Skip to main content
Holger Rünkaru logo
🇪🇪 Eesti
/ 9 min read

AI finds vulnerabilities in minutes — what your business should do right now

Why this matters right now

In April 2026, Estonia’s Information System Authority (RIA) published a blog post about Anthropic’s new model, Claude Mythos. Written in measured, factual language — but the message is clear: the cyberattack landscape is changing quickly and fundamentally.

The model discovered vulnerabilities up to 27 years old — undetected until now — in FreeBSD, OpenBSD, the Linux kernel, Firefox, Windows, cryptographic libraries, and numerous other systems. The performance gap compared to the previous generation is dramatic: an earlier model managed to turn a Firefox vulnerability into a working exploit twice across hundreds of attempts — Mythos did it 181 times in the same test. According to RIA’s assessment, hostile state actors (Russia, China) will reach comparable capabilities within 6–12 months. Publicly available models will follow 12–18 months later.

This doesn’t mean a wave will hit tomorrow and sweep every business away. But it does mean that the speed at which vulnerabilities are discovered — and therefore the speed of attacks — is growing at a rapid pace.

What does this mean in practice? Previously, finding a vulnerability required time and skill, and then more time was needed to build a working exploit. The window in which a company could apply a security patch before attackers exploit it is getting shorter — sharply so.

According to Zero Day Clock data, the median time-to-exploit in 2021 was 1 year; in 2025, 1 month; in 2026, we have already reached medians of 1 week and 1 day — and predictions suggest we may reach 1 hour before the end of this year.

Zero Day Clock tracks in real time how quickly the first working exploit appears after a vulnerability is publicly disclosed — based on a dataset of over 83,000 vulnerabilities. The trend is unambiguous: the time between disclosure and exploitation keeps shrinking.

Small and medium-sized businesses don’t need to panic. But ignoring this isn’t an option either.

What does this mean for your business?

It’s tempting to think: “this is about large systems, nation-states and corporations — not us.” But today, attacks are not analytically targeted — systems are scanned for vulnerabilities and struck. Target analysis comes after a successful breach.

Most security incidents don’t happen because an attacker has singled out your specific company. They happen because software wasn’t updated, a user account credential was in a leaked database, or an admin panel was left exposed to the internet. These are exactly the kinds of issues AI-powered tools can already scan for — automatically and at scale.

The numbers speak clearly: in 2025, Estonia recorded 10,185 cyber incidents — for the first time crossing the ten-thousand mark, approximately three times more than in 2023. At the same time, the Cybersecurity Act implementing NIS2, which entered into force in January 2026, expanded the circle of organisations subject to cybersecurity obligations in Estonia from around 3,500 to nearly 6,500 — thousands of businesses now face regulation they hadn’t previously encountered.

If your company isn’t dealing with cybersecurity because of regulation, it should be dealing with it to stay operational next week.

Cybersecurity — and the change AI is bringing to the threat landscape — is not yet a paradigm shift. What’s changing is a few risk assessments: if it used to feel riskier to apply an update or patch immediately, without testing it first or waiting just in case, today it is riskier to wait.

The question isn’t “do I need to deal with cybersecurity?” — it’s “how do I achieve an adequate level of security at a reasonable cost, so my business remains viable?”

This is today’s baseline — not advanced cyber defence for special institutions.

1. Security updates — not “someday”, but now

This is the simplest, most repeated, and most ignored recommendation in cybersecurity: apply security patches quickly. If this was once a soft goal for many, today there’s no getting by without it.

In today’s environment, most organisations are better served by setting up clear rollback procedures and automating updates so they are installed at the earliest opportunity.

With today’s threats, the question is no longer “will this vulnerability be exploited?” — it’s “is it already being exploited?“. Once a vulnerability is publicly disclosed, attackers begin exploiting it within hours, not days. AI-powered automation makes the process faster, more accessible, and more widespread.

What to do:

  • Enable automatic updates on all employee computers and servers — Windows, macOS, browser extensions, mobile apps. This doesn’t replace careful management, but ensures critical patches arrive promptly.

  • Know what you have. You can’t update what you don’t know about. Make a list of all software and devices in use — especially anything old. Software that hasn’t been supported for three years is an open door.

  • Track end-of-life software. When a vendor stops supporting a product, security patches stop too. Every such program is an open invitation for attackers.

Delaying updates often feels like a reasonable call — “it might break something”, “we don’t have time.” But unpatched software is an unlocked door.

2. Reduce your attack surface — less exposure means more protection

AI-powered tools are particularly effective at one thing: systematically scanning the internet for exposed systems. Every port, every admin interface, every application that is publicly reachable without necessity — is a potential entry point worth investigating.

What to do:

  • Review what’s visible from the internet. Is your router, printer, office cameras, or business systems accessible to outsiders? Ask your IT/security partner to use tools like Shodan.io to see your own systems through an attacker’s eyes. The results are often surprising.

  • Use a secure channel for remote access. If an employee needs to reach the company’s internal network, it should be through a secure channel — not directly exposed to the internet. Whether that’s a VPN, SASE, or another solution.

  • Enable MFA on all accounts. Multi-factor authentication (MFA) is a baseline requirement in 2026. Not a “bonus” security measure — a minimum. Accounts protected only by a password are too vulnerable.

  • Remove access that’s no longer needed. Former employees, test accounts, application integrations — every unused access point is a potential risk. Review regularly, at least once per quarter.

A smaller attack surface makes your company a less attractive target. It’s like locking your car in a car park — it doesn’t guarantee full safety, but a thief moves on to the next, easier target.

3. Know what’s happening in your systems

The classic cybersecurity problem: an attack is often discovered weeks after the attacker was already inside. AI-powered attack tools work quietly and quickly — the longer they go unnoticed, the greater the damage.

Early detection and a layered security architecture allow threats to be identified and stopped before significant damage occurs.

What to do:

  • Enable log collection. Most modern office and cloud platforms have built-in audit logging — who logged in, when, from where, what they did. These logs are your eyes inside the system. Without them, there’s nothing to investigate after the fact.

  • Set up automatic alerts for suspicious activity. Login from an unknown country, a new mailbox forwarding rule, a flood of failed login attempts — these are signals that should trigger an automatic alert. Many of these are available out of the box, but require configuration.

  • Hold a simple quarterly review. Look at logs, check access lists, ask your IT partner if anything has changed. It doesn’t need to be a full audit — a quick meeting reviewing key indicators and identifying areas for improvement is enough.

  • Review the security settings of your solutions. Solutions are often configured only at deployment. As systems are updated, and as your company and the threat landscape change, security settings need revisiting to ensure optimal protection. Make your existing tools actually work for you.

Cybersecurity isn’t a one-time action you do once a year. It’s an ongoing process — like bookkeeping or HR. For most SMEs, that means having someone who owns this — even part-time.

Where does a cybersecurity consultant fit in?

The steps above are simple in theory, but in practice they require competence, time, and consistency — all things SMEs are typically short on.

A cybersecurity consultant helps in concrete ways:

  • Checks what your actual attack surface looks like from the outside — what’s protected, what isn’t, where the biggest risks lie. Not theoretically, but based on your specific environment.

  • Sets priorities — not everything needs to be done at once. A good adviser helps you decide what’s most important and what changes provide biggest positive impact.

  • Creates an action plan — what to handle internally, what to delegate to your IT partner, what to bring in from outside.

  • Reviews and tightens your security configurations hands-on — not just advice on paper. Checks that your actual settings in M365, cloud services, and security solutions reflect best practices — and fixes what doesn’t.

  • Keeps it moving — reviews progress quarterly, flags what has slipped, and keeps your security posture current as both your business and the threat landscape change.

Your IT partner keeps the lights on. A cybersecurity consultant asks the uncomfortable questions — are the right things actually protected, and would you know if they weren’t? — bringing an independent perspective, specialised cybersecurity knowledge, and helping leadership make informed decisions.

Summary: what to do tomorrow morning?

RIA’s article on Mythos is a warning, not an apocalypse. AI makes the threat landscape faster and more automated. But the fundamentals don’t change: patch your software, reduce your attack surface, monitor your systems.

Three concrete steps:

  1. Check that all software is up to date and updates are automated — if not, schedule the fix within the next two weeks.

  2. Check that MFA is active on all critical accounts — if not, set it up as the first priority.

  3. Ask your IT partner whether audit logging is enabled, whether suspicious activity alerts are working, and whether security settings are up to date.

These three questions don’t solve everything. But they’re the right place to start — and starting is what matters.

If you’d like to map out your company’s situation and get a clear picture of where you stand and what’s worth doing next — I can help. Get in touch and we’ll find a time.

Share: Bluesky X/Twitter Facebook LinkedIn

Read Next