The National Vulnerability Database published more CVEs in the past two years than in the preceding decade. Security reporters are writing about an "explosion" of vulnerabilities. Executives are asking their security teams whether software has somehow gotten dramatically less secure. The question is understandable. The premise is wrong.
Software has not become dramatically more vulnerable. We have become dramatically better at finding vulnerabilities that were already there. The distinction matters enormously — and the way you frame it determines whether the current pace of disclosure looks like a crisis or like a success story.
What AI-assisted vulnerability research actually does
For most of the history of software security, vulnerability discovery was a craft that required rare combinations of deep technical knowledge, pattern recognition developed over years of practice, and significant time investment. A skilled researcher might find a handful of significant vulnerabilities per year in a given codebase. The bottleneck was human attention — there was simply not enough of it to systematically examine the vast surface area of deployed software.
AI-assisted vulnerability research changes the bottleneck. Large language models trained on code can scan for vulnerability patterns at machine speed. Fuzzing tools augmented with AI can explore edge cases faster and more systematically than human-directed fuzzing. Symbolic execution combined with AI guidance can traverse code paths that would take human analysts weeks to reach manually.
The result is not more vulnerabilities. It is more vulnerabilities found. The flaws that AI tools are identifying in OpenSSL, in Linux kernel components, in widely deployed network equipment — they existed before the tools existed. The code has been running in production, exposed to the internet, exploitable by anyone with the patience and skill to find what the AI found in hours. The vulnerability was always there. Now we know about it.
"Calling AI-assisted vulnerability discovery a crisis is like calling the invention of medical imaging a cancer epidemic. The tumors were already there. Finding them is not the problem — it is the solution to the problem of not knowing about them."
The fear versus the reality
The Bernays question — who benefits from the panic?
Edward Bernays — the father of modern public relations — taught that when a message spreads rapidly and generates strong emotion, the first question to ask is who benefits from that emotional response. The vulnerability crisis narrative is worth examining through that lens.
The framing of accelerating CVE counts as a worsening crisis serves specific interests. Security vendors selling vulnerability management platforms benefit from customers who feel overwhelmed by volume and need managed services to cope. Consultancies benefit from executives who believe their security posture is deteriorating and need external assessment. Media outlets benefit from alarm — "record number of vulnerabilities discovered" generates more clicks than "security research tools are getting better."
None of these actors are necessarily being dishonest. They are selecting and framing true information in ways that serve their interests. The vulnerability count is genuinely increasing. Framing it as a crisis rather than as progress is a choice — and it is a choice that serves certain parties more than others.
The people it serves least are the organizations trying to make rational security investment decisions based on an accurate picture of the threat landscape. Those organizations benefit from understanding what is actually happening: discovery capability has improved dramatically, which is producing more known vulnerabilities, which is producing more patchable vulnerabilities, which is — if you act on the information — producing a more secure environment than existed when those flaws were unknown.
The actual problem — and it is not discovery rate
Here is what the vulnerability data actually shows when you look past the headline counts. The overwhelming majority of successful attacks exploit known vulnerabilities — flaws with published CVEs, available patches, and documented remediation steps. Not zero-days. Not novel techniques. Known vulnerabilities that organizations had not patched.
The Salt Typhoon campaign that compromised nine US telecom carriers exploited Cisco router vulnerabilities with patches that had been available for years — in some cases seven years. The Equifax breach that exposed 147 million records exploited a vulnerability that had a patch available two months before the attack. The vast majority of ransomware attacks in any given year exploit vulnerabilities that were disclosed and patched 12 to 36 months prior.
The problem is not that we are discovering too many vulnerabilities too fast. The problem is that organizations are not patching the vulnerabilities they already know about fast enough. AI discovering more vulnerabilities makes this problem more visible — it does not make it worse. The vulnerabilities were already there, being exploited by attackers who had found them through their own research while defenders remained unaware.
Who benefits from better discovery
The right response — and it is not panic
The correct response to accelerating vulnerability discovery is not alarm. It is prioritization. Twenty-five thousand CVEs per year is not twenty-five thousand vulnerabilities requiring immediate action — the vast majority affect software you do not run, have CVSS scores below the threshold for urgent action, or lack active exploitation that would elevate their priority.
The CISA Known Exploited Vulnerabilities catalog — the list of CVEs with confirmed active exploitation — is the single most useful prioritization tool available, and it is free. At any given time it contains a few hundred entries out of the tens of thousands of published CVEs. Those are the ones that matter today. Everything else fits into normal patch management cycles.
AI is also improving the prioritization side of the equation. The same capabilities that find vulnerabilities faster are being applied to triage — analyzing which vulnerabilities in your specific environment are actually reachable, which have working exploits available, which are being actively targeted in campaigns against your sector. The tooling for managing vulnerability volume is improving alongside the volume itself.
The organizations that will struggle with accelerating vulnerability disclosure are the ones treating every CVE as equally urgent and burning their teams on triage theater. The organizations that will thrive are the ones that understand the actual risk distribution, automate the prioritization, and apply human attention to the small fraction of vulnerabilities that genuinely require it.
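The prioritization described above, as an added example that is not part of the original article: a small triage routine that ranks a CVE feed by the signals the text names (KEV membership, whether the affected product is actually deployed, internet exposure, and CVSS). The CVE ids, product names, scores and the KEV set are constructed placeholders, not real advisories or the real catalog.

```python
"""Triage a CVE feed against an asset inventory and a KEV-style list.

Constructed sample data: the CVE ids, products and scores below are
placeholders, and KEV stands in for the CISA Known Exploited
Vulnerabilities catalog (a few hundred real entries in practice).
"""

KEV = {"CVE-0000-0001"}

INVENTORY = {            # product -> internet exposed?
    "router-os": True,
    "web-framework": True,
    "build-tool": False,
}

CVES = [
    {"id": "CVE-0000-0001", "product": "router-os", "cvss": 7.2},
    {"id": "CVE-0000-0002", "product": "web-framework", "cvss": 9.8},
    {"id": "CVE-0000-0003", "product": "build-tool", "cvss": 8.1},
    {"id": "CVE-0000-0004", "product": "legacy-cms", "cvss": 10.0},
    {"id": "CVE-0000-0005", "product": "router-os", "cvss": 4.3},
]

URGENT_CVSS = 7.0   # threshold below which a CVE goes to the normal cycle

TIER_ORDER = {"immediate": 0, "urgent": 1, "scheduled": 2, "routine": 3}


def triage(cves, inventory, kev, urgent_cvss=URGENT_CVSS):
    """Map each CVE id to a tier.  Software you do not run is checked
    first: even an actively exploited flaw is 'n/a' if the product is
    not in the inventory.  Then KEV membership beats any CVSS score."""
    tiers = {}
    for cve in cves:
        product = cve["product"]
        if product not in inventory:
            tiers[cve["id"]] = "n/a"
        elif cve["id"] in kev:
            tiers[cve["id"]] = "immediate"
        elif cve["cvss"] >= urgent_cvss:
            tiers[cve["id"]] = "urgent" if inventory[product] else "scheduled"
        else:
            tiers[cve["id"]] = "routine"
    return tiers


def work_queue(tiers):
    """Order applicable CVE ids so the team sees the immediate ones first."""
    applicable = [c for c, t in tiers.items() if t != "n/a"]
    return sorted(applicable, key=lambda c: TIER_ORDER[tiers[c]])
```

On the constructed feed, only one of five CVEs is "immediate" and one drops out entirely, which is the point: volume is not the same as urgency.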
The narrative that AI-assisted vulnerability discovery represents a worsening security crisis misreads the signal. More vulnerabilities found means more vulnerabilities that can be patched before attackers find them independently. The alternative — a world where flaws remain undiscovered by defenders while being quietly catalogued by sophisticated attackers — is not safer. It is more dangerous.
The real story in accelerating CVE counts is that the information asymmetry between attackers and defenders is narrowing. Attackers have always had the advantage of being able to invest in finding vulnerabilities that defenders did not know existed. AI tools that narrow this gap are now reaching defenders — through bug bounty programs, automated scanning, and researcher disclosures.
The vulnerability flood is not a sign that software is failing. It is a sign that our ability to understand what was always in the software is improving. Organizations that internalize this reframe will make better security investment decisions than those reacting to headline CVE counts as though volume itself is the threat.