AI is reshaping the future of vulnerability research. Advanced AI models are capable of discovering vulnerabilities at machine speed, far faster than organizations can patch them. The consequences for defenders are enormous — and the opportunities for adversaries are vast.
In the latest episode of the Adversary Universe podcast, CrowdStrike’s Adam Meyers, SVP of Counter Adversary Operations, and Cristian Rodriguez, Field CTO of the Americas, unpack some of the most pressing questions facing security teams today: What does AI-powered vulnerability research mean for the future of security operations? How will adversaries use it to their advantage?
Threat actors are already using AI in their operations: The CrowdStrike 2026 Global Threat Report revealed an 89% year-over-year increase in attacks by adversaries using AI. FANCY BEAR, FAMOUS CHOLLIMA, and PUNK SPIDER are among the prolific threat actors weaponizing AI in their operations, using it to craft more convincing phishing lures, automate social engineering, and improve the speed of malicious content. While core tradecraft remains human-driven, AI acts as a force multiplier, helping adversaries increase efficiency. A tool in the eCrime space uses AI to conduct voice phishing attacks, which can now be executed agentically.
As AI continues to rapidly mature and adversaries explore its use, the hosts explain, the pressure is on organizations to defend against their evolving tradecraft. Vulnerability discovery, exploitation, and patching are front and center among their concerns. And CrowdStrike is at the forefront of defense, as a founding member of Project Glasswing and participant in OpenAI’s Trusted Access for Cyber program.
The Looming Vuln-pocalypse
The most urgent topic discussed is the “vuln-pocalypse,” a term used to describe the projected massive influx of newly discovered vulnerabilities driven by AI-accelerated research.
“I’ve been saying since November, we’re looking at three to nine months until a massive influx of zero-day vulnerabilities,” Adam says in this episode.
To explain why, he describes the two ways vulnerabilities are traditionally found. One uses deep reverse engineering of the target to create an exploit. The other, more frequently used method is fuzzing, which involves feeding random data into a program’s inputs until it crashes, then analyzing the results to see what is broken and potentially exploitable. AI can dramatically accelerate fuzzing by triaging those results to find something useful in far less time than a human could.
More than 48,000 new CVEs were published in 2025. If AI accelerates discovery by even 10x, Adam points out, defenders could be looking at nearly half a million vulnerabilities requiring attention in the coming years. “That’s going to mean significant trouble,” he notes.
Why? Adversaries are eyeing zero-days and weaponizing vulnerabilities at greater speed. In 2025, CrowdStrike Counter Adversary Operations observed a 42% year-over-year increase in the number of zero-days exploited prior to public disclosure, the 2026 Global Threat Report found. Chinese adversaries demonstrated they can consistently operationalize publicly disclosed exploits within days of the vulnerability’s release — in some cases, within two days.
Not an “End of the World” Situation
While organizations are rightfully concerned about the rise in vulnerabilities, Adam and Cristian shared some key defensive takeaways to help them approach it.
Patching Prioritization
There are two ways organizations typically prioritize patching. The first is prevalence, or how widespread the vulnerability is in their environment. The second is severity, typically determined by CVSS score. This system breaks down when adversaries chain multiple vulnerabilities together: while each may appear low-priority in isolation, together they can open a door.
Organizations must be more thoughtful in what they’re patching, how they’re patching, and when. Adam’s guidance is to patch based on what is actively being exploited in the wild; he references CISA’s Known Exploited Vulnerabilities catalog, which shares the vulnerabilities CISA is aware of being exploited on a weekly basis. Security teams don’t have to patch every vulnerability — they have to patch the vulnerabilities that present the greatest threat.
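An added example, not from the podcast or CrowdStrike: the same scanner findings ranked by CVSS and prevalence, then with KEV-listed CVEs first. The findings, placeholder CVE IDs, dates, and tie-break order are constructed assumptions; the `cveID`, `dueDate`, and `knownRansomwareCampaignUse` keys follow CISA's KEV JSON feed.

```python
import json

# Constructed excerpt in the shape of CISA's KEV JSON feed (placeholder CVE IDs).
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-0002", "dueDate": "2026-01-20", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0004", "dueDate": "2026-02-03", "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Constructed scanner findings: CVE, CVSS base score, number of affected hosts.
FINDINGS = [
    {"cve": "CVE-0000-0001", "cvss": 9.8, "hosts": 3},
    {"cve": "CVE-0000-0002", "cvss": 5.4, "hosts": 40},
    {"cve": "CVE-0000-0003", "cvss": 7.5, "hosts": 120},
    {"cve": "CVE-0000-0004", "cvss": 6.1, "hosts": 12},
]

def rank_by_severity_and_prevalence(findings):
    """Traditional ordering: highest CVSS first, host count as tie-breaker."""
    ordered = sorted(findings, key=lambda f: (-f["cvss"], -f["hosts"]))
    return [f["cve"] for f in ordered]

def rank_kev_first(findings, kev):
    """Known-exploited CVEs first. Assumed tie-breaks inside the KEV group:
    known ransomware use, then earliest due date, then CVSS and prevalence."""
    index = {v["cveID"]: v for v in kev["vulnerabilities"]}

    def key(f):
        entry = index.get(f["cve"])
        if entry is None:  # not known to be exploited: falls behind every KEV entry
            return (1, 0, "", -f["cvss"], -f["hosts"])
        ransomware = 0 if entry["knownRansomwareCampaignUse"] == "Known" else 1
        return (0, ransomware, entry["dueDate"], -f["cvss"], -f["hosts"])

    return [f["cve"] for f in sorted(findings, key=key)]

if __name__ == "__main__":
    print("CVSS/prevalence:", rank_by_severity_and_prevalence(FINDINGS))
    print("KEV first:      ", rank_kev_first(FINDINGS, KEV_SAMPLE))
```

The two medium-severity findings that sit at the bottom of the CVSS ordering move to the top once exploitation status is the primary key.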
Zero-Days Are Just the Beginning
Zero-days are alarming, but they’re not the catastrophe many assume they are. Even if an adversary uses a zero-day to gain access, Adam explains, they still need to do something with their access — move laterally, escalate privileges, identify targets, exfiltrate data. All of this post-exploitation activity is observable. If the adversary can be caught, they can be stopped.
These observations contribute to CrowdStrike’s “community immunity,” Cristian says. “Every time an adversary burns through some new type of tradecraft, we’re crowdsourcing that telemetry.” All of this high-fidelity telemetry can then be used to identify that behavior in the future.
AI in the Defender’s Toolbox
Below are some of the ways defenders can incorporate AI into their security posture:
- Agentic red teaming: Continuous red-team exercises can surface vulnerabilities in the environment before adversaries find them.
- AI vulnerability scanning: Use AI to proactively identify vulnerabilities in the development pipeline.
Organizations are also advised to stay current on agentic AI news to understand this constantly evolving space and prepare their environments.