AI Raises the Bar on Vulnerability Awareness and Secure-by-Design Software
Artificial intelligence is collapsing the window for ignorance around software flaws. That was the clear message from Hans de Vries, chief cybersecurity and operational officer at the European Union Agency for Cybersecurity (ENISA), who told ESET World attendees that modern AI scanners make it indefensible for vendors to miss bugs lurking in their code.
“See it and fix it”: AI makes blind spots indefensible
“Now, there is no reason anymore for any company to say, ‘I didn’t know about our glitch or our vulnerability in our application’ because you can actually, right now, see it and fix it,” de Vries said on 19 May at the ESET World conference.
The comment reflects a rapidly shifting landscape in 2026, fueled by powerful new AI models—such as Anthropic’s Claude Mythos and OpenAI’s CPT5.4-Cyber—designed to identify and even remediate software vulnerabilities at speed and scale. These systems don’t just flag bugs; increasingly, they propose or automate patches, integrate into CI/CD pipelines, and prioritize issues by exploitability and business risk.
De Vries framed this as a business imperative as much as a security one. “For me, doing security by design and by default is actually the license to do business right now,” he said. “If you haven’t done so, your adversary definitely will make a misuse of [vulnerable software], and you’ll probably be litigated because you should have seen the problem in the first place.” He added a blunt forecast: “If you’re not using AI in a coherent manner, you probably won’t be successful in a year or two.”
Regulation catches up: the EU’s Cyber Resilience Act
The regulatory backdrop is hardening too. The EU’s Cyber Resilience Act (CRA) codifies “cybersecurity by design and by default,” pushing vendors to build and maintain secure products throughout their lifecycle. Key dates include:
- Entered into force: December 2024
- Reporting obligations start: 11 September 2026
- Main obligations apply: 11 December 2027
As AI-native tooling normalizes systematic code review, dependency risk management, and runtime telemetry analysis, regulators and courts may judge “we didn’t know” defenses far less sympathetically. Vendors will be expected to operationalize continuous discovery and timely remediation, not simply publish security policies.
NCSC: more bugs found doesn’t equal instant compromise
Paul Chichester, director of operations at the UK’s National Cyber Security Centre (NCSC), echoed the inevitability that weak code will be exposed. “We are entering a phase where poorly coded systems will have vulnerabilities found in them,” he said. Yet he cautioned that discovery itself isn’t the breach.
“I think finding more vulnerabilities may harm some. For instance, if they are running shadow IT or don’t have that very sophisticated layer of defense,” Chichester noted. “But looking ahead I think there’s going to be a time where the vendors are going to be really keen to use AI themselves to drive those vulnerabilities out of their products.”
Chichester expects AI to standardize assurance practices: “AI will allow software products to be assured in a much more uniform way.” In practice, that points toward consistent secure coding guardrails, automated SBOM validation, and continuous verification baked into delivery pipelines—reducing variance in product security posture across teams and suppliers.
From checkbox to capability: what “secure by design” now means
Secure-by-design is moving from a policy box-tick to a measurable engineering discipline. For product teams, that increasingly entails:
- Embedding AI-powered static and dynamic analysis directly into developer workflows
- Instrumenting applications and infrastructure for real-time anomaly detection and exploit prevention
- Automated patch generation, testing, and rollout with clear rollback plans
- Supply chain scrutiny, including AI-assisted SBOM review and dependency risk scoring
- Documented, repeatable secure development lifecycle (SDLC) controls tied to CRA timelines
The business upside is tangible: faster time-to-fix, fewer escaped defects, and clearer evidence of due diligence for regulators, customers, and insurers.
Industry response: ESET’s €40m bet on AI
Signaling where the market is heading, Slovakia-based cybersecurity firm ESET used its Berlin event to announce a €40 million investment aimed at expanding R&D and accelerating “cybersecurity-first” foundational AI models. The roadmap includes a layered AI stack and a next-generation AI SOC, underscoring how detection, response, and assurance are converging around AI-driven telemetry and analytics.
The takeaway
Between maturing AI scanners and looming CRA obligations, the bar for vulnerability awareness and secure-by-design software is rapidly rising. The message from Europe’s top cyber officials is unambiguous: attackers will find weaknesses, and now so can you—faster. The winners will be those who operationalize AI coherently across the SDLC, turning continuous discovery and remediation into a core product capability rather than a crisis response.