AI Accelerates Software Flaw Discovery, Dutch Authorities Warn

Key Takeaways

  • Artificial intelligence is drastically shortening the time needed to discover software vulnerabilities, and the window before a flaw is exploited has shrunk from days to hours and is expected to shrink to minutes.
  • Low‑cost AI tools—some built on publicly available models like OpenAI’s GPT series—can uncover flaws in legacy and government systems for as little as €10.
  • Dutch cybersecurity officials warn that while defenders currently hold an edge, cybercriminals are likely to adopt the same AI‑assisted techniques within months.
  • Older, “cheaper” AI systems have already proven capable of identifying serious flaws, indicating the threat is not limited to cutting‑edge models.
  • The Netherlands’ highly digitalized infrastructure makes it especially vulnerable; accelerating patch management and defensive readiness is now urgent.

AI Accelerates Vulnerability Discovery
Dutch cybersecurity officials and experts warned on Friday that artificial intelligence is dramatically speeding up the identification of weaknesses in computer systems. According to Matthijs van Amelsfort, director of the Dutch National Cyber Security Centre (NCSC), AI‑powered tools can locate security flaws far faster than human analysts. “In the past, it took days before an attacker exploited a vulnerability; now it is hours,” he said. “That will become minutes.” This compression of the discovery window raises the prospect that malicious actors could weaponize AI on a much broader scale than before.

Expert Warnings from Dutch NCSC
Van Amelsfort emphasized that the Netherlands, with its highly digitized critical infrastructure, remains a prime target for cyberattacks that could disrupt ports, steal data, or cripple services. He warned that the advantage defenders currently enjoy may be short‑lived, as adversaries are likely to adopt the same AI‑driven techniques after a brief lag. “Attackers and defenders will continue to battle each other, also with this AI development,” he noted, urging organizations to ensure their defensive posture is robust and up‑to‑date.

Real‑World Demonstration by Hadrian
Cybersecurity firm Hadrian illustrated the potency of inexpensive AI tools by showing how a low‑cost system could uncover a serious flaw in a government website. Rogier Fischer, a hacker employed by Hadrian, used an AI model developed by OpenAI, the company behind ChatGPT, to scan the site’s code. The analysis revealed a vulnerability that granted access to restricted files, and Fischer displayed the exposed passwords during a live demonstration. The entire operation cost roughly €10 (about $11), underscoring how accessible powerful vulnerability‑finding capabilities have become.

Cost and Accessibility of AI‑Powered Exploits
The Hadrian case highlights a troubling trend: sophisticated vulnerability discovery no longer requires nation‑state budgets or specialized expertise. By leveraging publicly available AI models and modest computing resources, attackers can automate the scanning of large codebases, pinpointing weaknesses that might have remained hidden for years. This democratization of offensive AI lowers the barrier to entry for cybercriminals, increasing the likelihood that more actors will attempt to exploit newly discovered flaws before defenders can patch them.

Findings from AISLE and Historical AI Use
Another Dutch firm, AISLE, reported that it has identified more than 200 software vulnerabilities using various AI systems since September 2025. Jaya Baloo, a senior analyst at AISLE, cautioned against the narrative that AI’s vulnerability‑finding prowess is a sudden breakthrough. “The story was that AI was ‘suddenly’ very good at finding vulnerabilities,” she said. “But we could find those same flaws with older AI systems. So why ‘suddenly’? We’ve been doing this for months.” Her comment suggests that even earlier generations of AI have been effective, implying that the current acceleration stems from broader adoption and improved integration rather than a singular technological leap.

Defender‑Attacker Arms Race Intensifies
Experts agree that the cybersecurity landscape is entering a new phase of the classic attacker‑defender arms race, now amplified by AI. While defenders can also employ AI to prioritize patches, automate threat hunting, and predict likely exploit paths, the speed at which attackers can discover and weaponize vulnerabilities threatens to outstrip traditional response cycles. Van Amelsfort warned that countries with extensive digital infrastructure—like the Netherlands—must accelerate their defensive measures to keep pace, or risk suffering disruptive attacks on essential services.

Urgent Call to Accelerate Patching and Defense
Both van Amelsfort and Dimitri van Zandvliet, chairman of the CISO Platform, stressed the need for organizations to shorten the window between vulnerability discovery and remediation. “We need to accelerate so that we fix those errors before they are exploited,” van Zandvliet said. This involves adopting continuous monitoring, integrating AI‑driven vulnerability scanners into dev‑ops pipelines, and ensuring that patch management processes are agile enough to apply fixes within hours rather than days. Investment in training, threat intelligence sharing, and incident response readiness is also critical to mitigate the heightened risk posed by AI‑assisted hacking.

Conclusion: Preparing for AI‑Driven Cyber Threats
The warnings from Dutch officials and cybersecurity practitioners make clear that AI is not merely a defensive tool; it is a force multiplier for offensive operations as well. The ability to uncover flaws in legacy systems for a few euros, combined with the rapid tempo of discovery, demands a proactive and adaptive security posture. Organizations must invest in AI‑enhanced defenses, streamline patching workflows, and foster collaboration between public and private sectors to stay ahead of adversaries who are increasingly likely to wield the same technology. Only by treating AI as both a threat and an asset can the Netherlands—and similarly digitized nations—hope to safeguard their critical infrastructure in the evolving cyber landscape.
