SDLC in the AI-Attacker Era

On this page

Question

How do SDLC, supply chain, identity, and attack-surface assumptions need to evolve when adversaries have frontier AI capability, and which existing controls remain load-bearing versus which need rework? Specifically: which assumptions in SLSA, SSDF, CSAF, and ISO 27001 were calibrated against a human-paced attacker and now require explicit recalibration? Where does the existing Agentic AI Security CMM (which addresses securing AI systems) need extension to address securing non-AI systems against AI-augmented attackers?

Current position

The wiki’s coverage of supply chain, governance, and SDLC controls (supply chain security for agents, AI-BOM, coding-agent governance, least-agency, plan-validate-execute) was framed for securing AI systems. The inverse problem is securing classical SDLC against AI-augmented attackers. The tooling overlaps; the threat model does not. Three claims now carry quantified or government-anchored evidence rather than projection.

First, the time-to-exploit window has collapsed. The median time from CVE disclosure to first observed exploitation fell from 771 days in 2018 to zero-day by 2025, when the exploit now arrives on or before the advisory.1 AI systems generate working proof-of-concept exploit code from a CVE disclosure in 10 to 15 minutes at roughly $1 per attempt.2 In the first quarter of 2025, 28.3% of newly-exploited vulnerabilities had exploitation evidence within a day of disclosure.3 Coordinated-disclosure timelines built on a 90-day human-paced assumption do not hold against this curve; a vulnerability disclosed Monday can be weaponized the same day.

Second, the supply chain is the primary attack surface for AI-augmented adversaries, and the attacks are now observed, not hypothesized. The prt-scan campaign used AI-generated, language-aware payloads to open well over 500 malicious pull requests against public GitHub repositories over roughly three weeks, exfiltrating AWS keys, Cloudflare API tokens, and Netlify auth tokens without a single zero-day, using only default CI/CD permission configurations.4 A new attack class, slopsquatting, exploits the developer’s use of AI tooling rather than any flaw in the registry: adversaries register package names that coding assistants reliably hallucinate.5 Malicious package uploads are rising sharply alongside these named campaigns.6

Third, the control categories the wiki already documents carry into this framing, but the standards do not. Existing primitives apply with little change. AI-BOM, skill-registry scanning, and pre-install vetting from supply chain security for agents hold when the attacker’s tooling is the agentic stack. The Plan-Validate-Execute human-in-the-loop pattern translates to mandatory human review for AI-assisted merges. IEC 42001, NIST AI RMF, and Microsoft ZT4AI anchor the management-system and zero-trust framing. The open question is what these instruments look like when applied to non-AI systems facing AI-augmented attackers. No SLSA, SSDF, or CSAF revision yet addresses that recalibration directly.

Coding-agent governance is the clearest example of a control category that reads both ways. As a defensive control class it covers rules-file integrity, IDE-extension provenance, dependency-name and typosquat defense, and destructive-action classification, the surface that secures an organization’s own AI-augmented developers. Viewed inversely, the same surface describes the attacker’s productivity stack. The category is anchored by the wiki’s guardian-agent vendor set; Knostic is one example among that set. The guidance stands on the control class, not on any single vendor.

Time-to-exploit collapse

The window between disclosure and exploitation is the thesis’s load-bearing quantitative claim. Multiple independent sources now anchor it. The Zero Day Clock places median time-to-exploit at 771 days in 2018 and zero-day by 2025 across a dataset of CVE-exploit pairs.1 The Cloud Security Alliance “Collapsing Exploit Window” whitepaper traces the same curve through median figures: 756 days in 2018, roughly 32 days in 2022, roughly 5 days in 2023, and 32.1% of analyzed first-half-2025 CVEs exploited on or before public disclosure.7 The same whitepaper reports that AI systems generate functional proof-of-concept exploit code from a CVE disclosure in 10 to 15 minutes at roughly $1 per attempt.2 VulnCheck’s Q1 2025 analysis found that, of 159 vulnerabilities first reported exploited in the wild, 28.3% had exploitation evidence within a day of disclosure.3 Rapid7’s 2026 Cyber Threat Landscape Report adds an independent dataset: confirmed exploitation of newly disclosed high/critical vulnerabilities rose 105% year over year, to 146 in 2025 from 71 in 2024, while mean time-to-exploit fell from 61.0 to 28.5 days.8 The Rapid7 mean and the Zero Day Clock median diverge because the distribution is right-skewed: most exploited vulnerabilities are weaponized at or before disclosure, while a slow-exploited tail pulls the mean out to weeks.

Vendor and standards language tracks the same shift. CrowdStrike CTO Elia Zaitsev: “The window between a vulnerability being discovered and being exploited by an adversary has collapsed — what once took months now happens in minutes with AI,” adding that “adversaries will inevitably look to exploit the same capabilities.”9 Palo Alto Networks CPTO Lee Klarich: “There will be more attacks, faster attacks, and more sophisticated attacks. Now is the time to modernize cybersecurity stacks everywhere.”9 Microsoft’s SDL-for-AI post (Yonatan Zunger) frames a parallel speed gap: “AI accelerates development cycles beyond SDL norms. Model updates, new tools, and evolving agent behaviors outpace traditional review processes, leaving less time for testing and observing long-term effects. Usage norms lag tool evolution, amplifying misuse risks.”10 Where CrowdStrike frames the asymmetry as discovery-versus-exploitation time, Microsoft frames it as tool-evolution-versus-usage-norm time; both segments belong to the same collapse, and both invalidate a 90-day coordinated-disclosure assumption. Veracode’s Chris Wysopal states the practitioner view plainly: “The patch window has effectively collapsed. That is not a gradual trend; it’s a structural break.” Every shipped patch is a roadmap that attackers can diff and weaponize faster than enterprises can test and deploy.11

Supply-chain attack surface

The supply chain is where AI-augmented adversaries are now observed operating. The prt-scan campaign (March–April 2026, documented by Wiz) used AI-generated, language-aware payloads to open well over 500 malicious pull requests against public GitHub repositories over roughly three weeks, with an observed success rate under 10% across more than 450 analyzed attempts.4 It verified theft of AWS keys, Cloudflare API tokens, and Netlify auth tokens and compromised at least two npm packages across 106 versions.12 The attack required no zero-day, only default pull_request_target workflow permissions that most organizations have not hardened.13 It is the most concrete public evidence of AI-assisted CI/CD pipeline exploitation at machine speed in the 2026 timeframe.

Slopsquatting names a structurally new attack class: adversaries register package names that AI coding assistants reliably hallucinate. The arXiv study “We Have a Package for You!” tested 16 LLMs across 576,000 Python and JavaScript code samples, finding a roughly 20% package-name hallucination rate; 43% of hallucinated names recurred across repeated requests.5 A proof-of-concept package seeded under a commonly hallucinated name accumulated over 30,000 downloads in three months.14 Typosquatting detectors miss this class because the names are invented, not misspelled. The Citizen Coders dynamic widens the exposure: non-developers generating code through AI are less likely to verify package recommendations against registry histories.

The trend is not confined to single campaigns. Malicious package uploads to public registries rose sharply year over year, with JFrog reporting a 451% surge in malicious npm packages to 171,592 unique instances in 2025, driven by three hijack campaigns that produced more than two million compromised downloads.6 Four discrete AI supply-chain attacks, against Trivy, LiteLLM, Telnyx, and Axios, were disclosed within a 50-day window in early 2026.15

The attack surface also widens from the defender’s own AI-authored code. JFrog attributes part of a 20% year-over-year rise in disclosed CVEs, more than 48,000 in 2025, to AI-generated code that omits secure-coding practices, reviving decades-old injection classes such as cross-site scripting and SQL injection at volume.16 The same tooling that accelerates development reintroduces the weakness classes secure-SDLC programs spent two decades suppressing.

Vendor and standards response

Vendors and government bodies are recalibrating against the same capability shift. The Anthropic 2026 Agentic Coding Trends Report makes the dual-use case at strategic level. Trend 8, “Agentic coding improves security defenses — but also offensive uses,” predicts that security knowledge becomes democratized (“any engineer can become a security engineer capable of delivering in-depth security reviews, hardening, and monitoring”), that threat actors scale attacks (“While agents will benefit defensive uses, they will also benefit offensive uses too”), and that agentic cyber-defense systems rise (“Automated agentic systems enable security responses at machine speed”).17 The report’s closing position states the asymmetry directly: “The balance favors prepared organizations. Teams that use agentic tools to bake security in from the start will be better positioned to defend against adversaries using the same technology.”17 Its named Priority 4 — “Embedding security architecture as a part of agentic system design from the earliest stages” — positions secure-by-design as a strategic recommendation rather than a capability claim.17

Microsoft’s SDL-for-AI announcement is the first major-vendor classical secure-SDLC framework to publish an explicit AI extension scope; its prescribed mitigation pattern is “iterative security controls, faster feedback loops, telemetry-driven detection, and continuous learning.”10 Microsoft SDL is a vendor framework, not a NIST or SLSA standard, so the standards-side gap remains open.

On the government side, the NSA 8-nation joint guidance (March 2026), co-signed by NSA, CISA, FBI, and allied agencies, provides a government-endorsed supply-chain threat taxonomy across six AI/ML components: Training Data, Model Weights, Software Dependencies, Infrastructure, Third-Party APIs, and Deployment. It names slopsquatting-class software-dependency risks alongside training-data poisoning and model-weight backdooring. CISA’s operational response is measurable: the average KEV patch deadline tightened from 19.7 days in 2025 to 14.4 days in 2026, and CISA is reportedly considering a 3-day deadline for KEV-listed flaws.18

Counter-evidence

Calibrated incident data

Public incident reports do not yet systematically attribute attacker capability to frontier-AI assistance. Whether an exploit was AI-assisted is rarely a published field. This makes “the threat model is changing” hard to source rigorously.

Real-world productivity gains may be smaller than capability gains

The METR 2025 RCT found 16 experienced developers were 19% slower using AI tooling on familiar codebases, despite expecting to be faster.19 This bounds the threat-velocity claim symmetrically: if real-world productivity gains lag capability gains for defenders, the same gap applies to attackers. The exploit-velocity figures above measure capability at the point of generation, not sustained operational throughput.

SLSA / SSDF / CSAF updates for AI-augmented attackers

NIST SSDF v1.1 (Feb 2022) addresses the secure-development side but not the AI-augmented-adversary side; its threat assumptions remain human-paced. SP 800-218A (July 2024) extends SSDF for AI model development but does not address deployment, operation, or the inverse problem of defending non-AI systems against AI-augmented attackers — the 2026-Q2 standards review confirms it contributes development-time process tasks only, with no runtime guardrail, egress, or agent-identity control. No SLSA, CSAF, or comparable revision yet addresses AI-augmented adversaries directly. Whether the frameworks should be updated, or whether the rules carry unchanged with tighter tolerances, is unresolved. The Glasswing announcement commits to “collaborate with leading security organizations” on this gap (named areas include vulnerability-disclosure processes, SDLC and secure-by-design, supply-chain security, and standards for regulated industries), but no concrete deliverable has landed yet.

Open sub-questions

  • Does the Agentic AI Security CMM need an extension (new domain D10 “AI-Threat-Calibrated SDLC”) or a parallel companion CMM (“Enterprise SDLC vs AI-Augmented Adversaries”)? Current judgment: too early; defer the artifact decision until evidence accrues.
  • How does the agent availability threats surface translate to defending against availability attacks by AI-augmented adversaries (e.g., autonomous DDoS with adaptive evasion)?
  • See Gaps Index for related open questions.

Notes

Footnotes

  1. The Collapse — Zero Day Clock, Sysdig and collaborators, 2026. Median time-to-exploit across CVE-exploit pairs: 771 days (2018), 84 days (2021), 6.36 days (2023), 4 hours (2024), zero-day (2025–2026). 2

  2. Cloud Security Alliance — The Collapsing Exploit Window: AI-Speed Vulnerability Weaponization, 2026. AI systems generate functional exploit code in 10 to 15 minutes at approximately $1 per attempt. 2

  3. VulnCheck — 2025 Q1 Trends in Vulnerability Exploitation, Patrick Garrity, April 2025. Of 159 vulnerabilities first reported exploited in the wild in Q1 2025, 28.3% had exploitation evidence within one day of CVE publication. Summary: VulnCheck Q1 2025 exploitation trends. 2

  4. Wiz — Six Accounts, One Actor: Inside the prt-scan Supply Chain Campaign, 2026. “Across all six waves, the attacker opened well over 500 malicious PRs”; campaign ran from March 11 to April 3, 2026 (roughly three weeks); “<10% success rate” across over 450 analyzed exploit attempts. See CD Supply-Chain Campaign. 2

  5. arXiv 2406.10279 — We Have a Package for You! A Comprehensive Analysis of Package Hallucinations by Code Generating LLMs, 2024 (Spracklen et al.). 16 LLMs across 576,000 Python and JavaScript code samples; roughly 20% package-name hallucination rate; 43% of hallucinated names recurred across repeated requests. 2

  6. JFrog — 2026 Software Supply Chain Security State of the Union (announcement), 2026, report p.5. Malicious npm packages rose 451% to 171,592 unique instances, driven by three hijack campaigns producing more than two million compromised downloads. See JFrog 2026 SSC State of the Union. 2

  7. Cloud Security Alliance — The Collapsing Exploit Window: AI-Speed Vulnerability Weaponization, AI Safety Initiative, 2026. Median disclosure-to-exploit time 756 days (2018), ~32 days (2022), ~5 days (2023); 32.1% of 432 confirmed-exploitation CVEs in first-half 2025 exploited on or before public disclosure (up from 23.6% in 2024).

  8. Rapid7 — 2026 Cyber Threat Landscape Report, 2026, as reported by CSO Online. Confirmed exploitation of newly disclosed high/critical (CVSS 7–10) vulnerabilities rose to 146 in 2025 from 71 in 2024 (+105%); mean time-to-exploit fell from 61.0 to 28.5 days; median publication-to-KEV-inclusion time fell from 8.5 to 5.0 days.

  9. Anthropic — Project Glasswing, May 12, 2026. CrowdStrike CTO Elia Zaitsev and Palo Alto Networks CPTO Lee Klarich launch-partner citations. 2

  10. Microsoft Security Blog — Microsoft SDL: Evolving security practices for an AI-powered world, Yonatan Zunger, February 3, 2026. 2

  11. CSO Online — Patch windows collapse as time-to-exploit accelerates, April 2026. Chris Wysopal (co-founder, Veracode): “The patch window has effectively collapsed. That is not a gradual trend; it’s a structural break.”

  12. Wiz — Six Accounts, One Actor: Inside the prt-scan Supply Chain Campaign, 2026. “Verified credential theft was observed impacting AWS keys, Cloudflare API tokens, and Netlify auth tokens”; “at least two npm packages with a shared maintainer, across 106 versions.”

  13. Wiz — Six Accounts, One Actor: Inside the prt-scan Supply Chain Campaign, 2026. The attack exploited default pull_request_target workflow permissions and used no zero-day.

  14. SD Times — Hallucinated code, real threat: How slopsquatting targets AI-assisted development, 2025. Bar Lanyado (Lasso Security) registered a commonly hallucinated package name as an empty PyPI package; it received over 30,000 downloads in three months.

  15. VentureBeat — Four AI supply-chain attacks in 50 days exposed the release pipeline red teams aren’t covering, 2026. Four disclosed AI supply-chain attacks (Trivy, LiteLLM, Telnyx, Axios) within a 50-day window in early 2026.

  16. JFrog — 2026 Software Supply Chain Security State of the Union (announcement), 2026, report p.5. Over 48,000 new CVEs disclosed in 2025, a 20% increase over 2024; JFrog attributes part of the growth to AI-generated code that omits secure-coding practices, reviving XSS, SQL injection, and other injection classes. See JFrog 2026 SSC State of the Union.

  17. Federal News Network — AI drives new debate around CISA software patching deadlines, May 2026: average KEV deadline 14.4 days in 2026, down from 19.7 days in 2025. SC Media — CISA reportedly considers 3-day patch deadline for KEV flaws, 2026.

  18. METR — Measuring the Impact of Early-2025 AI on Experienced Open-Source Developer Productivity, July 2025 (arXiv 2507.09089). 16 experienced developers measured 19% slower on familiar codebases when AI tooling was enabled. Summary: METR 2025 RCT.