Security research group Epoch AI has flagged a sharp spike in publicly registered software vulnerabilities, tying the jump to the growing use of large language models (LLMs) in bug hunting. Their analysis found that critical and high-severity issues reported have soared by 3.5 times over recent months. In just one month, 21 organizations collectively disclosed around 1,500 new CVEs, with a notable portion of the surge linked to tools powered by Anthropic and OpenAI LLMs.
Epoch AI’s report focuses on programs that leverage LLMs to scan code and identify bugs before they enter the public domain. Standout initiatives include Claude Mythos and Daybreak, which use a simple workflow: the AI model rapidly flags suspicious code segments, human experts verify the findings, then official vulnerability reports are filed with CVE authorities or vendors.
The study relies on data from the CVE Program registry and the cvelistV5 database, which index vulnerabilities based on their public disclosure date, not when they were discovered. This timing often inflates the statistics-vulnerabilities might have been under review for months, or vendors may release patches addressing multiple bugs simultaneously, all appearing as a sudden surge. Epoch AI also points out that this spike is partly driven by evolving reporting practices among CNA (CVE Numbering Authorities) organizations, not just AI-assisted discovery.
For example, Linux’s vulnerability counts have jumped recently following changes in how backported fixes are handled in CVE assignment. When major projects begin listing not only new bugs but also backported patches, reported CVE numbers climb quickly. So while 1,500 CVEs in a month sounds dramatic, it doesn’t mean all were initially found through neural networks.
Still, the overall trend is credible. In 2023, CVE publications shattered records, approaching 29,000 entries. This year, major players have been openly showcasing AI’s role in real-world bug detection. Google’s Big Sleep agent, for instance, reportedly identified a vulnerability in SQLite before attackers could exploit it. Epoch AI’s findings suggest we’re entering a new phase of automation in vulnerability research: AI may not increase the total number of bugs, but it’s definitely making large-scale detection and reporting faster and easier.
This development signals an industry shift toward integrating AI into security workflows at scale, raising questions about how vulnerability management will adapt. Will AI-driven tools further accelerate patch cycles, or might they flood the system with noise? The next challenge will be balancing this flood of AI-flagged issues with effective prioritization and remediation processes.

