
When AI becomes a cyber capability: Why companies need to rethink their defense strategy

MHP Point of View by David Urlhart and Benedikt Bauer

The export control directive issued by the US in June 2026 for powerful frontier models such as “Fable” and “Mythos” laid bare a reality that many companies had previously underestimated: Leading AI capabilities for cyberattack and cyber defense are no longer a freely available resource. At the same time, these models are evolving so quickly that they themselves are becoming an operational security factor.

Germany’s Federal Office for Information Security points out that AI is fundamentally changing the cybersecurity situation. While attackers can use AI to analyze, automate, and scale everything more quickly, defenders remain tied to real-world operational limitations – such as testing complexity, approval processes, maintenance windows, manufacturer dependencies, and limited human resources.

AI is no longer just a tool that assists security managers. It is increasingly becoming a cyber capability in its own right.

In this particular context, cyber capability does not mean a single model or application. What is meant is the combination of agentic capabilities: identifying vulnerabilities, analyzing code, generating exploit logic, validating attack paths, operating tools, and scaling these activities across large system landscapes. It is precisely this combination that is fundamentally changing the dynamics of the digital security situation (Figure 1).

Many companies are not yet prepared for this development. While AI pilot projects, proofs of concept, and individual efficiency gains continue to be discussed in boardrooms, the digital defense capability landscape is already shifting. AI no longer only supports existing security processes. It is becoming an operational factor in cyber operations.

The critical factor here is not the individual model, but the combination of several capabilities that reinforce each other. AI systems are increasingly able to transform technical tasks into interrelated processes, from analysis and validation to scalable application in complex IT landscapes, changing the speed, range, and repeatability of attack and defense.

This significantly shortens the time frame between the discovery of a vulnerability and its potential exploitation. Weeks become days; days become hours. For companies, it is then no longer merely a matter of asking the question: “Are we safe?” Rather, the key question is: “Are we able to react quickly enough if AI determines the speed of the attack?” (Figure 2).

This development fundamentally changes the logic of cybersecurity. In the past, it was often about introducing better tools, hiring more experts, and optimizing existing processes. Today, this logic is no longer sufficient. When attacks and defense measures are prepared, prioritized, and partially automated at machine speed, then classic planning and decision-making cycles can become a structural disadvantage.

Those who continue to rely on manual inspection, sequential ticket prioritization, and long escalation chains lose time precisely where speed becomes a critical security resource.

In addition, there is a new form of strategic dependence. Those who base their defense capability on a handful of models or vendors will be linking their defense to factors beyond their control, such as model access, terms of use, geopolitical decisions, export controls, and vendor strategies. Restricting access to centralized models directly reduces the ability to analyze vulnerabilities, simulate attacks, or quickly assess incidents. This risk cannot be offset by higher security budgets alone.

The past few weeks have shown that this development is no longer in the distant future. Vendors are giving certain verified defenders access to cyber-capable frontier models like GPT-5.5-Cyber. Microsoft has built MDASH, a solution that involves several specialized AI agents working together to automatically find and validate vulnerabilities across large codebases and prove exploitable bugs. At the same time, states are responding to these new cyber-relevant AI capabilities with export controls.

The key point is that the ability to make targeted use of powerful frontier models and link them to existing security processes is itself becoming a critical cyber capability, turning the dependence on model access, vendor strategies, and regulatory frameworks into a strategic risk factor for companies.

Herein lies the real management task. In the age of agentic AI, cybersecurity is becoming not only more technical, but also more strategic. It’s not about randomly introducing AI everywhere. Companies must structure their defense capability in a way that ensures they retain the ability to act even when faced with new dependencies, higher speeds, and a growing volume of findings.

This calls for three fundamental changes:

  • Firstly: Defense should not depend on a single model.
    Companies need model-agnostic security architectures, multi-vendor strategies, and clear fallback options. If a company were to lose access to a leading model tomorrow, it should not simultaneously lose the ability to analyze vulnerabilities, simulate attacks, or assess incidents.

    Resilience does not come from the best single model, but from a robust ecosystem. It is essential that companies can combine different models, vendors, and security tools in a way that ensures central defense processes remain able to act even when there is limited availability of individual AI capabilities.

  • Secondly: Reaction processes must be geared toward AI speed.
    Many security arrangements are still designed for human processing speed. This will not be enough. Companies need to understand where their response processes are too slow, which decisions can be prepared automatically, and where human approval remains vitally important.

    An AI response readiness assessment can reveal these very gaps. It shows where manual handoffs, unclear responsibilities, fragmented information, or long approval processes slow down responsiveness. A response automation road map subsequently translates these findings into concrete measures – from automated report aggregation to risk-based prioritization and prepared decision-making templates for critical security events.

  • Thirdly: Companies need to understand their exposure across the entire ecosystem.
    The relevant attack surface does not end within the confines of the company. Suppliers, third-party components, cloud services, legacy systems, and external interfaces are often the actual weak points in the system. If AI agents identify these connections faster than the company’s own setup, it results in a dangerous imbalance.

    An enterprise exposure map and an AI security governance framework create transparency here, while prioritizing matters and making them manageable. They help companies to understand which systems, dependencies, and interfaces are particularly critical, how AI may be used in security processes, and what kind of governance is needed to manage risks across the entire digital ecosystem.

The good news is that artificial intelligence can tip the balance in favor of defense – but only for companies that lay the right foundations now. Anyone who regards AI as just another tool in the security stack is taking too narrow a view. The key factor is not the introduction of individual functions, but the reorganization of the defense capability, moving away from manual reaction toward intelligent prioritization, automated preparation, and strategic resilience to model and vendor dependencies.

It’s about having the ability to act rather than taking aimless action. Companies need to understand now which models and vendors their defenses depend on, where their response processes are too slow, and where there is a lack of transparency in terms of their own exposure.

Those who answer these questions at an early stage will not only be able to assess agentic AI as a risk, but also use it in a targeted manner to strengthen their own defense capability. The main challenge in the coming years will therefore not only be whether companies use AI in the area of cybersecurity. The determining factor will be whether they set up their defenses in a way that enables them to deal with the speed, scale, and dependence of a cyber-reality shaped by AI.


 
