Key Takeaways

- Over 100 new vulnerabilities are disclosed daily, and organizations already cannot patch them all
- AI systems capable of finding software bugs could weaponize flaws faster than defenders can respond
- Banks, hospitals, and utilities running legacy systems will be hit first and hardest
CrowdStrike President Mike Sentonas is warning that AI could soon flood the security industry with zero-day vulnerabilities at a pace no organization can handle. Speaking to Fast Company, Sentonas described a near-future scenario where security teams shift from patching 10 known flaws per week to responding to 10 previously unknown exploits in the same timeframe. The math, as he sees it, does not work in defenders' favor.
What's the current state of vulnerability disclosure?
More than 100 new vulnerabilities hit public databases every day, according to Sentonas. That figure aligns with broader industry data: the NIST National Vulnerability Database logged over 29,000 CVEs in 2023, up from roughly 25,000 the year before. The trend line points one direction.
Even with that volume, most disclosed vulnerabilities are known quantities. Patches exist. The challenge is prioritization. Security teams cannot test and deploy every fix without risking the outages they are trying to prevent. So they triage, focusing on the handful of flaws that pose the greatest threat to their specific environment.
Zero-days break that model. By definition, no patch exists when they are discovered. Google's Threat Analysis Group and Mandiant tracked 97 zero-days exploited in the wild during 2023, a record. That number, Sentonas suggests, is about to look quaint.
How AI changes the discovery timeline
The gap between a flaw existing and someone discovering how to exploit it is about to shrink dramatically. Sentonas puts it plainly: "Frontier AI is going to drastically reduce the time between a flaw existing and somebody discovering how to exploit it."
This is not speculation about some distant capability. Sentonas expects AI systems capable of finding software bugs at high speed to arrive within months. The same tools that help defenders audit their own code will hand attackers a faster path from discovery to weaponization.
The worst-case scenario? "Theoretically, we all wake up and there is just an exponential growth in zero-day vulnerabilities, and there are no patches," Sentonas says. He has worked in cybersecurity for over 20 years. He is not prone to hyperbole.
Which organizations face the biggest risk?
Sentonas points to banks, factories, hospitals, and utilities as the first wave of targets. These sectors share a common problem: they run older machinery and legacy hardware that cannot be quickly upgraded without disrupting vital services. A hospital cannot take its patient monitoring systems offline for a Tuesday patch cycle.
That operational constraint creates a structural advantage for attackers. Legacy systems often lack modern security features. They may not support the latest encryption standards or endpoint detection tools. When a zero-day emerges in software running on 15-year-old industrial controllers, the "patch it" solution does not apply.
The scale problem compounds the legacy problem. Security teams already struggle to prioritize among known vulnerabilities. Adding a stream of zero-days to that workload forces impossible choices. Which critical infrastructure flaw do you address first when three hit your queue the same morning?
Can defenders use the same AI tools?
In theory, yes. AI-powered vulnerability discovery can help organizations find flaws in their own systems before attackers do. CrowdStrike and competitors are building exactly these capabilities into their platforms. The question is whether defenders can move faster than attackers once a flaw is found.
The asymmetry here favors offense. An attacker needs to find one exploitable flaw. A defender needs to find and fix all of them. Even if both sides have equal AI tools, the attacker's task is simpler. And unlike defenders, attackers do not need to worry about breaking production systems when they deploy their code.
IBM's 2023 Cost of a Data Breach Report found that organizations take an average of 277 days to identify and contain a breach. That window exists even with current vulnerability volumes. Shrink the time-to-exploit while expanding the number of exploits, and that 277-day figure becomes an invitation.
What should product teams do now?
The shift Sentonas describes has direct implications for anyone building software. Code shipped today will face AI-powered scrutiny tomorrow. Security cannot remain an afterthought bolted on post-launch.
Automated security testing in CI/CD pipelines becomes non-negotiable. Static analysis, dynamic analysis, and dependency scanning need to run on every commit. Tools like Snyk, Semgrep, and GitHub's native security features can catch common flaws before they reach production. The cost of integrating them is far lower than the cost of a zero-day in your shipped product.
Dependency management matters more than ever. Many zero-days emerge in third-party libraries, not your own code. Tracking what you import, auditing it regularly, and having a rapid-response plan for upstream vulnerabilities is baseline hygiene.
Logicity's Take
Sentonas is describing a problem that most security vendors are not yet equipped to solve. Current SIEM and endpoint detection tools assume a finite, manageable stream of known threats. A 10x increase in zero-days would break that assumption. For product teams, the practical takeaway is defensive depth: assume your code will be scanned by AI, assume your dependencies will be scanned, and assume attackers will find the path of least resistance. The teams that survive this shift will be those who already treat security as a core engineering discipline, not a compliance checkbox.
Frequently Asked Questions
What is a zero-day vulnerability?
A zero-day is a software flaw that attackers can exploit before the software vendor knows about it or has released a patch. The term refers to the number of days the vendor has had to fix the problem: zero.
How many zero-days are currently exploited each year?
Google's Threat Analysis Group and Mandiant tracked 97 zero-days exploited in the wild during 2023, a record high. CrowdStrike's warning suggests AI could push that number significantly higher.
Why can't organizations just patch faster?
Patching requires testing to avoid breaking production systems. Many organizations, especially those running legacy hardware in hospitals or factories, cannot take critical systems offline for updates without disrupting essential services.
Will AI help defenders as much as attackers?
AI vulnerability discovery tools can help organizations audit their own systems. However, attackers only need to find one flaw, while defenders must find and fix all of them. This asymmetry generally favors offense.
Technical debt in widely-used software creates the vulnerabilities AI tools will find first
A case study in how breach response and disclosure play out at scale
Need Help Implementing This?
If your team is rethinking security practices ahead of AI-powered vulnerability discovery, reach out. We can connect you with security engineers and consultants who specialize in CI/CD security integration, dependency auditing, and zero-day response planning.
Source: Fast Company / Chris Stokel-Walker
Manaal Khan
Tech & Innovation Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
Related Articles
More in Ai In Business
AI Search Trust Problem: Why 85% of Users Doubt Results
New research reveals a massive gap between AI search adoption and user trust. Two-thirds of Americans use AI search tools, but only 15% trust the results. For businesses relying on AI-powered discovery, this trust deficit represents both a risk and an opportunity.

INSIDER REVEAL: How the American Enterprise Institute Uncovered the AI Productivity Boom
The American Enterprise Institute has been searching for signs of an AI-driven productivity boom. According to McKinsey, AI can increase productivity by up to 40%. We dive into the details of this emerging trend and what it means for businesses.

Will AI Ethics Regulation Become the New Industry Standard?
The Vatican has emphasized the need for AI ethics regulation in a recent statement, sparking a global conversation about responsible AI development. We explore the implications of this call to action and what it means for businesses and individuals alike. As AI continues to shape our world, we must consider the ethical implications of its development and deployment.


