AI finds zero-days faster than we patch them — the underground panics

On Lobsters, a thread is exploding about what most people don't dare to say aloud: AI will find vulnerabilities we can't fix. And it might already be happening.

◉

24AI Underground

April 21, 2026·Updated April 22, 2026·2 min read

AI finds zero-days faster than we patch them — the underground panics

Community buzz · early signal

SIGNALS

A thread on Lobsters is boiling over with people discussing how close we are to an AI-driven zero-day apocalypse scenario
CrowdStrike figures show that AI-enabled attacks increased by 89% last year — and the average breakout time is down to 27 seconds
The community is divided: some are hoarding air-gapped machines, others believe we are already too late

Early signal · community sourced · unverified

A discussion thread on Lobsters that started quietly a few days ago has garnered an unusual amount of traffic for a forum that usually remains quite calm. The topic: what are you doing specifically to protect yourself against a scenario where LLMs start finding zero-days on an industrial scale?

And no, this is no longer speculative sci-fi.

The figures circulating in the thread are worth taking seriously. CrowdStrike recently reported an 89 percent year-over-year increase in AI-enabled attacks, and the average time from a system being compromised to the attacker moving laterally within the network is now down to 29 minutes. The fastest observed breakout time? 27 seconds. There's barely time to react.

From late 2025 to March 2026, the proportion of security vulnerabilities where AI helped find them jumped from 16 percent to over 66 percent.

What makes the Lobsters thread particularly interesting is that it's not full of doomer rhetoric. It's technical, pragmatic, and a little frightening precisely because the people there know what they're talking about. Some highlight air-gapping as the only real defense — the classic "machine that has never been online" strategy. Others point out that this doesn't help for infrastructure we actually depend on.

Context is important here: AI CVEs (i.e., documented vulnerabilities related to AI systems) surged to over 2,100 in 2025 alone, an increase of nearly 35 percent. Of these, over 1,500 have a high or critical severity. This means the attack surface is growing faster than defense capabilities.

The truly worrying scenario discussed in the thread is not that AI directly attacks systems — it's that a small group of people with access to powerful LLMs can find and exploit vulnerabilities that take years to patch, or that cannot be patched at all because they are deeply embedded in hardware or protocols.

Google Project Zero has already shown that AI can increase vulnerability detection by up to 20 times on standard benchmarks. It's a double-edged sword of immense proportions.

Why should you pay attention to this now? Because mainstream security media still treats this as a future scenario. It is no longer. The Lobsters thread is an early signal that people working hands-on with security are starting to take this seriously on a completely different level than six months ago.

NOTE: This is based on community discussions and aggregated industry figures — not verified through independent primary sources. Early signal, not definitive.

AI finds zero-days faster than we patch them — the underground panics

Related Articles

The Python Community is Talking AI — And It's Happening Right Now

Fixa.dev Aims to Be the Datadog for AI Voice Agents

xAI Wipes Out Competitors with Grok Voice API — 5x Faster Than GPT