New AI tools are enabling people with zero technical background to find vulnerabilities and launch sophisticated attacks. Here is why that matters for small business security and what you can do about it.
The Barrier to Entry Has Collapsed
On April 28, The Verge published a deep investigation into a phenomenon that cybersecurity professionals have been warning about for months: AI is supercharging so-called "script kiddies" — amateur attackers with little to no technical skill — and turning them into genuinely dangerous adversaries. The report focused on the impact of Anthropic's Mythos model, which industry experts say has made 2026 "the make-it-or-break-it year" for cybersecurity.
For decades, launching a cyberattack required at least some technical knowledge. You needed to understand networking, operating systems, and exploit development. AI has collapsed that barrier. Today, a motivated amateur can describe their goal to an AI tool in plain English and receive working exploit code, detailed reconnaissance reports, and step-by-step attack instructions in return.
What AI-Enabled Amateurs Can Actually Do
The capabilities now available to unskilled attackers are sobering. AI tools can autonomously scan target networks for open ports and vulnerable services, identify unpatched software, and generate custom exploit code tailored to the specific versions running on those systems. They can craft convincing phishing emails that mimic a target's writing style, complete with personalized details scraped from social media and company websites.
Perhaps most concerning, AI models can now discover zero-day vulnerabilities — previously unknown security flaws that have no available patch — by analyzing source code at a speed and scale no human researcher can match. This was once the exclusive domain of elite nation-state hacking teams. It is now accessible to anyone with an internet connection and a few hundred dollars for AI API credits.
Why Small Businesses Are the Primary Target
Sophisticated attackers with AI tools are not exclusively targeting Fortune 500 companies. In fact, the opposite is true. Small businesses are ideal targets precisely because they typically lack the security resources that larger enterprises deploy. An AI-powered attacker can scan thousands of small business networks in an afternoon, identify the ones with obvious vulnerabilities, and launch simultaneous attacks against all of them.
The economics have shifted dramatically in the attacker's favor. Where a human attacker might spend a week researching and attacking a single target, an AI agent can attack hundreds in the same timeframe. For small businesses, this means the odds of being randomly targeted have increased substantially — not because you were specifically chosen, but because AI makes indiscriminate, large-scale attacks cheap and efficient.
Defending Against the New Threat Landscape
The good news is that the same AI tools enabling attackers are also available to defenders. AI-enhanced security monitoring can detect unusual network behavior, flag suspicious login attempts, and automatically isolate compromised devices faster than any human team. The key is to deploy these tools before an attack occurs, not after.
Start by ensuring your foundational controls are solid: multi-factor authentication on every account, automated patching across all systems, offline backups that are tested regularly, and security awareness training that teaches employees to recognize AI-generated phishing attempts — which are often more polished and convincing than traditional ones. Then add a layer of AI-enhanced monitoring through your managed security provider. The attackers are using AI. Your defenses need to use it as well.