The 2026 Vulnerability Forecast Update: Navigating the AI Epoch
By FIRST Forecasting team: Jerry Gamblin and Eireann Leverett
Monday, June 15, 2026
Introduction: A Structural Shift in the Vulnerability Landscape
The cumulative drift is currently +46.3% above the original forecast (an excess of 6,420 CVEs), leading to a revised 2026 projection of ~66K CVEs. There were many questions earlier this year when we produced prediction intervals as wide as 100k. Still, an important feature of a forecast is that it encompasses unlikely but realistically possible outcomes. AI-assisted discovery has increased the chances that we see what many people would consider an extreme number of vulnerabilities this year, and we take such things into account when producing the strategic forecast.
As we look toward the second half of 2026, the vulnerability coordination domain is undergoing an unprecedented transformation. With the recent deployments of highly autonomous AI discovery tools, such as Anthropic’s Mythos (a specialized, unreleased agent in the Claude family) and OpenAI’s GPT-5.4-Cyber, the volume of identified software flaws has accelerated massively. However, as we will explore in this mid-year update, a spike in raw discovery volume does not equate to an unmanageable security crisis. In sharp contrast, there is evidence that version cadences are remaining static amongst the rising tide of new CVEs. This is clearly visible in the lower graph, where the interval per product release is slightly increasing. In other words, we think more CVEs are being shipped with each version update, but the version updates remain the same cadence.
We thus advocate for calm growth in your vulnerability exposure management teams and processes, rather than a panic-driven narrative. Prepare to double the work you do if you maintain software, but we actually expect the work you do patching live systems to remain steady, at least through the end of 2026.
The growth we see in CVE volumes is often attributed to more eyes, more bug bounties, and more AI-generated results. However, we think this ignores the growth of Open Source projects receiving attention for the first time, as well as the raw growth of software worldwide. As we can see below, this is a significant factor in CVE growth, not mentioned elsewhere.
Part 1: The 'Epochal' Shift and the Discovery Surge
Historically, the FIRST vulnerability forecast relied on time-series models to predict the organic growth of CVEs. The 2017 structural change in CVE data represented a major shift, and we carefully chose models to either avoid or accept it. That internal history is relevant today because everyone believes we are going through another transformational period. Forecasters have to make important choices about when and where to switch tools.
2026 has introduced an entirely new paradigm: the capability-triggered model.
The AI Discovery Era: We are currently witnessing the first major wave of AI-assisted bug hunting. For instance, there was a 164% spike in Q1 disclosures at Mozilla, directly attributable to Anthropic's Project Glasswing, which uses the unreleased Mythos Preview agent and Claude Opus 4.6 to autonomously find legacy bugs within the Firefox engine. As detailed in the recent report "Behind the Scenes Hardening Firefox with Claude Mythos Preview" by Mozilla's Brian Grinstead, Christian Holler, and Frederik Braun, the team built an agentic harness on top of their fuzzing infrastructure to successfully identify and fix 271 bugs for the Firefox 150 release. This activity clarifies the relationship between the more general "Claude models" and the specialized "Mythos" agent mentioned throughout this forecast.
Structural Volume Drivers: Beyond AI, structural expansions are inflating the numbers. Specifically, GitHub Security Advisories (GHSA) volume is up 449% YoY due to an expanded curation team and CVE ID backfill campaign, and VulnCheck is up 3,119% YoY as a CNA of Last Resort absorbing the unassigned backlog. These expansions have dramatically increased aggregate volume. Growth in software will also naturally drive growth in CVEs, but we are still learning how to distinguish between the two.
The Real Bottleneck: In an era where AI can find significantly more flaws than human analysts, the constraint is no longer discovery; it is the human capacity to verify, coordinate, and patch. We also believe a crucial bottleneck will be in writing detection signatures for exploitation. The issue often comes down to the difference between identification and true risk detection.
Part 2: The Exploitability Overlay (Rain vs. Floods)
If we look only at the total volume of vulnerabilities, the forecast appears daunting. However, applying an "exploitability overlay" reveals a much more actionable reality. We refer to this as the "Rain vs. Flood" analogy.
Heavy Rainfall (Total Volume): The aggregate number of CVEs and...