In early 2026, AI was shaking up the entire process of software development. It looks like the way software, not just coding, “happens” is changing, and there is no going back.
According to Bruce Schneier, a well-known security expert, we are entering an era of “instant software” (Schneier, 2026). AI can write, deploy, modify, and delete custom applications on demand. As organizations take steps to integrate generative AI, and increasingly also autonomous agents, into their software workflows, they face entirely new opportunities but also unprecedented risks.
As the workflows of software realisation change, security workflows and security testing must also adapt to new, AI-enabled ways of working.
In this post, we look at how these might change in the 2026 “post-Mythos era”, from both the opportunity side and the risk perspective.
The opportunities: defenders’ tooling comes with batteries included
When leveraged effectively, AI acts as a massive force multiplier for defensive cybersecurity, giving defenders the ability to operate at machine speed and scale.
Automated and multi-agent penetration testing
Traditional (i.e., manual) penetration testing, or interactive application security testing, is resource-intensive and can take some time to execute. Today, multi-agent AI architectures are also emerging for application security testing, as demonstrated, for example, by AWS’s recent introduction of its AWS Security Agent (Alkhouli et al, 2026).
Just like agentic software development, security testing is also on its path to becoming agentic. With this approach, specialized security agents can be orchestrated to work collaboratively: one maps the attack surface, another analyzes business logic flaws, and others validate findings using active exploitation. This dynamic generation of focused test tasks can significantly accelerate vulnerability discovery as demonstrated in recent studies and especially Anthropic’s Mythos preview (Carlini et al, 2026).
AI assisted code security and Mythos “Project Glasswing”
AI puts traditional Static Application Security Testing (SAST) on steroids. With AI, SAST tools can now apply contextual reasoning to identify complex vulnerabilities and directly propose elaborate fixes that go far beyond what SAST tools previously did (Ellis, 2026). Bruce Schneier notes in his commentary (Schneier, 2026) on Anthropic’s Mythos preview that AI vulnerability-finding technologies are incredibly valuable for defense, allowing defenders “to patch code and deny it to attackers forever”.
A prime example is Anthropic’s Project Glasswing (Carlini et al, 2026), launched alongside their Claude Mythos Preview model. Project Glasswing aims to run the Mythos model against massive amounts of public domain and select vendors’ proprietary software to find and patch vulnerabilities before hackers can exploit them. The Glasswing project highlights a current advantage for defenders: finding a vulnerability for the purpose of fixing it is currently easier for an AI than finding and fully exploiting it. In an optimistic future, according to Bruce Schneier, this could lead to “self-healing” networks, where AI agents continuously scan and automatically patch evolving codebases upon discovery.
Accelerated cyber operations planning
In Defensive Cyber Operations (DCO), as studied by Sarjakivi and Moilanen (Sarjakivi & Moilanen, 2026), AI agents have proven highly capable of accelerating operations planning. When tested against expert human teams in complex cyber defense exercises, AI agents excelled at quickly generating Courses of Action (COAs) and prioritizing defended capabilities. By rapidly processing vast amounts of data, AI helps reduce the cognitive load on security analysts. Studies like this emphasize that agentic defensive operations are indeed worth building and can protect against the dark side of agentic forces (the “fight AI with AI” approach).
The risks: The good vibe (code) might not last
While AI offers powerful defensive capabilities, it simultaneously introduces severe risks—both from malicious actors leveraging AI and from the inherent flaws in AI systems themselves.
The “Lethal Trifecta” and prompt injection
As we deploy AI agents to assist with security and IT tasks, we expose our organizations to risks, with experts noting that many users install assistants without proper security or isolation boundaries. This exposes them to the “lethal trifecta”, a term coined by Simon Willison (Willison, 2025), the co-creator of the Django framework: an AI agent that combines access to private data, exposure to untrusted content, and the ability to communicate externally. When these elements mix, attackers can use “prompt injection” via a seemingly harmless email or web page, tricking the agent into following malicious instructions and exfiltrating sensitive data. LLM prompts have become the new high-value “crown jewel” assets of enterprises and organisations, and compromising the prompt layer allows attackers to silently poison output or remove safety guardrails, as demonstrated by CodeWall (Price, 2026).
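One way to put an isolation boundary around the trifecta described above, as an added example that is not from the original post or from any cited project: a per-session guard that refuses the tool call that would give one agent session private data, untrusted content and external communication together. The tool names and their capability labels are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Flag, auto


class Cap(Flag):
    PRIVATE_DATA = auto()       # reads mail, files, internal databases
    UNTRUSTED_CONTENT = auto()  # ingests text an outsider can author
    EXTERNAL_COMMS = auto()     # can move data outside the trust boundary


TRIFECTA = Cap.PRIVATE_DATA | Cap.UNTRUSTED_CONTENT | Cap.EXTERNAL_COMMS

# Constructed tool registry: tool names and capability labels are assumptions.
TOOLS = {
    "read_inbox": Cap.PRIVATE_DATA | Cap.UNTRUSTED_CONTENT,   # mail is private and attacker-writable
    "query_crm": Cap.PRIVATE_DATA,
    "fetch_url": Cap.UNTRUSTED_CONTENT | Cap.EXTERNAL_COMMS,  # a request URL can carry data out
    "send_email": Cap.EXTERNAL_COMMS,
    "summarize": Cap(0),                                      # pure text transform
}


@dataclass
class SessionGuard:
    """Tracks the capabilities one agent session has already exercised."""
    used: Cap = Cap(0)
    log: list = field(default_factory=list)

    def authorize(self, tool: str) -> bool:
        caps = TOOLS.get(tool)
        if caps is None:  # unregistered tool: deny by default
            self.log.append((tool, "deny: unregistered tool"))
            return False
        if ((self.used | caps) & TRIFECTA) == TRIFECTA:
            # This call would give the session all three legs at once.
            self.log.append((tool, "deny: completes the lethal trifecta"))
            return False
        self.used |= caps
        self.log.append((tool, "allow"))
        return True


def replay(calls):
    """Run a sequence of tool calls through a fresh guard; return (decisions, log)."""
    guard = SessionGuard()
    return [guard.authorize(c) for c in calls], guard.log
```

The guard is order-independent: whichever capability arrives last is the one refused, so a session that has already fetched a web page cannot go on to read the CRM.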
Autonomous attackers and the Anthropic Mythos
AI agents are increasingly capable of acting as autonomous attackers. In a bleak demonstration, an autonomous offensive security agent hacked McKinsey’s internal AI platform in just two hours, mapping the attack surface, finding an unprotected endpoint, and executing a SQL injection that exposed 46.5 million internal chat messages without any insider knowledge (Price, 2026).
The capabilities of offensive AI are advancing so rapidly that Anthropic withheld the release of its Claude Mythos Preview model from the general public specifically due to its advanced cyberattack capabilities (Carlini et al, 2026). During internal testing, Mythos surfaced thousands of high-severity zero-day vulnerabilities across major operating systems. Especially noteworthy, the Mythos model demonstrated the ability to write effective exploits without human involvement, chain together complex memory corruption bugs, and successfully execute attacks using one-shot prompting (Evron et al, 2026).
The “vibe coding” epidemic and the “instant software” paradox
A massive hidden risk in AI-enabled development is “vibe coding,” where users hand over implementation to LLMs without understanding security (Krebs, 2026). The “instant software” created through vibe coding is generally filled with vulnerabilities because both the AI and the user lack security expertise (Schneier, 2026). Furthermore, these AI tools introduce severe governance risks by generating code that functionally works but violates internal enterprise policies—such as GDPR compliance or approved library lists—which traditional security scanners are not designed to catch (Laakkonen, 2026).
However, Schneier highlights a fascinating twist in vulnerability economics: while vibe coding produces vulnerable code, the diversity of “instant software” actually creates an advantage for defenders. Because instant software is highly customized and its source code is not always publicly available, it breaks the traditional scalable attack model where hackers find one flaw and exploit it globally.
Attackers scaling with AI
AI drastically lowers the barrier to entry for offensive cyber capabilities. Threat actors are using commercial GenAI services to plan attacks, automate custom tooling, and execute mass credential abuse at scale (Moses, 2026). For instance, a financially motivated actor recently used multiple AI tools to compromise over 600 FortiGate devices across 55 countries, proving that AI allows unsophisticated attackers to achieve a scale previously reserved for advanced teams (Moses, 2026).
Conclusion: shrinking resolution windows, targeting vulnerabilities in humans and in AI itself
The integration of AI into cybersecurity is shifting the cybersecurity battlefield permanently.
Defenders currently have an edge: defensive scanning remains easier than writing exploits. Defenders can both scan the code (SAST) and run offensive AI agents against running targets. Defenders have more means to discover vulnerabilities before they hit production. Mean time to discover (MTTD) shrinks dramatically.
But the attackers do not sleep either. The (pre-)release of models like Mythos demonstrates that attacker tooling improves model by model, release by release. In the future, an increasing number of attackers will possess offensive capabilities that go beyond their actual technical skills. To survive this era, organizations must be prepared for a world where zero-day exploits are still being found despite defensive activities. To that end, measures such as agentic patching that push mean time to remediate (MTTR) down must be implemented to fight AI with AI.
With the technical battle advancing and with defensive AIs getting better at scanning and automatically patching software vulnerabilities, attackers will likely move “up the stack,” focusing on non-software loopholes, social engineering, and increasingly manipulating the AIs themselves (Schneier, 2026).
To coordinate all this, organizations must embrace human-machine teaming to continue validating the findings and courses of action that AI-enabled tools are producing.
Also, as new layers of defense in depth, we must implement strict access boundaries around AI agents and focus on securing the prompt layers to maintain resilience while we move to the age of instant and agentic software.
Juha Eskelin
Head of Operations, 2NS Cybersecurity
References:
1. Schneier, B. (2026, April 7). Cybersecurity in the Age of Instant Software.
2. Alkhouli, T., Bhargavi, D., Bonadiman, D., Cui, Y., & Zhang, Y. (2026, February 26). Inside AWS Security Agent: A multi-agent architecture for automated penetration testing.
3. Price, P., CodeWall. (2026, March 9). How We Hacked McKinsey’s AI Platform.
4. Ellis, L., Rapid7. (2026, March 8).
5. Evron, G., et al., CSA CISO Community, SANS, [un]prompted, & OWASP Gen AI Security Project. (2026, April 12). The “AI Vulnerability Storm”: Building a “Mythos-ready” Security Program. https://labs.cloudsecurityalliance.org/wp-content/uploads/2026/04/mythosready-20260413.pdf
6. Krebs, B. (2026, March 8). How AI Assistants are Moving the Security Goalposts.
7. Laakkonen, M. I. (2026, March 31). I Read Every Major Study on AI Code Security. We Have a Bigger Problem Than AI slop Vulnerabilities.
8. Moses, C. (2026, February 20). AI-augmented threat actor accesses FortiGate devices at scale.
9. Sarjakivi, P., & Moilanen, P. (2026). Evaluation of AI Agent Accelerated Cyber Operations Planning. In U. Clark, T. Pence, & B. Karabacak (Eds.), ICCWS 2026: Proceedings of the 21st International Conference on Cyber Warfare and Security (21, pp. 408-416). Academic Conferences and Publishing International. The Proceedings of the International Conference on Cyber Warfare and Security.
10. Schneier, B. (2026, April 13). On Anthropic’s Mythos Preview and Project Glasswing.
11. Willison, S. (2025, June 16). The lethal trifecta for AI agents: private data, untrusted content, and external communication. Simon Willison’s Weblog.
12. Carlini, N., et al., Anthropic. (2026, April 7).