Israel warns CEOs: AI is lowering the barrier to cyberattacks
National Cyber Directorate warns organizations to prepare for faster, more complex threats.
Israel’s National Cyber Directorate is urging CEOs and board members to prepare their organizations for a new generation of artificial intelligence models with advanced capabilities for identifying security vulnerabilities, tools that could leave companies significantly more exposed to cyberattacks.
“The threat we face in cyberspace is undergoing a dramatic transformation,” wrote the head of the Directorate, Yossi Karadi. “While in the past, complex cyberattacks were the preserve of individual experts, today we are facing a qualitative step change. Traditional defenses are no longer sufficient.”
In April, Anthropic unveiled Mythos, a new AI model with unprecedented capabilities for detecting security flaws. Access to the model has been restricted to a small group of roughly 40 organizations, including Apple, Microsoft, Google, and Goldman Sachs. Even the Pentagon, which has previously labeled Anthropic a supply chain risk and banned its technology from its systems, has reportedly considered making an exception for Mythos.
Shortly afterward, OpenAI introduced GPT-5.4 Cyber, a model with similar capabilities, also made available only to a limited number of entities.
“This new generation of AI models has broken the complexity barrier and is capable of rapidly identifying multiple vulnerabilities and executing an autonomous attack chain,” Karadi warned. “These capabilities are evolving every few months, shifting the battlefield from a human pace to a machine pace. Now, not only critical national infrastructure but any organization, of any size, is a potential target, as the barrier to launching a sophisticated attack continues to fall. Automated attackers will navigate directly to the weakest point in the system.”
In response, the Directorate is recommending a series of measures for organizations preparing for the widespread deployment of such models. First is developing a clear understanding of the risk. “A strategic discussion at the management level should assess the business and operational implications of cyber risk,” the Directorate said. “Organizations should evaluate whether the new reality requires changes to risk management policies. Strong commitment from senior leadership is essential for rapid response and implementation.”
Organizations are also advised to map their IT assets and supply chains, accelerate the pace of security updates, and adopt AI-based cybersecurity tools. “The only effective way to counter machine-driven attacks is with machine-driven defense,” the Directorate noted, recommending the integration of AI solutions and agents into development and maintenance processes.
These steps should be accompanied by standard cybersecurity practices, including enforcing multi-factor authentication, restricting access permissions, updating emergency response scenarios, conducting cyberattack simulations, and developing robust business continuity plans. Such plans, the Directorate emphasized, must assume that breaches are inevitable: “Organizations should operate under the assumption that systems have already been compromised, or will be, and ensure that critical operations can continue under attack.”
“Cyber threats will continue to evolve in both scale and intensity,” Karadi concluded. “To avoid being caught off guard, we must act together, professionally, deliberately, and with a clear understanding of the risks.”
