It is 4:14 AM. A security researcher is staring at a memory corruption bug that doesn’t quite look right. The assembly is clean, the logic is tight, but there is a strange, repetitive quality to the way the exploit handles memory offsets—almost like it was generated by a statistical model rather than a human who hates their life. They lean back, rub their eyes, and realize they are looking at the first evidence of a machine-authored zero-day.

Or at least, that is the narrative Google wants us to buy.

Google’s Threat Intelligence Group (GTIG) recently announced they stopped a zero-day exploit that they claim was developed using AI. According to a report via The Verge, “prominent cyber crime threat actors” were gearing up for a mass exploitation event. Google caught it in time, stopped the bleeding, and then did the most Google thing possible: they framed the entire event around the AI angle.

The claim is that the attackers used AI to find the vulnerability and craft the exploit. This is the kind of news that makes C-suite executives panic and immediately authorize a 20% budget increase for “AI-driven security posture management.” It sounds like the plot of a mid-budget thriller where the robots start hacking the mainframe. But for those of us who actually write code, the “AI-developed” label feels like a convenient marketing wrapper for something much more mundane.

Let’s be honest about how exploits are actually found. Most zero-days aren’t the result of a genius sitting in a dark room typing frantically. They are the result of fuzzing—throwing millions of permutations of malformed data at a target until something breaks. AI is very good at optimizing fuzzing. It can suggest better seeds or identify patterns in crashes that a human might miss.

Calling a zero-day “AI-developed” because an LLM helped optimize a fuzzer is like saying a professional athlete is “robot-enhanced” because they use a high-tech treadmill. The tool is helpful, but the fundamental physics of the game haven’t changed. The attacker still had to identify the target, understand the memory layout, and figure out how to bypass modern mitigations (which are a nightmare to deal with, by the way).

Google is playing a dangerous game of narrative inflation here. By attributing the exploit to AI, they shift the focus away from the fact that a zero-day existed in their ecosystem in the first place. It turns a failure of secure coding into a triumph of AI detection. If the “bad guy” is an omnipotent AI, then Google isn’t just a company with a bug; they are the brave defenders of the digital frontier.

It’s just a fancy way to describe automated fuzzing.

We have seen this pattern before with the “AI-generated” phishing emails that everyone panicked about last year. Yes, the grammar is better and the lures are more personalized, but the underlying mechanism is still just a link to a fake login page. The “AI” part is just a layer of paint.

Does this mean we should ignore the threat? No. But we should stop pretending that LLMs are suddenly writing complex, multi-stage exploits from scratch. The leap from “writing a Python script that calls an API” to “crafting a stable zero-day for a hardened kernel” is massive.

That said, the industry is now in a feedback loop. Google claims the attackers used AI, so the attackers will now try to use AI more aggressively to prove the point. This will lead to a flood of “AI-native” security tools that are essentially just wrappers for existing scanners with a GPT-4 prompt on top. By Q3, we will see a dozen new “AI Security” startups emerge from the wreckage of this news cycle, promising to stop “AI-generated” threats with “AI-powered” shields.

(I suspect most of them will just be selling overpriced dashboards).

The real question isn’t whether AI can find bugs—it can, and it always has, in the form of static analysis and fuzzing. The real question is why we are so eager to credit the machine for the brilliance of the hack while giving the humans the credit for the fix.