Five Eyes warns AI models compress cyber timelines to months, not years

The Five Eyes intelligence alliance just delivered a blunt warning to cyber defenders: the timeline for frontier AI models is “not years, it is months.” In a three-page statement released on Monday, officials said these AI systems are “anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities.”

That “months” line matters because it changes how boards and operators think about risk windows. You cannot treat AI-enabled threats as a slow-burn planning item. The statement is light on technical specifics, but it is direct about what defenders should do now: patch faulty software quickly and do not put systems online unless necessary.

This is not a generic alarm. It comes from the same intelligence-and-regulatory ecosystem that has been tightening its posture as generative AI models get more capable, especially for code generation, automation, and tool use. The Five Eyes message also urges defenders to use AI “to strengthen defence,” including by identifying weaknesses sooner and responding more quickly to incidents. The subtext is clear: if attackers can compress reconnaissance, exploitation, and iteration, defenders have to compress detection, triage, and remediation.

The warning also signals growing official concern about frontier models that could let users execute complex hacks quickly. The statement points to models such as Anthropic’s Mythos or OpenAI’s GPT-5.5-Cyber, which are “said to allow users to quickly execute complex - and potentially devastating - hacks.” Even though the statement does not provide a detailed technical breakdown, it frames the category risk: frontier AI can reduce the time and expertise barrier required to carry out high-impact cyber activity.

That concern is playing out in the real world beyond government statements. Earlier this month, Anthropic was forced to disable a version of Mythos after the US government ordered it to suspend access to the models for foreign nationals over alleged national security concerns. This matters for executives because it shows how quickly regulators and national-security authorities are willing to intervene in AI capability access, not just talk about “best practices.” In other words, the compliance and governance burden around advanced models is getting real, fast.

The Monday statement is also co-signed by the US cyber-defense agency CISA, which recently reduced deadlines imposed on government officials to deal with serious digital vulnerabilities in their networks to three days, citing AI threats. That gives the warning a measurable operational anchor. For security and operations leaders, the pattern is consistent: policy timelines are being rewritten around AI-enabled attack speed. For boards, that means cyber risk oversight needs to be able to handle faster cycles, not just bigger incidents.

There is a second-order implication here for companies outside government too. When the public sector accelerates patching expectations and incident response timelines, vendors and enterprise customers usually follow. If your supply chain is serving government agencies or regulated industries, you can expect customer pressure for quicker remediation, more evidence on patch SLAs, and stronger controls around which systems are internet-exposed. Even organizations not directly targeted will feel the knock-on effect through procurement, audits, and contract terms.

Finally, this warning is a reminder that the cyber battle is moving from manual skill to automation at scale. Frontier models are positioned as tools that can both improve offensive capabilities and improve defensive capabilities. That dual-use framing matters strategically: the same acceleration that threatens defenders is also what can be leveraged to harden systems, hunt faster, and reduce time-to-fix. The decision for leaders is whether to treat this as an abstract future threat or an operational mandate. Given Five Eyes’ “months” timeline, the latter is quickly becoming the only defensible posture for security leaders, risk committees, and executives across industries.