What will attackers do in response? 

I predict attackers will increasingly segment their treatment of software vendors to maximize their own economic benefit: 

Group 1 – Soft prime targets: These vendors have attractive products but slow artificial intelligence (AI) adoption. Attackers will continue targeting them using current tactics augmented with AI.

Group 2 – Large vendors who quickly adopt AI for vulnerability discovery: As these vendors issue patches, attackers will continue using patch‑diff engineering — analyzing changes between vulnerable and patched versions — to create exploits.

Group 3 – Lower-value vendors slow to adopt AI:  Attackers will target these vendors opportunistically, sitting on discovered vulnerabilities until an opportune time.

Group 4 – Lower-value vendors rapidly adopting AI:  Attackers are likely to skip these vendors.