Anthropic, a company known for its work in artificial intelligence, has reportedly developed a tool capable of finding vulnerabilities in every major operating system and web browser, some of which have remained undiscovered for decades. According to cybersecurity expert John Carlin, this development could significantly reshape how society contends with persistent and often unfixable security weaknesses, but it also raises major concerns about the speed and scale of potential cyberattacks.

The Magnitude of the Threat

Carlin, a cybersecurity chair at Paul, Weiss, Rifkind, Wharton & Garrison and a former U.S. assistant attorney general for national security, emphasized the seriousness of the issue in a recent interview. Cybersecurity is already a multi-trillion-dollar problem due to constant attacks by criminals, nation-states, and other bad actors. What makes Anthropic’s tool particularly alarming, according to Carlin, is that it lowers the barrier to entry for cyberattacks. “You don’t need to be a cybersecurity expert or a coder,” Carlin explained. “You can be an average person behind your keyboard using this powerful tool, and it’s finding flaws... that no one has ever been able to find before.”

He cited statistics indicating that 40% of vulnerabilities now being exploited are so old they cannot be patched. Legacy systems, many of which lack updates viable for modern security solutions, are a key target. For example, a Cisco report revealed that two of the 10 most frequently exploited vulnerabilities in 2025 were already more than a decade old.

“This is like someone walking through a neighborhood with a scanner and identifying every unlocked door and window,” Carlin said. But unlike a passive observer, this tool can not only locate flaws but also enable rapid exploitation. Once inside a system, a user could use the same capabilities to cause widespread damage in ways previously unimaginable.

An Opportunity to Strengthen Defenses

While the risks are substantial, Carlin also sees an opportunity for improvement. He likened Anthropic’s approach to “sounding the alarm bell” on these vulnerabilities. By working with cybersecurity companies and vulnerable organizations before releasing the tool more broadly, Anthropic is handling the matter responsibly. They aim to give institutions a chance to address security gaps ahead of a potential tidal wave of new attacks enabled by AI tools.

This could serve as a wake-up call for other players in the industry — including tech giants like Microsoft — and government entities to take more proactive measures. Carlin suggests that the discovery of such vulnerabilities by a U.S.-based company sharing allied values may be a momentary advantage but warns of adversaries like Russia, Iran, and China developing similar capabilities.

Impact on Cybersecurity Businesses

The market’s reaction to this innovation has been mixed. Cybersecurity stocks are reportedly underperforming in response to these developments, indicating investor concerns about the implications for the sector. However, Carlin argues that companies should view this as a call to action rather than a source of apprehension.

According to Carlin, businesses, particularly smaller enterprises that lack the resources of Fortune 500 companies, need to adopt newer systems that can be patched and secured. This approach would help them defend against the advanced capabilities being introduced by tools like Anthropic’s.

“We need a new framework to fix these vulnerabilities at scale,” Carlin said, advocating for initiatives that support small and medium-sized businesses alongside critical Fortune 100 and 500 companies. Without such efforts, society risks leaving these smaller entities as sitting ducks for attackers leveraging these powerful tools.

The Role of Governments and Allies

Carlin highlighted the geopolitical dimensions of the issue, noting the roles of hostile nations like Iran, which has explicitly threatened U.S. businesses with cyberattacks in recent months. Given the escalating conflict in cyberspace, governments may need to develop new policies for the regulated use of AI tools like those from Anthropic. Sharing critical information within allied networks is also vital, Carlin suggested, as adversaries are likely to exploit similar vulnerabilities using their versions of these technologies.

However, the appropriate role for government intervention in this space remains unclear. While there might be potential for governments to help reinforce defenses, Carlin pointed out that corporations and private cybersecurity firms also need to increase their efforts.

Looking Ahead

Anthropic’s new AI tool paints a vivid picture of both the peril and promise of artificial intelligence in the cybersecurity domain. On one hand, its ability to uncover decades-old flaws in vital systems highlights the pressing need for technological renewal across industries. On the other, the tool’s ease of use could spark a surge in cyberattacks on a scale never seen before.

Carlin sees no alternative to confronting this head-on. “Having a company that is a U.S. company... get there first [and] sound the alarm bell” is a critical step, he argued. But this must be followed by concerted action across governments, corporations, and even small businesses to prepare defenses for a new era of AI-driven cyber threats.

As the conversation about Anthropic’s AI tool unfolds, one thing remains clear: the cybersecurity landscape is likely to be changed forever. Whether this change is for the better or worse may depend on how quickly society addresses the issues this groundbreaking discovery uncovers.