Vulnerabilities and exploits: where are we headed?

In Are Mythos’ cyber capabilities overhyped?, co-authored with Epoch AI, we looked at the public evidence on how good Mythos Preview was at vulnerability discovery and exploit development. In this post, I consider the implications. For vulnerability discovery: moving from sparse sampling to dense sampling, AI vs fuzzing, long-term defense dominant but bumpy ride in 2026-2027 due to slow patch rollouts; offline vs online exploitation and why both are offense-dominant, except for one defensive use case of exploit development. AI discovering zero-days will eventually favor defense, but expect a bumpy transition in 2026 and 2027 Long-run dynamics: moving from sparse to dense vulnerability discovery Vulnerability discovery has always been heavily bottlenecked on labor: critical vulnerabilities remain abundant, because the software attack surface is so large. A mental model I find helpful is that this corresponds to a sparse sampling regime: both defenders and attackers are looking for vulnerabilities independently, each side covering a small amount of the available attack surface. Given that the attacker’s arsenal is the vulnerabilities it has found minus the ones the defender has also found, sparse and independent [1] sampling implies low overlap, which favors the attacker. The previous generation of vulnerability discovery automation, fuzzing, turned out to suffer from the same issue, because setting up fuzzing is labor-intensive, and many critical infrastructure codebases have very low fuzzing code coverage on OSS-Fuzz. (Also, network protocols are basically out of reach for fuzzing, as are many classes of vulnerabilities). Unlike fuzzing, AI vulnerability discovery can be applied broadly and easily (as Project Glasswing demonstrated). This moves the task of vulnerability discovery toward a dense sampling regime for the first time. In the limit where all the vulnerabilities are found by the defenders, attackers will be left with an empty zero-day arsenal. The effect w