Zero-Days Used to Be Expensive. Now They’re Getting Cheap.

A zero-day is the crown jewel of offensive hacking — a flaw unknown to defenders, with no patch in sight. Historically, finding one required rare talent, deep pockets, and time. That combination kept the market small and, to some degree, manageable.
AI just collapsed that equation.
By automating the grunt work — scanning code for exploitable patterns, mapping attack surfaces, identifying entry points — AI tools can now compress what once took months of skilled labor into something far faster and cheaper. The technical moat is draining. And the people watching most closely? Spyware vendors.
The Spyware Industry Was Already Running on Zero-Days

Here’s the uncomfortable context: in 2025, spyware vendors — not China, not Russia — topped Google’s list of zero-day exploiters. These are private firms whose business model is literally built on finding cracks in your device and slipping through them.
Notorious players like NSO Group reportedly maintained rotating stockpiles of zero-days, cycling through them as patches arrived. It was expensive, talent-intensive, and operationally complex. That friction was, in a perverse way, a constraint.
AI removes the friction.
Three Ways This Accelerates Proliferation
The threat doesn’t arrive as one big wave. It compounds across three vectors.
1. Existing Vendors Scale Faster
AI lowers cost and increases speed for vendors already in the market. That’s not just an operational upgrade — it undermines the economic pressure that sanctions and export controls rely on. If a spyware firm no longer needs to recoup massive R&D costs, making them “unprofitable” becomes a much harder policy lever to pull.
2. New Entrants Face a Lower Bar
Capital requirements drop. Technical depth requirements drop. The barrier to standing up a spyware operation shrinks. That’s a direct national security and human rights risk — these tools are routinely used to monitor, suppress, and threaten targets, including American citizens abroad.
3. The Operator Pool Widens

Perhaps most unsettling: AI doesn’t just help vendors build these tools — it helps less sophisticated actors use them. Exploit kits like Coruna and DarkSword have already surfaced outside traditional vendor ecosystems, reaching organized criminal groups that previously lacked the funds or technical depth to deploy iOS-level exploits.
The supply chain for surveillance is getting longer, cheaper, and harder to trace.
Defense Is Playing Catch-Up — But It’s Not Losing Yet

The same capability that finds vulnerabilities faster can also audit code more thoroughly. Defensive AI agents can monitor network traffic, triage alerts, and initiate containment protocols at machine speed — no human bottleneck required.
SentinelOne’s autonomous platform reportedly identified and contained a zero-day supply chain attack in real time. That’s not a hypothetical. That’s the defensive playbook working.
The asymmetry isn’t permanent. But it requires deliberate investment to close.
What Needs to Happen Next

The policy response isn’t complicated; it’s just moving too slowly.
Fund defensive AI, not just offensive capabilities. The US National Cyber Strategy leans heavily on offense. The same energy should flow into stress-testing and scaling defensive AI tools — pilot programs, sector-specific resilience exercises, and federal support for firms building autonomous threat detection.
Keep the pressure on spyware vendors. Sanctions, entity listings, international coordination — none of it is glamorous, but all of it matters. Spyware firms are the most aggressive zero-day consumers on the planet. Letting up now, as AI lowers their costs, would be a serious miscalculation.
Accelerate the shift to memory-safe code. Languages like Rust structurally eliminate entire classes of vulnerabilities that spyware depends on. CISA and NSA renewed that push in mid-2025. Prioritizing memory-safe transitions in firmware and operating system layers — the exact layers spyware targets — shrinks the attack surface before AI even gets involved.
The Takeaway
The first AI-discovered zero-day wasn’t a curiosity. It was a signal. The spyware industry heard it clearly, and they’re already positioned to act on it.
Defenders have the same tools. The question is whether the institutions, policies, and investments will move fast enough to matter — before the asymmetry becomes structural.
Observe the threat. Then choose to close the gap.