AI Agent Breaches FreeBSD in 4 Hours — How Far Are We From "Autonomous Hackers"?

I was stunned when I saw this news over the weekend.

A Claude-based AI Agent, without any human guidance, breached FreeBSD in 4 hours. It did not just find a simple configuration vulnerability: it discovered a kernel-level zero-day vulnerability (CVE-2026-4747), hijacked kernel threads, wrote shellcode through network packets, and finally obtained a root shell.

Fully autonomous. Zero human intervention.

FreeBSD is no niche system — Netflix’s streaming infrastructure runs on it, PlayStation’s network services run on it, WhatsApp’s backend runs on it. This is not a “toy-level” security demonstration.

Honestly, when I first saw this news, I thought it was fake.

But thinking about it carefully, the logic makes sense. What is the core work of security research? Reading large amounts of code, understanding system architecture, hypothesizing attack paths, and verifying them one by one. These are all things LLMs are good at. Package these capabilities into an Agent that can autonomously execute commands, and what it does is not fundamentally different from what a senior security researcher does, except that it doesn’t need coffee, doesn’t need sleep, and doesn’t get tired after hour 8.

Previously, a security team would take weeks or even months to find this level of kernel vulnerability. Now an Agent took 4 hours.

This matter has two sides.

The optimistic side: If the good guys (white hats) also use the same Agent, vulnerability discovery speed will increase dramatically. The security of operating systems and infrastructure software may actually improve because of this: vulnerabilities will be discovered and patched faster, rather than sitting there waiting to be exploited by real attackers.

The scary side: Tools are neutral, but the people who use them are not. Previously, the threshold for kernel-level attacks was extremely high — perhaps only a few thousand people worldwide could do it. Now with AI Agents, this threshold has been lowered to “knowing how to write prompts.”

I personally tend toward the “offense and defense together” view. Blocking AI’s security research capabilities is unrealistic: if you restrict Claude from doing security analysis, open-source models can still do it. Rather than blocking, it’s better to let defenders also use the same level of AI tools.

But there’s a premise: the pace at which AI attack capabilities advance must be matched by the pace at which defense tools develop. If attack Agent capabilities double every six months while defense Agent capabilities only double every year, then the window in between is a disaster.

This reminds me of a view I’ve studied before: The ultimate form of AI security is not “humans defending against AI attacks,” but “AI defending against AI attacks.” The human role will change from “security engineer” to “security policy maker.”

4 hours to breach FreeBSD. This isn’t the future — this happened last weekend.