2 items
Google's criminal AI zero-day confirms the new attack topology: AI compressed bug discovery to near-zero cost, but the attacker still needed credentials and the patch cycle still ran in days. The asymmetric trade sits in IAM hardening and patch-velocity infrastructure. The AI-security pure-plays are already priced for the headline; the credential layer is what actually moved.
Coordinated disclosure was an information-containment regime, and containment fails when discovery diffuses. Eleven independent researchers landed the same critical bug in six weeks; Copy Fail took roughly an hour of AI-assisted scanning to find; Dirty Frag's embargo collapsed within hours via unrelated rediscovery, with Microsoft Defender confirming in-the-wild exploitation a day later. The offense side has integrated LLMs into exploit pipelines. The defense and policy layer largely has not, and that asymmetry is the actual risk — CVE feeds are now lagging artifacts, and patch-diff intelligence is the signal that matters.
