A single person. A flaw in a football club’s app. And, with it, the keys to the kingdom.
In March 2026, RTL Nieuws revealed that Ajax — one of the most-watched football clubs in the Netherlands — had been hacked through its ticketing app. The technical detail was simple: every user of the app carried the same digital key to reach their season ticket, so getting hold of one meant you could reach anyone’s. RTL proved the point by lifting the season ticket of Ajax’s own director, Menno Geelen, and with it access to the VIP boardroom box. The same access let you attend matches on stolen tickets, lift stadium bans, and view the personal data of more than 300,000 supporters — including the 538 people flagged with a ban. In May, Dutch police arrested a 35-year-old man from Buren on suspicion of computer intrusion.
This wasn’t a state actor, and it wasn’t a crew with a zero-day arsenal and years of tradecraft. It was one individual, one bespoke app, one mistake — chasing a payoff (football tickets and stadium-ban lists) that not long ago no serious attacker would have spent weeks of skilled reverse-engineering to reach. The economics simply didn’t add up. And increasingly, they do.
I’ve spent almost two decades helping organizations defend against attackers, and this is the clearest local sign yet of something I’ve been watching arrive globally. The reason those economics now add up is that the thing which used to gate this kind of attack — the specialized human effort of digging through an unfamiliar app until you find the one mistake that opens everything — is precisely what AI now does for almost nothing. AI hasn’t made hackers smarter. It has made effort free. And “effort was expensive” was the load-bearing assumption underneath almost every security strategy we’ve built. Take it away, and a lot of things we assumed were safe simply aren’t anymore.
The world we’re leaving behind
For thirty years, offensive capability was gated by human talent. Finding a genuine vulnerability in a large, unfamiliar codebase was slow, specialized work. A senior researcher might spend weeks or months on a single high-impact bug in brand-new code. That scarcity shaped everything downstream. Attackers concentrated on high-value targets because effort had to be justified by payoff. Obscure software that only one company ran was, in practice, safe — not because it was secure, but because nobody would bother. And the window between a vulnerability becoming known and a working exploit existing in the wild was often long enough to patch in.
The “script kiddie” — the no-skill attacker running tools they ripped from the internet without understanding them — was a nuisance precisely because they couldn’t do the hard part themselves. They were limited to whatever someone else had already weaponized.
Every one of those assumptions is now obsolete.
What actually changed: effort went to zero
Talk to the people building AI bug-finding systems and the numbers are startling. At DARPA’s AI Cyber Challenge, automated systems scanned tens of millions of lines of code and found not only the flaws that had been deliberately planted, but more than a dozen real bugs nobody had inserted on purpose. Tim Becker, a security researcher at Theori, put the shift bluntly to The Verge: work that used to take him weeks or months now takes hours. “The bar to diving into a new million-line codebase and finding a bug is so much lower than it used to be.”
When effort collapses, the economics of attack invert — and three defender assumptions break at once.
Target selection inverts. As Dan Guido of Trail of Bits framed it, “because effort is cheap, you can do things that are lower down the food chain.” You can write an exploit for software that only one company runs, in one configuration, on the fly, in the middle of an intrusion. The obscure line-of-business app that was safe-by-obscurity is now a legitimate target, because pointing an AI at it costs almost nothing. Ajax’s ticketing app was exactly this kind of target.
Disclosure-to-exploit collapses toward zero. The comfortable gap between “a vulnerability is announced” and “an exploit exists” is closing to nothing. When a patch itself is enough for an AI to reverse-engineer the bug and produce working exploit code, the clock you thought you had to patch is largely gone.
The script kiddie becomes genuinely dangerous. The no-skill attacker is no longer limited to yesterday’s weaponized exploits. They can grind a novel target at machine speed — “point an LLM at that wall,” as Guido put it, and let it iterate until something works. The dangerous attacker of 2026 doesn’t need to be an expert.
None of this is hypothetical. Fortinet reported ransomware victim counts up 389% amid the rise in AI-powered attacks. Katie Moussouris of Luta Security warns the coming wave won’t just be a “vulnpocalypse” of new bugs — it’ll be a “patchpocalypse,” as organizations drown in more fixes than they can safely test and deploy. As she puts it, we can’t incident-respond our way out of this. The consensus in the field is uncomfortably unanimous: 2026 is the make-it-or-break-it year.
The real lesson: it’s not the model, it’s the harness
Here’s where most of the coverage goes wrong, and where the actual strategic insight lives.
The instinct is to fixate on the model — specifically Anthropic’s Mythos, the frontier model that reportedly finds vulnerabilities in nearly everything it’s pointed at.
But when Cloudflare got hands-on access to Mythos Preview and pointed it at more than fifty of their own repositories under Project Glasswing, the lesson they came away with wasn’t about the model’s raw intelligence. It was about structure. What made Mythos frightening wasn’t that it found bugs — plenty of models find bugs. It was two things: it could chain several low-severity primitives into a single working exploit the way a senior researcher would, and it could prove exploitability by writing, compiling, and running proof-of-concept code, then reading the failure and trying again until it worked. A suspected flaw is speculation; a flaw with a working proof is a weapon.
And crucially, Cloudflare found that pointing even a brilliant model at a repo and saying “find vulnerabilities” doesn’t work well. The model wanders, hedges, and drowns you in “possibly” and “could in theory.” What worked was building a harness around the model: a pipeline that does reconnaissance, fans out dozens of narrowly-scoped hunter agents in parallel, puts a second adversarial agent in deliberate disagreement with the first to kill false positives, deduplicates, and traces whether attacker-controlled input can actually reach each bug. Their conclusion, in their words: the model is one input; the system is the product.
That reframing is the most important thing in this entire story. The frontier is no longer the model. It’s the orchestration around it — and the operational judgment encoded into that orchestration. A capable model in a crude loop is a noisy toy. A merely-good model in an excellent harness is a machine that outperforms most human teams. Which means the durable advantage — for attackers and defenders — belongs to whoever implements it first, not whoever has API access to the smartest weights this quarter.
The mirror: defenders got the exact same superpower
If that were the end of the story, it would just be despair. It isn’t — because the harness cuts both ways, and the defensive side of the industry is moving fast.
Microsoft’s answer is the clearest illustration of a broader doctrine I’d call defend at machine speed, and it has two halves.
The first half is discovery. Microsoft built a multi-model agentic scanning harness (codename MDASH) with almost exactly the shape Cloudflare described — a pipeline of specialized agents that prepare, scan, then debate each finding for and against its exploitability, deduplicate, and prove. On a test codebase it found 21 of 21 planted vulnerabilities with zero false positives. On real Windows code it contributed 16 CVEs to a single Patch Tuesday across the network stack, and hit 96% recall against five years of historical bugs in one component and 100% in another. Their conclusion is a near-verbatim echo of Cloudflare’s: the harness does the work, and the model is one input. That portability matters — when the next model lands, the targeting, debating, deduping, and proving carry over intact.
The second half is response — and this is where I’d point you back to something I wrote about earlier this year. At Experts Live, Raviv Tamir described Microsoft’s shift to a “fire first, ask questions later” model, where automated systems executed hundreds of defensive actions inside 50 minutes during an active attack — isolating accounts, revoking tokens, blocking lateral movement — faster than any human SOC could. That capability, Attack Disruption, is the defensive mirror of the machine-speed attacker. When the adversary can move at the speed of an AI agent, a human-paced response loop isn’t slow — it’s irrelevant. Detection that only creates a ticket for a human to investigate tomorrow is, as I’ve said before, just watching yourself get robbed in high definition.
Put the two halves together and the picture is symmetrical: agentic offense meets agentic defense, and the humans move up the stack — from doing the work to governing it. The contest is harness versus harness. The organizations that lose won’t be the ones without AI. They’ll be the ones who bolted a chatbot onto their SIEM, called it transformation, and still run every real decision through an overwhelmed analyst queue.
So how do you actually deal with this?
None of this is a reason to despair, and it’s certainly not a reason to freeze. As Moussouris frames it, this is a moment to shore up defenses and finally get budget for the things you’ve been putting off. Here’s where I’d focus — principles first, with the Microsoft stack as one concrete way to implement them.
1. Assume exploitation, not just vulnerability. Patching faster is necessary but it will never be sufficient — you cannot win a race where exploit code ships the same hour the CVE does. The higher-leverage move, as Cloudflare argued, is architecture that makes exploitation harder even when a bug exists, so the gap between disclosure and patch matters less. That means defense-in-depth in front of the application, blast-radius containment so a flaw in one place can’t reach everything, and the ability to roll a fix everywhere at once. In Microsoft terms: rigorous segmentation, Conditional Access as a control plane, phishing-resistant MFA, and just-in-time privilege via Entra PIM so a compromised session isn’t a master key.
2. Compress your response loop with a harness, not headcount. You will not hire your way to machine speed. High-confidence threats should trigger automated containment — disable the identity, revoke the tokens, isolate the device — with humans arriving after the bleeding stops, not before it starts. This is exactly what Microsoft’s Attack Disruption does by default for classes like ransomware and hands-on-keyboard attacks. The key, echoing Raffy Marty’s work on the AI-native SecOps control plane, is disciplined automation: deterministic playbooks and policy-as-code where safety matters, generative AI reserved for reasoning and investigation, and guardrails — approval gates, rollback paths, audit trails — around all of it. Risk becomes the control signal: the same event on a test box and on a privileged identity should not get the same response. And if you don’t run a 24/7 SOC yourself, this is exactly what a modern Managed Detection and Response (MDR) service should now deliver — not analyst labor bolted onto your alerts, but the AI-native SecOps control plane Raffy Marty describes, operating the detection-to-response loop on your behalf while you set the policy and own the high-risk decisions.
3. Govern your AI agents like privileged insiders. Researchers have already shown that an AI browser assistant, handed a signed-in admin session, can enumerate and dismantle an entire Microsoft 365 tenant in seconds — not by inventing a new attack path, but by making an existing administrative workflow instant and hands-free. Any agent — browser assistant, copilot, automation — that can act with a user’s session inherits that user’s blast radius. Apply least privilege to agents, not just people. Lock down and monitor Graph activity, restrict OAuth consent and device-code flows via Conditional Access, enforce token protection so tokens can’t be lifted and replayed, and layer Purview data protection so bulk exfiltration hits a wall even when identity controls are bypassed. Microsoft’s emerging answer to this is Agent 365 — a control plane to inventory every agent, give each one its own identity in Entra, scope and gate what it can touch, and watch it with Defender and Purview. Ask the uncomfortable question: if one of our admins’ browser sessions were quietly driven by an AI right now, what could it do in sixty seconds — and would we even see it?
4. Prioritize by reachability, not CVSS. The patchpocalypse is a triage problem, not a volume problem. When AI generates more findings than you can ever action, a flat severity score is worse than useless — it sends you to fix a critical bug buried behind three internal controls while an ignored medium sits exposed on your perimeter. This is the graph thinking I keep coming back to: model your environment as attack paths, and fix the edges that actually sit on a route to something that matters. In Microsoft terms, that’s attack path analysis in Microsoft Security Exposure Management — it maps the real routes to your critical assets and surfaces the chokepoints where removing a single edge collapses many paths at once. And you can get ahead of the queue entirely by pointing the same kind of harness at your own code before an attacker does: Microsoft’s MDASH is the in-house example, and because it proves exploitability rather than just flagging candidates, the findings that reach a human are already the ones that matter. You don’t need to fix everything. You need to break the reachable paths first.
5. Keep humans where judgment lives — and staff for it. The reflex to cut security headcount because “AI is more efficient” gets the lesson exactly backwards. AI dramatically accelerates senior people, but it can hollow out the pipeline that creates them if juniors never learn to think because the machine thinks for them. You still need humans for prioritization, threat hunting, and the high-risk decisions no policy engine should make alone. Point the automation at the toil so your people can do the judgment. As Moussouris put it: you can’t incident-respond your way to resilience.
6. Treat your apps and APIs as the front line. Come back to how the Ajax hack actually worked: the pivot wasn’t a server or an endpoint — it was a key inside a mobile app that unlocked the API behind it, and the API handed over everything. That is the pattern to internalize. As AI makes probing bespoke apps and their interfaces almost free, the application layer becomes the cheapest route into your data and infrastructure — and it’s the layer most organizations still under-instrument. Treat APIs as first-class attack surface: discover every one you expose (including the forgotten and undocumented ones), enforce real authentication and authorization on each, rate-limit and monitor for the abuse patterns an AI-driven attacker will generate, and shield them so exploitation is blocked even when the app behind them has a flaw. This gap is exactly why we built a dedicated API Protect offering at Wortell — because the ticketing app that leaks hundreds of thousands of records tomorrow will almost certainly leak them through an API.
The uncomfortable symmetry
Here’s the thought I can’t shake, and I’ll leave it with you.
The same class of tool that can write your code, review your architecture, and defend your tenant at machine speed is the same class of tool that turns a bespoke app nobody thought was worth the effort into a weekend project for one motivated person — and could enumerate and wipe your identity plane in the length of a coffee break. The capability is neutral. The intelligence is genuinely available to both sides. What’s left as the actual differentiator is no longer talent, and it’s no longer the size of your tooling budget.
It’s whether you’ve implemented it before your adversary did. Whether you’ve built the harness, wired detection to machine-speed response, governed your own agents, protected your apps and APIs, and shifted your people to judgment — or whether you’re still treating AI as a feature you’ll get to next quarter while someone with a laptop and a weekend treats it as a weapon today.
Effort is free now. For everyone. The only question left is who put it to work first.
So here’s the one I’d take into your next Monday: if an AI agent had your most privileged admin’s session open right now, how far could it get before anything in your environment noticed — and who, or what, would stop it?
If you can’t answer that with confidence, you already know where to start.
Sources: This post draws on The Verge — “Attack of the killer script kiddies”, Cloudflare — “Project Glasswing: what Mythos showed us”, Microsoft Security — “Defense at AI speed”, Raffy Marty — “Next-Gen MDR Has To Become An AI-Native SecOps Control Plane”, Netwrix — “Automating Entra ID Tenant Destruction with AI”, RTL Nieuws’ reporting on the Ajax ticketing-app hack (25 March 2026) and NOS — “Verdachte aangehouden voor hack bij Ajax”, and reporting on AI-powered ransomware growth via Dr. Philippe Vynckier. It also builds on my earlier post, Blueprint for a Modern Defense Stack.