AI Can Now Find and Exploit Vulnerabilities in Hours — Here's What GCC CISOs Must Do Now

SANS, CSA, and OWASP warn that AI has collapsed the exploit timeline from years to hours. A new CISO briefing — built by 60+ experts, reviewed by 250+ CISOs — delivers 11-action framework GCC security leaders can deploy this week.

Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA Region5 min read
A security operations center dashboard depicting AI-driven vulnerability exploitation timelines, representing the SANS Institute and Cloud Security Alliance's 2026 Mythos-Ready CISO briefing.

A security operations center dashboard depicting AI-driven vulnerability exploitation timelines, representing the SANS Institute and Cloud Security Alliance's 2026 Mythos-Ready CISO briefing.

The window between a vulnerability being discovered and it being weaponised against enterprise systems has collapsed. Not gradually — dramatically. According to the Zero Day Clock, the mean time from vulnerability disclosure to confirmed exploitation now stands at less than one day in 2026, down from 2.3 years in 2019.

That is the context behind a major emergency strategy briefing released today by four of the world's leading cybersecurity organisations: the SANS Institute, the Cloud Security Alliance (CSA), [un]prompted, and the OWASP GenAI Security Project. Released from Dubai and distributed across the MENA region, the briefing — titled "The AI Vulnerability Storm: Building a Mythos-Ready Security Program" — gives CISOs and enterprise security leaders an immediately actionable framework for responding to the new reality of AI-driven vulnerability discovery and exploitation.

What Triggered the Emergency Briefing

The document was produced over a single weekend by more than 60 named contributors and reviewed by over 250 CISOs globally. Its urgency is driven by a specific catalyst: the capabilities demonstrated by Anthropic's Claude Mythos (Preview) and Project Glasswing, which autonomously identified thousands of zero-day vulnerabilities across every major operating system and web browser — including a 27-year-old vulnerability in OpenBSD, one of the most security-hardened operating systems available.

In internal testing, Mythos generated 181 working exploits against Firefox vulnerabilities under conditions where the previous best AI model succeeded only twice. The model achieved a 72% exploit success rate and demonstrated the ability to chain multiple vulnerabilities into single exploit paths without any human guidance.

"The window between vulnerability discovery and weaponization has collapsed into hours," said Rob T. Lee, Chief AI Officer and Chief of Research at SANS Institute. "What Mythos shows us is a permanent acceleration. This document gives CISOs something the commentary doesn't: a risk register, priority actions with start dates, and a board briefing they can use this week."

A 12-Month Escalation GCC Security Teams Cannot Ignore

The briefing documents a rapid escalation in AI offensive capabilities that has been building for over a year — and which has direct implications for enterprise security operations across the Gulf:

In June 2025, XBOW became the first autonomous system to top HackerOne's US leaderboard, outperforming all human hackers on the platform. In August 2025, DARPA's AI Cyber Challenge found 54 vulnerabilities across 54 million lines of code in just four hours. By November 2025, Anthropic disclosed that a Chinese state-sponsored group had used AI to autonomously run full attack chains — from reconnaissance through data exfiltration — across approximately 30 global targets.

By February 2026, more than 500 high-severity vulnerabilities in open source software had been identified using AI. A Sysdig-documented AI-based attack reached administrator-level access in eight minutes. Linux kernel maintainers saw vulnerability reports climb from two to ten per week.

For GCC enterprises running critical infrastructure, financial services platforms, and government digital services — all of which operate on the same open source and commercial software stacks — this escalation is not a distant threat. It is an active operational risk.

What the Briefing Delivers

The strategy document provides four concrete tools for enterprise security teams:

A 13-item risk register mapped to four industry frameworks: OWASP LLM Top 10 2025, OWASP Agentic Top 10 2026, MITRE ATLAS, and NIST CSF 2.0. An 11-item priority actions table with aggressive timelines. 10 diagnostic questions for CISOs to triage their current security programme. And a board-ready executive briefing section — directly relevant for GCC security leaders navigating the board-level AI confidence gap that has emerged across the region's enterprises in 2026.

The briefing's first priority action is deliberately immediate: point AI agents at your own code this week. The longest-horizon item is standing up a permanent Vulnerability Operations (VulnOps) function within 12 months, staffed and automated for continuous AI-driven discovery across the entire software estate.

The Governance Dimension: EU AI Act and Liability Exposure

Beyond the operational urgency, the briefing raises a governance flag that is increasingly relevant for multinationals operating across the GCC and Europe simultaneously. The EU AI Act takes effect in August 2026, introducing automated audit requirements, incident reporting obligations, and cybersecurity requirements around AI systems. When AI can find and exploit vulnerabilities at scale, the standard for what constitutes reasonable defensive effort shifts — creating direct liability exposure for organisations that do not adapt their security programmes accordingly.

The Culture Problem No Technology Solves

One of the briefing's more pointed findings is its classification of the AI security capability gap as a cultural challenge as much as a technological one. Defensive teams that have not adopted AI agents face a widening gap against AI-augmented adversaries, regardless of their existing technical skills.

"Attackers already operate as syndicates — crowdsourcing, sharing tools, moving as a collective. Defenders have to do the same," said Gadi Evron, CEO of Knostic and CISO-in-Residence for AI at the Cloud Security Alliance, and lead author of the briefing. "We built this in three days because CISOs needed it now, not when it was perfect. The organisations that build the muscle now — the processes, the tooling, and a culture willing to adopt AI as a core part of how security gets done — will be the ones that meet the next wave on their own terms."

Access the Briefing

"The AI Vulnerability Storm: Building a Mythos-Ready Security Program" is available free at labs.cloudsecurityalliance.org/mythos-ciso. Audio and video overviews are available at sansurl.com/CISO-mythos-ready. The briefing is released under a CC BY-NC 4.0 license.

Omar Al-Hakeem

Senior Cyber Threat Analyst | MENA Region

Omar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.

Intelligence Focus Areas

AI-Driven Threat IntelligenceGCC CISO Strategy & GovernanceVulnerability Management MENAAI Security & Governance Enterprise Security Leadership