The cybersecurity agencies of the Five Eyes intelligence alliance — the US's CISA and NSA, the UK's NCSC, Canada's Cyber Centre, Australia's ACSC, and New Zealand's NCSC-NZ — issued a joint advisory on June 22 warning that frontier AI models will reshape offensive cyber capabilities 'in months, not years.' The advisory's framing is unusually direct for a Five Eyes statement: agentic AI systems can chain exploits, adapt to defenses in real time, and scale operations beyond what any human team could manage. Concrete actions the agencies asked organizations to take immediately include cutting unnecessary system access, accelerating patching, and tightening identity controls.
What is notable is the specificity of the timeline. For most of 2025 and the first half of 2026, intelligence community language on AI risk has stayed in the 'years' bucket — speculative, hedged, calibrated for political audiences. The June 22 statement narrows the horizon and pins it. The agencies explicitly named hostile states — China, Russia, Iran, North Korea — as the most likely beneficiaries of offensive AI proliferation, and tied the warning to specific recommended defensive postures rather than calling for new regulation.
The timing was not subtle. OpenAI shipped the full GPT-5.5-Cyber model and a Patch the Planet open-source security initiative the same day. Anthropic's Project Glasswing has been running defensive cyber work with Claude Mythos since April. The Five Eyes advisory reads as a coordinated nudge — defenders should assume the offensive side will soon get the same uplift the defensive side has been getting for several months, and the gap between the two could close fast.
Takeaway for learners: there is a version of this story for everyone who uses a computer, not just professional defenders. Multi-factor authentication, prompt patching, and skepticism of AI assistants that hold secrets are no longer 'nice to have' — they are the baseline. If you are studying security, this advisory is the moment that justifies the path. If you are not, the cheap actions are still worth doing this week: turn on MFA everywhere, update your devices, and assume any AI tool with access to your credentials could be turned against you.