From the desk of the CISO: How will Anthropic’s Mythos change vulnerability discovery?

We address these questions with a five-year model built across four scenarios that vary two inputs: LLM capability (models assumed to be 60–80% effective at finding vulnerabilities) and the share of the vulnerability backlog discovered each year (10–30% of the total number of existing but unidentified bugs).

Across all scenarios, even the most conservative, the first year produces a sharp surge in published CVEs as AI rapidly exposes the enormous backlog of latent flaws already present in deployed software.

More vulnerabilities will be found by attackers

 
The most consequential finding is not the volume — it is the shift in who finds the vulnerabilities. Across all four scenarios, my data analysis shows that the attacker share of CVE discovery rises from one-in-three today to between 55% and 72% by year five. That means defenders will increasingly be responding to vulnerabilities that attackers have already identified and potentially weaponized. 

The center of gravity moves from finding vulnerabilities faster to fixing them faster — with patch velocity, exposure management and automated remediation becoming the decisive control points.

Next steps

My previous post outlined the operational risks presented by these emerging AI capabilities. I encourage readers to revisit that article to review the recommended action steps for improving remediation speed, exposure management and resilience. These actions are increasingly important in a world where attackers may have first discovery advantages.

To support continued scrutiny and debate, we’ve also published the underlying model and assumptions behind this analysis as an interactive experience. Visit https://ai-hype.ai/ to explore the scenarios, challenge the inputs and track how AI-driven vulnerability discovery evolves over time.

This is an ongoing area of research. Follow the Barracuda blog for upcoming posts in this series, including updates to the model, real-world signals from CVE data and deeper analysis of what these shifts mean for businesses.
