Insights & Updates on Application Security

AI Can Find Bugs 20x Faster. Your Team Can't Fix Them That Fast. That's the Problem.

Written by Bruce Fram | May 15, 2026 5:30:00 PM

The race is already lost on finding vulnerabilities. AI wins that one in a landslide.

In a recent piece titled "Vulnpocalypse: AI, Open Source, and the Race to Remediate," Chris Hughes of Resilient Cyber laid it out cold: Anthropic's Claude discovered over 500 high-severity zero-days across production open source codebases. AISLE found all 12 CVEs in OpenSSL's January 2026 coordinated release. An autonomous system became the number one ranked hacker on HackerOne. A blind SQL injection in Ghost, a publishing platform that had never had a critical security vulnerability in its history, took 90 minutes to find.
Ninety minutes!

Hughes cites researcher Nicholas Carlini's assessment that AI capability for vulnerability research is doubling roughly every four months. That's not a slow burn. That's a cliff edge.

Here's the part the industry keeps glossing over: finding the bug was never the hard part.

The Villain Isn't the Attacker. It's the Backlog.

Salt Typhoon didn't succeed because it was clever. It succeeded because organizations had the patches and couldn't deploy them. Known vulnerabilities. Documented fixes. Nobody got around to it.

That's the actual story. Quantum-resistant architectures and zero-trust frameworks mean nothing if the door is open because your team is buried in a triage queue that stretches to next quarter.

The 2026 Veracode State of Software Security Report confirms what anyone in the trenches already knows: 82% of organizations are carrying security debt. The median time to fix a vulnerability is 243 days. Critical security debt, meaning flaws that are both severe and highly exploitable, now affects 60% of organizations. That's a 20% relative increase in a single year.

The findings are getting faster to generate. The fixes aren't keeping pace.

AI Is a Superpower. The Question Is Whose.

Here's the math Chris Hughes surfaces, and it should bother everyone who runs AppSec:

Attackers using AI tools converted 2 to 10 minutes of human work into 1 to 4 hours of output. Researchers have demonstrated AI agents generating over 40 working exploits for a single flaw for $50. AI agent swarms found over 100 exploitable vulnerabilities across major hardware vendors in 30 days for $600 total. The exploitation timeline has collapsed: in 2018, the median time from disclosure to first observed exploit was 771 days. By 2024, it was measured in hours. 67% of exploited CVEs in 2026 are zero-days.

AI is a superpower for offense right now. Unambiguously. The same capability exists for defense. The same productivity multiplication is available to the teams trying to close vulnerabilities before they get weaponized. That's the window. That's exactly what we built AppSecAI to address.

The Bottleneck Is Remediation, Not Detection

SAST and DAST tools have been finding vulnerabilities for years. That's not the crisis. The crisis is that every scan generates weeks of manual triage work. AppSec teams spend most of their time just separating false positives from real issues, not fixing anything. Then the real issues pile up in a backlog that developers don't have the security knowledge to resolve and security teams don't have the bandwidth to hand-hold through.

We measured this. We took a person who had never seen our product, never seen the code, and gave them a few hundred pull requests to review. They averaged 8.2 minutes per vulnerability. We tracked it to the minute, because they billed us hourly. That same process, without automation, used to take months. Not because people are slow, but because the volume is inhuman.

That's the gap Chris Hughes is describing in his piece. The industry is about to face an order-of-magnitude increase in legitimate findings from AI-powered discovery tools, both on the open source side and inside enterprise codebases. The organizations that can't process findings today are going to drown.

What AppSecAI Does Differently

We don't add to the pile. We reduce it.

Our triage automation filters real vulnerabilities from noise at 97% accuracy. No more weeks spent on false positives. Our fix automation generates validated code fixes as pull requests in your existing workflow. Developers don't need to know what a SQL injection is. They only need to answer one question: did this change the functionality?

That's a question any developer can answer in minutes. Not months.

The per-fix cost drops from the industry average of $5,000 to $20,000 in combined labor to a fraction of that. We generate fixes in seconds. Human review averages 8.2 minutes. That's the pace that matches what AI-powered attackers are bringing to the other side of this equation.
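
To make the review question concrete, here is an added illustration (not AppSecAI's code, and not from Hughes's piece): a string-built SQL lookup beside its parameterized fix, with a small harness that answers "did this change the functionality?" per input. The table, the function names and the sample inputs are constructed for the example; the only behavioural difference shows up on an input containing a quote, which the original query could not handle.

```python
import sqlite3

# Constructed in-memory table standing in for an application database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "o'brien", "user")],
    )
    return conn

# "Before": the query text is assembled from caller input, so the input is
# interpreted as SQL rather than as data (the defect a scanner would flag).
def find_user_before(conn, name):
    sql = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

# "After": the proposed fix binds the input as a parameter; the SQL text is constant.
def find_user_after(conn, name):
    sql = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def run(fn, conn, name):
    """Capture either the rows or the error class so both versions can be compared."""
    try:
        return ("ok", fn(conn, name))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)

def review_fix(inputs):
    """For each input, report (before_outcome, after_outcome, unchanged).
    unchanged=True means the fix preserved behaviour for that input."""
    conn = make_db()
    report = {}
    for name in inputs:
        before = run(find_user_before, conn, name)
        after = run(find_user_after, conn, name)
        report[name] = (before, after, before == after)
    return report

if __name__ == "__main__":
    # Two ordinary lookups should be identical; the quoted name exposes the one difference.
    for name, (before, after, same) in review_fix(["alice", "nobody", "o'brien"]).items():
        print(f"{name!r}: before={before} after={after} unchanged={same}")
```

The harness reports "unchanged" for normal inputs and flags the quoted name, where the original query raised a syntax error and the fixed one returns the matching row; that flagged case is the one the reviewer needs to look at.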

As Chris Hughes writes, the defenders have the opportunity to move first. The technology is ready. The window is measured in months, not years.

The question isn't whether your SAST, DAST, or AI tools can find the vulnerabilities. They can. The question is whether your team can fix them before someone else finds them too.

AppSecAI automates vulnerability remediation (triage and fix) with 97% triage accuracy and an average human review time of 8.2 minutes per fix. Pay per fix, not per scan. Learn more here.