23rd June 2026

AI cyber risk could surge "within months"

Five Eyes (FVEY), the Anglosphere intelligence alliance, has warned that frontier AI models could reshape the cyber threat landscape within months, as malicious actors use the technology to increase the speed, scale, and sophistication of attacks.

Artificial intelligence has become the defining technology of the 2020s. In only a few years, it has transformed how people write, code, search for information, analyse data, create images, edit video, and automate everyday tasks. New tools are also helping researchers to accelerate drug discovery, model climate risks, improve medical diagnostics, and optimise complex industrial systems.

However, AI is increasingly proving to be a double-edged sword. The same capabilities that help people work faster and more effectively can also be used by criminals, hostile states, and other malicious actors. Concerns over frontier AI have grown steadily since the first AI Safety Summit at Bletchley Park in 2023. Around 100 delegates attended, including political leaders, technology executives, academics and AI researchers. Governments later continued the process at further international meetings in Seoul in 2024 and Paris in 2025. Scientists and industry figures have also published a series of open letters in recent years, calling for stronger regulation and safety testing, and in some cases even a pause in the development of the most powerful models.

Until recently, many of these warnings could have sounded abstract or distant. The risks were serious, but often framed in terms of future systems and hypothetical scenarios. A new warning from Five Eyes now brings the issue into sharper focus.

Five Eyes, also known as FVEY, is the intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom, and the United States. This week, cybersecurity agencies from the five countries have issued a joint statement warning that AI is already changing the cyber threat landscape. Frontier AI models, they said, are likely to exceed current industry expectations and could reshape offensive cyber capabilities within months, not years.

Earlier this month, researchers at Epoch AI reached a similar conclusion after reviewing public evidence on the Mythos family of AI models developed by OpenAI rival Anthropic. They found that Mythos Preview represented a major advance in exploit development, with its aggregated cyber benchmark score appearing several months ahead of the previous trend. If such capabilities become widely available, they warned, the result could be a "new regime of cybersecurity" in which organisations must patch vulnerabilities much faster to prevent a sharp rise in successful attacks.

Cybersecurity benchmark scores for frontier AI models have advanced rapidly in 2025–26, with Epoch AI's Cyber-domain ECI showing Anthropic's Claude Mythos Preview several months ahead of the previous trend. Source: Epoch AI / Chauvin et al. (2026), CC-BY.

According to Five Eyes, AI is lowering barriers for malicious actors, making attacks faster, larger in scale, and more sophisticated. This could shrink the window between vulnerability discovery and exploitation, giving organisations less time to respond. In practice, these risks may include more automated reconnaissance, more convincing phishing campaigns, faster identification of weak points across networks, new malware variants, and increasingly realistic deepfakes for fraud or social engineering.

The statement does not present cybersecurity as hopeless. In fact, it also highlights the defensive potential of AI, including earlier detection of vulnerabilities, improved software quality, monitoring of unusual behaviour, and faster incident response. But the agencies stress that organisations must act quickly. They urge leaders to reduce their attack surfaces, accelerate patching, address legacy systems, strengthen identity and access controls, and prepare for breaches before they happen.

The message is stark: AI is no longer a future consideration for cybersecurity. It is here now, and the pace of change means that assumptions can become outdated in a matter of months. Organisations that delay may face operational, financial, and reputational risks from increasingly capable AI-enabled attacks.

Comments »

If you enjoyed this article, please consider sharing it: