Hackers using AI just found a ‘zero-day.’ The spyware industry is watching.

An illustration shows a system hacked warning sign. (IMAGO/Westlight via Reuters Connect.)

WASHINGTON—Hackers are rapidly infusing artificial intelligence (AI) into offensive cyber operations, driving up risks for US national security. Over the past six months, nation-states and criminal groups have leveraged AI to conduct offensive operations at scale against the United States.

Just last week, Google reported a pivotal moment—for the first time, hackers used AI to discover and exploit a zero-day, the most serious type of security flaw because it has not been detected by security companies and has no known fix. This zero-day was particularly dangerous as it would have bypassed two-factor authentication across Google products. Zero-days are typically both rare and expensive, requiring skilled talent to discover and exploit them—this development changes that. By collapsing the cost, time, and expertise required to find and weaponize zero-days, AI is primed to recharacterize the offensive playing field in ways defenders are not yet equipped to match.

The spyware market—private firms that target devices for surveillance and data extraction—is particularly poised to take advantage of this shift. In 2025, spyware vendors topped Google’s list of groups exploiting zero-days, surpassing even nation-states such as China. In effect, the spyware market runs on a pipeline of zero-days, and AI will make that pipeline significantly cheaper and quicker to fill. A technical barrier that once constrained this industry is eroding. This creates a troubling asymmetry: Surveillance tools are becoming faster to build, easier to deploy, and increasingly autonomous, while accountability and policy oversight fall further behind.

To some extent, the difficulty of discovering vulnerabilities has kept the spyware market in check. This has been particularly true of vulnerabilities that require a degree of technical talent only a handful of vendors can maintain, such as zero-days for Apple’s iOS. Further complicating hackers’ quest are the defensive measures technology companies have developed, such as Apple’s Lockdown Mode. As a result, some of the most notorious vendors, such as the NSO Group, reportedly maintained multiple zero-day exploits, cycling through them to sustain system access as companies deployed patches. AI-assisted tools can now complement every stage of the vulnerability and exploitation pipeline, from scanning code for exploitable patterns to identifying attack surfaces (the entry points into a system that an attacker can take advantage of), ultimately minimizing the hacking talent needed. The result is a fundamental shift in what a moderately resourced spyware vendor can produce, making existing spyware vendors more dangerous and lowering the barrier to entry for entities wanting to enter the market.

This drives proliferation in three key ways. First, it enables moderately skilled spyware vendors that are already in the market to scale their operations. AI is increasing speed and lowering cost, which, in addition to enabling vendors to scale operations, also drives down financial pressure to recoup costs, making it more difficult to make certain spyware vendors unprofitable via sanctions and other constraining policy measures.

Second, by making it cheaper and quicker to develop spyware capabilities, AI reduces the capital barrier of entry for new vendors. This poses a significant US national security and human rights risk, as these tools are often utilized to monitor, suppress, and threaten targets, including American citizens at home and abroad. It might also decrease demand, enabling nation-states, including US adversaries, to develop their own in-house tools.

And third, by automating expertise required to operate these tools effectively, it broadens the pool of actors who can deploy them beyond spyware vendors. Evidence of this effect already exists. Sophisticated kits that package together iOS exploits such as Coruna and DarkSword have emerged outside the traditional vendor ecosystem, reaching organized criminal groups and others that would previously have lacked either the funds or the technical depth to use these exploits.

But AI is also a defensive tool. The same capability that helps attackers find vulnerabilities faster can also help companies audit their own code more thoroughly. For example, SentinelOne’s autonomous cybersecurity platform identified and contained a zero-day supply chain attack, according to the company. Defensive AI agents can monitor network traffic, triage alerts quickly, and initiate containment protocols faster than any human team. Therefore, policymakers should focus on creating conditions for defensive tools to scale to meet the growing threat environment.

To counteract the threat-multiplier characteristics AI now poses, policymakers should:

1. Invest in defensive AI technologies rather than just offensive ones

The US National Cyber Strategy emphasizes the role of offensive cyber operations, including the private sector’s role in contributing to national resilience. That same logic should extend to defense. Private firms are already developing and deploying tools capable of autonomously detecting and disrupting AI-enabled threats, as is the case with SentinelOne. Federal policy should support this market by funding stress tests, pilot programs, and sector-specific resilience exercises that evaluate defensive AI tools against agentic attacks.

2. Don’t let up on spyware

Spyware vendors are the most prolific users of zero-days. Continuously applying pressure to these firms is vital to contain the size and threat of this industry. Continuing to engage in international forums, maintaining and building sanctions on spyware vendors, and keeping entity listings up to date are critical to avoid giving these entities a leg up.

3. Bolster memory safety

Memory-safe programming languages, such as Rust, structurally eliminate entire classes of vulnerabilities that spyware exploits depend on. The United States has begun pushing federal agencies and contractors toward memory-safe code, with the Cybersecurity and Infrastructure Security Agency and National Security Agency renewing that push in June 2025. Accelerating that transition, particularly in the firmware and operating system layers that spyware targets, could meaningfully shrink the attack surface over time.
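To make concrete what "structurally eliminate" means here, the following is an added example (not code from the article or from any vendor it discusses) in Rust, the language the passage names. It parses a constructed, hypothetical length-prefixed record format, the kind of parsing where a C implementation would read past the buffer if a length field lies. In Rust the same mistake surfaces as a recoverable error or a panic rather than as an out-of-bounds read or a corrupted stack, which is the class of bug most memory-corruption exploits depend on.

```rust
// Added example: bounds-checked parsing in a memory-safe language.
// The record format ([len: u8][payload: len bytes]) is constructed for
// this illustration and is not a real protocol.

/// Parse records of the form [len][payload...] from `input`.
/// Returns the payloads, or an error if a length field claims more
/// bytes than remain. `get(start..end)` returns `None` instead of
/// reading beyond the end of the buffer, so a lying length field can
/// never cause an out-of-bounds read.
pub fn parse_records(input: &[u8]) -> Result<Vec<Vec<u8>>, String> {
    let mut records = Vec::new();
    let mut pos = 0;
    while pos < input.len() {
        let len = input[pos] as usize;
        let start = pos + 1;
        let end = start + len;
        match input.get(start..end) {
            Some(payload) => records.push(payload.to_vec()),
            None => {
                return Err(format!(
                    "record at offset {} claims {} bytes but only {} remain",
                    pos,
                    len,
                    input.len() - start
                ))
            }
        }
        pos = end;
    }
    Ok(records)
}

/// Copy `src` into a fixed 8-byte buffer. In C, an unchecked memcpy here
/// would overwrite whatever sits after the buffer; in Rust the slice
/// indexing is checked, so an oversized `src` panics instead.
pub fn copy_into_fixed(src: &[u8]) -> [u8; 8] {
    let mut buf = [0u8; 8];
    buf[..src.len()].copy_from_slice(src); // panics if src.len() > 8
    buf
}

/// Report whether copying `src` would have overflowed the fixed buffer.
/// The panic is caught so the caller sees a boolean rather than a crash;
/// the panic message still goes to stderr by default.
pub fn copy_panics_on_overflow(src: &[u8]) -> bool {
    std::panic::catch_unwind(|| copy_into_fixed(src)).is_err()
}

fn main() {
    // Constructed sample input: two well-formed records.
    let good = [3, b'a', b'b', b'c', 2, b'x', b'y'];
    println!("{:?}", parse_records(&good)); // Ok([[97, 98, 99], [120, 121]])

    // Constructed malformed input: length byte says 5, only 2 bytes follow.
    let bad = [5, 1, 2];
    println!("{:?}", parse_records(&bad)); // Err("record at offset 0 ...")

    // Nine bytes into an eight-byte buffer: a panic, not silent corruption.
    println!("overflow caught: {}", copy_panics_on_overflow(&[0u8; 9]));
}
```

The point for the policy argument is the second function: the defect is still a programmer error, but the language turns it from an exploitable memory write into a deterministic crash that a fuzzer or a crash reporter surfaces immediately.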

The spyware industry is ready to leverage the latest developments in offensive AI, and the United States must respond to mitigate the risks to national security and human rights.