Increasingly powerful AI tools are expected to fuel the explosion in newly discovered CVEs and further compress exploitation windows. The CVE surge is threatening to overwhelm the National Vulnerability Database (NVD), although the bug backlog has also been blamed on “mismanagement and other strategic failings” at the National Institute of Standards and Technology (NIST) by a Department of Commerce Watchdog, reports The Record. The urgency of responding to the threat, meanwhile, has been heightened by the news that Google has for the first time identified cybercriminals leveraging AI to uncover and exploit a hitherto unknown vulnerability at scale. John Hultquist, chief analyst at Google Threat Intelligence Group, said the finding was the “tip of the iceberg” for the emerging threat of autonomous malicious hacking. 🧊
First things first
Unfortunately, AI is not yet accelerating remediation in the same way that it is supercharging bug discovery. As such, effective prioritisation of the most dangerous vulnerabilities has never been more important – something security leaders are now recognising. For instance, the trade body for European airports, Airports Council International Europe, has published an open letter urging the industry to implement a risk-based vulnerability management process that determines “Severity (CVSS) + Exploit Prediction (e.g. EPSS) + Exposure (e.g. to the internet) + Business Impact (e.g. Confidentiality, Integrity, Availability)” and prioritises remediation on this basis. 📝
Similarly, a new Cybersecurity and Infrastructure Security Agency (CISA) directive requires US federal civilian agencies to prioritise vulnerability remediation according to real-world risk, including internet exposure, known exploitation, exploit automation and potential technical impact, rather than severity scores alone. The highest-risk vulnerabilities must be fixed within three days and undergo forensic triage to determine whether compromise has already occurred. Prioritisation is now a top priority.
CISA's prioritisation equation mirrors the calculation that YesWeHack uses to prioritise findings generated from multiple sources: Bug Bounty, VDP reports, Autonomous Pentest and Continuous Pentesting. Our latest article explains why CVSS is only one part of this equation, how prioritisation works on the YesWeHack platform and the implications for security teams. 💡
Organisations cannot take for granted that they can leverage the latest models in security testing. The US government recently ordered Anthropic to immediately shut off access to two of its most powerful AI models because of national security concerns. Anthropic has been forced to disable access to Claude Fable 5 and Claude Mythos 5 worldwide.
CISO roundup
A few other stories of note to CISOs and security teams:
🛡️ Microsoft says it will not pursue security researchers after zero-day backlash – Alexander Martin on The Record
🛡️ What companies patch, and what they don’t – Arve Kjoelen, Barracuda Networks
🛡️ Cybersecurity Has Become a Cult – CISO Series podcast
🛡️ Why a decade of writing detection logic makes the Mythos exploit numbers less scary – Signalblur on Magonia Research
🛡️ NSA using Claude Mythos for ‘offensive cyber operations’, report claims – Bruno Ferreira on Tom’s Hardware
🛡️ 2026 Cybersecurity Workforce Research Report – by SANS and GIAC Certifications
🛡️ Cybersecurity considerations 2026 – KPMG report
🛡️ Veeam: Why Rogue Agentic AI Is a CISO Responsibility – Rithula Nisha in Cyber Magazine
🛡️ Pentagon grapples with securing AI as it moves toward autonomous warfare – Dina Temple-Raston, The Record
AI is reshaping – and reaffirming – the Bug Bounty model from both sides of the testing dynamic, with AI scopes creating novel testing challenges and AI tooling is enhancing vulnerability discovery. 🤖 YesWeHack has already launched dozens of Bug Bounty Programs with AI-related scopes – from simple chatbot interfaces to complex, multi-agent architectures with tool-calling capabilities. However, traditional architecture still underpins AI-powered systems. The first article in a three-part series on AI-focused Bug Bounty Programs explains YesWeHack’s approach to securing the conventional stack around AI. Parts two and three will cover the integration layer (AI-specific vulnerabilities) and the guardrails (model behaviour and misuse resistance). Watch this space… 👀
Not dead. Just evolving
When Anthropic declared Claude Mythos not safe for general release, it sparked fears that AI might kill Bug Bounty. Fortunately, the data says otherwise. As the image below shows, our hunters are generating growing numbers of high and critical findings as AI models advance. Anecdotal evidence corroborates this: for instance, Aituglo, a YesWeHack-registered hunter, has found it “easier to find bugs”. Crucially, all these vulnerabilities are truly actionable. Unlike non-experts – and the AI models themselves – ethical hackers can validate real-world exploitability, while our triage team of well-drilled security engineers, also augmented by AI, adds another layer of time-saving validation. As we observed in the last edition, there’s a reason why the US tech giants continue to expand their Bug Bounty programs. ✅
Don’t just take our word for it about the value of expert human validation. ‘Xclow3n’ tested four AI-assisted approaches for finding vulnerabilities over the course of a week and found that most of his findings “fell apart” during exploitation. “AI is fast at coverage, hypothesis generation, and code analysis,” he explained. “It’s bad at impact assessment, validation and knowing what’s actually exploitable. Every model inflated findings. The researcher’s judgement was the difference between noise and CVEs every single time. AI doesn’t replace security researchers – it’s a force multiplier, not a replacement.” ⚡
Other researchers have reached similar conclusions about frontier AI’s cyber capabilities, including Anthropic’s much-hyped Claude Preview. cURL creator Daniel Stenberg reviewed a Mythos-generated report on curl’s git repo, which claimed five confirmed security vulnerabilities. After investigation, that turned into a rather less impressive trio of false positives, one non-exploitable bug and a single validated vulnerability. Stenberg acknowledged that AI-powered code analysers outperform tradition analysers, but said they have yet to surface anything truly novel. 🤔
Continuous Pentesting
Without effective human validation, SecOp teams can drown in vulnerability alerts – and leveraging AI without expert human oversight only makes the problem worse. Designed to remedy this problem, Continuous Pentesting from YesWeHack combines real-time visibility of fast-evolving attack-surfaces, targeted security checkpoints and agentic pentesting guided by experienced researchers, with two layers of human validation (hunters and triagers) ensuring 0% noise. We’ve documented the six-step process of Continuous Pentesting, which involves minimal effort on the customer’s part. 😌
With AI tools compressing exploitation timelines, our security checkpoints are rapidly crafted to detect newly disclosed CVEs.The YesWeHack platform can map your external attack surface, quickly identify instances running affected versions and run targeted checks across your perimeter to confirm real exploitability – giving your team a clear, actionable view of the risk. It also equips you to respond reassuringly when a critical new CVE drops and your CEO asks: “are we exposed?” Relatedly, two real-world examples of CVEs covered by our checkpoints are CVE-2026-48907, an unauthenticated RCE in the Joomla Content Editor extension, and CVE-2026-9082, a PostgreSQL SQL Injection in Drupal. ⏱️
Built around a four-step cycle of MAP > TEST > FIX > COMPLY, our offensive security and exposure management platform is built for the age of AI. That’s why our approach happens to align closely with Anthropic’s recommendations for ‘preparing your security program for AI-accelerated offense’. 🔁
Of course, there’s no room for point-in-time manual pentesting among Anthropic’s recommendations. We shared our take on a recent Gartner report about continuous offensive testing, in the context of frontier models’ growing cyber capabilities. Regulation is catching up with the need for continuous testing too. DORA, which applies to EU financial services firms, prescribes continuous testing, with Bug Bounty recognised as a legitimate vehicle. In our latest customer story, the CPTO of European fintech Sogexia notes that “Bug Bounty perfectly aligns with DORA requirements”. 📜
The latest customer story published on our blog stars TeamViewer’s Patricia Leppert. Find out why the team manager for customer trust and security at the digital workplace platform feels they “backed the right horse and have never regretted our decision” to partner with YesWeHack. 🚀
Do you use AWS Marketplace to procure software and digital services? Then implementing YesWeHack solutions will now be easier, since we’re available on Amazon’s digital catalogue for buying, deploying and managing third-party software.
🤘 Meet the YesWeHack Team 🤘
Here’s where you can meet the YesWeHack team and learn about our Bug Bounty and vulnerability management platform in the coming weeks:
📍Congrès du coTer Numérique | Reims, France | booth 178 | 23-24 June
📍 European Cyber Security Organisation (ECSO) 10-year anniversary event | Brussels, Belgium | 24-25 June
📍 OWASP AppSec | Vienna, Austria | booth S12 | 25-26 June
📍leHACK | Paris, France | booth 49 | 26-27 June | Featuring a YesWeHack live hacking event (the brand behind the scopes will be revealed on day one)
📍GITEX AI Europe | Berlin, Germany | booth H4.2-C74, Expand North Star Zone | 30 June-1 July
📍FutureCon | California, US | 23 July
Read this monthly roundup even sooner by subscribing to CrowdSecWisdom – our LinkedIn newsletter curating news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.
Are you a bug hunter or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, Bug Bounty Bulletin – offering hunting advice, interviews with hunters and CTF-style challenges, among other things.
