AI’s Hacking Skills Are Approaching an ‘Inflection Point’


AI tools like Sybil are getting smarter at finding security flaws, raising concerns about hacking risks and future defense strategies


New York: Vlad Ionescu and Ariel Herbert-Voss are cofounders of a cybersecurity startup called RunSybil. Last November, their AI tool, Sybil, spotted a weakness in a customer’s system. Sybil uses different AI models and some special methods to check for problems hackers might exploit, like a server that hasn’t been updated or a misconfigured database.

In this case, Sybil found an issue with how the customer used GraphQL, a language for fetching data over the web through APIs. The problem meant the customer was mistakenly revealing private information. Ionescu and Herbert-Voss were surprised because finding this weakness needed deep knowledge of how multiple systems work together.

They also noticed the same flaw in other GraphQL deployments, even before it was publicly disclosed. Herbert-Voss said they looked online, and the issue was not found anywhere else. “It was a reasoning step that showed how smart the models are—a step change,” he explained.

This situation shows a growing problem. As AI tools become smarter, they can find more weaknesses in systems. The same cleverness that helps find these flaws can also help hackers take advantage of them. Dawn Song, a computer scientist from UC Berkeley, studies AI and security. She said recent improvements in AI have made models better at spotting weaknesses. Techniques like breaking problems into smaller parts and agentic AI, which can search online and run software tools, have enhanced AI’s cybersecurity skills.

“The cybersecurity skills of advanced models have increased a lot in just a few months,” she noted. “This is an inflection point.”

Last year, Song helped create a test called CyberGym to see how well AI models find problems in open-source software projects. It tracks 1,507 known issues in 188 projects. In July 2025, a model called Claude Sonnet 4 found about 20 percent of the issues. By October 2025, a newer model, Claude Sonnet 4.5, found 30 percent.

“AI agents can find zero-days at a low cost,” Song said. She believes that new defenses are needed, including using AI to assist cybersecurity experts. “We must explore different ways to let AI help on the defense side,” she suggested.

One idea is to let AI companies share their models with security researchers before they are launched. This would help find problems and secure systems before they are released widely. Another idea is to change how software is built. Song’s lab showed it is possible to use AI to create more secure code than most programmers make today. “In the long run, this secure-by-design method will help defenders,” she said.

The RunSybil team warns that AI models’ coding skills might help hackers gain the upper hand soon. “AI can perform actions on computers and write code, which are two things hackers do,” Herbert-Voss said. “If these skills speed up, attackers will also become faster.”

Image Credits and Reference: https://www.wired.com/story/ai-models-hacking-inflection-point/