
Zscaler CEO: AI finds decade-old software flaws in hours

Huma Shazia · June 28, 2026 at 12:01 AM · 5 min read

Key Takeaways

Source: Tech-Economic Times
  • AI models can now find software vulnerabilities in hours that took researchers months to discover
  • Zscaler tested Anthropic's Mythos model to scan its own code for flaws before attackers could exploit them
  • Chaudhry calls US restrictions on advanced AI a 'knee-jerk reaction' and expects other models to match Mythos capabilities soon

AI models can now find software vulnerabilities that stayed hidden for two decades, and they do it in hours instead of months. That shift is creating the largest cybersecurity opportunity in years, according to Zscaler CEO Jay Chaudhry.

"There has never been a time in cyber where there's more need for cybersecurity than we see today," Chaudhry told the Economic Times at Zscaler's Zenith Live conference. The San Jose company, valued at roughly $20 billion, was among 40 firms granted early access to Anthropic's advanced AI model, Mythos, under a controlled testing program.

What did Zscaler learn from testing Anthropic's Mythos?

Zscaler used Mythos to scan its own software and hunt for exploitable flaws before attackers could find them. The results confirmed what the security industry has been anticipating: AI dramatically compresses the timeline for vulnerability discovery.

What we've learned over the past few months is that these models can find vulnerabilities in software at a much faster speed, and some of the vulnerabilities have been hidden for 10 or 20 years. That creates a new challenge. How do we fix those vulnerabilities before they get exploited?

— Jay Chaudhry, CEO and Founder, Zscaler

Chaudhry said Zscaler compared Mythos against earlier AI versions and OpenAI's latest models. The preview model is "a few steps ahead," he noted, but he expects competitors to catch up quickly.


Should companies wait for the best AI model?

No. Chaudhry argues that chasing access to a specific cutting-edge model misses the point. "The focus on who gets access is probably misplaced," he said. "Other models can already find 80% of what it does. Customers need to focus on fixing what today's models can already identify rather than waiting for access to one specific model."

This is a practical stance for security teams. The backlog of known, unpatched vulnerabilities already overwhelms most organizations. AI accelerates discovery, but human teams still have to triage, test, and deploy fixes. Waiting for marginally better detection while ignoring the current pile makes little sense.

Chaudhry calls US AI restrictions a 'knee-jerk reaction'

The Zscaler CEO didn't hold back on recent US policy moves limiting access to advanced AI systems. "I personally think that was a knee-jerk reaction," he said. "Ideally, these issues should have been sorted out before the models were made available."

He sees the restrictions accelerating a broader shift toward sovereign AI. Countries want control over mission-critical technology, and AI is no exception. "First it was sovereign cloud. Sovereign AI is the natural extension of that," Chaudhry observed.

India, where nearly 40% of Zscaler's workforce is based, is making progress. Chaudhry praised the government's efforts to make GPUs available and attract semiconductor investment. He also suggested that tightening US immigration policies could reverse some brain drain, helping India catch up faster in AI.


Why zero trust becomes more critical with AI threats

Chaudhry's answer to the speed problem comes in two parts: prevent breaches without patching every vulnerability immediately, and minimize damage when a breach does occur. Both require abandoning legacy security architecture.

"Anything that can be seen from the internet can be discovered by bad actors," he said. "In the zero-trust world, those firewalls and VPNs are no longer needed. If they can't find you, they can't attack you."

Zero trust assumes no user or device should be automatically trusted, even inside the corporate network. Every access request gets verified. This model doesn't eliminate vulnerabilities, but it shrinks the attack surface that AI-armed adversaries can probe.


The commercial reality: opportunity, not panic

Chaudhry frames AI-powered vulnerability discovery as an opportunity rather than a catastrophe. Yes, attackers get the same tools. But the cybersecurity market has a clear pitch: either invest in modern defenses now or face exploitation of flaws that AI will inevitably uncover.

The interview suggests Zscaler sees stronger customer engagement from AI threat concerns, though Chaudhry cautioned that the commercial impact will take time to materialize. Security budgets move slowly. The urgency is real, but enterprise procurement cycles don't accelerate just because the threat landscape does.


Logicity's Take

Chaudhry's 80% comment deserves attention. If commodity AI models already catch most vulnerabilities, the differentiator shifts from detection to remediation speed. Organizations should evaluate whether their security stack can actually fix what AI finds. Zscaler competes here with CrowdStrike, Palo Alto Networks, and Wiz, all of which are integrating AI into their platforms. For most enterprises, the bottleneck isn't finding flaws. It's patching them before someone else finds them too.

Frequently Asked Questions

What is Anthropic's Mythos model?

Mythos is an advanced AI model from Anthropic that Zscaler tested for vulnerability detection in software. It was made available to about 40 companies under a controlled testing program.

How fast can AI find software vulnerabilities?

According to Zscaler's CEO, AI models can now identify vulnerabilities in hours that previously took security researchers weeks or months to uncover, including flaws hidden for 10 to 20 years.

What is zero trust security?

Zero trust is a security model that assumes no user or device should be automatically trusted. Every access request is verified, regardless of whether it comes from inside or outside the corporate network.

Does Zscaler use AI for its own security?

Yes. Zscaler used Anthropic's Mythos model to scan its own software for vulnerabilities before they could be exploited by attackers.


Source: Tech-Economic Times / ET


Huma Shazia

Senior AI & Tech Writer

Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
