From zero days to zero hours: How AI is accelerating attacks to "machine speed"
CrowdStrike data shows that exploits are being weaponised within days as AI drives down the cost of vulnerability discovery.
AI is accelerating cybercriminals and nation-state attackers, enabling breakouts in minutes - or even seconds - and allowing zero-day vulnerabilities to be exploited well before public disclosure.
CrowdStrike’s new 2026 Global Threat Report found that AI is speeding up attackers while expanding the enterprise attack surface, with the average time taken to move laterally across networks falling to just 29 minutes in 2025 - a 65% increase in speed from 2024 - and the fastest breakout ever recorded taking place in just 27 seconds.
Threat actors are not only weaponising AI, but have also been observed targeting AI systems at more than 90 organisations and abusing AI development platforms.
Hackers are increasingly using AI agents to write code, analyse data and orchestrate workflows at what CrowdStrike describes as “machine speed”.
Based on frontline intelligence from threat hunters tracking more than 280 named groups, the report found AI-enabled adversaries increased operations by 89% year over year, using AI across reconnaissance, credential theft and evasion.
Intrusions now cycle through trusted identities, SaaS applications and cloud infrastructure, blending into normal activity while giving defenders less and less time to respond.
CrowdStrike also found that 42% of vulnerabilities were exploited before public disclosure, as attackers increasingly weaponised zero days for initial access, remote code execution and privilege escalation.
The pattern extended across both criminal and nation-state operations, with 67% of vulnerabilities exploited by China-nexus actors delivering immediate system access.
From "artisanal" vulnerability research to AI-powered exploitation
We asked Adam Meyers, CrowdStrike’s head of counter-adversary operations, if the situation would worsen and whether vulnerabilities would be exploited even faster.
He told Machine: “Absolutely. I think in the next three to nine months, we’re going to see an explosion of zero-day vulnerabilities coming out of AI.
“When you think about how to build a vulnerability or weaponise an exploit, there are really two ways to do it. There’s what I like to call the artisanal way, where you’re completely reverse engineering a target and finding the perfect vulnerability.
“And then what most people do is fuzzing, where you throw a bunch of inputs at a system, wait until it breaks, and then analyse the log or crash dump that comes out of that. That’s perfect for AI, which can automate the throwing of garbage at an input.
“Once a crash occurs, AI can automate the analysis and even build a test exploit. The cost of discovering a vulnerability will go down from hundreds or thousands of dollars to [single-digit] dollars - or even pennies. And as that happens, we’ll see more and more of that.”
Attackers are also beginning to treat AI systems themselves as infrastructure worth compromising.
CrowdStrike observed adversaries injecting malicious prompts into legitimate generative AI tools, using them to generate commands capable of stealing credentials and cryptocurrency.
Vulnerabilities in AI development environments were also exploited to establish persistence and deploy ransomware, while malicious AI servers impersonating trusted services were used to intercept sensitive data.
The shift reflects a broader industrialisation of intrusion techniques. Rather than relying solely on manual reverse engineering, attackers are increasingly using AI to analyse crash data and automate elements of exploit development, coordinating workflows at a scale that resembles automated operations more than human-led attacks.
State-backed groups appear to be adopting these techniques fastest. Activity linked to China increased sharply during 2025, with logistics organisations among the most heavily targeted sectors and many attacks focused on internet-facing edge devices designed to provide immediate access into corporate environments.
North Korean operations also expanded significantly, including large-scale financially motivated campaigns targeting cryptocurrency platforms.
Increasingly, much of this activity is shifting toward cloud infrastructure, where attackers can combine intelligence collection with long-term access. CrowdStrike recorded a sharp rise in state-linked actors targeting cloud environments, reflecting the growing strategic value of identity systems and hosted enterprise data.
Intrusions targeting cloud infrastructure rose 37% overall, fuelled by a 266% increase in state-linked actors using cloud environments for intelligence gathering.
“This is an AI arms race,” Meyers added. “Breakout time is the clearest signal of how intrusion has changed. Adversaries are moving from initial access to lateral movement in minutes.
“AI is compressing the time between intent and execution while turning enterprise AI systems into targets. Security teams must operate faster than the adversary to win.”