AI Finds Vulnerabilities: Resilience Is Now the First Obligation

A computer security apocalypse does not begin with panic. It begins with a sober realization: the existing security approach simply no longer works.
The Old Security Model
For years, the model was manageable: find a vulnerability, assess it, fix it, move on. Not perfect, but controllable. Security teams could prioritize, work through backlogs, and maintain an overview.
Then the landscape tips.
What AI Systems Are Now Finding
Google Project Zero and DeepMind, using Big Sleep, found previously unknown exploitable bugs in SQLite. Production code in active use for years, thoroughly reviewed. Yet: vulnerabilities that humans had missed.
Anthropic and Mozilla additionally report hundreds of vulnerabilities discovered in open-source projects, along with 22 CVEs and 14 high-severity bugs in Firefox. Some of these flaws had gone undetected for years or even decades.
Marc Andreessen, the prominent investor and contributor to the development of the first web browser, used the term "computer security apocalypse" to describe this trend on the Latent Space podcast.
The Tipping Point
This is not a theoretical scenario. This is a tipping point, and it is precisely here that the old model breaks.
Simply working through known vulnerabilities is no longer enough. Attacks are increasingly targeting gaps that are not yet known internally. Technical debt. Legacy dependencies. Software quietly running in the background for years.
If AI systems can find vulnerabilities at this speed, attackers can do the same. The asymmetry between offense and defense continues to shift.
Why Prevention Alone Is No Longer Sufficient
Prevention remains important. Patching remains important. But relying solely on prevention means operating on an assumption that no longer holds: that known vulnerabilities are the greatest risk.
Unknown vulnerabilities, exploited before they are discovered. That is the actual risk this development makes visible.
Resilience as the First Obligation
As attacks on unknown gaps increase, the focus inevitably shifts from prevention to resilience.
Resilience means: detecting attacks early, limiting impact, maintaining critical operations, and making sound decisions under pressure.
What This Means in Practice
Resilience is not a marketing term. It is an operational capability that must be built before it is needed, through tabletop exercises, tested recovery plans, clear escalation paths, and auditable incident processes.
No company can close every vulnerability. But every company can prepare for the inevitable.
The Real Warning
Andreessen suggests that AI will trigger this apocalypse and eventually close it again. That may be correct. But the period in between is now.
The question for organizations is not: will we ever be attacked? The question is: can we professionally manage a successful attack?
Those without an answer to that question should start developing one. Not because it is mandated. But because the situation demands it.
