The math doesn't work anymore. Every efficiency gain in development, whether from AI code generation, automated deployment, or continuous delivery, creates security debt that compounds faster than humans can triage. Meanwhile, attackers have turned the patch window into a race they're winning. This week shows the two trends colliding.
The timing this week couldn't be more stark. Just as GitHub launched Agent HQ, new research landed showing just how risky AI-generated code can be. An Ox Security analysis of 300+ repositories revealed that AI tools systematically violate at least 10 software engineering best practices. Worse, Trail of Bits demonstrated how AI agents running shell commands can be tricked into executing malicious code—an attack surface your SAST/DAST tools will miss entirely.
The CrowdStrike survey quantifies the pain: 76% of organizations are struggling. AI is creating a massive bottleneck right where you live—in the remediation pipeline. With threats like the GlassWorm malware now actively spreading through VS Code extensions, it's clear attackers are already targeting this new gap.
You're facing a capacity crisis you can't hire your way out of. AI tools are generating code that ignores engineering best practices, creating new attack surfaces faster than your manual triage-and-remediate workflows can possibly handle.
It was a brutal week for patch-and-pray. Five critical vulnerabilities were actively exploited while patch deployment lagged behind.
The Windows WSUS vulnerability (CVE-2025-59287) was weaponized almost immediately after disclosure. The Adobe Commerce "SessionReaper" bug is being actively exploited to target customer accounts on vulnerable sites. CISA's emergency Nov. 12 deadline for the Lanscope CVE shows how fast response windows are closing.
The pipeline is getting fuller. Pwn2Own just dropped 56 new zero-days into the 90-day vendor pipeline, creating a predictable wave of patches coming your way. The gap between disclosure and exploitation continues to shrink.
But this constant firefighting is distracting from a deeper, more systemic risk: the supply chain itself is under attack.
Attackers are weaponizing CVEs in hours, not weeks. Enterprise patch cycles that worked last year are struggling to keep pace. With regulatory deadlines shrinking to days, MTTR is becoming a more critical metric for teams managing this volume.
The big story this week is the path traversal vulnerability in Smithery.ai. The attack compromised over 3,000 MCP servers and exposed thousands of API keys—one of the largest AI supply chain attacks on record. MCP is the framework GitHub just announced for its new AI agent tooling.
This isn't an isolated incident. The Lazarus Group is targeting defense contractors through compromised open-source packages. GlassWorm's self-propagating worm is spreading through developer AI tools. The attack surface is expanding beyond traditional software dependencies into the AI development stack itself.
As these supply chain threats escalate, the broader security market is consolidating around AI-powered approaches.
Supply chain attacks are targeting AI development infrastructure. Teams adopting MCP workflows or AI coding tools are inheriting new exposure in their dependency chains. Third-party dependencies are becoming a more active threat vector, not just a compliance concern.
The market moved fast this week. Snyk launched Evo as the "world's first Agentic Security Orchestrator." Opsera's Hummingbird AI Agent appeared in GitHub's official MCP registry. Red Hat Developer Lightspeed expanded its AI workflows. Four major vendors launched AI-focused security platforms in a single week.
The CrowdStrike survey data aligns with this market activity—76% of teams can't keep pace with current remediation workflows.
The vendor landscape is consolidating around AI-powered approaches.