The same AI models that help security teams find vulnerabilities are available to the people trying to exploit them — and that changes the math for every business that can be hacked. This episode unpacks the arms race with real examples, calibrated numbers, and a clear-eyed look at where the advantage actually lands.
AI-generated (NotebookLM) audio overview. Source: HexLocal in-house research — Research - AI Cybersecurity Arms Race - 2026-06-21 (Dr. Priya Nair). Primary external sources include Google Project Zero, Google Cloud, The Hacker News, Dark Reading, The Record, TechRepublic, and NYU Tandon.
- Google's Big Sleep (DeepMind + Project Zero) found a critical SQLite vulnerability known only to threat actors and patched it in ~48 hours — the first time an AI agent beat attackers to a real-world exploit
- XBOW, an autonomous AI pentester, reached #1 on HackerOne's US bug-bounty leaderboard in 90 days by attacking live targets the way a human pentester would, at machine scale
- The "thousands of vulnerabilities" headline is inflated — verified per-system figures are ~1,060 XBOW submissions and a handful of high-value Big Sleep finds; most "AI-found bugs" in the wild are noise
- The curl bug-bounty program illustrates the flip side: only ~5% of 2025 AI-assisted submissions were genuine, flooding maintainers with low-quality slop
- Whether defenders or attackers hold the net advantage is genuinely contested and unresolved — the episode presents the honest open question, not a false verdict
- The business takeaway centers on what the arms race actually demands from non-security companies: the threat is real, the hype needs calibrating, and the defender's playbook has new risks built in