**Spy Turned Startup CEO Warns: 'The WannaCry of AI Will Happen'**
Sanaz Yashar, CEO of Zafran Security, has seen it all - from the high-stakes world of 0-day development to the rapid evolution of artificial intelligence in cyber threats. Her past life as a "hacking architect" inside Israel's elite cyber group, Unit 8200, has given her a unique perspective on the changing threat landscape.
Yashar recalls the good old days when developing a zero-day exploit would take a year or more. "In my past life," she says, "it would take us 360 days to develop an amazing zero day." But times have changed. The increasing use of AI has accelerated the speed and efficiency of breaches, making it possible for attackers to exploit bugs before patches are even released.
This is reflected in Mandiant's recent analysis, which found that the average time-to-exploit (TTE) hit -1 in 2024 - a first-ever negative TTE. In other words, crims are now exploiting bugs, on average, a day before they're patched. And AI is playing a significant role in this process.
"AI is helping the threat actors do more, and faster," Yashar warns. "We saw 78 percent of the vulnerabilities being weaponized by LLMs and AI." She's concerned not just about the speed and efficiency of breaches but also about the expanding attack surface created by organizations' increasing use of AI.
As attackers misappropriate corporate AI systems, they're finding new ways to bypass safety guardrails, develop exploit chains, or access data they shouldn't have. And there are software vulnerabilities within the AI systems and frameworks themselves - a ticking time bomb that could unleash devastating collateral damage if exploited by junior hackers or governments.
"Sometimes the ones that don't understand what they're doing are more dangerous than Russia, Iran, Israel, US, China," Yashar explains. "They don't have the same level of expertise, but they can still cause catastrophic damage." She points to the 2017 WannaCry ransomware attack as a cautionary tale - one that she believes will be repeated in some form.
"I do think the WannaCry of AI has not yet happened," Yashar says. "It's going to happen. I don't know where it's going to come from, but it's going to happen." The question is, how can organizations mitigate their risk and prepare for this inevitable threat?
According to Yashar, the answer lies in AI itself - specifically, in using AI-powered platforms like Zafran's to identify and remediate exploitable vulnerabilities and perform proactive threat hunting. "The way we do security is going to completely change," she predicts.
"Companies that just show you insight wouldn't be enough," Yashar warns. "They have to get the job done." To get the job done, organizations will need to use AI agents that can investigate and triage threats, develop action plans for mitigation, and even build packages according to their risk appetite.
But humans will still be in the loop - at least for now. "Human behavior changes slower than technology," Yashar notes, adding that turning over complete control to AI agents is not yet feasible.
The future of cybersecurity may be uncertain, but one thing is clear: the WannaCry of AI will happen, and it's up to organizations to prepare and mitigate their risk before it's too late.