Cybersecurity's New Arms Race: Defending Against AI That Hacks Itself

SAN FRANCISCO, CA – June 17, 2026 – The world of cybersecurity has long been a cat-and-mouse game, but the mouse is now evolving at an exponential rate. Today, San Francisco-based security firm Corelight announced a major expansion of its network defense platform, a move that directly confronts a chilling new reality: the emergence of artificial intelligence capable of autonomously discovering and weaponizing software vulnerabilities at machine speed.

This new class of threat, which Corelight and others refer to as "Mythos-class AI," threatens to upend decades of security strategy built on patching and perimeter defense. In response, Corelight is betting that the only viable defense is total, real-time network visibility. Its updated Open NDR (Network Detection and Response) platform now includes passive asset classification and network performance monitoring, aiming to create an unblinking eye on every device and service communicating within an organization. The move signals a critical shift in the industry, away from simply reacting to known threats and towards continuously mapping the battlefield in a state of what one executive calls "permanent vulnerability."

The Dawn of the Self-Hacking AI

The term "Mythos-class AI" is not mere marketing hyperbole. It stems from models like Anthropic's Claude Mythos, a frontier AI that has demonstrated startling capabilities in cybersecurity. Research from independent bodies, including the UK AI Security Institute, has confirmed that such models can autonomously identify novel vulnerabilities in complex software, write the code to exploit them, and execute multi-stage attacks against vulnerable systems—all without human intervention. This dramatically lowers the barrier to entry for sophisticated attacks, compressing timelines from months or weeks to mere minutes.

This new paradigm renders traditional defense strategies dangerously obsolete. For years, organizations have relied on a cycle of vulnerability discovery, vendor patching, and enterprise-wide deployment. This human-driven process, already struggling to keep pace, is simply no match for an adversary that operates at machine speed. "AI-powered tools enabled by Mythos-class models can now discover and weaponize zero-day vulnerabilities at machine speed, creating a state of permanent vulnerability where no organization can patch its way to safety," said Vijit Nair, vice president of product at Corelight.

This reality is echoed across the industry. A recent survey found that 87% of organizations have already experienced an AI-driven cyberattack, and firms like Palo Alto Networks have warned that such attacks are rapidly becoming the "new norm." The threat is no longer theoretical; it is an active and escalating force reshaping digital risk.

You Can't Defend What You Can't See

In this environment of constant, automated threat, the old security adage, "you can't defend what you can't see," has taken on a new urgency. The most fertile ground for AI-powered adversaries is the unknown and unmanaged parts of a network: forgotten servers, unauthorized employee devices (BYOD), sprawling Internet of Things (IoT) sensors, operational technology (OT) in industrial settings, and the rapidly growing landscape of "shadow AI"—unsanctioned AI tools and services used by employees. These assets rarely appear in traditional configuration management databases (CMDBs) and are often missed by security tools that require agents to be installed.

Corelight's platform update directly targets this problem. By leveraging the open-source Zeek engine—a gold standard for network analysis—the system passively analyzes network traffic to build a complete and continuously updated inventory of every asset. "Every unmanaged device, shadow IT endpoints, shadow AI platforms and services, and OT asset that cannot be seen by agent-based tools is a potential entry point for an adversary," Nair explained. "Corelight closes that gap — turning the network itself into a continuously current inventory of everything that communicates, with no agents, no scan cycles, and no blind spots."

This passive approach is the key differentiator. Instead of actively polling devices, which can be disruptive and slow, the system identifies and classifies assets—from workstations and servers to over 180 different AI services—based on their unique communication patterns, or "protocol fingerprints." The result is a real-time, ground-truth map of the entire digital environment, providing the foundational visibility needed to spot anomalous behavior.

Fueling the AI-Powered Defense

Ironically, the best defense against malicious AI may be a smarter, better-informed defensive AI. Recognizing this, Corelight is positioning its platform not just as a detection tool, but as a data provider for the next generation of Security Operations Centers (SOCs). The high-fidelity, structured data generated by Zeek is described as "clean fuel" for an organization's own AI tools and large language model (LLM) agents.

By feeding these defensive AI systems with real-time asset identity, performance context, and communication logs, security teams can automate complex workflows and dramatically accelerate incident response. The company claims this approach can lead to a "10x faster triage" with auditable reasoning at every step. This is a critical capability for SOC teams who are drowning in alerts and struggling with the manual effort required to investigate them.

The value of this contextual data is already being realized. "In incident response, a fast mean-time-to-understanding is everything," commented the head of network incident and response at a Fortune 100 manufacturing enterprise. "Corelight's passive asset classification provides our security operations team with immediate, accurate IT and OT device visibility right where we are already analyzing traffic, allowing network defenders to drastically accelerate triage and investigate alerts with confidence." This integration of asset identity directly into the security workflow allows analysts to immediately understand the "who" and "what" of an alert, rather than wasting precious time hunting for information.

Redefining Risk in an Unpatchable World

The strategic implications of this technological shift are profound. For years, cyber risk has been largely measured by vulnerability scores and patching compliance. While still important, these metrics are no longer sufficient. As Chris Kissel, research vice president at IDC Security & Trust, noted, "Mythos-class AI capabilities have effectively ended the era in which organizations could manage cyber risk through patching discipline alone."

The focus must now expand to include real-time visibility and the ability to detect exploitation as it happens. "The unknown attack surface — unmanaged endpoints, OT devices, unauthorized AI tooling, assets that have never appeared in a CMDB — is precisely where AI-powered adversaries will look first, because it is where defenders are least prepared," Kissel added. "Network-level asset classification that operates continuously and passively is the only mechanism that scales to match that reality."

This new capability also provides a dual benefit. For security teams, it enriches every alert with crucial context. For network operations teams, the platform's new performance monitoring features offer a rapid "mean time to innocence"—the ability to quickly and definitively prove that the network is not the cause of an application slowdown, all without deploying and managing a separate suite of monitoring tools. By unifying visibility for both security and operations, the approach aims to break down traditional IT silos and foster a more holistic understanding of the enterprise environment.