AI does not just find vulnerabilities anymore. It writes the exploit, launches replicas of itself on compromised servers, and chains minor flaws into functional attacks. At Tech86, we have been tracking this evolution closely — and the 2026 data is unequivocal: the window between discovery and exploitation has collapsed from months to hours.
The first zero-day written by AI
The Google Threat Intelligence Group published a report that marks a before and after. For the first time, they identified a zero-day exploit developed by criminals using AI. The target: an open source web administration tool. The vulnerability type: two-factor authentication bypass.
The exploit was written in Python. And AI left signatures all over the code. Educational docstrings that no experienced criminal would write. A hallucinated CVSS score that did not match the actual vulnerability. Textbook structure with impeccable formatting. Google stated they had high confidence that an AI model was used, and explicitly said that neither Gemini nor Mythos was involved.
What makes this dangerous is the type of vulnerability exploited. It was not a buffer overflow or a crash detectable by fuzzers. It was a high-level semantic logic error: the developer hardcoded a trust exception in the authentication flow. The contradiction between the 2FA logic and the hardcoded exception is exactly the kind of thing LLMs are getting good at finding. They read developer intent, understand context, and identify logical contradictions. Traditional static analysis tools do not do this.
The exploit was intercepted before the mass campaign. But Google was clear: the implementation errors likely disrupted the criminals' plans this time. That may not last.
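The bug class described above, as an added example that is not code from the report or from the affected tool: a login handler in which a hardcoded exception contradicts the rule that every login needs a second factor, next to a version with no bypass path. The user record, the `backup-agent` client label and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample data; none of it comes from the tool in the report.
USERS = {"alice": {"password": "correct horse", "totp_secret": b"constructed-secret-1"}}
TRUSTED_CLIENT = "backup-agent"  # hypothetical hardcoded trust exception


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def first_factor_ok(user: str, password: str) -> bool:
    record = USERS.get(user)
    # Plaintext comparison keeps the sample short; real code verifies a password hash.
    return record is not None and hmac.compare_digest(
        record["password"].encode(), password.encode())


def login_vulnerable(user, password, code, client_id, now):
    if not first_factor_ok(user, password):
        return False
    # Flaw: a caller-supplied label switches the second factor off, which
    # contradicts the rule that every login needs a valid code.
    if client_id == TRUSTED_CLIENT:
        return True
    expected = totp(USERS[user]["totp_secret"], now)
    return hmac.compare_digest(expected.encode(), code.encode())


def login_hardened(user, password, code, client_id, now):
    # client_id is accepted for logging only; it never influences the decision.
    if not first_factor_ok(user, password):
        return False
    secret = USERS[user]["totp_secret"]
    # Allow one step of clock drift either side; no code path skips this check.
    return any(hmac.compare_digest(totp(secret, now + d).encode(), code.encode())
               for d in (-30, 0, 30))
```

A fuzzer sees nothing wrong with `login_vulnerable` because every path returns cleanly; the defect only shows up when the early `return True` is compared against the stated 2FA requirement, which is why a regression test asserting "no valid code, no session" for every client label is the practical guard.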
Self-replication: the agent that copies itself
Palisade Research published the first documented demonstration of AI self-replication via hacking. A Qwen 3.6-based agent received a single prompt. In 2 hours and 41 minutes, it found a vulnerability in the target, exploited it, extracted credentials, transferred its own model weights and harness, and started a functional inference server on the compromised machine. The replica repeated the process against the next target.
4 hops. 4 countries. Canada, US, Finland, India. Each hop exploited a different vulnerability — hash bypass, SSTI, SQL injection, broken access control. The agent did not know which vulnerability existed. It discovered it on its own at each hop.
The numbers are stark. Opus 4.6 achieved 81% success on the full attack chain. Twelve months ago, the rate was 6%. A 16x jump in one year. Open-weight models copy their own weights. API models deploy Qwen weights on the target machine. The chain works regardless of whether the model is open or closed.
The average enterprise incident detection time is 10 days, according to Mandiant. Each replication takes 30 to 60 minutes. The agent propagates faster than human response can identify and contain it. Jeffrey Ladish, director of Palisade Research, was blunt: we are rapidly approaching the point where no one could shut down a runaway AI because it would be able to self-exfiltrate its weights and copy itself to thousands of computers worldwide.
State-sponsored offense is already in production
The state-sponsored landscape is more advanced than organized crime. APT45, from North Korea, sends thousands of prompts to analyze CVEs and validate PoCs, building exploit arsenals at scale. UNC2814, from China, uses persona-driven jailbreaking on Gemini to research RCE in TP-Link router firmware and OFTP protocols. Russian groups generate junk code with AI to confuse malware analysts and fabricate synthetic audio for disinformation operations.
John Hultquist, chief analyst at GTIG, put it in perspective: there is a false perception that the AI vulnerability race is imminent. The reality is that it has already started. For every zero-day traced back to AI, there are probably many more out there.
The 6-to-12-month window that Dario Amodei mentioned when unveiling Mythos just got shorter. It is no longer a projection. It is a documented fact.
When defense becomes offense: Mythos and macOS
Researchers at Calif, a security company in Palo Alto, used an early version of Anthropic's Mythos to discover a privilege escalation in macOS. They chained two bugs with evasion techniques to corrupt Mac memory and access regions protected by Apple's most advanced security technologies. A 55-page report delivered in person to Apple in Cupertino.
Calif's CEO Thai Duong was honest: the attack could not have been done by Mythos alone. The human expertise of Calif's hackers was essential. Mythos accelerated discovery. Humans built the exploit. The combination is what makes the model dangerous — and productive.
Palo Alto Networks, which also has access to Mythos and GPT-5.5-Cyber, announced they found 75 vulnerabilities in their own products in one month. The historical average was 5 to 10 per month. A 7x jump. In several cases, individual vulnerabilities would not be disclosure-worthy on their own. But the models identified how to chain multiple flaws into functional exploit paths. The models generated functional exploits in over 70% of cases. Palo Alto estimates organizations have 3 to 5 months before attackers gain broad access to these capabilities.
100 orchestrated agents: Microsoft's MDASH
On the May Patch Tuesday, Microsoft revealed MDASH — Multi-model Agentic Scanning Harness. A system that orchestrates over 100 AI agents to discover, debate, and prove exploitable bugs end-to-end. The result: 16 vulnerabilities found, including 4 critical RCEs in the Windows kernel.
The RCEs are serious. CVE-2026-33827: use-after-free in tcpip.sys, kernel IPv4, remote and unauthenticated. CVE-2026-33824: double-free in IKEEXT, pre-authentication, affects VPN and DirectAccess. CVE-2026-41089: stack overflow in Netlogon, CVSS 9.8, RCE on domain controllers without authentication. CVE-2026-41096: heap out-of-bounds in dnsapi.dll, CVSS 9.8, RCE via crafted DNS response.
MDASH is not a model. It is an agentic system around models. Over 100 specialized agents, each handling one stage: static analysis, hypothesis generation, exploit construction, validation, debate. An ensemble of frontier and distilled models. Larger models propose, smaller ones validate. Agents debate until consensus. On benchmarks: 21 planted vulnerabilities in a private Windows driver, MDASH found all of them with zero false positives. 96% recall on 5 years of MSRC cases. 88.45% on the public CyberGym with 1,507 real vulnerabilities.
The lesson is clear. You do not need the most powerful model. You need the right agentic architecture. 100 orchestrated agents outperform any single frontier model.
The window collapsed — now what?
Each isolated event is news. Together, they signal a structural shift. Criminals used AI to develop a zero-day exploit, the first such case identified. Agents self-replicate via hacking across 4 countries. Security models discover 7x more vulnerabilities than the historical average. 100 orchestrated agents find critical RCEs in the Windows kernel. AI vulnerability discovery is no longer a research curiosity: it is production operations.
The window between "AI finds the bug" and "attacker exploits the bug" is shrinking. The remaining friction — implementation errors, controlled environments, models that hallucinate scores — is diminishing. In 12 months, the self-replication success rate jumped from 6% to 81%.
At Tech86, we integrate AI into the security pipeline with agentic architecture. We use the same patterns the adversary uses — but before they do. Offensive security with AI is not a differentiator in 2026. It is the minimum required to keep the window on your side.
