Claude and other AI agents are forcing both attackers and defenders to abandon manual security work, creating a genuine arms race where the outcome remains uncertain. Mozilla used Claude Mythos Preview to identify 271 vulnerabilities in Firefox 150, including 180 high-severity bugs, representing a dramatic shift from the typical 20 to 30 security fixes per month. Meanwhile, Google's Threat Intelligence Group documented the first high-confidence case of a threat actor using an AI-developed zero-day exploit, signaling that offensive capabilities are advancing at the same pace.

How Are AI Agents Changing Cybersecurity Workflows?

The shift from human-driven security work to agentic systems is fundamentally reshaping how both defenders and attackers operate. Defenders can now ask AI agents to scan codebases, reproduce bugs, validate patches, generate detections, and explain what happened from logs. Attackers, meanwhile, can use agents to profile targets, inspect code, validate proof-of-concepts, tailor phishing lures, and operate across developer infrastructure.

The Firefox case demonstrates how effective this can be when properly engineered. Mozilla didn't simply run Claude against its codebase and hope for results. Instead, the team built an agentic harness on top of its existing fuzzing infrastructure. This system generated reproducible test cases, tested hypotheses, dismissed unreproducible speculation, deduplicated findings, and routed bugs through the normal security lifecycle to engineers who could patch and release. The result was transformative: April saw 423 total Firefox security bug fixes, compared to a 2025 baseline of roughly 20 to 30 per month.

OpenAI's response follows a similar pattern. The company launched Daybreak, which uses Codex as the agentic harness together with security partners for secure code review, threat modeling, patch validation, dependency risk analysis, detection, and remediation. GPT-5.5 with Trusted Access for Cyber reduces refusals for verified defensive work, while GPT-5.5-Cyber is a more permissive limited preview for authorized red teaming, penetration testing, and controlled validation.

What Evidence Shows Attackers Are Already Using AI Agents?

The offensive side is moving faster than many expected. Google's forensic analysis of the AI-developed zero-day included educational docstrings, a hallucinated Common Vulnerability Scoring System score, and textbook-style Python formatting, all hallmarks of AI-generated code. The exploit targeted a popular open-source web administration tool, bypassed two-factor authentication after credential theft, and was disrupted before mass exploitation.

Beyond zero-day development, threat actors are deploying AI agents across multiple attack vectors:

• Mobile Device Control: Google identified PROMPTSPY, an Android backdoor with a module that sends the visible interface hierarchy to a model and receives structured actions such as clicks and swipes, allowing the model to reason about the operator's goal and turn screen state into device actions.
• Organizational Reconnaissance: Threat actors are using models for organizational mapping, hardware fingerprinting from photos, and high-volume vulnerability prompt loops to identify targets and weaknesses at scale.
• Supply-Chain Compromise: Mini Shai-Hulud, a self-spreading npm worm, demonstrates how AI-assisted attacks can weaponize developer infrastructure. Once it compromises a single package, the malicious code uses that maintainer's credentials to publish poisoned updates of every other package they own, harvests credentials from each new victim machine, and repeats the cycle.

The May 11 campaign hijacked OpenID Connect tokens from GitHub Actions release pipelines, treating developer and AI environments as targets. The malware harvested credentials from cloud accounts, crypto wallets, Claude Code configuration, and VS Code persistence hooks. This is particularly concerning because agents sit close to code, credentials, repositories, local files, browsers, and tool permissions. Once they become routine developer infrastructure, compromising the agent layer is as valuable as compromising the developer laptop.

Phishing is also evolving. A single agent can scrape a target's LinkedIn connections, GitHub activity, package ownership, company relationships, and Slack habits, pick a plausible pretext for each contact, and then draft and send tailored lures to every name on the list with no human in the loop. StepSecurity's analysis of the axios attack showed the workflow: a fake Slack workspace, a fake Microsoft Teams error, and a remote access trojan installed by the maintainer. That workflow is exactly the kind of targeting AI makes cheap to run thousands of times in parallel.

Will AI Agents Create More Security Incidents or Fewer?

The answer depends on whether defenders can move faster than attackers. In the short term, expect more incidents. Offense benefits first because attackers can apply agents without organizational change, while the patch ecosystem outside the major vendors is still slow. A noisy 12 to 18 months of breaches involving AI-assisted reconnaissance, phishing, and supply-chain compromise is likely.

Long term, the picture brightens for defenders. Fewer successful incidents should occur at the top of the stack, with a widening gap between organizations that treat AI security as an operating model and those that do not. Defenders own the parts of the stack that matter most: code, logs, identity, deployment gates, network policy, and patch pipelines. If Mythos-tier review runs continuously against major codebases, the long tail of latent bugs shrinks. Firefox shows this is not theoretical. Bugs that have sat in browsers and operating systems for years can be flushed out and merged before they ever get used.

The workflow scales. Daybreak-style products can validate, patch, and ship fixes faster than any human-only security team. Detection engineering, log explanation, and incident response all benefit. The cost of being a defender drops too, on a longer fuse than the offensive side. If defenders move fast and gating slows the worst offensive workflows, more agents means fewer successful incidents over time, even if the volume of attempts climbs.

What Should Organizations Do Right Now?

The practical defense for npm right now is to stop installing same-day releases. Most automated supply-chain attacks are detected and pulled within 24 to 72 hours, so a 3 to 7 day cooldown on dependency updates closes the largest exposure window at almost no cost. But this feels like a very brittle solution to a whole new class of vulnerabilities, particularly as coding agent environments get targeted.

The real challenge is that the internet's weakest links stay weak until defensive agents reach them. Labs gating Mythos-class capability owe the long tail of small defenders real distribution: credits, packaged products, and tooling that does not require an in-house security team. Otherwise the gating protects frontier defenders while the rest of the attack surface gets worse, and the net count of incidents goes up rather than down.

Meanwhile, Claude 4 is advancing the broader agentic ecosystem. The model features a hybrid reasoning architecture that splits inference into fast and extended thinking passes, allowing autonomous agents to persist for hours, consult tools, and refine outputs through self-correction. Sonnet and Opus tiers have been expanded to one million tokens for enterprise beta users, meaning entire repositories, legal briefs, or research corpora fit inside a single request. Autonomous agents can now ingest 500,000 lines of code, generate refactors, and iterate through self-correction loops without fragmentation.

The benchmark evidence is compelling. Opus 4 posted a score of 72.5 on SWE-bench, a widely used coding evaluation, while Sonnet 4 surprised with 72.7. Opus 4.5 pushed scores toward 74.5, and 4.7 registers even higher on private dashboards. However, internal Anthropic safety audits show steady harmlessness gains from 97.3% to 98.8%, focusing on refusal rates and responsible deployment.

The cybersecurity arms race is real, and it is accelerating. The next 18 months will determine whether AI agents become a net positive or negative for security. The outcome depends on how quickly defenders can scale their capabilities and how effectively organizations can adopt agentic workflows without creating new vulnerabilities in the process.