The Basement Hacker Never Sleeps

Bruce Schneier recommends on his blog reading Melissa Hathaway’s analysis in the Cyber Defense Review.

Here’s the essential takeaway.

In summary: AI tools now find flaws in code in hours, across thousands of products at once. The gap between “vulnerability discovered” and “attack possible” is now measured in hours, not months. Organizations have a 12 to 24 month window to catch up.

The Model Shift

For 40 years, the industry lived on one principle: ship fast, fix later. That worked because finding a flaw was long and difficult.

Companies gave themselves 30 days to fix a vulnerability, sometimes much more. Vendors also took their time before publishing a patch. That time is over.

The new model is direct: fix fast, or get exploited. Three facts that prove it:

• In three months, the cURL software team fixed more flaws than in each of the two previous years.
• 28% of published vulnerabilities are exploited within 24 hours.
• Microsoft’s April Patch Tuesday was the second largest in history.

The enemy of security is complexity. We just added a machine capable of exploiting every corner of it at scale.

Mythos, the AI tool making headlines, may be marketing hype. But I don’t rely only on announcements: I’m building my own LLM-based source code analysis tool and I’m already finding vulnerabilities. The capability is real and accessible to an individual with the right tools.

And it’s no longer hypothetical. OpenAI has already released GPT-5.5, judged as performant as Mythos for finding vulnerabilities. When Chinese models arrive — and they are arriving — we change speed for good. It’s no longer a single tool stirring passions; it’s a capability being normalized across all major players. The volume and speed of discoveries will have nothing in common with today.

Should We Really Worry?

The vulnerability itself isn’t new. The real change is who holds the tool.

Before, the danger was a kid in his basement with all the time in the world. Talented, patient, but alone, and limited by hours in a day. Today, it’s agents that don’t even need to sleep. Hacking tools end up in many more hands, and these tools work 24 hours a day, without fatigue or distraction. The real danger is 10x attack capacity, available to everyone.

That’s consistent with tech culture: “move fast and break things.” That was how software was built. It’s become how it’s attacked.

What You Need to Know

Nobody is too small. These flaws hit serious, widely used products.

End-of-support systems are time bombs. Flaws become easier to find, but these systems will never be patched.

Prepare for multiple incidents. Two critical flaws the same week, on two different products, is no longer science fiction. The isolated ransomware every three years is over.

What to Do: The Minimum Over 12 to 18 Months

The foundation is knowing what you own. That seems obvious. It isn’t.

When I run a security test, my first question is always the same: “Do you have a list of your publicly accessible targets?” I expect a list of domains, URLs, websites. In a 250-person company, getting it often takes one or two weeks, because you have to go around the teams. If you don’t even know your own attack surface, you can’t defend it. That’s where it starts.

Here’s a plan for you:

Months 1 to 3: Make our list

1. Asset inventory. A spreadsheet is enough: workstations, servers, network equipment, critical SaaS. You don’t protect what you don’t know.
2. Spot old systems. Highlight everything that no longer receives updates. That’s your red list.
3. Multi-factor everywhere. Email, remote access, admin accounts.

Months 4 to 9: Fix

1. Monthly patch cycle. A fixed maintenance window. For a critically exploited active flaw: less than 7 days.
2. Test your backups. One offline copy, and a real restoration test. One, but real.
3. Address the red list. Each unsupported system: replace, or isolate and restrict. Documented decision, approved by management.

Months 10 to 18: Prepare

1. One-page response plan. Who to call, how to disconnect, who talks to clients, who contacts the insurer. One page.
2. One-hour tabletop exercise. Scenario: critical flaw in common software, ransomware three days later. What do we do, who decides? Do we have all the information? Improve our documentation or training.
3. Contracts up to date. With your MSP vendor: which systems they patch, in what timelines, who owns legacy. Assume nothing.

So?

The advantage is temporary and still tilts the right way. Take it. The minimum is nothing special: inventory, two-factor authentication, faster patches, tested backups, end of old systems, one-page plan. What changes is the urgency and the fact that it’s no longer negotiable.

Sources

• Melissa Hathaway’s analysis in the Cyber Defense Review, vol. 11, no. 2, recommended by Bruce Schneier
• UK NCSC warning on the “patch wave”
• IBM X-Force Threat Index 2026
• HackerOne data on the discovery-to-remediation gap
• Bitsight analysis of Mythos
• NPR coverage of AI vulnerability discovery