AI-enabled Vulnerability Discovery
Anthropic’s Mythos research (April 2026) demonstrated that AI models can
find software vulnerabilities more reliably than human researchers — and can
generate working exploits at a speed and scale that humans cannot match.
State-sponsored groups are already using these capabilities. As AI models improve,
so will every attacker’s access to them.
No public analysis had modeled what this means for the CVE landscape over time.
This paper fills that gap with a five-year quantitative model across four scenarios,
varying LLM capability (60–80%) and the share of the vulnerability backlog
discovered each year (10–30%). Even the most conservative scenario produces
a 5.9× surge in published CVEs in the first year as AI rapidly uncovers the
enormous backlog of flaws already present in deployed software.
Scenarios S1–S3 (80% LLM capability) converge to ~26.7K CVEs/yr by Year 4; S4 (60% LLM capability)
stabilises at a higher floor of ~32.6K/yr.
The most important finding is not the volume — it is the shift in
who finds the vulnerabilities. Across all four scenarios, the attacker
share of CVE discovery rises from one-in-three today to between 55% and 72% by
year five. Defenders will increasingly be reacting to vulnerabilities that attackers
already know about. The core challenge shifts from finding vulnerabilities faster
to fixing them faster.
Download the full paper (Word document): AI-Enabled Vulnerability Discovery: Projecting the Impact of Large Language
Models on the CVE Landscape — A Five-Year Model · April 2026
Interactive model visualisation: five-year CVE projections with scenario toggles, tabbed charts (total CVEs,
attacker share, vulnerability pool), and data tables. Built with React + Recharts.
Scenario 4 applies 60% LLM capability symmetrically to both defenders and attackers
using the same market as S3 (15% annual discovery rate, 533K vulnerability pool).
The chart's bars show how each year's CVEs split between defenders (blue) and attackers (red).
The attacker share grows from 33% at baseline to 58% by year five: a lower ceiling than the 68.7%
reached in S1–S3, but still a 73% relative increase over the pre-LLM baseline.