Five Eyes: AI cyberattacks are accelerating, timelines measured in months — businesses must act now

Cybersecurity agencies from the Five Eyes countries — Australia, Canada, New Zealand, the UK, and the US, including the NSA and CISA — have issued a joint statement that changes the rules of the game in cybersecurity. The document, titled The AI shift in cyber risk: why leaders must act now, was released on June 22 and sends an unequivocal signal to businesses and governments: the era of slow, predictable cyberattacks is over.
The analysts' main conclusion: advanced AI models are already capable of transforming both offensive and defensive capabilities in cyberspace. And the key factor here is speed. As the statement directly notes, "timelines are measured not in years, but in months." This is not just a warning — it is an acknowledgment of a new reality.
What exactly does AI change?
According to Five Eyes, artificial intelligence radically lowers the barrier to entry for attackers. Now, carrying out a complex attack no longer requires a team of highly skilled hackers — just the right prompt and computing resources are enough. The time between vulnerability discovery and exploitation is compressed to a minimum. On the other hand, the technology also gives defenders powerful tools: faster identification of weaknesses, improved code quality, automatic anomaly tracking, and incident response.
It is important to emphasize: the statement itself does not name specific models or developers. However, the context is clear. It refers to the capabilities of systems such as Anthropic Mythos and OpenAI GPT-5.5-Cyber, as well as their newer versions — Anthropic Fable 5 and OpenAI Daybreak. These names are already circulating in the professional community, and they are behind the regulators' concerns.
Why businesses need to act now
Five Eyes emphasizes: cyber risk is not just a technical problem. It is a matter of operational resilience, market trust, and personal responsibility of leadership. Boards of directors and top managers are urged not just to check whether protective mechanisms exist, but to ensure they can withstand a real incident.
Among the basic but critically important measures are reducing the attack surface and external system accessibility, accelerating security update deployment, abandoning unsupported legacy systems, and strengthening access control and authentication. And most importantly, incident preparation must happen before incidents occur, not after. The principles of secure-by-design and secure-by-default are becoming not a recommendation but a necessity: systems must be designed with security in mind from the outset.
Real numbers: from theory to practice
A March blog post from the UK's National Cyber Security Centre (NCSC) showed staggering dynamics. Over 18 months, the best AI models went from near-zero progress in a simulated corporate attack to completing over half of the scenario. The best model at that time — Claude Opus 4.6 — completed an average of 15.6 out of 32 steps, corresponding to about 6 hours of work out of the 14 needed by a human expert.
But the real breakthrough came after the release of Claude Mythos Preview. According to the UK AI Security Institute (AISI), this model became the first to complete a 32-step simulation of an attack on a corporate network from start to finish — in 3 out of 10 attempts. On average, it performed 22 out of 32 steps. For comparison, a human would need about 20 hours for such a scenario. By May 13, a newer version of Claude Mythos Preview had completed this test in 6 out of 10 attempts and, for the first time, passed a second, more complex scenario.
At the same time, AISI honestly notes the limitations of the tests: the simulation reflects a poorly protected network without active defenders. In reality, an attack would be much more complex. But the direction and speed of change leave no doubt: progress is steady and accelerating.
OpenAI and the new cybersecurity standard
On June 22, OpenAI released the full version of the GPT-5.5-Cyber model to a limited circle of verified defenders. The model set a new efficiency standard on the CyberGym platform with a score of 85.6% — compared to 81.8% for the base version. Additionally, the Patch the Planet initiative was launched in partnership with Trail of Bits and HackerOne, which will help open-source projects move faster from vulnerability discovery to remediation. There have already been initial successes in patching critical vulnerabilities in browsers, network infrastructure, FreeBSD, and the Linux kernel.
Agentic AI: a separate risk
Special attention should be paid to the May Five Eyes guidance on the secure deployment of agentic AI systems. Such services, which use LLMs, external tools, and memory to autonomously perform tasks, expand the attack surface. Vulnerabilities can arise not only in the model but also in tools, integrations, and downstream services. Particular risks highlighted include prompt injection and misinterpretation of goals. The regulators' recommendation is to deploy agentic AI in stages, starting with low-risk tasks, and never grant it broad access to critical systems without strict segmentation and rights control.
My comment as an analyst: The market, unfortunately, often ignores regulators' warnings, considering them overly cautious. But in this case, Five Eyes relies on real tests and numbers, not hypothetical scenarios. The speed at which AI is mastering complex cyberattacks exceeds all expectations. For the crypto industry, where the security of smart contracts and wallets is a matter of survival, this is a signal to immediately reassess defense strategies. Ignoring this trend means voluntarily opening the door to attackers who have already obtained a fundamentally new weapon.