The Five Eyes intelligence alliance warned Monday that advanced AI models are poised to transform offensive hacking capabilities within months, urging governments and businesses to strengthen their defenses immediately.
"Frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities," the agencies said in the joint statement. "The timeline is not years, it is months."
The warning was signed by the heads of cyber security agencies across all five member nations, including National Security Agency Cybersecurity Directorate Director David Imbordino and acting Cybersecurity and Infrastructure Security Agency Director Nick Andersen, along with counterparts from the U.K., Canada, Australia, and New Zealand.
According to the agencies, AI has made it easier for bad actors to mount attacks and has shortened the time between when a software flaw is discovered and when it is weaponized. They said frontier models will accelerate that trend, making cyber risk a core business and leadership issue rather than a technical one. "Cyber risk can no longer be treated as a purely technical issue," the statement said. "This is a core business risk and leadership responsibility."
The statement outlined several practical steps organizations should take, including reducing unnecessary internet-connected attack surface, accelerating software patching, replacing legacy systems, tightening identity and access controls, and testing incident response plans before a breach occurs. The agencies also urged defenders to adopt AI tools themselves to detect vulnerabilities, monitor unusual behavior, and respond faster to attacks.
"Adversaries are already using AI to move faster and more effectively," the agencies said. "Defenders must do the same."
The warning arrives against a backdrop of growing concern over AI models with demonstrated offensive capabilities. The alliance anticipates that offensive capabilities on par with those demonstrated by models including Anthropic's Fable 5 and OpenAI's Daybreak will reach the general public within twelve months, even as AI developers attempt to gate or withhold access. Because open-source releases have historically trailed the leading commercial labs by roughly half a year, capabilities that are tightly controlled today tend to circulate freely in short order, according to CyberScoop.
The emergence of Anthropic's Mythos model, which drew attention in Washington for its ability to identify vulnerabilities in widely used software, shaped the policy environment leading up to the warning. The Trump administration subsequently ordered Anthropic to suspend foreign national access to its most capable models. Separately, CISA tightened its patch mandate for federal agencies, cutting the window for addressing critical network vulnerabilities to 72 hours in response to AI-driven threat concerns, according to Reuters.
"Success will come from getting the basics right, acting quickly, and integrating cyber security into core business strategy," the agencies said. "Those that do not will face growing operational and strategic disadvantage."
