Does your organization know how long it takes for a newly discovered vulnerability to be exploited in the wild? Current data suggests the window is now roughly three hours. This timeline is not the result of a sudden surge in human genius among threat actors. It is the result of automation. Specifically, it is the result of a new generation of artificial intelligence models that turn the slow, manual process of bug hunting into a high-speed commodity service.
I recently spent an evening reviewing the performance benchmarks for GLM 5.2, an open-weight model released by the Chinese firm Zhipu AI. This is not just another large language model. In specific tests, it outperformed frontier models like GPT-5.5 and Anthropic’s Claude 4.8 Opus at identifying software vulnerabilities. The most striking figure is the cost. GLM 5.2 can find a vulnerability for approximately $0.17. When the price of an exploit drops to the cost of a handful of paperclips, the traditional defensive math breaks.
Security teams often operate under the assumption that they are in a fair race against human attackers. This is a mistake. We are now in a race against highly optimized inference engines that do not sleep, do not require a salary, and can be downloaded to run on private hardware. This shift is particularly evident in the recent release of Tulongfeng, or "Dragon Saber," by 360 Security Technology. This tool has reportedly identified over 3,400 vulnerabilities already. These are not academic exercises. These are actionable entry points into corporate and critical infrastructure.
In the past, high-tier exploits were the province of state-sponsored actors or sophisticated criminal syndicates because they required expensive human labor. Margaret Cunningham from Darktrace points out that reliability in a model must be weighed against cost and ease of deployment. Both attackers and defenders make economic decisions. If a model is good enough and costs almost nothing to run, it becomes a pervasive threat regardless of whether it is the absolute best model on the market.
From a risk perspective, this changes the threat environment from targeted strikes to a continuous, automated storm. Attackers no longer need to choose their targets carefully. They can point a model like GLM 5.2 at every public-facing IP address and wait for the results. The cost to the attacker is negligible. The cost to the defender, in terms of incident response and data breach mitigation, remains catastrophic. This is the architectural paradox we face today. A multi-million dollar defense system can be bypassed by a script using a seventeen-cent vulnerability scan.
One significant advantage of models like GLM 5.2 is their open-weight nature. Unlike models that live behind a US-based cloud API, an open-weight model can be installed on local servers. This is a critical factor for organizations managing sensitive data or critical infrastructure. John Gallagher from Viakoo notes that for operational technology (OT), data sovereignty is a primary concern. Sending proprietary network maps or source code to a cloud-based AI for analysis is a non-starter for many security-conscious firms.
By design, these Chinese models allow defenders to perform their own vulnerability discovery without leaking data to a third party. This creates a rare opportunity for parity. A defender can use the same model that an attacker uses to find a hole in the hull before the ship leaves the dock. However, this only works if the organization has the agility to patch as fast as the model finds the bugs. Most do not. This leads us to the problem of security debt.
Chris Inglis, the former US National Cyber Director, views security debt in three distinct buckets. The first consists of known vulnerabilities that have existing patches but remain unaddressed. The second bucket includes unknown vulnerabilities that are easily discoverable by modern tools. The third bucket is the realm of zero-day exploits and complex attack chains.
We do not need frontier models to find bugs in the first two buckets. Commodity models are already capable of running circles around most enterprise defenses. This is why the rise of high-performance Chinese models is so concerning. They excel at finding the low-hanging fruit that makes up the majority of security debt. When an organization ignores a three-year-old CVE, they are effectively leaving the front door unlocked in a neighborhood where every thief has a master key.
Encryption acts as a shatterproof digital vault, but it is useless if the attacker has the keys. Similarly, a robust perimeter is useless if an AI finds a misconfigured service that bypasses the firewall. The reality is that most breaches do not happen because of a sophisticated zero-day. They happen because a model found a boring, predictable error in a piece of legacy software that was never prioritized for a patch.
Data from Semgrep shows that GLM 5.2 achieved a 39% F1 score in bug-finding tests. This is a respectable metric for an LLM. However, a model is only one part of a security program. Cunningham highlights that the origin of a model is often less important than how a security team integrates it into their daily operations. If a tool finds 100 bugs but the security team only has the capacity to fix five, the tool has not actually improved the security posture. It has only increased the noise.
Proactively speaking, the goal should be to reduce the time between discovery and remediation. We need to move away from the idea of the network perimeter as a castle moat. In an era of AI-driven attacks, we must adopt a zero trust architecture. Think of zero trust as a VIP club bouncer at every internal door. Even if an attacker uses an AI-discovered bug to get inside the building, they should find every subsequent door locked and requiring a separate credential. This limits the blast radius of any single exploit.
To bridge the gap between technical reality and business impact, organizations should focus on the following steps:
I recently analyzed an incident where a mid-sized firm was hit by ransomware. The entry point was a forgotten VPN server running software from 2019. The attacker used an automated tool to find the unpatched vulnerability. This was not a sophisticated operation. It was a commodity attack. If that firm had spent even a few hours running a basic LLM-based scanner against their own perimeter, they would have seen the red flags. Security is no longer about being perfect. It is about being faster than the automated tools that are scanning your network right now.
Sources: NIST Cybersecurity Framework, MITRE ATT&CK, Semgrep LLM Security Report, Reuters Report on 360 Security Technology.
Disclaimer: This article is for informational and educational purposes only and does not replace a professional cybersecurity audit or incident response service.



Our end-to-end encrypted email and cloud storage solution provides the most powerful means of secure data exchange, ensuring the safety and privacy of your data.
/ Create a free account