AI just compressed the offense-defense gap into a single week
One hacker breached nine governments with Claude Code in weeks. Apiiro counted 10,000 new vulns per month from AI coding assistants. The defense math no longer works.
On December 26, 2025, a single person started typing into Claude Code. Five days later they had remote access to Mexico's national tax authority. Within weeks, nine Mexican government organizations were compromised, hundreds of millions of citizen records exfiltrated, and a forensic team at Gambit was reconstructing the campaign from three VPS servers. Claude generated about 75% of the RCE commands. A 17,550-line Python harness fed the output to GPT-4.1, which produced 2,957 structured intelligence reports across 305 servers — lateral movement opportunities, OPSEC notes, the works.
The guardrail bypass was a text file. The attacker wrote a penetration testing cheat sheet into Claude's persistent context (claude.md), and the model rewrote its own operational frame. Safety refusals kept firing. They functioned as speed bumps.
This is the same week Apiiro published its analysis of tens of thousands of Fortune 50 repositories. AI coding assistants produce 3-4x more commits and 10,000+ new security findings per month — a 10x spike in six months. Privilege escalation paths up 322%. Architectural design flaws up 153%. Snap simultaneously disclosed that AI writes 65% of its new code, used the disclosure to justify cutting 1,000 engineers, and the stock popped 8%.
If you're keeping score: offense got cheap, defense got noisy, and the market rewarded the noise.
The defensive stack is failing in three places at once
Start with AWS. Sonrai and OFFENSAI released notyet, an open-source tool that exploits IAM eventual consistency. When your IR team deletes a malicious inline policy, deactivates an access key, attaches a permission boundary, or runs AWS's own AWSSupport-ContainIAMPrincipal SSM runbook, notyet detects the action during the propagation window and reverses it within seconds. The researchers tested seven standard containment methods. Seven failed. Only Service Control Policies survived — because member accounts can't modify SCP attachments even with wildcard permissions.
This isn't a CVE. There's no patch coming. It's an architectural property AWS documented years ago, weaponized into a Python script. Every AWS incident response runbook written before this week assumes a containment model that doesn't work.
Meanwhile, the dependency layer is on fire. Axios — the JavaScript HTTP client you almost certainly have in production — got a CVSS 10.0 for header injection that bypasses URL allowlists and exfiltrates cloud IAM credentials via the instance metadata service. If you run Node.js services on EC2 without IMDSv2 enforced at hop limit 1, an attacker can steal your role credentials through any header-tainting input. Microsoft's Patch Tuesday added 243 CVEs including a wormable IKE RCE on VPN gateways and an authenticated RCE on domain controllers. Django, pgx, OAuth2 Proxy, Tomcat, Airflow, OpenSSL FIPS — all 9.1+, all in the same advisory cycle. Your security vendors are vulnerable too: FortiSandbox at 9.8, IBM Verify at 9.3, Juniper shipping a default password in 2026.
And NIST just admitted it can't keep up. NVD enrichment is now formally narrowed to CISA KEV, federal systems, and EO 14028 critical software. Everything else gets a bare CVE record — no CVSS, no CPE, no CWE. CVE submissions surged 263% from 2020 to 2025. Your scanner's prioritization logic, your patch SLA, your GRC dashboard — all of it assumes metadata that won't arrive for the long tail of CVEs sitting in your dependency tree.
The market is two things at the same time
Anthropic is rejecting offers above $800 billion on revenue that went from $9B to $30B in months. That's not froth — at 27x revenue with that growth rate, it's arguably underpriced if you believe enterprise AI is a real market. The same week, Allbirds sold its shoe business for $39M, rebranded as "NewBird AI" for GPU leasing on $50M of convertible notes, and surged 580% in a day. CoreWeave's 2026 capex is $35 billion. NewBird has 0.14% of that and a stock chart.
Both are true. Anthropic shipped a Figma competitor, Mike Krieger left Figma's board the same day, Figma is down 45% YTD. LinkedIn's Hiring Assistant is growing 36% week-over-week at $1,000+/user/month while Microsoft's Office 365 Copilot sits at 3% adoption at $30/user. Vertical agents with proprietary data and one obvious workflow are commanding 33x the price of horizontal copilots and growing exponentially faster. The companies winning are doing one thing for one persona, measurably better than humans.
The companies losing are sprinkling "AI features" across products that were already commoditizable.
What to actually do this week
Rewrite your AWS IR playbooks around SCPs. Pre-stage deny-all SCPs attached to a quarantine OU, document the exact CLI commands to move a compromised account into it, and tabletop the move against notyet running in staging. If you don't have the OU hierarchy for this, that's the work — every other containment method is provably bypassable.
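The incident-time half of that playbook, as an added example that is not code from this article or from the notyet project: it emits the deny-all policy document to pre-stage on the quarantine OU and the exact AWS CLI calls that move one member account into it. The function names are hypothetical, and the account and OU ids are constructed placeholders.

```python
import json
import re
import shlex

ACCOUNT_RE = re.compile(r"\d{12}")
# A parent is either the organization root (r-...) or an OU (ou-...).
PARENT_RE = re.compile(r"r-[0-9a-z]{4,32}|ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}")


def deny_all_scp():
    """Policy document to attach to the quarantine OU once, ahead of any incident."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "QuarantineDenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"}
        ],
    }


def containment_commands(account_id, source_parent, quarantine_ou):
    """Return the AWS CLI calls, in order, that move one member account into quarantine.

    Run them with management-account credentials. SCPs never restrict the
    management account itself, so it cannot be contained this way.
    """
    if not ACCOUNT_RE.fullmatch(account_id):
        raise ValueError(f"not a 12-digit account id: {account_id!r}")
    for label, value in (("source parent", source_parent), ("quarantine OU", quarantine_ou)):
        if not PARENT_RE.fullmatch(value):
            raise ValueError(f"malformed {label} id: {value!r}")
    if not quarantine_ou.startswith("ou-"):
        raise ValueError("quarantine target must be an OU, not the root")
    if source_parent == quarantine_ou:
        raise ValueError("account is already in the quarantine OU")
    org = ["aws", "organizations"]
    return [
        org + ["list-parents", "--child-id", account_id],  # confirm the source parent
        org + ["move-account", "--account-id", account_id,
               "--source-parent-id", source_parent,
               "--destination-parent-id", quarantine_ou],
        org + ["list-parents", "--child-id", account_id],  # verify the move landed
    ]


if __name__ == "__main__":
    print(json.dumps(deny_all_scp(), indent=2))
    # Constructed sample identifiers, not real accounts or OUs.
    for argv in containment_commands("111122223333", "ou-ab12-prod0001", "ou-ab12-quar0001"):
        print(shlex.join(argv))
```

The id checks exist so that a mistyped value fails before any call is made, rather than halfway through a containment.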
Run npm ls axios across every Node.js service today. Patch, then enforce IMDSv2 with hop limit 1 on every cloud instance as the defense-in-depth layer. While you're in the dependency tree, hit Django, pgx, OAuth2 Proxy, Tomcat, Airflow, and the security vendor products on the same sprint.
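A check for the IMDSv2 half of this step, as an added example that is not from the original article: it reads `aws ec2 describe-instances --output json` output, flags every instance that still accepts IMDSv1 or allows more than one hop, and builds the matching fix command. The sample data and instance ids are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample of `aws ec2 describe-instances --output json`, trimmed to
# the fields this check reads. Instance ids are placeholders.
SAMPLE = json.loads("""
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0aaa", "MetadataOptions":
      {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb", "MetadataOptions":
      {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}}]},
  {"Instances": [
    {"InstanceId": "i-0ccc", "MetadataOptions":
      {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ddd", "MetadataOptions":
      {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}}]}
]}
""")


def imds_findings(describe_output, max_hops=1):
    """Return [(instance_id, [problem, ...])] for instances that miss the target."""
    findings = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # metadata service is off; no credentials exposed through it
            problems = []
            if opts.get("HttpTokens") != "required":
                problems.append("IMDSv1 still accepted (HttpTokens is not 'required')")
            hops = opts.get("HttpPutResponseHopLimit")
            if hops is None or hops > max_hops:
                problems.append(f"hop limit {hops} exceeds {max_hops}")
            if problems:
                findings.append((inst["InstanceId"], problems))
    return findings


def remediation_command(instance_id, max_hops=1):
    """AWS CLI call that enforces IMDSv2 with the given hop limit on one instance."""
    return ["aws", "ec2", "modify-instance-metadata-options",
            "--instance-id", instance_id, "--http-tokens", "required",
            "--http-put-response-hop-limit", str(max_hops), "--http-endpoint", "enabled"]


if __name__ == "__main__":
    for instance_id, problems in imds_findings(SAMPLE):
        print(instance_id, "; ".join(problems))
        print("  fix:", " ".join(remediation_command(instance_id)))
```

Workloads that reach the metadata service from inside a container network namespace need a hop limit of 2, so expect those hosts to be flagged and decide on them individually.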
Add security findings per AI-assisted commit as a first-class engineering metric, alongside deploy frequency and lead time. Apiiro's 10x number isn't going to show up in your existing dashboards because your existing dashboards measure velocity, not the debt velocity creates. Move SAST and SCA off PR triggers and onto commit triggers, because GitHub now allows repos to disable PRs entirely and your agents may be committing directly.
Then pick one workflow. Not a copilot. Not a sidebar. One workflow your product owns where an AI-native version would measurably outperform the human baseline, and where you have proprietary data the model providers don't. Build that. Everything else on the AI roadmap is training your future competitors.