Fable 5 Is Here. The AppSec Problem Hasn’t Changed.


Anthropic’s release of Fable 5 yesterday has reignited discussion about what AI means for cybersecurity. That’s understandable given the model is derived from Mythos, which remains restricted because of its advanced capabilities in areas including vulnerability research. When the company building the technology is cautious about how broadly it should be deployed, security teams should pay attention.

But I think much of the conversation is focused on the wrong problem.

The headline is that AI can find vulnerabilities faster than humans. The reality is that most AppSec teams aren’t struggling to find vulnerabilities in the first place.

If you’ve spent any time running an application security program, you know the challenge isn’t a lack of findings. It’s figuring out which findings actually matter.

For more than a decade, the industry has invested heavily in detection. We’ve deployed SAST, SCA, IaC scanning, fuzzing, runtime analysis, bug bounty programs, and a growing list of specialized security tools. Every generation of tooling has promised better visibility and more coverage.

The result hasn’t been fewer findings. It’s been more findings.

AI is simply the next step in that progression.

As these models become more capable, they’ll identify issues at a scale that’s difficult, if not impossible, for human teams to match. That’s impressive from a technical standpoint. But generating more findings doesn’t automatically translate into lower risk.

In many organizations, the opposite can happen.

Every AppSec leader has seen it. A new scanner gets deployed and coverage improves as findings increase dramatically. Engineering teams are suddenly presented with hundreds or thousands of new issues. Security teams spend months triaging, prioritizing, and explaining results. Meanwhile, the actual risk profile of the organization may not change much at all.

The bottleneck was never detection.

The bottleneck is understanding which issues are exploitable, which issues create meaningful business risk, and which issues deserve engineering attention right now.

That’s where the discussion around AI-powered vulnerability discovery often falls short.

A vulnerability by itself doesn’t tell you very much.

What matters is the context around it. Is the affected application exposed to the internet? Does it process sensitive customer data? Is there a realistic attack path? Is the vulnerable component deployed in production? Can an attacker actually reach it?

Those are the questions that determine risk.

I’ve seen teams spend days investigating vulnerabilities that looked severe in isolation but turned out to be effectively unreachable. I’ve also seen relatively minor findings become top priorities once deployment context, business criticality, and exposure were factored into the equation.

The vulnerability didn’t change. The context did.

That’s why code-level analysis alone is no longer enough.

Modern application risk extends far beyond source code. It spans cloud infrastructure, CI/CD pipelines, secrets management, identities, third-party dependencies, deployment configurations, and the countless connections between them.

Looking at code without understanding the environment it’s deployed into provides only a partial picture. The more sophisticated AI becomes at finding issues, the more important that broader context becomes.

This is one reason Application Security Posture Management (ASPM) has gained so much momentum in recent years.

Security teams need a way to correlate information from across the software delivery lifecycle and connect technical findings to actual risk. Scanner results, cloud posture data, exposure information, secrets detections, supply chain intelligence, and deployment metadata all tell part of the story. Viewed independently, they create noise. Viewed together, they create context.
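As an added illustration (not part of the original post), the following Python sketches the correlation step described above: scanner findings are joined against deployment and exposure metadata and re-ranked, so a critical-looking finding in an unreachable, non-production component drops while a medium finding on an internet-facing service handling sensitive data rises. All asset names, fields, sample values and weights are constructed assumptions, and a finding whose asset has no inventory record is kept and flagged rather than silently dropped.

```python
# Constructed sample data standing in for scanner output (SAST/SCA) and for the
# asset inventory, cloud posture and data-classification sources an ASPM correlates.
FINDINGS = [
    {"id": "F-1", "asset": "billing-api", "cvss": 6.5, "title": "SSRF in webhook fetcher"},
    {"id": "F-2", "asset": "report-gen", "cvss": 9.8, "title": "RCE in PDF library"},
    {"id": "F-3", "asset": "legacy-etl", "cvss": 7.5, "title": "Path traversal in upload"},
]

# Deployment/exposure context keyed by asset; "legacy-etl" is deliberately missing
# to model an inventory gap.
CONTEXT = {
    "billing-api": {"production": True, "reachable": True, "internet_exposed": True, "sensitive_data": True},
    "report-gen": {"production": False, "reachable": False, "internet_exposed": False, "sensitive_data": False},
}


def contextual_score(finding, ctx):
    """Rescale raw scanner severity with deployment context.

    Returns (score, reasons). The multipliers and bonuses are illustrative
    assumptions, not a published scoring standard.
    """
    if ctx is None:
        # Unknown asset: keep the raw severity and say why, so the gap is visible.
        return finding["cvss"], ["no deployment context (inventory gap)"]
    score, reasons = finding["cvss"], []
    if not ctx["production"]:
        score *= 0.3
        reasons.append("not deployed to production")
    if not ctx["reachable"]:
        score *= 0.3
        reasons.append("vulnerable path not reachable")
    if ctx["internet_exposed"]:
        score += 2.0
        reasons.append("internet exposed")
    if ctx["sensitive_data"]:
        score += 1.5
        reasons.append("handles sensitive data")
    return round(min(score, 10.0), 2), reasons


def prioritize(findings, context):
    """Join findings to their asset context and return them ranked by contextual score."""
    ranked = []
    for f in findings:
        score, reasons = contextual_score(f, context.get(f["asset"]))
        ranked.append({**f, "score": score, "reasons": reasons})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in prioritize(FINDINGS, CONTEXT):
        print(f'{r["id"]} cvss={r["cvss"]} -> {r["score"]}: {"; ".join(r["reasons"])}')
```

Ranked by CVSS alone the RCE (F-2) would come first; with context it falls to the bottom and the SSRF on the exposed billing service (F-1) tops the list.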

As AI-driven detection becomes table stakes, the ability to correlate and prioritize will become a bigger differentiator than the ability to generate findings.

The second takeaway from the Fable 5 launch may be even more important.

Anthropic built a model capable enough that it chose not to release its most advanced version broadly. Instead, it shipped a constrained version with additional safeguards.

That decision reflects a reality many organizations are beginning to confront: AI doesn’t just help defend systems. It creates new attack surfaces as well.

Security leaders are increasingly focused on how AI is being integrated into software development workflows. Development teams are using AI to generate code, accelerate delivery, review pull requests, write tests, and automate repetitive tasks. The productivity gains are real.

So is the risk.

Every increase in development velocity creates the potential for risk to move faster as well. Organizations that generate significantly more code need to be prepared to evaluate, secure, and govern that code at the same pace.

Waiting until software reaches production is no longer sufficient.

The most effective security programs are shifting left and embedding controls directly into the development process. They are identifying risky patterns earlier, preventing secrets exposure before code is committed, enforcing security guardrails throughout CI/CD pipelines, and helping developers resolve issues before they become production problems.

There’s another emerging challenge that deserves attention.

As organizations deploy AI agents throughout development workflows, those agents themselves become targets. Prompt injection attacks, poisoned context, compromised integrations, malicious tooling, and manipulation of agent decision-making introduce risks that traditional AppSec programs were never designed to address.

Securing applications now increasingly includes securing the systems that help build those applications. That’s a significant shift.

The broader lesson from Fable 5 isn’t that AI can find vulnerabilities. Most security professionals already assumed we would get here. The more important lesson is that vulnerability discovery is becoming cheaper, faster, and more accessible. When that happens, finding issues stops being the hard part.

The organizations that come out ahead won’t necessarily be the ones generating the largest number of findings. They’ll be the ones that can understand which findings matter, connect them to real-world risk, and build security controls that keep pace with increasingly AI-driven development.

The future of AppSec isn’t about detecting everything. It’s about understanding what matters and acting on it before attackers do.
