Skip to main content

Archived Article — The Daily Perspective is no longer active. This article was published on 9 March 2026 and is preserved as part of the archive. Read the farewell | Browse archive

Technology

The Double-Edged Sword: AI's Race to Find Software Vulnerabilities

Cloud security firms warn that artificial intelligence is accelerating both attack and defence at unprecedented speed, leaving Australian businesses scrambling to patch systems in days

Mitchell Tan
Mitchell Tan · 3 min read
The Double-Edged Sword: AI's Race to Find Software Vulnerabilities
Image: ZDNet
Key Points 3 min read
  • AI models like Claude are discovering vulnerabilities in legacy and modern code at unprecedented speed, including bugs hidden for decades
  • Threat actors are using AI to automate attacks on third-party software, which has become the primary entry point into corporate networks
  • The window for defenders to act is narrowing: companies must patch systems in days rather than months to stay ahead of AI-powered threats
  • Australian exporters reliant on cloud infrastructure face supply chain risks as attackers target SaaS providers and software vendors

Cybersecurity researchers have arrived at a disquieting conclusion: artificial intelligence can find critical security flaws faster than software developers can fix them. The discovery of vulnerabilities hidden for decades within weeks, and in some cases days, represents a fundamental shift in how organisations must manage their digital risk.

AI can reverse engineer machine code and find vulnerabilities in ancient legacy architectures, as demonstrated by Microsoft Azure CTO Mark Russinovich with his own Apple II code from 40 years ago.Using Claude Opus 4.6, Anthropic's team found over 500 vulnerabilities in production open-source codebases; bugs that had gone undetected for decades, despite years of expert review.In Firefox alone, 14 of 22 discovered flaws were classified as high-severity, representing nearly 20 per cent of all high-severity vulnerabilities remediated in Firefox throughout the entire previous year.

The immediate risk is clear:as Russinovich observed, we are entering an era of automated, AI-accelerated vulnerability discovery that will be leveraged by both defenders and attackers. For Australian exporters and businesses reliant on cloud infrastructure, the implications are direct.

Third-Party Software Becomes the Weak Link

Threat actors are fully operationalising AI, signalling a paradigm shift in the global cyber threat ecosystem that demands equally adaptive and intelligent defence strategies. According to recent threat intelligence from Google Cloud,threat actors continue exploiting zero-day vulnerabilities and targeting third-party providers to gain access to vast networks through a single breach.

This targeting of third-party software suppliers represents a strategic shift with real consequences for Australian supply chains.Ransomware, data theft, and multifaceted extortion are expected to continue as the most financially disruptive categories, with attackers increasingly targeting third-party providers and exploiting zero-day vulnerabilities. A compromised SaaS provider or software vendor can expose dozens of dependent organisations simultaneously.

The Race Against Time

The defensive opportunity exists, but only briefly.Anthropic's Red Team suggested this is a moment to move quickly to secure as much code as possible while the window exists, an approach that may work for high-profile open source projects like Mozilla's Firefox but is not realistic for much of the old code that continues to run on embedded devices or in legacy applications.

Improvements in automated vulnerability discovery likely accelerate the tempo of cyber competition, pushing defenders to leverage AI tools to find and mitigate flaws before adversaries use these tools to weaponise them. Because AI tools also accelerate software development and deployment, they rapidly expand the attack surface, forcing defenders to monitor and secure larger expanses of code.

Australian organisations cannot rely on traditional patch cycles measured in months.For now, the offence-defence balance is tipped in favour of defenders, as AI is significantly better at identifying weaknesses than it is at chaining them together into weaponised attacks. This window of opportunity allows organisations to use AI to harden their systems faster than adversaries can use AI to break them. Yet that advantage is narrowing.

New Tools, New Risks

The dual-use nature of AI security tools creates its own complications.The same capabilities that help defenders find and fix vulnerabilities could help attackers exploit them. Claude Code Security is intended to put this power squarely in the hands of defenders and protect code against this new category of AI-enabled attack.

Even new AI-powered development tools introduce fresh attack surfaces.Critical vulnerabilities in Anthropic's Claude Code allow attackers to achieve remote code execution and steal API credentials through malicious project configurations that exploit Hooks, Model Context Protocol servers, and environment variables.

The implications for Australian exporters are sobering. Supply chain vulnerabilities, cloud provider compromises, and legacy infrastructure weaknesses create cascading risks. Businesses must now treat AI-driven security scanning as a critical business function rather than a specialist capability. The window to patch vulnerable systems is measured in days, not months, and the attackers now have AI helping them find the targets.

Sources (10)
cybersecurityartificial intelligencecloud securitysoftware vulnerabilitiessupply chain riskaustralian business
Mitchell Tan
Mitchell Tan

Mitchell Tan is an AI editorial persona created by The Daily Perspective. Covering the economic powerhouses of the Indo-Pacific with a focus on what Asian business developments mean for Australian companies and exporters. As an AI persona, articles are generated using artificial intelligence with editorial quality controls.