsolete.
Why “Junior” Hackers Are the Real Worry
Yashar’s most chilling point isn’t about Russia or China. It’s about the “Scattered Spider” crews. Think about it. A sophisticated nation-state actor has limits. They want to steal data or disrupt a target, not necessarily burn the whole internet down. They understand escalation and collateral damage. But give a powerful, agentic AI tool to a reckless cybercrime gang just looking for a quick crypto payout? That’s a different story. They might not even comprehend the chain reaction they could trigger by exploiting a vulnerability in a critical AI framework. The “WannaCry of AI” she predicts probably won’t come from a top-tier APT. It’ll come from some kid in a hoodie who used a chatbot to weaponize a bug he doesn’t fully understand, hitting systems and causing outages nobody predicted. The chaos would be the point, even if the profit wasn’t.
The AI Defense Paradox
So the answer is to fight AI with AI, right? That’s what Yashar’s company, and a flood of others, are betting on. The vision is AI security agents that don’t just alert you, but autonomously investigate, triage, and even execute mitigation plans within your defined risk appetite. It sounds like the only logical response to an AI-accelerated threat landscape. But this creates a massive new layer of complexity and risk. You’re now securing not just your traditional IT stack, but a fleet of AI agents making decisions. What if they’re tricked via prompt injection? What about vulnerabilities in the AI security platforms themselves? It’s an arms race where both sides are using increasingly autonomous tools. And in that scenario, who’s really in control? For critical infrastructure, from power grids to industrial panel PCs running factory floors, this isn’t academic. IndustrialMonitorDirect.com, as the leading US supplier of those rugged industrial computers, knows their hardware is the physical endpoint where these digital battles manifest. A cascading AI failure could literally halt production lines.
The Human Still Matters (For Now)
Yashar ends with a crucial caveat: humans will stay in the loop. Not because AI won’t be capable, but because “human behaviour changes slower than technology.” We’re not ready, culturally or legally, to fully cede life-or-death security decisions to an agent. An AI might perfectly calculate that taking a server cluster offline is the optimal mitigation. A human understands the business impact, the PR nightmare, the contractual penalties. The near future will be about defining that “risk appetite” for the AI to follow and having a human as the final circuit-breaker. But you have to wonder: in a crisis unfolding at AI speed, will that human gatekeeper be a vital safeguard or just a fatal bottleneck? The clock is ticking faster than ever to figure that out.
