While frontier models like those from OpenAI and Anthropic dominate headlines with their impressive cyber capabilities, a quieter but no less significant revolution is unfolding in the open-source AI space. Medium-sized, uncensored models (20-35 billion parameters) are rapidly closing the gap, demonstrating remarkable potential in vulnerability discovery and exploit generation.

The Willingness vs. Ability Divide

A key factor in this shift is relationship between willingness and ability; a distinction highlighted in the "MalcodeEval: Towards Verifiable Progression-Based LLM Cyber Code Evaluation" paper. While commercial models are constrained by guardrails and ethical guidelines, some variants of open-source models can operate without such restrictions. This lack of censorship allows them uncover vulnerabilities that might otherwise remain hidden and create actionable proof-of-concepts with significantly less refusals. That's the secret in Mythos and the OpenAI (5.5) Trusted Access for Cyber - they are unlocking willingness as they already have the ability.

Pairing of offline models like Qwen3.6 (27B) and Devstral-Small-2 (24B) have shown exceptional reasoning capabilities, reducing complex vulnerabilities into actionable exploits.

Single-File Source Code Analysis

Gone are the days of manual code reviews. Now, simply providing a single file of source code and asking a well-formulated question can yield precise vulnerability assessments; reducing false positives and highlighting critical flaws. This is no longer a futuristic concept; it’s happening now, and the impact is already visible in rising CVE numbers.

Automated Deep Research & Multi-Agent Validation

The next evolution involves AI agents that:

• Automatically pull target source code for analysis.
• Cross-check findings using multiple AI agents to prioritize vulnerabilities.
• Integrate with test environments to automate PoC generation and validation. [1][2][3]

These capabilities are already in use, and the flood of new vulnerabilities suggests we’re only scratching the surface.

Traditional vulnerability disclosure programs (VDPs) and bug bounty guidelines often exclude older software versions. But AI doesn’t care about such limitations—it can analyze outdated code just as effectively as the latest release.

Similarly, silent patches (without advisories or CVEs) are no longer viable. AI agents can:

• Scan Git history for suspicious commits.
• Cross-reference with known CVEs to identify unassigned vulnerabilities.
• Detect insufficient patches by analyzing code changes and their effectiveness.

The Race is On: Whoever Looks First Wins

The cybersecurity arms race is accelerating. While defenders scramble to patch vulnerabilities, attackers (and now AI-powered tools) are moving faster than ever. The question isn’t if AI will dominate exploit discovery, it’s how soon it will become the primary method.