The cybersecurity industry’s giving Chicken Little a run for his money. Companies have been quick to proclaim that AI will fundamentally change the security landscape, which means every new capability added to a large language model (LLM) can be made into a “the sky is falling” moment, with the latest example being the development of AI malware that can successfully work around Microsoft Defender.
Dark Reading reported Wednesday that researchers from Outflank plan to show off this new AI malware at Black Hat 2025 in August. So does that mean Microsoft Defender, the antivirus-cum-endpoint-detection-and-response tool saddled with the unenviable task of preventing the average Windows user from catching more viruses than a toddler at daycare, will suddenly be about as effective as a stern reminder not to sneeze directly into each other’s mouths? Not in the short term. (To say the least.)
According to its website, Outflank is a “highly skilled red team composed of experienced professionals” who “specialize in assessing resilience against advanced threats and training security teams for enhanced incident response.” Its principal offensive specialist lead, Kyle Avery, told Dark Reading that he spent three months and approximately $1,500 training the open-source Qwen 2.5 LLM to bypass Microsoft Defender. That’s a fairly steep but not insurmountable upfront cost for this capability.
But here’s the rub: the report said Avery’s “model was able to generate malware capable of totally bypassing Microsoft Defender for Endpoint about 8% of the time.” That compares favorably to other models—he told Dark Reading that “Anthropic’s AI could do the same less than 1% of the time, and DeepSeek’s less than 0.5% of the time,” which means his model is significantly more effective at this task—but it’s hardly the kind of plug-and-play performance most script kiddies would expect.
Models like this are expected to get better over time. Apparently, the chatbot barons have discovered reinforcement learning, a technique used by machine learning researchers to improve the performance of their models since the ’90s, so they could theoretically be flogged enough to improve their ability to meet this task. (Stop! Sneezing! In! Each! Others! Mouths!) An enterprising cybercriminal with a surplus of GPUs on hand might be willing to devote more time and money to this task.
Which leaves us with two questions: Are we sure there isn’t an upper bound on these capabilities, and what happens when Microsoft Defender is improved to compensate? Microsoft isn’t exactly known for keeping its software up-to-date with bleeding-edge features, but hell, even Notepad supports Markdown now. And that’s free! The company sells Defender for Endpoint to its enterprise customers; does anyone really think it won’t happily tack on a surcharge for AI that beats AI at… AI? (Three questions.)
None of this is to belittle Outflank’s findings. This research is a somewhat proficient proof of concept for all the doom-saying the security industry’s been doing since it hitched its wagon to the AI hype caravan. But I’d be more worried about leaked red teaming tools being used to deploy malware, the fact that one person falling for a social engineering attack is still enough to disrupt a company’s operations, and the ability for hackers to piggyback off the surveillance state than about vibe hacking.
Follow Tom’s Hardware on Google News to get our up-to-date news, analysis, and reviews in your feeds. Make sure to click the Follow button.