AI is Transforming the Internet
into a Dark Forest

Anthropic's Claude Code Security, powered by Opus 4.6, reads and reasons about codebases like a senior security researcher—tracing data flows, understanding component interactions, surfacing complex logic vulnerabilities that pattern-matching tools miss entirely. In internal testing on open-source software running across enterprise systems and critical infrastructure, it found vulnerabilities that had gone undetected for decades. Markets reacted immediately: CrowdStrike −8%, Cloudflare −8.1%, Zscaler −5.5%, Okta −9.2%.

Stanford's ARTEMIS AI agent outperformed 9 of 10 professional penetration testers in a live enterprise environment, discovering vulnerabilities with 82% accuracy. At $18/hour vs $60/hour for humans, AI hackers are now "dangerously close" to matching—and beating—human capabilities.

AI systems can automatically generate working exploits for newly published CVEs in just 10-15 minutes at ~$1 per exploit, compressing the traditional patch window from weeks to minutes. All generated exploits are publicly available on their research database.

Security researcher Sean Heelan used OpenAI's o3 model to discover CVE-2025-37899, a remote zero-day use-after-free vulnerability in the Linux kernel's SMB implementation (ksmbd)—with no scaffolding, no agentic frameworks, just the o3 API.

For the first time in a decade, automated traffic surpassed human activity (51% vs 49%). Bad bots now account for 37% of all internet traffic, up from 32% the year before. AI is lowering the barrier to entry—simple bot attacks grew from 40% to 45%, while 44% of advanced bot traffic targets APIs. Account takeover attacks increased by 40%, with AI-powered bots becoming more evasive and intelligent than ever.

Google's Project Zero and DeepMind collaboration discovered the first real-world exploitable vulnerability (stack buffer underflow in SQLite) using an AI agent—before it appeared in an official release.

UIUC research shows GPT-4 can autonomously exploit 87% of real-world one-day vulnerabilities when given CVE descriptions, compared to 0% for other models and open-source scanners like ZAP and Metasploit.

Cloudflare accused Perplexity AI of using "stealth crawling" techniques to bypass robots.txt directives, accessing content from websites that explicitly disallow AI scraping.

Reddit filed a lawsuit against Anthropic, alleging the company used automated bots to scrape Reddit user data without consent to train Claude, violating terms of service and user privacy.

Research revealed that OpenAI's models may have "memorized" copyrighted content during training, raising serious legal and ethical questions about AI training data sources and consent.