{"id":108722,"date":"2026-05-12T15:17:34","date_gmt":"2026-05-12T13:17:34","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?p=108722"},"modified":"2026-05-12T15:56:30","modified_gmt":"2026-05-12T13:56:30","slug":"two-fronts-one-risk-securing-yesterdays-debt-and-todays-ai-code","status":"publish","type":"post","link":"https:\/\/checkmarx.com\/blog\/two-fronts-one-risk-securing-yesterdays-debt-and-todays-ai-code\/","title":{"rendered":"Two Fronts, One Risk: Securing Yesterday\u2019s Debt and Today\u2019s AI Code\u00a0\u00a0"},"content":{"rendered":"

With advanced AI models capable of generating working exploits in minutes for under a dollar, no vulnerability is too small to ignore. The security calculus has fundamentally changed, and the only winning strategy runs on two tracks simultaneously: remediate everything in the backlog and stop new vulnerabilities from entering the codebase at all.<\/em> <\/p>\n\n\n\n

\nThe Old Playbook No Longer Works<\/strong> <\/h2>\n\n\n\n

For years, security teams operated on a pragmatic assumption: not every vulnerability is equal. Prioritize critical and high-severity findings. Let medium and low age in the backlog. There was logic to this approach \u2014 resources are finite, and triaging CVSS score felt like rational risk management.<\/p>\n\n\n\n

\nThat logic is now obsolete.<\/strong> <\/h3>\n\n\n\n

The arrival of advanced large language models has detonated the foundation beneath severity-based triage. These models do not read CVE databases the way humans do \u2014 they reason through code, identify attack vectors, and generate working exploits autonomously. The result is a threat environment where the old categories of \u201ccritical\u201d versus \u201clow\u201d risk are becoming meaningless distinctions.<\/p>\n\n\n\n

Consider the trajectory: in 2018, it took an attacker an average of 840 days to exploit a disclosed vulnerability. By 2026, that number has collapsed to 1.6 days. Security researchers project it will reach one minute by 2028. Meanwhile, the cost of generating a working exploit has dropped to approximately $1, achievable in 10 to 15 minutes using commodity AI tools.<\/p>\n\n\n\n

The most alarming proof point arrived in April 2026 with Claude Mythos, Anthropic\u2019s most capable model. In independent testing, Mythos achieved a 72.4% exploit success rate against known vulnerabilities \u2014 compared to 14.4% for Opus 4.6 and 4.4% for Sonnet 4.6. For context, the model designed for reasoning and safety is now among the most capable offensive security tools ever tested. <\/p>\n\n\n\n

The implication is stark: a vulnerability your team rated \u201clow severity\u201d and deprioritized two years ago can now be weaponized by an adversary using an AI model, in minutes, for less than the cost of a cup of coffee. The backlog is not a sorted list of future work. It is a list of open attack surfaces \u2014 every item on it, regardless of its original severity score. <\/p>\n\n\n\n

\"Threat<\/figure>\n\n\n\n

The industry is already feeling this in practice. Bug bounty programs – long structured around 30-to-60-day disclosure and remediation cycles, are collapsing under the weight of AI-speed weaponization. What once gave organizations a reasonable window to assess, triage, and patch is now measured in hours, not weeks. Security leaders who have spoken to Checkmarx\u2019s have been consistent in their reaction: this is happening, and it is happening at a scale larger than anyone anticipated. <\/p>\n\n\n\n

The pressure extends to release cycles themselves. As new AI models emerge with increasingly sophisticated reasoning capabilities, they surface new attack vectors against existing code, meaning a vulnerability that was practically unexploitable last quarter may become a live risk the moment the next frontier model ships. Release cadences will need to become far more dynamic<\/strong>, with security gates that respond to the threat environment in real time rather than on a fixed calendar. <\/p>\n\n\n\n

\nFront One: Get the Backlog to Zero<\/strong> <\/h2>\n\n\n\n

The first strategic imperative is a mindset shift: the remediation backlog is not a queue to be managed. It is a liability to be eliminated. Every unresolved vulnerability, regardless of its original severity rating, represents a door that a capable AI adversary can now open. <\/p>\n\n\n\n

\nWhy Severity Scoring Has Lost Its Primacy<\/strong> <\/h3>\n\n\n\n

Traditional CVSS scoring was designed for a world where exploiting a vulnerability required genuine expertise, time, and effort. A \u201clow\u201d score reflected the realistic difficulty of weaponization. That friction no longer exists. <\/p>\n\n\n\n

Advanced LLMs can reason through code the way a skilled human security researcher would \u2014 but at machine speed, at near-zero cost, and without fatigue. A vulnerability that was previously difficult to exploit because it required understanding complex application logic, chaining multiple conditions, or crafting a precise payload is now within reach of any adversary with API access to a frontier model. <\/p>\n\n\n\n

This does not mean severity scores are worthless for ordering work. It means they can no longer be used to justify inaction. A \u201clow\u201d vulnerability left unresolved is not a calculated risk \u2014 it is an invitation. <\/p>\n\n\n\n

\nThe Agentic Remediation Imperative<\/strong> <\/h3>\n\n\n\n

Getting to zero is not achievable through human effort alone. The math does not work. Security teams are already buried: 81% of companies knowingly ship vulnerable code because backlogs are growing faster than teams can manually remediate. AI-generated code compounds this further \u2014 every AI coding session produces approximately 1.7x more issues than human-written code, and roughly 45% of AI model solutions are insecure. <\/p>\n\n\n\n

The response must be agentic. Security teams need AI-powered remediation pipelines that do not just surface findings but close them \u2014 automatically, at the pull request level, prioritized by what is actually exploitable in the production environment. The goal is not faster triage. The goal is autonomous closure at scale. <\/p>\n\n\n\n

This is where attackability-based prioritization becomes essential. Not all of those 22,500 raw findings across a typical enterprise codebase represent equal danger. The critical filter is not severity \u2014 it is reachability and exploitability in the specific production context. A confirmed exploitable vulnerability in a code path that handles authentication for a production system is categorically different from a theoretical flaw in a dead code branch. Checkmarx\u2019s fidelity funnel reduces that 22,500 raw findings to 500 actionable risks \u2014 then agentic remediation closes 7 out of 9 confirmed findings automatically. <\/p>\n\n\n\n

The proof point: mean time to remediation drops from six hours to 1.8 minutes. That is not an incremental improvement. That is a different operational model entirely. <\/p>\n\n\n\n

\nRemediation at Zero: What It Requires<\/strong> <\/h3>\n\n\n\n

Getting the backlog to zero at enterprise scale requires three capabilities working in concert: <\/p>\n\n\n\n