Cybersecurity is Gravity & this Week AI Felt the Pull
As AI becomes more massive, the pull grows stronger
Cybersecurity is not a product category. It’s a force of nature, like gravity. It’s the inherent consequence of systems interacting, the bill that comes due whenever you connect two things that each made locally reasonable assumptions about the other. You don’t defeat gravity. You account for it, or it accounts for you. And the thing about AI and agents is that they didn’t exempt themselves from any of this. They changed the mass of the system, which bent the field, which means the old equations still hold but the numbers moved. Hard.
Three stories this week, and the lazy read is that they disagree with each other. One says AI agents are a shiny new attack surface. One says AI is the best vulnerability finder we’ve ever built. One says confidence in autonomous AI security is falling off a cliff. Pick your narrative, right? Except they don’t actually conflict. They’re three projections of the same object. Same force, different faces.
Move fast, and meet the things that break back
[The Register reported] on CVE-2026-12957, a CVSS 8.5 in Amazon Q that Wiz found. Amazon Q would auto-load an MCP server config sitting in a repo (`.amazonq/mcp.json`) and execute whatever it found, no prompt, no consent. Open a poisoned repo and the commands run, inheriting your whole environment: AWS keys, session tokens, SSH agent sockets. `git clone` to cloud compromise in a single move. Similar flaws landed the same week in Claude Code, Cursor, and Windsurf, so this isn’t one vendor being sloppy. It’s the category.
Here’s the part that matters. This isn’t a bug in the classic sense. Nobody forgot to sanitize an input. The agent did exactly what it was built to do, which is read the project context and act on it. The booby-trapped repo just supplied hostile context. There’s no Lipschitz bound on agent behavior here, no guarantee that a small change in input produces a small change in output. A few lines in a config file flip the agent from autocomplete to credential thief, and the function is discontinuous at precisely the point an attacker controls.
This is what the first truth looks like in the wild. “Move fast and break things” was always a fine slogan when the things you could break were a staging environment and some user goodwill. The catch is that the moment you hand an agent the keys, the set of things it can actually break grows to include your cloud account, and the math changes significantly. Velocity is the same. Blast radius is not. Gravity doesn’t care how fast you shipped. It cares what you wired to what.
Honest caveat on severity, because the framing wants to be scarier than the facts: the exploit path needs you to open a hostile repo, with a credential-bearing agent, under a permissive posture, and Amazon patched it (1.65.0, ideally 1.69.0). That’s a real but bounded set of conditions, not “everyone running Amazon Q is owned.” It matters anyway because those conditions are getting more common monotonically, since the whole industry is racing to give agents more autonomy rather than less. The exploit surface grows with the autonomy you grant. That relationship isn’t going to invert.
AI is genuinely good at finding the missing links
Second story, and this is the optimistic one if you let it be. [The Register also covered] the Athena coalition, roughly two dozen companies led by Chainguard, pointing frontier models at open source code at scale. The numbers aren’t subtle: Athena has already chewed through more than 20,000 findings and produced over 2,000 patches across 500 projects. Anthropic ran Mythos Preview against a thousand-plus open source projects and surfaced an estimated 6,202 high or critical vulnerabilities. Chainguard’s Dan Lorenc’s point was basically that you keep running scans on the same libraries and the thing just keeps finding more.
This is the good news, and I want to say it plainly without hedging it into mush. AI is genuinely, categorically good at the search problem. Finding a vulnerability is, to first order, pattern-matching across a space too large for a human to walk by hand, and that’s exactly the shape of task where the technology is strongest. The flaws were always there. We finally have something with the patience to look at all of it. That’s a new era for defense, full stop. The dormant five-year kernel bug, the decade-old Office RCE, the missing-link finding nobody had the hours to chase: that’s in reach now.
The catch is that the same accelerant has no allegiance. Discovery is cheap for the defender and equally cheap for the attacker, and the two sides aren’t symmetric in what happens next. The defender’s AI finds a bug and files it into a queue with change management, regression testing, and a long tail of systems nobody wants to touch. The attacker’s AI finds the same bug and there is no queue. So in expectation, AI widens the gap between the rate of discovery and the rate of remediation, because it compresses the cost of finding far more than the cost of fixing. Fixing is still an engineering and coordination problem, and that curve is much, much flatter.
Worth noting honestly, because the capability here is uneven: when cURL’s Daniel Stenberg [had Mythos run against his codebase], it returned five “confirmed” vulnerabilities and exactly one survived his team’s review. The rest were false positives or ordinary bugs. So “AI finds countless vulns” and “most of what it flags is noise” are both true at the same time, and the ratio depends heavily on the codebase and the reviewer. The signal is real. It just arrives buried in a lot of not-signal, which is the perfect handoff to the third story.
AI is not an island, and verification is the bottleneck now
The third one runs against the hype, which is exactly why I trust it. [Dark Reading reported] on a Cobalt survey: the share of organizations willing to rely on fully autonomous AI pentesting dropped to 9% in 2026, down from 29% the year before. The headline frames this as “AI decline.” The headline is wrong. Nothing declined. What happened is that people ran the tooling long enough to develop a calibrated sense of where it fails, and they adjusted. That’s the system working precisely as it should.
And the place it fails is the place that was always going to matter. 78% of companies reported automated systems missing significant vulnerabilities, the false negatives, the high-severity thing the agent strolled right past. Pentesting is a heavy-tailed task. The value lives in the weird edge case, the creative chaining of two individually-boring findings into one serious one, the judgment call about whether a lead is worth a day of your life. Agents are good at the median case and bad at the tail, and in security the tail is the entire job. An autonomous scanner that nails the obvious 80% has reinvented the vulnerability scanner we already owned. The 20% it misses is exactly why you hired a human.
Here’s the load-bearing point, and the FIRST analysts said it cleaner than I will. In a world where AI finds far more flaws than humans can, the constraint stops being discovery and becomes the human capacity to verify, coordinate, and patch. Verification is the bottleneck now. HackerOne literally paused its Internet Bug Bounty program because the volume of submissions needing validation outran the humans available to validate them. Microsoft shipped a record 206 CVEs in a single Patch Tuesday, driven by AI discovery. Vulnerabilities are getting reported 46% above forecast. The firehose is real, and the median organization has no pipe wide enough to drink from it.
So the honest thing about AI here is neither doomer nor hype. It’s that AI is a force multiplier, and the word doing the work in that phrase is *multiplier*. It scales your force. It doesn’t replace it. The durable shape, and the practitioners converged on this independently, is the agent running relentless breadth on the first pass while a human supplies depth and judgment on whatever survives. AI does the custodial work, the tireless grinding through everything, so your scarce expert attention lands on the part that actually requires a mind.
But a multiplier cuts both ways, and this is the part people skip. If your AI’s output outpaces your team’s capacity to verify it, you haven’t added security. You’ve added an unverified backlog wearing a security costume, and to close it you need people who are, in the relevant sense, smarter than the AI, because verification is the harder cognitive task, not the easier one. The verification gap isn’t only a capability problem. It’s a labor problem too. You can buy more discovery for almost nothing now. You can’t buy more senior judgment at the same rate, and if you let the first outrun the second, that gap is precisely where you get owned.
The whole picture
These three don’t actually disagree. They’re the same object seen from three angles, and the object is what happens when you drop a new kind of mass into a system governed by the gravity of cybersecurity.
AI is subject to that gravity and gets hit hard, because when “move fast and break things” finally collides with the things it can really break, the equation stops being about speed and starts being about blast radius. AI is also the best pattern-matcher we’ve ever pointed at our own code, genuinely opening a new era of finding the missing links, while handing the identical capability to whoever’s standing on the other side. And AI is not an island. It’s a force multiplier that does the custodial labor beautifully and frees your people for the work that needs people, right up until its output outruns your ability to verify it, at which point the multiplier is amplifying your risk instead of reducing it.
None of that is a contradiction. It’s gravity, doing what gravity does, on a system that suddenly weighs a great deal more than it did a year ago. The teams that win this aren’t the ones with the most autonomous AI. They’re the ones who kept their verification capacity ahead of their discovery rate. That ratio is the whole game now, and I don’t think most people have clocked that it’s the number to watch.
Sources
- Amazon Q flaw let booby-trapped Git repos execute code, swipe cloud creds (The Register): https://www.theregister.com/cyber-crime/2026/06/26/amazon-q-flaw-let-booby-trapped-git-repos-execute-code-swipe-cloud-creds/5263202
- It’s looking like a hot, messy summer for security teams as AI finds countless previously hidden vulns (The Register): https://www.theregister.com/security/2026/06/27/its-looking-like-a-hot-messy-summer-for-security-teams-as-ai-finds-countless-previously-hidden-vulns/5260478
- AI Decline? Confidence in Autonomous Penetration Testing Falls (Dark Reading): https://www.darkreading.com/cybersecurity-operations/ai-decline-confidence-autonomous-penetration-testing
- Anthropic’s bug-hunting Mythos was greatest marketing stunt ever, says cURL creator (The Register): https://www.theregister.com/security/2026/05/11/anthropics-bug-hunting-mythos-was-greatest-marketing-stunt-ever-says-curl-creator/5238111






