AI Raises the Bar on Vulnerability Awareness and Secure-by-Design Software

With the advent of AI-powered vulnerability scanning tools, there is arguably no reason for technology firms to be unaware of bugs in their products, according to the European Union Agency for Cybersecurity’s (ENISA) chief cybersecurity officer.

“Now, there is no reason anymore for any company to say, ‘I didn't know about our glitch or our vulnerability in our application’ because you can actually, right now, see it and fix it,” said Hans de Vries, chief cybersecurity and operational officer at ENISA, speaking during the ESET World conference on 19 May. 

AI-powered vulnerability scanning technology has advanced rapidly in 2026, highlighted by the launch of new frontier models like Claude Mythos and OpenAI's GPT5.5-Cyber that can identify and fix software bugs at unprecedented speed and scale.

De Vries noted that the EU’s Cyber Resilience Act (CRA) already demands cybersecurity by default and cybersecurity by design. The CRA entered into force in December 2024 and the main obligations introduced by the Act will apply from December 11, 2027, with reporting obligations to apply as of September 11, 2026. 

“For me, doing security by design and by default is actually the license to do business right now,” said de Vries. “If you haven't done so, your adversary definitely will make a misuse of [vulnerable software], and you'll probably be litigated because you should have seen the problem in the first place.”

“If you’re not using AI in a coherent manner, you probably won’t be successful in a year or two.”

Speaking during the same event, Paul Chichester, director of operations at the UK’s National Cyber Security Centre (NCSC), said we are entering a phase where poorly coded systems will have vulnerabilities found in them.

However, he commented that just one vulnerability doesn’t mean you’re automatically compromised.

“I think finding more vulnerabilities may harm some. For instance, if they are running shadow IT or don’t have that very sophisticated layered defense but looking ahead I think there’s going to be a time where the vendors are going to be really keen to use AI themselves to drive those vulnerabilities out of their products.”

AI, he said, will allow software products to be assured in a much more uniform way.

During ESET World in Berlin, the Slovakia-based cybersecurity firm announced a €40m investment to increase its research and development team and accelerate the development of cybersecurity-first foundational AI models, a layered AI stack and a new generation AI SOC.
