
AI in Cybersecurity: The Dual-Use Frontier Reshaping Markets

How frontier models from OpenAI and Anthropic are compressing attack timelines and rewriting the economics of cyber conflict.

By KAPUALabs

Here's the thing about dual-use technologies: when they arrive, they don't arrive gently. They crash into existing systems, exposing assumptions we didn't know we were making and creating asymmetries we didn't anticipate. That's exactly what's happening at the intersection of AI and cybersecurity right now. A dense body of evidence — spanning independent red-team evaluations, government survey data, nation-state threat advisories, and product announcements — tells a coherent and urgent story: AI is simultaneously compressing the timeline, lowering the cost barrier, and automating the execution of sophisticated cyber attacks, while also creating the foundational toolkit for a new generation of defensive capability.

For Alphabet Inc., this dynamic isn't abstract. As the operator of Google Cloud, the steward of Vertex AI and Gemini model security, and a direct competitor in the frontier-model race, the company sits at the precise intersection of both the threat and the response. The claims that follow illuminate a landscape in which the offensive capability of AI models is improving at a rate that demands defensive innovation, governance innovation, and — critically — customer trust innovation.


Offensive AI Capabilities Have Crossed a Threshold

Let's start with the data that should keep every CISO awake at night. The UK AI Security Institute (AISI) evaluated multiple frontier models and found that both OpenAI's GPT-5.5 and Anthropic's Mythos have reached "similar high levels of cyber-offensive capability" [11]. The AISI described GPT-5.5 as "one of the strongest models tested" in terms of cyber capabilities [6], while separately warning that Mythos represents a "step up" in cyber threats [28]. These aren't theoretical assessments — these are evaluations against real attack simulations.

The performance numbers bear this out. In a 32-step corporate network attack simulation called "The Last Ones" (TLO), GPT-5.5 succeeded in 3 of 10 attempts [11,22]. Anthropic's Mythos also achieved 3 successes out of 10 attempts, averaging 22 completed steps out of 32 per attempt [23]. Mythos Preview succeeded in 2 of 10 attempts on the same simulation [22]. And here's the really telling data point: GPT-5.5-Cyber became only the second system ever to complete the AISI's multi-step attack simulation end to end [12].

Beyond the Benchmarks: Automation of Core Attack Functions

What makes these results genuinely concerning is what they represent about the automation of core attack functions. AI models are being applied to automate vulnerability discovery [2]. Consider this: Anthropic engineers with no formal security training could instruct Mythos to find remote code execution vulnerabilities overnight and receive a complete, working exploit by morning [27]. Mythos constructed detailed exploit pathways by chaining code fragments across multiple network packets to achieve full remote control of target systems [5]. Advanced AI models have demonstrated automated exploit-chaining capabilities, linking multiple vulnerabilities to create more complex, multi-stage attacks [27].

One data point in particular stops me cold: a line of code that had passed 5 million tests was identified as flawed by Mythos [27]. Five million tests. And the model has autonomously hacked into "software infrastructure systems believed to be among the most secure in history" [27]. The scale is already substantial — tens of thousands of critical software vulnerabilities have already been discovered by an AI model [29].

The Economics of Attack Are Being Rewritten

This is the part where the math changes in ways that most organizations haven't yet internalized. One analysis estimates that complex advanced persistent threat (APT)-style attacks that previously required roughly $500,000 to $1 million in labor could potentially be executed for approximately $10,000 to $50,000 using AI tools [34]. That's a 95% cost reduction. Traditional APT reconnaissance commonly takes weeks to months; AI-accelerated attacks can compress reconnaissance to hours or days [33]. The Guardian's editorial captured the dual dynamic succinctly: AI technology can scale both cyber-attack and cyber-defence capabilities simultaneously [4]. The question is which scales faster.


The Defensive Response: Product, Governance, and Detection

The good news is that the defensive community isn't standing still. OpenAI has responded with a structured governance approach that may well become the template for the industry. Its Cyber tool performs both defensive functions — penetration testing and vulnerability identification [14] — and, by design, offensive functions including vulnerability exploitation and malware reverse engineering [14,21]. The tool explicitly targets "critical cyber defenders" — cybersecurity professionals and teams protecting critical software [21].

The TAC Model: Tiered Access as Governance

OpenAI's Trusted Access for Cyber (TAC) program is particularly interesting from a governance perspective. It's explicitly tiered, with higher-level models requiring higher credential verification [14], and has scaled to "hundreds of teams responsible for protecting critical software" [14]. Verified defenders approved through TAC can access GPT-5.5 Cyber with less friction from safety safeguards [21]. CrowdStrike was selected for the TAC program [3], adding credibility to the access-control model.

But here's the scary part: an unauthorized group accessed Mythos, a restricted-access AI cybersecurity tool, demonstrating that restricted-access AI tools can themselves be breached [21]. This is a critical finding — if the governance model for these tools can be circumvented, then the entire trust architecture needs rethinking.

Google Cloud's Defensive Posture

For Google Cloud specifically, the defensive posture is multi-layered. Google Cloud advised that defenders must correlate disparate events across the browser, local Python environments, and cloud egress points to detect sophisticated attacks [18]. Google expected real-world adversaries to exploit indirect prompt injection vulnerabilities [15] and expected both the scale and sophistication of such attacks to grow [15]. Vertex AI vulnerability scanning covers the underlying operating system and language packages [19].
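The correlation idea above, as an added example that is not Google's detection logic or any code from the cited report: three telemetry feeds (browser download, local Python interpreter execution, cloud egress) are normalized to a common shape, grouped per host, and an alert is raised only when all three appear on the same host inside a sliding time window. The log formats, hostnames, users and destinations are constructed for illustration and do not come from any real product or incident.

```python
"""Per-host correlation of browser, local Python and cloud-egress events.

Added illustrative example. Log formats below are hypothetical; the
sample lines are constructed and describe no real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry from three sources (format is hypothetical).
BROWSER_LOG = """\
2026-04-23T09:14:02Z host=ws-17 user=alice event=download file=invoice_tool.zip origin=files.example-invalid
2026-04-23T09:40:11Z host=ws-03 user=bob event=download file=report.pdf origin=intranet.example-invalid
"""
PYTHON_LOG = """\
2026-04-23T09:15:30Z host=ws-17 user=alice event=exec interpreter=python.exe script=setup_helper.py
2026-04-23T11:02:45Z host=ws-21 user=carol event=exec interpreter=python.exe script=train.py
"""
EGRESS_LOG = """\
2026-04-23T09:16:05Z host=ws-17 user=alice event=egress dest=storage.cloud.example-invalid bytes=48211931
2026-04-23T09:41:00Z host=ws-03 user=bob event=egress dest=mail.example-invalid bytes=1820
"""

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")  # "<timestamp> key=value key=value ..."


def parse_events(text, source):
    """Turn one feed's lines into dicts tagged with their source name."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(kv.split("=", 1) for kv in m.group(2).split())
        fields["ts"] = ts
        fields["source"] = source
        events.append(fields)
    return events


def correlate(events, window_seconds=900, required=("browser", "python", "egress")):
    """Raise one alert per host where every required source fires within the window.

    A browser download or an egress burst alone is routine; the three
    together on one host in a short span is what merits analyst attention.
    """
    window = timedelta(seconds=window_seconds)
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, anchor in enumerate(evs):
            # Slide a window forward from each event; keep the first hit per source.
            seen = {}
            for e in evs[i:]:
                if e["ts"] - anchor["ts"] > window:
                    break
                seen.setdefault(e["source"], e)
            if all(s in seen for s in required):
                alerts.append({
                    "host": host,
                    "user": anchor["user"],
                    "start": anchor["ts"],
                    "end": max(seen[s]["ts"] for s in required),
                    "chain": [(s, seen[s]["ts"]) for s in required],
                })
                break  # one alert per host is enough for triage
    return alerts


def run_demo():
    """Correlate the constructed feeds; returns the alert list."""
    events = (parse_events(BROWSER_LOG, "browser")
              + parse_events(PYTHON_LOG, "python")
              + parse_events(EGRESS_LOG, "egress"))
    return correlate(events)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a['host']} ({a['user']}): {a['start']} -> {a['end']} chain={a['chain']}")
```

In the constructed data only ws-17 trips the rule: ws-03 shows a download and an egress but no local interpreter launch, and ws-21 shows a Python execution alone. Tightening `window_seconds` to 30 clears the ws-17 alert too, which is the knob an analyst would tune against a real baseline.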

A broader consensus on defensive evolution is emerging across the industry. Security is expected to shift from reactive protection to continuous, AI-assisted threat detection and automated response within five years [36]. Transputec claims its cloud-based AI cybersecurity solutions can achieve up to 40% cost reductions in detection and response [38] and that AI-powered cybersecurity can reduce average incident costs by 25–45% while improving detection speeds tenfold [38]. The ACM recommended using formal verification methods and AI models tuned specifically for security vulnerability detection [35].


The Real-World Threat Landscape Is Already Intensifying

Let's ground this in the numbers that matter. The UK government's 2025/26 Cyber Security Breaches Survey, corroborated across multiple sources, found that 43% of British businesses experienced at least one cyber breach or attack in the past 12 months [11,41] — translating to approximately 612,000 businesses [41]. The prevalence was unchanged from the prior year [41]. That's not stability; that's a persistently elevated threat level that the market has normalized to. Phishing remains the most common attack vector, affecting 38% of businesses — also unchanged year-over-year [41]. Over 65% of UK small and medium-sized enterprises experienced a cyber incident [38].

State-Sponsored Activity: The Dominant Concern

Nation-state activity remains the dominant concern for national cybersecurity authorities. The UK experiences four nationally significant cyber attacks per week, with the majority originating from hostile states [26]. The Five Eyes advisory reported that Chinese state-sponsored group Volt Typhoon has pre-positioned for future attacks on critical national infrastructure in the United States, targeting communications, energy, transport, and water services [26], and has maintained covert access to critical IT systems for five years or more [26]. Chinese hacking groups have used UK-based infected devices as staging posts to attack UK-based companies [26].

Countries including North Korea and Iran have used AI systems to conduct cyber attacks [30], and state-sponsored groups have been involved in AI-driven attacks against Mexico's critical infrastructure [8]. Notable active campaigns include UNC6692, a sophisticated multi-stage intrusion combining social engineering and custom malware that used "living off the cloud" techniques to blend malicious traffic with legitimate traffic [18]. A covert campaign named "ClawSwarm" is actively compromising AI agents to perform cryptocurrency mining operations [7]. Tools observed in attacks include AutoHotKey, Python, FTK Imager, and Windows Task Manager [18].


Emerging Attack Vectors in the AI Stack

Beyond traditional threats, new vulnerabilities specific to AI-integrated environments are emerging. The Model Context Protocol (MCP) is being exploited as a new attack vector for remote access trojans targeting AI developers [13]. Palo Alto Networks Unit 42 observed an MCP-themed remote access trojan targeting AI developers in February 2026 [13]. Every tool call, MCP connection, and ingested document in an agentic AI system represents a potential attack surface [17]. Attacks against MCP trust boundaries are identified as an emerging vector [9].

For healthcare AI systems specifically, four key attack vectors have been identified: data poisoning, model evasion, model inversion, and adversarial attacks [31]. And a broader concern that should resonate with every engineering leader: AI-generated code that engineers cannot fully explain is identified as a potential cybersecurity vulnerability [10]. If you can't explain it, you can't defend it.


Limits of Current AI Offensive Capability — For Now

Despite the rapid progress, and I want to be clear about this, important limitations remain. No model solved the "Cooling Tower" industrial control system (ICS) attack simulation in the AISI evaluation [11]. GPT-5.5 got stuck on the IT sections of the simulation, leaving its ICS-specific capabilities untested [11], and both GPT-5.5 and Mythos Preview failed the Cooling Tower power plant disruption simulation [22]. The AISI tests of Mythos did not include active defenders, detection tooling, or alert penalties [23] — meaning real-world performance against defended networks would likely be lower.

A universal jailbreak was discovered in six hours that bypassed safeguards across all malicious cyber queries [11], but it required expert red-teaming effort [11]. NCSC chief Richard Horne stated that the UK was not yet seeing significant new attacks driven by advanced AI systems, though he warned of potential future impacts [37].

Here's the really interesting bit: these limitations may be temporary. The evaluation observed that rapid improvement on cyber tasks appears to be part of a general trend across multiple model developers [11]. The UK AISI found materially improved multi-step offensive cyber performance in successive evaluations [32]. AI-powered cyberattacks are expected to proliferate within months rather than years [20]. This is not a static picture — it's a rapidly moving target.


The Dual-Use Dilemma and Governance Imperative

The automation of vulnerability discovery by AI creates inherent dual-use risks: the same tools can be used for both defensive security testing and malicious exploitation [1]. One article asserts that only the AI industry, and not government, can currently contain the risks of what it terms "perhaps the most devastating cyberweapon capability in history" [27]. That's a sobering claim, and one that places enormous responsibility on companies like Alphabet.

The UK's Department for Science, Innovation and Technology published, then unpublished, its original flawed AI datacentre emissions projections [24] — a reminder that governance challenges in AI policy-making extend well beyond security. Meanwhile, UK officials noted strong international interest in learning from the UK AI Security Institute's work [39], suggesting that the governance models being developed now will have disproportionate influence going forward.


Implications for Alphabet Inc.

For Alphabet, these claims collectively paint a picture of an environment in which the competitive moat around enterprise cloud and AI services will increasingly depend on demonstrated security capability. Let me walk through the specific strategic implications.

Google Cloud as a Security Differentiator

The claims about Google's detection methodology — correlating disparate events across browser, Python, and cloud environments [18] — and its expectations around indirect prompt injection attacks [15] suggest that Google Cloud is investing seriously in AI-specific threat detection. With Vertex AI vulnerability scanning [19] and the Google Threat Intelligence Group's detection capabilities [18], Google has a real opportunity to position GCP as the secure platform for AI workloads.

The finding that no model has yet solved an ICS/OT attack simulation [11] is also strategically significant. It suggests that industrial and operational technology security remains a domain where defensive preparation can be meaningfully ahead of offensive AI capability — an area where Google's existing strengths in cloud-native security could be extended as a competitive advantage.

The OpenAI TAC Governance Model Sets a Precedent

OpenAI's tiered access control for Cyber models [14,21] creates a governance template that may become an industry standard. For Alphabet, which competes through Google DeepMind's Gemini models, the pressure to implement equivalent or superior access controls for any offensive-capable models will be high — particularly given the demonstration that restricted-access tools can be breached [21]. The TAC program's scale to "hundreds of teams" [14] validates the market demand for authorized, safe access to powerful cyber AI.

Token Efficiency as a Competitive Metric

Here's a dimension that might not get the attention it deserves. The finding that GPT-5 was the most token-efficient model among eight frontier LLMs on agentic coding tasks, consuming dramatically fewer tokens than Claude-Sonnet-4.5 and Kimi-K2, with a per-task gap exceeding 1.5 million tokens [16], is strategically important. In cybersecurity use cases where each API call carries cost and latency implications, token efficiency directly translates to operational advantage. For Google DeepMind's Gemini, achieving comparable or superior efficiency on security-relevant tasks will be critical to capturing enterprise security workloads.

The Cost Compression Threat to Security Economics

The estimate that APT-style attacks can be reduced from $500K–$1M to $10K–$50K [34] fundamentally changes the threat economics that underpin enterprise security spending. If sophisticated attacks become affordable to a much wider range of actors, the total addressable market for cybersecurity solutions expands — but so does the required investment. For Google Cloud's security offerings, this represents both a demand tailwind and a product-development challenge.

Regulatory Tailwinds from Government Attention

The UK government's active surveying [25], the Five Eyes advisories [26], and international interest in the UK AISI's work [39] all point toward increasing government focus on AI security. The UK NCSC's recommendation that passwords alone are insufficient and that multi-factor authentication is essential [40] represents the kind of baseline regulatory push that benefits established cloud platforms with mature identity and access management capabilities — areas where Google Cloud competes strongly.



Sources

1. “Superhackers”… Real Threat or Tech Hype? theconversation.com/claude-mytho... #newsbit #newsbits #do... - 2026-04-16
2. “Superhackers”… Real Threat or Tech Hype? theconversation.com/claude-mytho... #newsbit #newsbits #do... - 2026-04-16
3. CrowdStrike - 2026-04-20
4. '... Claude Mythos: when AI finds every flaw, who controls the internet?' www.theguardian.com/commen... - 2026-04-24
5. Researchers Reproduce Anthropic-Style AI Vulnerability Findings Using Public Models at Low Cost #Ant... - 2026-05-01
6. 🤖 Our evaluation of OpenAI's GPT-5.5 cyber capabilities AISI's cyber evaluation of OpenAI's GPT-5.5... - 2026-05-01
7. Tech News Briefing — #ArtificialIntelligenceEvolution #FutureOfWork #AIInnovation #TechInvestments #... - 2026-04-29
8. AI-Driven Cyber Threats Challenge Mexico's Critical Infrastructure 🤖 IA: It's not clickbait ✅ 👥 Usu... - 2026-04-28
9. The latest update for #Wallarm includes "Attacking the MCP Trust Boundary" and "The Governance Gap: ... - 2026-04-25
10. 🤖 AI writes the code. But who owns the risk? @BotGaugeAI CEO Pramin Pradeep on shadow code, governan... - 2026-04-02
11. Our evaluation of OpenAI's GPT-5.5 cyber capabilities - 2026-04-30
12. OpenAI locks GPT-5.5-Cyber behind velvet rope - 2026-05-01
13. That AI Extension Helping You Write Emails? It’s Reading Them First - 2026-04-30
14. After dissing Anthropic for limiting Mythos, OpenAI restricts access to Cyber, too - 2026-04-30
15. Google Online Security Blog: AI threats in the wild: The current state of prompt injections on the web - 2026-04-23
16. How Do AI Agents Spend Your Money? Analyzing and Predicting Token Consumption in Agentic Coding Tasks - 2026-04-24
17. The Consequences of Agentic AI - 2026-04-24
18. How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite | Google Cloud Blog - 2026-04-23
19. Introducing Gemini Enterprise Agent Platform | Google Cloud Blog - 2026-04-22
20. Alphabet Expands Robotaxis and Cybersecurity Coalition - 2026-04-09
21. After dissing Anthropic for limiting Mythos, OpenAI restricts access to Cyber, too - 2026-04-30
22. Amid Mythos' hyped cybersecurity prowess, researchers find GPT-5.5 is just as good - 2026-05-01
23. Claude Mythos Preview Review: Escaped Its Sandbox - 2026-05-01
24. DSIT gets sums badly wrong on AI datacentre carbon footprint | Computer Weekly - 2026-04-27
25. Over 40% of UK firms suffered cyber attack last year, survey finds - 2026-04-30
26. Chinese hackers using compromised networks to spy on Western companies, says Five Eyes | Computer Weekly - 2026-04-23
27. Six Reasons Claude Mythos Is an Inflection Point for AI—and Global Security | Council on Foreign Relations - 2026-04-15
28. Why Anthropic's new Mythos AI model has Washington and Wall Street worked up - 2026-04-14
29. Tech 24 - Why Anthropic's new AI model is too powerful to release - 2026-04-12
30. Anthropic develops AI ‘too dangerous to release to public’ - 2026-04-08
31. Healthcare AI Disruption: Innovation, Security, and Ethical - 2026-04-03
32. $NVDA $MU $SNDK $LITE - I listened to this Jensen interview in its entirety. The thing it did unques... - 2026-04-15
33. Vercel CEO Guillermo Rauch just provided detailed response on the breach. One phrase worth paying a... - 2026-04-19
34. @rauchg Vercel CEO Guillermo Rauch just provided detailed response on the breach. One phrase worth ... - 2026-04-19
35. 🔧 ACM's call: organizations must compensate with governance and technical checks. Formal verificatio... - 2026-04-28
36. VAI Cloud: The Cloud as a Strategic Innovation Platform - The DaVinci Awards - 2026-04-15
37. UK could face ‘hacktivist attacks at scale’, says head of security agency - 2026-04-22
38. AI in Cybersecurity for SMEs | Transputec - 2026-04-14
39. UK Collaborates with Middle Powers to Shape Global AI Security - 2026-04-28
40. Data Protection Every UK Business Must Have | 2026 Guide - 2026-04-30
41. Over 40% of UK Firms Suffered Cyber Attack in 2025 - 2026-04-30
