Commercial AI Models Show Rapid Gains in Vulnerability Research

The landscape of cybersecurity is shifting at an unprecedented pace. While much attention has focused on elite, non-public frontier AI systems like Anthropic’s Claude Mythos, commercial AI models are quietly making remarkable strides in vulnerability research. According to new findings from Forescout‘s Verde Labs, these widely available tools are now capable of identifying and exploiting security flaws that once required deep human expertise.

Just a year ago, the picture looked very different. Verde Labs reported that 55% of AI models failed basic vulnerability research tasks, and a staggering 93% could not generate working exploits. Fast forward to 2026, and the situation has transformed dramatically. Today, all tested models can complete vulnerability research assignments, and half can autonomously produce functional exploits.

The Rise of Autonomous Exploit Generation

This rapid progress is not just incremental—it represents a fundamental shift in what commercial AI can achieve. Forescout evaluated 50 different AI models, spanning commercial, open-source, and even underground variants. The standout performers were Claude Opus 4.6 and Kimi K2.5, both of which can now find and exploit vulnerabilities without requiring complex prompts. This ease of use makes them accessible to inexperienced attackers, lowering the barrier to entry for cybercrime.

“These are widely available AI models exceeding human capability,” said Rik Ferguson, VP of Security Intelligence at Forescout. However, he cautioned that their performance may not yet match the scale, speed, and quality of Anthropic’s Claude Mythos, which remains in a class of its own.

Real-World Discovery: New Zero-Day Vulnerabilities

During testing, Forescout’s team used single prompts combined with the RAPTOR agentic framework—an open-source AI system designed for cybersecurity research—alongside the firm’s own extensions. This approach led to the discovery of four new zero-day vulnerabilities in OpenNDS, a widely deployed network management system. Notably, one of these flaws existed in code that Verde Labs had already manually analyzed and missed entirely.

This finding underscores a critical point: AI can spot weaknesses that even experienced human researchers overlook. As a result, organizations must rethink their assumptions about software security.

Cost Dynamics: Commercial vs. Open-Source AI

Commercial AI models delivered the best results in Forescout’s testing, but they come with a hefty price tag. Claude Opus 4.6, for instance, costs up to $25 per million output tokens. On the other hand, open-source alternatives like DeepSeek 3.2 handle basic tasks at a fraction of the cost—with all test tasks costing less than $0.70. Meanwhile, access to Claude Mythos will be priced at $25 per million input tokens and $125 per million output tokens for participants.

Therefore, a practical strategy is emerging: using different models based on task complexity and budget. Both defenders and attackers can now mix and match AI tools to optimize cost and capability.

Implications for Cybersecurity Defenders

Building on these findings, Forescout warned that if its research can uncover new vulnerabilities with open models—and if larger initiatives like Project Glasswing can surface thousands of zero-days in critical software—then organizations should assume their environments already contain unknown vulnerabilities. AI will inevitably find them, whether used by ethical researchers or malicious actors.

This means that proactive vulnerability research is no longer optional. Companies must invest in AI-driven security tools and continuous monitoring to stay ahead. For more on securing your infrastructure, check out our guide on AI security best practices.

What This Means for the Future

The democratization of vulnerability research through commercial AI models presents both an opportunity and a threat. On one hand, it empowers defenders to find and fix flaws faster than ever before. On the other hand, it equips attackers with powerful capabilities that require minimal expertise.

As Ferguson noted, the genie is out of the bottle. The key question is not whether AI will find vulnerabilities, but who will find them first. To learn about the latest trends, read our analysis on emerging cyber threats in 2026.

In conclusion, the rapid gains in commercial AI for vulnerability research signal a new era in cybersecurity. Organizations must adapt quickly, leveraging AI for defense while preparing for a world where software flaws are discovered at machine speed.