FIRST projects 2026 CVE count to hit 66,000 via AI
Key insights
- FIRST projects 2026 CVE disclosures will reach approximately 66,000, driven by Anthropic's Mythos and OpenAI's GPT-5.4-Cyber autonomous discovery tools.
- Mozilla's Project Glasswing, using the Mythos Preview agent, identified 271 bugs in Firefox 150 as a concrete benchmark of AI-assisted discovery scale.
- Human analyst capacity is now the primary constraint, with security teams advised to budget for roughly double their current vulnerability management workload.
Why this matters
The 66,000 CVE projection forces a structural rethink of security operations budgets and staffing at a time when most organizations sized their programs against a much smaller disclosure volume. AI-generated disposable code creates a parallel vulnerability surface that never enters CVE registries, meaning traditional scanning and patch programs are structurally blind to a growing share of actual risk. FIRST CEO Chris Gibson's framing that coordinated, trust-based intelligence sharing is the differentiator for 2026 signals that organizations without established CSIRT relationships are already operationally behind.
Summary
FIRST now projects approximately 66,000 CVEs will be disclosed in 2026, exceeding initial forecasts, as autonomous AI tools hunt for vulnerabilities without human prompting.
Anthropic's Mythos and OpenAI's GPT-5.4-Cyber are the key drivers. Mozilla's Project Glasswing benchmarks the scale: the Mythos Preview agent identified 271 bugs in Firefox 150. GitHub Security Advisories and VulnCheck also expanded cataloging operations and backfilled historical records, contributing to the inflated totals.
Essentially, FIRST, Anthropic, and OpenAI have accelerated disclosure past human response capacity.
- Analyst capacity is now the binding constraint: teams cannot verify and patch faster than AI discovers flaws.
- AI-generated disposable code creates vulnerabilities that bypass CVE registries entirely.
- Security teams should budget for roughly double their current vulnerability management workload.
The actively exploited subset remains proportionally small, but operational pressure on security teams is rising faster than headline CVE numbers suggest.
Potential risks and opportunities
Risks
- Organizations that do not scale vulnerability management headcount in 2026 face triage backlogs that could leave confirmed flaws unpatched for months as AI discovery outpaces human verification capacity.
- AI-generated disposable code vulnerabilities that never enter CVE registries could become a preferred attack vector for threat actors monitoring public AI output, exploiting gaps before any cataloging occurs.
- Vendors relying on periodic patch cycles risk exposure in the window between autonomous discovery by Mythos or GPT-5.4-Cyber and coordinated public disclosure, leaving defenders with no warning period.
Opportunities
- Vulnerability management platforms such as Tenable, Rapid7, and Qualys have a direct upsell path as enterprises facing roughly doubled workloads need automation to handle AI-driven triage at scale.
- AI bill of materials tooling vendors and runtime monitoring providers are positioned to fill the cataloging gap left by disposable AI-generated code that bypasses CVE registries entirely.
- CSIRTs and MSSPs with established trusted intelligence-sharing networks, as highlighted by FIRST CEO Chris Gibson, gain a competitive moat in coordinating response and attracting enterprise clients preparing for the 2026 surge.
What we don't know yet
- Whether GitHub Security Advisories' and VulnCheck's historical backfilling is a one-time event or ongoing, and how it skews year-over-year CVE trend comparisons going forward.
- How FIRST plans to update CVE severity and triage frameworks to distinguish AI-autonomous discoveries from human-reported ones, given the volume difference.
- What share of the projected 66,000 CVEs are expected to be actively exploited, and whether that exploitation ratio holds as autonomous discovery by tools like Mythos and GPT-5.4-Cyber continues to scale.
Originally reported by Help Net Security
Original headline: FIRST Projects AI Autonomous Discovery Will Push 2026 CVE Count to 66,000 — Human Patching Capacity Now the Binding Constraint