Matt Bares, Signal Consulting
Last month, Anthropic built an AI model so effective at finding security flaws that they refused to release it. In testing, it reportedly found a vulnerability in widely used firewall software that had gone undetected for over two decades, and another in a common media processing tool that had survived millions of security scans. It didn't just find individual flaws — it combined multiple minor weaknesses into working attacks.
Anthropic pulled dozens of the world's largest companies into a room — Apple, Microsoft, Google, JP Morgan — and launched a 100-day emergency effort to fix what they'd found before the technology becomes widely available. Your firm wasn't in that room. But the software your firm depends on was built by companies that were.
You don't think about cybersecurity in terms of technical vulnerabilities. You think about what happens when something goes wrong: a client learns their privileged communications may have been exposed. A cyber insurance claim gets denied because your firm's security didn't match what was on the application. A malpractice carrier starts asking questions.
That's the right lens here. What changed last month isn't a technical detail. It's the risk landscape your firm operates in.
The tools that find weaknesses in your systems are about to be available to everyone. The same AI capability being kept under wraps right now will be replicated by freely available AI models — many of them coming out of China — within months, not years. Once those tools are in the wild, the people looking for ways into your systems will have the same capabilities that just uncovered decades of missed flaws in some of the most heavily scrutinized software on earth.
The security methods most firms rely on today are the same ones that missed these flaws. One of these systems was scanned millions of times, with the same approach every time, and not one of those scans caught the flaw.
And "we didn't know" won't hold up anymore. ABA Formal Opinion 483 requires firms to act when they know or reasonably should know that client data may have been compromised. Rule 1.6 requires reasonable efforts to prevent unauthorized disclosure. What counts as "reasonable" shifts based on what's publicly known. As of last month, this is publicly known.
This is why we've been aggressively hardening our clients' environments. The capability is real, the timeline is short, and waiting is not a strategy we're willing to apply to client data.
Firms that outsource IT entirely: your provider is your entire security posture. The questions below aren't optional.
Small internal IT teams are likely using the same tools that didn't catch these flaws. Not their fault — those tools weren't built for this. But you need a fresh set of eyes looking for the kinds of weaknesses that just made headlines.
If your firm has a CISO or vCISO, this belongs on the agenda at your next executive committee meeting. Not as a technical update. As a business risk discussion.
If your provider gives clear, specific answers, that's a good sign. If they hedge or don't know what you're referring to, that tells you everything.
The firms that take this seriously now will harden their environments before these tools are commonly available. After that, we're in a permanent arms race. The firms that used this window will be in a fundamentally different position than the ones that didn't.
I'm telling my clients to act now. The cost of being proactive is trivial compared to a breach, a denied claim, or a client notification letter.
Matt Bares is the founder of Signal Consulting, where he advises mid-size law firms on technology strategy, cybersecurity, and IT operations.