AI cyber security threats: what ASD’s warning means for you

By Greg Markowski / Jul 12, 2026 / Epic IT News

The Australian Signals Directorate has spent the past few months publishing updates on how powerful AI is changing cyber security. The latest one carries a message every business owner should sit with: the same AI that can find and fix weaknesses in your systems can just as easily find and exploit them. AI cyber security threats are no longer a future problem. They are being built, tested and shipped right now.

Here is the part that should get your attention. ASD’s advice is not aimed only at banks and government departments. It is aimed at organisations of every size, including yours.

What ASD said about AI cyber security threats

ASD’s update focuses on something called an AI model harness. Skip the jargon and it means this: the clever part is no longer just the AI model itself, it is the system built around it. That surrounding system plans tasks, uses tools, checks its own work, and coordinates several AI agents to complete complicated jobs. One of those jobs is finding software vulnerabilities and writing the code to exploit them.

The headline finding is blunt. A well-built harness running mid-tier AI models can match the results of the most advanced, top-tier models. An attacker does not need access to the world’s best AI to cause real damage. Cheaper, widely available models plus good engineering are enough.

That is why AI cyber security threats have moved from theoretical to practical. Microsoft reported that an internal AI system helped its researchers find enough vulnerabilities to drive its largest-ever Patch Tuesday: 206 fixes in a single month. When the biggest software vendor on earth is finding holes at that rate with AI, the people on the other side are doing the same.

Why AI cyber security threats now reach small business

Small and medium businesses in Perth and across Australia have long relied on a quiet advantage: attackers had bigger, richer targets to chase. That advantage is eroding.

AI harnesses lower the cost and skill needed to run an attack. A criminal who once needed a skilled team can now point an automated system at thousands of businesses at once and let it hunt for weaknesses. This helps opportunistic attackers, not just sophisticated ones. You do not have to be a target of interest anymore. You just have to be reachable and unpatched.

ASD is direct about the consequence. The defensive advantage now depends on organisations adopting these tools at least as fast as the attackers do. Standing still is the same as falling behind.

The good news: you do not need the fanciest AI to defend yourself

Here is the flip side, and it is genuinely encouraging. If a capable harness running mid-tier models can match top-tier AI, that maths works for defenders too. You do not need a multi-million-dollar AI budget to get strong protection. You need the discipline to use these capabilities properly.

Several of the tools ASD referenced are open source, which means your security provider can adopt and adapt them. Anthropic released an open reference system for automatically finding and fixing code vulnerabilities. A security firm called Hadrian released a similar open project. The building blocks are on the table for any provider willing to pick them up.

This is exactly the kind of work a capable managed cyber security partner should already be planning for. If yours cannot tell you how they are using AI to find problems before attackers do, that is a gap worth raising.

The catch: finding problems is easy, fixing them is the hard part

There is a trap in all of this. AI is very good at producing a long list of potential weaknesses. It is far less useful if nobody has the capacity to verify those findings and actually fix them.

ASD makes this point clearly. The advantage comes from pairing AI discovery with the ability to act: triage what is real, patch what matters, and confirm the fix held. A report full of AI-generated findings that sits in an inbox protects nobody.

This is the real work behind cyber security, and it does not disappear because AI got clever. Someone still has to run the tools, read the output with a trained eye, and close the gaps. Regular penetration testing and endpoint detection and response are how that discipline shows up in practice. And the Essential Eight remains the baseline ASD expects Australian organisations to reach, with patching and application control doing much of the heavy lifting against exactly this kind of automated attack.

What this changes for how you think about risk

The old mental model was that cyber attacks were mostly manual, so being a small, unremarkable business kept you off the radar. That model is out of date. When attacks are automated and cheap to run at scale, obscurity stops being protection.

It also changes the questions you should be asking your provider. Not “are we protected”, which invites a comfortable yes, but “how quickly would we know if a new vulnerability appeared in our systems, and how fast could we close it”. Speed is the whole game now. ASD’s own framing, set out across its artificial intelligence guidance, is a race, and the winner is whoever moves first.

What you should do now

Ask your IT or security provider how they are using AI defensively. A straight answer should cover how they find vulnerabilities across your environment, how often, and what happens to the findings. Vague reassurance is a red flag. If you do not have a dedicated provider for this, that is the first gap to close.

Check your patching and remediation speed, not just your tools. The ASD update is clear that finding problems is worthless without the capacity to fix them. Look at how long it takes your business to patch a critical vulnerability today. If the honest answer is weeks, automated attackers have a wide window.

Get an independent view of where you stand. Talk to us for a free security gap analysis. We will show you where an AI-driven attacker would probe first, and what it would take to close those gaps before someone else finds them.

Frequently asked questions

What are AI cyber security threats?

AI cyber security threats are attacks where criminals use artificial intelligence to find and exploit weaknesses in your systems faster and at greater scale than a human team could. ASD’s 2026 guidance warns that these tools are now cheap and widely available, so businesses of any size can be targeted by automated attacks.

Do small businesses in Australia need to worry about AI attacks?

Yes. AI cyber security threats lower the cost and skill needed to attack, so criminals can now scan thousands of businesses automatically rather than hand-picking large targets. Being small no longer keeps you off the radar. Reachable and unpatched systems are enough to make you a target.

What is an AI model harness?

A harness is the system built around one or more AI models that plans tasks, uses tools, checks results, and coordinates multiple AI agents. ASD found that a well-built harness running mid-tier models can match the most advanced AI, which is why the tools are so accessible to both attackers and defenders.

How can a business defend against AI-driven cyber attacks?

Adopt the same class of tools defensively and pair them with the capacity to act. That means finding vulnerabilities regularly, patching quickly, and confirming fixes held. Reaching Essential Eight maturity, running penetration testing, and using endpoint detection and response are practical starting points for most Perth businesses.

What did ASD say about frontier AI and cyber security?

ASD published a series of updates through 2026 on how frontier AI is reshaping cyber security. The key message is that the defensive advantage now depends on organisations adopting AI-driven tools at least as fast as attackers do, because the same capability that finds and fixes vulnerabilities can also find and exploit them.

Worried about AI-driven cyber security threats?

Our Perth-based team can show you where an automated attacker would look first. Book a free security gap analysis today and find out how fast you could close the gaps.

Book a Free Assessment

About the Author
Written by Greg Markowski, Founding Director of Epic IT, a CRN Fast50-recognised Microsoft Solutions Partner managing IT and cybersecurity for Perth businesses since 2003. Greg holds a Degree in Computer Science and a Diploma in Computer Systems Engineering from Edith Cowan University, and is ITIL certified.

Further Reading

Previous

Best Cyber Security Companies in Perth: Who Does What in 2026

Return to News
Back to News
Next
No next posts to show