ZERO DAY
Created by Steven J. Berkowitz | Research Assistant: Claude AI
AI Can Now Break Into Systems Faster Than We Can Lock Them
A new artificial intelligence tool built by Anthropic can find hidden weaknesses in software and break into those systems on its own, in hours, at a fraction of the cost of traditional methods. This matters to credit unions because it shrinks the time between when a problem is discovered and when criminals start using it.
THE BIG PICTURE
Until now, security experts assumed they had days or weeks after a software flaw became public to fix it before attackers could weaponize it. That window is gone. This AI closes it in hours.
What This AI Actually Did
Anthropic tested the model against real software used by millions of people and organizations. The results show a level of speed and accuracy that caught the security community off guard.
Some examples from the testing:
• It found a security flaw that had been hiding in widely used software for 27 years, one that every previous automated tool and human reviewer had missed.
• It turned a publicly known flaw into a working attack in under one day, at a cost of about $2,000. Security experts used to need weeks to do the same.
• It succeeded in attacking Firefox 181 times in the same test in which the previous best AI managed only 2 successes.
• It broke into a test server on its own and gave itself full administrator access, with no human help after the first instruction.
Anthropic did not build this tool to be a weapon. The capabilities appeared on their own as a side effect of making the AI better at writing and fixing code. That is the unsettling part: the same skills that help AI find and fix problems also help it exploit them.
Why Credit Unions Should Pay Attention
Credit unions hold member financial data, process transactions, and run the core systems that keep money safe. Criminals already target financial institutions. This AI does not create a new type of attack. It makes existing attacks cheaper, faster, and available to a much wider group of bad actors.
Three specific pressures apply to credit unions:
• NCUA examinations: Regulators require timely patching.
• Member trust: Members trust credit unions with their most sensitive financial information. A breach caused by a known, unfixed flaw carries heavy reputational consequences.
• Vendor risk: Many credit unions rely on third-party vendors for core systems. If a vendor patches slowly, the credit union carries the risk.
One Bright Spot
Anthropic keeps this model under strict access controls and launched a program called Project Glasswing to use the AI defensively. Major technology companies are using it to find and fix their own vulnerabilities before criminals get the chance. The concern is not this specific tool. The concern is that similar tools will appear from other sources with no such safeguards.
What Credit Unions Should Do Now
The following steps reflect what security experts recommend for any organization facing faster attack timelines. None of these require advanced technical expertise to initiate, but all require leadership attention and budget support.
Actions to Consider
• Ask your IT team or vendor to confirm that all known software patches are current. Focus first on internet-facing systems: online banking, email, and remote access tools.
• Turn on automatic updates anywhere they are available. The biggest risk comes from delays between when a fix is released and when it gets applied.
• Brief your board. Regulators expect board-level awareness of major cybersecurity risks. This qualifies.
• Contact your core system and technology vendors. Ask them directly how quickly they deploy security fixes and what their process looks like. Push for written commitments if they do not already exist.
• Review your cyber insurance policy. AI-driven attacks will change how insurers price this risk. Get ahead of that conversation with your broker.
• Invest in tools that automate the detection and isolation of threats. When attacks move at machine speed, human-only response processes fall behind.
• Consider having an outside firm test your systems. This type of assessment, where experts attempt to break in using the same tools attackers use, reveals gaps that internal reviews miss.
The Bottom Line
The rules of cybersecurity have not changed. The speed of the game has. Credit unions that keep systems current, hold vendors accountable, and build faster response processes will be far better positioned than those that do not. Waiting for a breach to prompt action is no longer a survivable strategy.
Sources: Anthropic Security Research (April 7, 2026), Help Net Security, The Hacker News, CISA, BleepingComputer


