AI Security Wire


M-Trends 2026: First AI-Generated Zero-Day, Minus-7 Day Exploits


Google’s Mandiant published its M-Trends 2026 annual threat intelligence report this month, and two findings stand out as genuine inflection points: the first confirmed AI-generated zero-day exploit detected in the wild, and a mean time to exploit figure that has gone negative. Both represent qualitative shifts in the threat environment for security teams, not incremental changes to existing trends.

The Zero-Day That AI Built

Google Threat Intelligence Group documented, for the first time, a threat actor deploying a zero-day exploit that GTIG assesses was developed with AI assistance. The targeted system was a widely used open-source web-based administration tool. The exploit was designed to bypass two-factor authentication, and the attacker’s intent was mass exploitation, not targeted deployment.

GTIG detected and blocked the campaign before exploitation began. The broader significance is the confirmation of something the security community has been anticipating: adversaries are now using AI not just to assist in reconnaissance or generate phishing content, but to produce functional exploits for real vulnerabilities. Whether this specific case was fully AI-generated or AI-assisted in development, the operational result is the same.

Defenders have historically relied on the complexity of exploit development as a natural throttle on attacker capability. That throttle is weakening. The skill floor for vulnerability exploitation is dropping, and the speed at which usable exploits can be developed from a vulnerability disclosure is accelerating.

Exploitation Before the Patch Ships

The mean time to exploit figure from M-Trends 2026 deserves attention on its own. Mandiant’s data puts it at -7 days. That negative sign is significant: exploitation is routinely occurring before patches are available.

This is the logical endpoint of a trend that has been developing for several years. Adversaries investing in vulnerability research are finding flaws before vendors do, or are reverse-engineering patches faster than organisations can apply them. The traditional model of “patch after disclosure” is broken when exploitation precedes disclosure.

The 2025 report cited 5 days as the median time to exploit following public disclosure. The shift to pre-patch exploitation in 2026 means the patch window, already short, has effectively closed for some vulnerability classes. Detection-first and architecture-first approaches become the only viable posture for high-value targets.

LLM Integration in Adversary Operations

M-Trends 2026 tracks what Google describes as a transition from nascent AI-enabled operations to industrial-scale application, with adversaries applying generative models across multiple stages of the attack chain.

Documented use cases from Mandiant incident response engagements include: using LLMs to generate detailed organisational hierarchies of target entities including departmental structures and key personnel; automating analysis of third-party supplier relationships for supply chain attack targeting; and accelerating the creation of personalised spear-phishing content at scale.

This is not theoretical capability. It is recorded operational behaviour from real incident cases. The effect is to significantly reduce the per-target reconnaissance burden, enabling threat actors to maintain wider target pools without proportionally increasing analyst time.

The TeamPCP Supply Chain Pattern

The March 2026 campaign attributed to TeamPCP (tracked by Google as UNC6780) illustrates how AI tooling’s supply chain has become a primary attack vector. TeamPCP compromised Trivy, the open-source security scanner, and used that access to embed the SANDCLOCK credential stealer in CI/CD pipelines connected to LiteLLM, BerriAI, and Checkmarx. Cloud credentials, AWS keys, and GitHub tokens were harvested from build environments.

The pattern is consistent with what M-Trends describes as supply chain attacks on developer infrastructure: compromise a trusted tool to inherit trust in downstream environments. For organisations deploying AI infrastructure built on open-source components, this represents a specific supply chain exposure that differs from traditional software dependencies. The components are newer, the vetting is less mature, and the blast radius of a credential compromise in an AI API gateway can extend across every system that gateway touches.

What Defenders Should Take From This

Three operational conclusions follow from the M-Trends 2026 findings.

First: detection posture matters more than patch cadence for pre-disclosure exploitation. If patches aren’t available, the only question is whether your detection capability would identify exploitation when it occurs. For organisations with high-value data or systems, this means investing in behavioural detection rather than relying on signature-based approaches that require known indicators.

Second: AI-assisted exploit development lowers the bar for targeting. Previously, the resources required to develop a working exploit were a natural filter against lower-tier adversaries. That filter is thinning. Organisations that have operated under the assumption that they are not sufficiently high-value to attract sophisticated targeting should revisit that assumption.

Third: AI development toolchain components (LLM gateways, model serving infrastructure, AI API intermediaries) need the same supply chain scrutiny applied to traditional software dependencies. Treat open-source AI components with the same scepticism you would apply to any unvetted dependency.
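One way to start on the third conclusion, given the TeamPCP pattern of a trusted tool running inside CI/CD with access to build secrets. This is an added example, not code from the M-Trends report or any project named above; the page does not say how the compromised scanner was invoked, so GitHub Actions workflows are assumed, and the workflow, action names and commit SHA are constructed placeholders.

```python
import re

# Constructed sample workflow; action names and the SHA are placeholders.
WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Scan image
        uses: example-org/scanner-action@v1
        env:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  docs:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/link-check@main
      - uses: ./local-action
"""

JOB = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")  # assumes two-space indentation
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s@#]+)@([^\s#]+)")
SECRET = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")


def audit(text):
    """Return (job, action_ref, secrets) for every action on a mutable ref.

    Secrets are collected per job, because steps in one job share a runner.
    Line-based to stay dependency-free; use a YAML parser for a real audit.
    """
    jobs, current, in_jobs = {}, None, False
    for line in text.splitlines():
        if line.rstrip() == "jobs:":
            in_jobs = True
        elif in_jobs and (m := JOB.match(line)):
            current = jobs.setdefault(m.group(1), {"unpinned": [], "secrets": set()})
        elif current is not None:
            if (m := USES.match(line)) and not FULL_SHA.fullmatch(m.group(2)):
                current["unpinned"].append(f"{m.group(1)}@{m.group(2)}")
            current["secrets"].update(SECRET.findall(line))
    return [(name, ref, sorted(j["secrets"]))
            for name, j in jobs.items() for ref in j["unpinned"]]


if __name__ == "__main__":
    for job, ref, secrets in audit(WORKFLOW):
        print(f"{job}: {ref} is not pinned to a commit SHA; job secrets: {secrets or 'none'}")
```

Findings that pair a tag or branch reference with a non-empty secrets list are the ones to pin or isolate first, since a changed upstream tag would run with those credentials in reach.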


Frequently Asked Questions

What does a negative mean-time-to-exploit mean?

M-Trends 2026 reports an estimated mean time to exploit of -7 days, meaning exploitation is routinely occurring before a patch is publicly released. Attackers are finding and exploiting vulnerabilities faster than vendors can ship fixes, eliminating the window organisations have traditionally relied on between disclosure and active exploitation.

What is the first AI-generated zero-day that Mandiant identified?

Google Threat Intelligence Group identified a cybercrime group using a zero-day exploit they assessed as AI-developed, designed to bypass two-factor authentication on a widely used open-source web administration tool. Google blocked the planned mass exploitation event before it could execute. The specific tool and group have not been publicly disclosed at this time.

How are adversaries using LLMs operationally?

M-Trends 2026 documents LLM use for reconnaissance tasks that previously required significant manual effort, including generating detailed organisational hierarchies, mapping third-party supplier relationships, and automating spear-phishing content at scale. The report describes a transition from isolated AI experiments to industrial-scale integration of generative models across adversarial workflows.