Finding vulnerabilities and fixing them are not the same problem.
A new generation of AI models is demonstrating a genuine capacity to find software vulnerabilities at scale, surfacing flaws that human teams have long overlooked — and in doing so, forcing a reckoning with what security actually means. The discovery of a flaw is not its resolution, and the distance between those two moments is where human judgment, expertise, and strategy remain irreplaceable. Organizations now face a choice familiar to every era of technological acceleration: whether to mistake a powerful instrument for a complete answer. The wiser path, security leaders argue, is to treat AI as an amplifier of human capability rather than a substitute for it.
- AI models are surfacing hundreds of previously missed vulnerabilities in widely used software, making the gap between attacker capability and organizational readiness suddenly, uncomfortably visible.
- The real danger is not that AI finds too little — it is that organizations will see thousands of flagged issues and believe the security problem is solved, when the hardest work of prioritization and remediation still lies ahead.
- Human expertise remains essential for understanding an organization's unique attack surface, managing risk across custom and legacy systems, and making the judgment calls that no model can fully replicate.
- Criminal groups already have access to the same AI tools, and the threat is shifting from automated discovery to automated exploitation — a development that compresses the time organizations have to respond.
- Security teams are adapting their roles rather than disappearing, moving from repetitive scanning toward validation, risk management, and the skilled direction of AI tools — but budget constraints and burnout remain serious obstacles.
- The path forward requires integrating AI with deterministic processes, specialized platforms, and experienced teams — adaptability, not any single technology, will determine which organizations remain resilient.
Artificial intelligence has arrived in cybersecurity with genuine force, and the Firefox case made it impossible to ignore: models trained to hunt software vulnerabilities are finding hundreds of flaws that human teams missed. André Baptista, co-founder and CTO of Ethiack, is not surprised. The underlying capability existed before; what changed is that the public finally noticed. That awareness, he argues, served a purpose — it woke organizations up to a real risk that traditional security practices were failing to keep pace with.
But finding vulnerabilities and fixing them are not the same problem. Not every flaw carries equal weight, and the real expertise lies in deciding which problems matter most and where to concentrate limited resources. Custom-built applications, forgotten infrastructure, and specialized deployments require analysis that general-purpose AI cannot fully provide. The risk, Baptista warns, is that organizations will deploy a vulnerability-finding model, see it surface thousands of issues, and believe the work is done. It is not.
Security professionals should not fear replacement so much as transformation. Teams will spend less time on repetitive scanning and more on review, validation, and risk management. The professionals who thrive will be those who learn to direct AI effectively and validate its output — technical knowledge still matters, but working alongside artificial intelligence has become essential.
Portuguese organizations still have significant ground to cover. Vulnerability exploitation is now a leading cause of data breaches, attack surfaces keep expanding, and many companies do not even know what assets they have exposed. The mentality that treated cybersecurity as a cost center is slowly shifting as boards begin to see concrete metrics on digital risk, but budget constraints remain real.
Ethiack's own research has shown where AI excels — deep analysis of specific applications — and where more deterministic, specialized methods remain necessary for large-scale continuous monitoring. General-purpose models alone cannot guarantee the depth or compliance required in enterprise environments. The more pressing concern, Baptista notes, is not AI discovering vulnerabilities but AI exploiting them autonomously. Discovery allows correction; exploitation is the real threat. For organizations, the message is clear: adaptability, not any single tool, will be decisive for digital resilience in the years ahead.
Artificial intelligence has arrived in cybersecurity with genuine force. Models trained specifically to hunt software vulnerabilities are now finding hundreds of flaws that human teams missed—the Firefox case being the most public example of what happens when these systems get turned loose on widely used code. The discovery is real. The capability is undeniable. But the conversation happening now, between security leaders and technologists, is not about whether AI can find vulnerabilities. It is about what happens next, and whether organizations will mistake a powerful tool for a complete solution.
André Baptista, co-founder and CTO of Ethiack, a cybersecurity platform company, has watched this evolution closely. He does not find the recent breakthroughs surprising. The underlying capability has existed in earlier models; what changed is that the public—and the media—finally noticed. The new generation of AI models delivers better benchmarks and cleaner results, yes, but the real shift was communicative. Suddenly everyone understood that artificial intelligence could do something previously thought to require human judgment: spot the holes in software before attackers do. That awareness, Baptista argues, served a purpose. It woke organizations up to a genuine risk that traditional security practices were failing to keep pace with.
But finding vulnerabilities and fixing them are not the same problem. Security teams have struggled for years to manage the sheer volume of flaws discovered in their systems. Not every vulnerability carries equal weight. A critical flaw in core infrastructure demands immediate attention; a minor issue in legacy code might wait. The real work—the work that requires expertise—is deciding which problems matter most and where to concentrate limited resources. Add to this the fact that many organizations run systems that are not standard: custom-built applications, third-party software, forgotten infrastructure, specialized deployments. These require specialized analysis. AI can help identify common vulnerabilities in common code. It cannot, by itself, understand the full attack surface of a particular organization or anticipate every scenario where things might go wrong.
There is a risk, Baptista warns, that organizations will treat AI as a magic solution. They will deploy a vulnerability-finding model, see it surface thousands of issues, and believe the security problem is solved. It is not. These tools are powerful amplifiers of human capability, not replacements for human judgment. They cannot substitute for a comprehensive security strategy. They cannot eliminate the need for human oversight, validation, and decision-making by experienced professionals.
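To make the prioritization argument above concrete, here is an added example (not Ethiack's code or platform logic) that re-ranks AI-scanner findings using business context the scanner lacks: asset criticality, internet exposure, known exploitation, whether a system can be taken offline, and whether the model's output has been validated by a human. The asset inventory, weights and findings are constructed sample data.

```python
# Added example (not Ethiack's code): risk-based triage of AI-scanner findings that
# combines technical severity with business context. All data below is constructed.
from dataclasses import dataclass

@dataclass
class Finding:
    fid: str
    asset: str
    cvss: float             # scanner's technical severity, 0.0-10.0
    exploited_in_wild: bool
    validated: bool         # model output confirmed by a human or a working PoC

# Constructed inventory: criticality is a 0-1 business weight; can_patch_now is False for systems that cannot be taken offline.
ASSETS = {
    "payments-api":  {"criticality": 1.0, "exposed": True,  "can_patch_now": True},
    "hr-portal":     {"criticality": 0.6, "exposed": True,  "can_patch_now": True},
    "legacy-report": {"criticality": 0.3, "exposed": False, "can_patch_now": False},
    "build-runner":  {"criticality": 0.8, "exposed": False, "can_patch_now": True},
}

def risk_score(f: Finding) -> float:
    """CVSS scaled by asset criticality, internet exposure and known exploitation."""
    a = ASSETS[f.asset]
    score = (f.cvss / 10.0) * a["criticality"]
    score *= 1.5 if a["exposed"] else 0.7           # internet-facing vs internal only
    score *= 1.5 if f.exploited_in_wild else 1.0    # active exploitation raises urgency
    return score

def next_action(f: Finding) -> str:
    """Human-in-the-loop step: validate unconfirmed AI output first; mitigate where patching is impossible."""
    if not f.validated:
        return "validate"
    if not ASSETS[f.asset]["can_patch_now"]:
        return "mitigate"       # compensating control until a maintenance window exists
    return "fix"

def triage(findings):
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.fid, round(risk_score(f), 3), next_action(f)) for f in ranked]

# Constructed scanner output. The CVSS 9.8 on an internal, low-value legacy host
# ranks last once business context is applied; the unvalidated finding waits for review.
SAMPLE = [
    Finding("F1", "legacy-report", 9.8, False, True),
    Finding("F2", "payments-api", 7.5, True, True),
    Finding("F3", "hr-portal", 8.1, False, False),
    Finding("F4", "build-runner", 6.5, False, True),
]
```

Running `triage(SAMPLE)` returns F2 first and F1 last, which is the reordering a purely CVSS-driven queue would never produce.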
This does not mean security professionals should fear replacement. The nature of the work will change. Teams will spend less time on repetitive scanning and more time on review, validation, and risk management. The professionals who thrive will be those who learn to use AI effectively—who can integrate these tools into their daily work and amplify their own capabilities. Technical knowledge still matters. Practical experience still matters. But the ability to work alongside artificial intelligence, to direct it and validate its output, has become essential.
Portuguese organizations, Baptista observes, still have significant work ahead. Recent reports show that vulnerability exploitation is now a leading cause of data breaches. Attack surfaces continue to expand. Many companies do not even know what assets they have exposed. Dependencies on external vendors create hidden risks. Critical systems cannot be taken offline for security updates. The complexity of managing risk in this environment grows constantly, and the speed of attackers remains a serious concern. Historically, cybersecurity was treated as a cost center. That mentality is shifting—boards are beginning to see concrete metrics on digital risk and understand the financial impact of a breach—but budget constraints remain real.
When AI models discover vulnerabilities in open-source software, some see a problem. Baptista sees transparency. It is better to find flaws and fix them than to ignore them. Open-source projects benefit from this capability because problems can be identified and resolved faster. The challenge is coordinating the fixes and determining who pays for the work when small teams maintain critical projects. Sponsorship, donations, and support from companies that depend on the software help. The open-source teams themselves are now using AI to accelerate their own work.
Ethiack has been conducting continuous research with different AI models, including open models run on their own infrastructure. The results on identifying vulnerabilities specific to particular organizations—especially custom-built software—have been promising. But the company has also learned where AI excels and where it does not. For deep analysis of a specific application or component, models are highly effective. For large-scale vulnerability discovery and continuous monitoring of vast attack surfaces, more deterministic and specialized methods remain necessary. A specialized platform combines AI with deterministic processes, security rules, control mechanisms, and validation specific to penetration testing. General-purpose models alone cannot guarantee the depth required or ensure compliance with all the security and ethical rules demanded in enterprise environments.
Criminal groups already have access to these technologies. The question now is how to balance democratizing AI access with managing the risks. We are in a period of adaptation. The more pressing concern is not AI finding vulnerabilities but AI exploiting them autonomously. Discovery matters because it allows correction. Exploitation is the real threat—and that threat grows as both discovery and exploitation become increasingly automated. For security leaders, the message is clear: traditional security no longer keeps pace with current threats. Organizations must update their risk metrics, protect their teams from burnout, use AI to accelerate defensive processes, and prepare for a higher volume of incidents. Adaptability will be decisive for digital resilience in the years ahead.
Notable Quotes
"These tools are powerful amplifiers of human capability, not replacements for human judgment." — André Baptista, Ethiack CTO
"Traditional security no longer keeps pace with current threats. Organizations must update their risk metrics and prepare for a higher volume of incidents." — André Baptista, Ethiack CTO
The Hearth Conversation: another perspective on the story
When you see these new AI models finding hundreds of vulnerabilities in Firefox or other major projects, does that feel like a breakthrough moment, or just the inevitable next step?
It feels inevitable to people who have worked in security for years, but it was a breakthrough for everyone else. The capability was coming. What changed is that suddenly the public understood what was possible. That awareness actually served a purpose—it woke organizations up to a real problem.
So the discovery itself is not the hard part anymore. What becomes hard?
Fixing it. And more importantly, deciding which ones to fix first. You can find thousands of vulnerabilities, but you cannot fix them all at once. You need to know which ones actually threaten your business, which ones matter in your specific environment, which ones you can even address without breaking something else.
That sounds like it requires judgment that AI cannot provide.
Exactly. AI can say "there is a hole here." It cannot say "this hole will cost you millions if it is exploited, so fix it now." That requires understanding your business, your infrastructure, your risk tolerance. That is human work.
Does that mean the security professionals are safe from replacement?
Safe is the wrong word. Their work is changing. Less time scanning for vulnerabilities, more time validating what AI found and deciding what to do about it. The professionals who adapt—who learn to work alongside these tools—will be more valuable than ever. The ones who do not will struggle.
What about the organizations that just deploy an AI tool and assume the problem is solved?
That is the real danger. They will find thousands of vulnerabilities, feel like they have done something, and miss the fact that they have not actually reduced their risk. Security is not a checklist. It is a continuous process of understanding your exposure and managing it intelligently.