Technologists have long predicted that AI coding agents would unleash a flood of security vulnerabilities. They were right, but not for the reasons they expected. Within months, coding agents will fundamentally change both exploit development and vulnerability research economics.

Frontier model improvements won't be gradual but will instead arrive as sudden step functions. Soon, substantial amounts of high-impact vulnerability research will happen simply by pointing an agent at source code and asking it to find zero-days. This transformation is already underway and will profoundly impact information security and the internet itself.

At Anthropic, researcher Nicholas Carlini demonstrated this with Ghost CMS, where a simple script generated a broadly exploitable SQL injection vulnerability. The process involves running a basic bash script that prompts Claude Code to find vulnerabilities across every source file, then verifying the results. This approach works across all vulnerability types, not just memory corruption issues. The economics are compelling: agents never tire, can search indefinitely, and leverage billions of dollars in model training to excel at pattern-matching bug classes and constraint-solving. What once required 20% computer science and 80% painstaking puzzle-solving now has a universal solver available to anyone with access to frontier models.