February 9, 2026

4 Min Read

AI can find vulnerabilities with unprecedented speed, but discovery alone doesn’t reduce cyber risk. We need exposure prioritization, contextual risk analysis, and AI-driven remediation to transform findings into security outcomes. 

You’ve probably heard about Claude Opus 4.6, the latest artificial intelligence (AI) model from Anthropic — and the 500 high-severity vulnerabilities it discovered in well-tested open source codebases. 

The revelation about the new model’s vulnerability discovery prowess made a particularly big splash with an unlikely audience: not only developers, security analysts, and vulnerability researchers, but also with Wall Street investors — particularly those who cover the software sector. The news about Opus 4.6 signaled to them that AI was officially on the brink of radically transforming software development and security testing. 

Indeed, Opus 4.6 represents an acceleration of a long-standing trend. Every year, the security industry introduces new tools that uncover more vulnerabilities more quickly. Combined with prior advances in AI-driven vulnerability discovery, including Google Project Zero, the Anthropic team has taken a major step forward, and we’re excited about the vulnerability discovery capabilities of Opus 4.6. 

Finding more vulnerabilities faster is a necessary first step toward reducing cyber risk and shrinking the attack surface. Following discovery, the next steps require correlating the vulnerabilities with business, topology, and threat context to prioritize the ones that really matter. Without those critical post-discovery steps, organizations may not end up more secure. But their security, remediation, and DevSecOps teams will end up more overwhelmed. 

To put a finer point on it: without context and accuracy, more is not better; it just creates noise. 

AI needs to understand risk

Two vulnerabilities with identical CVSS scores can represent wildly different levels of risk depending on where and how they exist in an environment. Indeed, a vulnerability’s real-world risk depends on factors that sit far outside a code repository. Security teams need to consider things like:

• Topology context - Is the vulnerable asset reachable or exposed to the internet?
• Threat context - Is it exploitable in the specific environment and state, despite deployed security controls and guardrails?
• Business impact context - Is it part of a high-risk attack path leading to an organization’s most sensitive systems and data? 

Risk-based prioritization and orchestrated remediation are non-negotiables in the vulnerability management lifecycle. Models like Opus 4.6 can surface issues with incredible efficacy. Security teams will then need additional agentic systems to execute several critical functions: correlating and reasoning over relevant data and signals, including business impact, threat, and topology context, to translate them into actual risk and exposure AND help orchestrate remediation. Without those essential functions, AI is likely to generate more work for already overextended security, IT, and DevSecOps teams. 

The opportunity: AI-driven exposure management

Where AI becomes truly transformative is not only in finding vulnerabilities faster, but in understanding how threat actors could exploit them in the context of other security weaknesses, such as misconfigurations or excessive permissions, and the business risk those exposures create when combined. This is the promise of AI-driven exposure management: proactive context that powers prioritization and preemptive, orchestrated remediation. 

As the pace of vulnerability discovery shoots up, it’s never been more important to have an AI-powered proactive security platform that: 

• Generates a comprehensive, near real-time view of risk.
• Prioritizes exposures across an organization’s entire estate, from the factory floor to IT to code to cloud.
• Creates an orchestration layer mobilizing humans and AI agents to act preemptively before attackers.

Where we go from here 

There is no doubt AI has a central role in the future of cybersecurity. But investors should be wary of narratives that equate more findings with better security. 

The winners in this next phase of AI transformation will be companies that not only discover more issues with AI, but that leverage AI with their vast datasets, combined knowledge, and high-fidelity context to eliminate friction and close the gap from finding to action — delivering clarity over chaos, prioritization over panic, and measurable risk reduction, at machine speed and across enterprise-scale environments. 

Doing so creates a flywheel where more data from more sources, such as native and third-party scanners, sensors, threat intelligence, and vulnerability research, provides more context. And more context, along with human and agentic feedback loops, drives more accurate prioritization and remediation to reduce risk. 

AI is raising the bar on what’s possible in cybersecurity. The question now is how we turn that potential into outcomes. That’s where real value will be created.