AI Security | Apr 10, 2026

Why cyber defenders need to be ready for frontier AI

Frontier AI models accelerate cyber attack capabilities; defenders must adopt the same tools to maintain their advantage.

Summary

A new analysis from the AI Security Institute reveals that frontier AI models are rapidly advancing cyber attack capabilities, with models like Claude Opus 4.6 completing multi-step enterprise network attacks in roughly half the time a human expert would need. Attackers are already leveraging these AI tools, and the cost of launching sophisticated attacks has plummeted to around £65 per attempt. Defenders must adopt equivalent frontier AI capabilities to maintain their structural advantage and stay ahead of evolving threats.

Full text

Understanding the threats and staying ahead of the adversary

Paul J, Alan Steer

Artificial intelligence (AI) is no longer a distant or speculative issue for cyber security. The most advanced systems, often referred to as frontier AI models, are already showing results in specific steps of cyber operations, such as in helping identify zero days in widely used software, or solving cryptographic challenges. These models are changing the cost, speed and scale of operations for both attackers and defenders. It means tasks which once required specialist skills – such as writing exploit code, understanding system architecture or using attack tools – can increasingly be automated using AI in certain circumstances.

Recent findings from the AI Security Institute (AISI) highlight an accelerated increase in the cyber capabilities of frontier models, and at a far faster pace than many expected. In specific cyber tasks, models already exceed what a skilled practitioner could achieve at lower cost. In parallel, publicly available examples demonstrate how these capabilities are already being used in practice, and how attackers could adopt them more widely.

The implication is clear: defenders should assume that at least some attackers already have access to capable AI tools.
Since frontier AI capabilities potentially strengthen cyber attackers, cyber defenders must use the same capabilities to drive defensive advantage.

This blog helps cyber security professionals, decision makers and risk owners to better understand:

- how frontier AI capabilities are evolving
- how attackers are already using – or could use – these capabilities
- where frontier AI is most likely to deliver game-changing improvements in cyber defence

It also explains the critical structural advantage defenders hold and how to retain that advantage to stay ahead of the attackers.

Glossary of terms used

AI (unless otherwise stated) refers to generative AI (GenAI) – the class of AI systems that can produce text, code and other outputs in response to prompts. (This is distinct from earlier forms of AI which have been used in the cyber security context for many years).

Frontier AI models refer to the most capable models available at any given time. It’s worth noting that capabilities developed in frontier models can be transferred into smaller, cheaper, or open-weight models through a process called distillation – meaning advances at the frontier set the direction of travel for the whole ecosystem.

AI systems refer to broader AI systems that combine models with tools, workflows and human oversight. Examples include:

- agentic systems that take sequences of actions autonomously
- systems where humans and AI collaborate on tasks

Many of the benefits and risks discussed in this blog are delivered by AI systems rather than raw model capability alone.

How frontier AI capabilities in cyber operations are evolving

Whilst safeguards applied by responsible model developers can limit misuse of AI, these protections can often be bypassed (and in open‑weight models can be removed or are absent from the start). Publicly-available AI model weights can be modified, and safeguards removed entirely.

Reporting from multiple frontier labs over the last few years has shown attackers are using frontier AI models to aid their operations. For example:

- Anthropic’s Disrupting the first reported AI-orchestrated cyber espionage campaign
- Google’s Adversarial misuse of generative AI
- OpenAI’s Disrupting malicious uses of AI

In its recent research into measuring AI agents' progress on multi-step cyber attack scenarios, AISI evaluated the cyber capabilities of 7 frontier AI models, released before March 2026. Importantly, the capabilities are inherently dual-use, meaning the skills that could be used by attackers – such as identifying vulnerabilities and developing exploits – can also be used by defenders for security testing and hardening. The models were given specific tasks in 2 simulated environments (an enterprise network and an industrial control system) and left to operate autonomously.

On the 32-step enterprise network attack, estimated to take a human cyber security expert approximately 14 hours to complete end-to-end, the best-performing model (Claude Opus 4.6, released February 2026):

- Averaged 15.6 steps, with extended processing time - which corresponds to roughly 6 of the 14 hours a human expert would need.
- Averaged 9.8 steps without extended processing time – up from fewer than 2 steps 18 months earlier.
- Completed its single best run in 22 of 32 steps.

As of March 2026, no public model has completed the full scenario end-to-end.

On the more complex industrial control system attack scenario, AI performance was significantly more limited. But even here there were early signs of progress: the most recent models were the first to make any consistent headway, and in some cases found attack approaches the scenario designers hadn't anticipated.

In just 18 months, the best AI models went from barely making any progress on a realistic simulated enterprise attack to completing over half of it, and the cost of a full attempt is now around £65.

Factors driving the rapid pace of improvement in offensive AI cyber capabilities

There are 2 reinforcing trends driving this acceleration:

- The capability ceiling is rising fast. Each new generation of AI model is better at working through complex attack sequences than the last. The best model in early 2026 completed nearly 6 times more attack steps than the best model 18 months earlier.
- Running these attacks is getting cheaper, not harder. Giving the same model more processing time reliably improves results with no additional attacker skill required. At current pricing, a full attempt at this simulated attack costs around £65. This means the limiting factor is increasingly funding, not expertise.

Current limitations of the AI models in attack scenarios

Despite rapid improvement, AI models released before March 2026 still fall short of end-to-end completion of these complex attack scenarios. The main reasons for this limitation are:

- The amount of processing time. In several evaluations, models were still taking useful actions when they reached the end of the allotted processing time, meaning the results likely understate their full capability.
- Specialist knowledge gaps in areas such as reverse engineering, cryptography, and malware development. Performance drops sharply when attacks transition from reconnaissance and web exploitation to phases where there is less training data.
- Complex, multi-step coordination is unreliable. Models struggle with operations that require managing several concurrent processes in real-time. Models lose track over long operations which leads to lost context and missed opportunities.
- Results are inconsistent. The same model with the same amount of processing time can produce very different results across individual runs.

It’s important to note that these aren't permanent barriers. They are areas where the rate of improvement has already been rapid, and where even modest extensions to processing time or human-AI teaming can result in substantial gains. It's also worth noting that these results likely underrepresent what current models are capable of, given the evaluations used a standard setup with no specialist tools or human involvement. Purpose-built approaches would almost certainly perform better.

An important near-term advantage for defenders is that the activity of frontier AI models released before March 2026 tends to generate noticeable security alerts and is relatively easy to detect. Current models would likely be identified and disrupted before they managed to achieve the levels of progress outlined above – but only in environments with effective monitoring and the ability to respond. For a broader assessment of how A

Entities

- Claude Opus 4.6 (product)
- Anthropic (vendor)
- Google (vendor)
- OpenAI (vendor)
- Frontier AI (technology)
- Generative AI (GenAI) (technology)