AI security metrics show rapid abuse
- Researchers and security vendors on May 31 and June 2 published fresh data showing AI abuse rising across exploit timing, LLM attack traffic and package ecosystems.
- Google-owned Mandiant said in April that mean time-to-exploit fell to negative seven days, while IBM said only 24% of gen-AI projects include security.
- GreyNoise, Sonatype, IBM and Google Cloud have each published related reports and briefings that remain available on their websites.

A cluster of recent security reports is giving defenders a harder set of numbers for AI-era abuse. Google Cloud’s Mandiant said in April that the mean time to exploit a vulnerability had fallen to negative seven days, meaning exploitation now routinely begins before a patch is released. GreyNoise said in a separate April study that it tracked 147.8 million sessions across 18 vendors over 103 days and found pre-disclosure attack surges ahead of public CVE advisories. Sonatype’s 2026 software supply chain report said attackers are increasingly using open-source ecosystems as a delivery channel, while IBM has reported that only 24% of current generative AI projects are being secured.

### Where does the “negative seven days” figure come from?

Google Cloud published M-Trends 2026 in April and said the mean time to exploit vulnerabilities dropped to an estimated negative seven days. The report said exploitation is “routinely occurring before a patch is even released,” based on more than 500,000 hours of Mandiant incident investigations in 2025. GreyNoise published related findings on April 20. (cloud.google.com) Its “Ten Days Before Zero” research said it tracked 147.8 million sessions, identified 68 pre-disclosure surges and documented patterns that appeared before public CVE advisories. GreyNoise said those signals can give defenders time to harden systems before disclosure.

### What do the package-ecosystem numbers show?

Sonatype’s 2026 State of the Software Supply Chain report said open-source registries are under “sustained strain” and that attackers increasingly treat open source “as a delivery channel, not an afterthought.” The company said 2025 showed malware campaigns optimized for developer workflows, including credentials, CI secrets and build environments. (cloud.google.com) (greynoise.io) Sonatype has separately said software supply chain attacks targeting open-source ecosystems have increased by more than 700% in recent years.
That figure is broader than a single 2026 year-to-date snapshot, but it aligns with the rise in malicious package activity cited in current AI-security discussions.

### How much AI-targeted abuse are vendors seeing inside LLM systems?

The specific claim of more than 91,000 adversarial sessions in three months could not be independently verified from a primary report in the materials I found. (sonatype.com) What is verifiable is that vendors are reporting large-scale hostile activity against AI systems and agent pipelines, and that runtime monitoring is expanding beyond prompts to include tools, function calls and downstream workflows. Protect AI says its runtime product tracks “the entire conversation flow,” including tools and multi-turn attacks. (sonatype.com) Google Threat Intelligence Group said on May 11 that it is tracking a “maturing transition” from early AI-enabled operations to the “industrial-scale application” of generative models in adversary workflows. The group said threat actors are using AI for vulnerability discovery, exploit generation, malware development and attack-lifecycle support. (protectai.com)

### Why does the staffing gap keep coming up?

IBM said only 24% of current generative AI projects have a security component, despite 82% of surveyed executives saying secure and trustworthy AI is essential to business success. IBM repeated that figure in more recent product and research materials tied to agentic AI and AI security governance. IBM also said in a 2026 study with Palo Alto Networks that 67% of surveyed executives reported being targeted in the past year by an AI-enabled cyberattack, and 61% said their organization’s AI models, assets or data had been compromised. (cloud.google.com) Those figures do not measure dedicated AI security teams directly, but they support the broader point that adoption is outpacing defensive maturity. (ibm.com)

### What should readers watch next?

GreyNoise’s April research, Google Cloud’s M-Trends 2026 report, IBM’s AI security studies and Sonatype’s 2026 supply-chain report are the clearest primary documents behind this story. The unverified social-media figure of 91,000 adversarial sessions should be treated cautiously until the underlying dataset or vendor report is published. (greynoise.io) (ibm.com)