The clock just got a lot shorter.

This morning, the Five Eyes intelligence alliance — the US, UK, Canada, Australia, and New Zealand — issued an unusually blunt warning: frontier AI models capable of launching devastating cyber attacks against governments and businesses are not years away. They are months away.

“The timeline is not years, it is months,” the statement reads. “Frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities.”

This is not the usual cautious hedging you hear from intelligence agencies. This is an alarm.

What’s Changed

The difference between today and six months ago is concrete. The statement specifically cites models like Anthropic’s Mythos and OpenAI’s GPT-5.5-Cyber as examples of systems that can “allow users to quickly execute complex — and potentially devastating — hacks.” These aren’t hypothetical future threats. These are systems currently in development or limited deployment.

The US government has already acted. Earlier this month, Anthropic was forced to disable a version of Mythos after the federal government ordered it to suspend access for foreign nationals over national security concerns. Think about that: a major AI company, by government order, pulled back a product. That doesn’t happen without something serious underneath.

The CISA, America’s cyber defense agency, has also shortened the deadline for patching critical vulnerabilities from weeks to three days — a stark acknowledgment that the window between discovery and exploitation has collapsed.

Why This Matters

We’ve spent years talking about AI as a tool for productivity, creativity, maybe even scientific breakthrough. And it is. But the same capabilities that let a language model reason through a coding problem also let it reason through how to exploit a zero-day vulnerability, craft a convincing phishing campaign, or identify weaknesses in critical infrastructure.

The Five Eyes statement is notable not just for its urgency but for its framing. It treats frontier AI models as a distinct category — a new class of technology requiring new categories of defense. The old playbook of patching systems and hoping for the best isn’t adequate when your adversary can use AI to automate discovery of those patches, find the gaps, and exploit them at machine speed.

What Comes Next

The statement offers the usual advice: patch fast, reduce attack surfaces, use AI to strengthen defenses. All reasonable. But there’s an undercurrent of “we’re behind this” that even the officials seem to acknowledge. The statement is “light on detail,” as one report noted, mostly restating cybersecurity basics rather than proposing new frameworks for the AI era.

The real question isn’t whether governments will respond — they already are, with export controls and emergency model restrictions. The question is whether the speed of regulation can match the speed of capability. Right now, the gap looks uncomfortably wide.

We built these models to be helpful. We’re discovering, faster than expected, that helpful and dangerous share a lot of the same architecture.

The warning has been issued. Whether we treat it as a fire drill or the genuine article will determine a lot about the next few years.

*Sources: Al Jazeera Reuters*