
Brace Yourselves for a Vulnerability Explosion, Forescout Warns
Why It Matters
The explosion of AI‑driven vulnerability findings could outpace existing remediation pipelines, while the dual‑use nature of the technology gives cyber‑criminals a powerful new weapon, reshaping defensive and offensive cyber dynamics.
Key Takeaways
- AI models now identify vulnerabilities with 100% success in Forescout tests
- Faster AI discovery may overwhelm vendor CVE triage processes
- Threat actors can use AI agents to generate exploits autonomously
- “AI slop” bug reports strain open‑source bug‑bounty programs
Pulse Analysis
The latest Forescout study marks a turning point in how artificial intelligence is reshaping vulnerability research. Where a year ago more than half of AI models struggled with basic flaw identification, today every tested model can pinpoint weaknesses, dramatically shortening the discovery cycle. This leap mirrors broader generative‑AI advances that lower the expertise barrier, allowing even small teams to surface security gaps that previously required deep specialist knowledge. As AI tools become more adept, the volume of potential CVEs is set to rise sharply, challenging the traditional, labor‑intensive processes that govern vulnerability disclosure.
For vendors and open‑source maintainers, the surge presents an operational nightmare. The standard CVE assignment workflow—researcher discovery, vendor verification, and ID allocation—already stretches to three months; a flood of AI‑generated reports could extend that timeline or force prioritization shortcuts. Recent reports of “AI slop,” where models flag non‑issues as vulnerabilities, have already compelled some projects to suspend bug‑bounty programs. Organizations will need to invest in automated triage, machine‑learning‑enhanced filtering, and faster coordination with standards bodies to keep pace without compromising quality.
The dual‑use nature of these advances cannot be ignored. While security teams gain powerful assistants for rapid patching, the same agents enable threat actors to craft and test exploits with minimal human input. Forescout found that over half of the AI models could autonomously generate functional exploits, a capability that could lower the entry barrier for less‑skilled cybercriminals. This convergence of discovery and exploitation forces a strategic shift: defenders must not only accelerate remediation but also anticipate AI‑augmented attack vectors, integrating threat‑intelligence feeds that account for agentic behavior and investing in adversarial‑AI research to stay ahead of the next wave of automated attacks.