New research shows AI can now turn a freshly released security fix into a working attack in under an hour. For a small business that treats its website as set-and-forget, that collapsing window is the risk worth closing first.
Here is a piece of research from the past fortnight that every small business owner with a website should hear about, even though it was written for security engineers. On 8 June 2026, Anthropic's Frontier Red Team published a study measuring how quickly AI can now build a working cyber attack out of a security fix that has only just been released. The short version: the safe gap you used to have between a flaw being patched and that flaw being used against you has collapsed from weeks to hours.
That gap matters more than it sounds. Most break-ins do not use some exotic, never-seen-before trick. They use a known flaw that already has a fix available, sitting on a system where nobody got around to applying it. Small businesses are the classic victims here, not because anyone targets them by name, but because their websites and the software underneath them are so often set up once and then left alone.
What has changed is the speed. The same kind of automation that helps you draft an email or tidy your books can, in the wrong hands, read a freshly released patch, work out exactly what hole it closes, and write the attack to walk through that hole before you have closed it yourself. Anthropic's researchers showed their own models doing precisely that in a controlled test, and the timeline they recorded should make anyone running on 'I will update it next month' stop and think.
Security people call these N-day flaws. A weakness gets discovered, the software maker releases a patch, and from that moment a countdown starts. Every system that has not installed the update is still exposed, and the patch itself becomes a map. By comparing the old code with the fixed code, an attacker can see exactly what was wrong and how to take advantage of it. The longer your site or the platforms behind it go without the update, the longer that map points straight at you.
Historically, turning a patch into a working attack took real skill and real time. The WannaCry outbreak that swept the world arrived 59 days after its underlying flaw had been patched. Other famous cases took a couple of weeks. In Anthropic's study, an AI model produced its first working proof of concept against a closed-source Windows component in 31 minutes, and turned a stack of separate flaws into working attacks inside a single afternoon, with no specialist on hand to guide it.
A lone operator can now turn a month's worth of patches into working exploits in a single afternoon. The safe assumption is no longer measured in weeks.Anthropic Frontier Red Team
This is a controlled lab result, not a report of attacks already happening in the wild, and it is worth keeping that distinction honest. But the direction is unmistakable, and it sits alongside the broader picture Anthropic has been mapping of how AI changes the threat landscape. The barrier that used to protect slow movers, the sheer effort of building an exploit, is the part AI removes.
A large company has a security team watching for exactly this. A cafe, a clinic, a trades business or an online shop usually does not. The website was built a while ago, the plugins and platforms underneath it quietly fall behind, and nobody is watching the gap. It sits alongside the newer job of keeping the AI tools you bring in safe, and both come down to the same thing: someone has to own it. When the window between a fix existing and you being hit was measured in weeks, a slow update cycle was survivable. Now that it can be measured in hours, set-and-forget has quietly become the riskiest setting you can run.
None of this means the web is suddenly unsafe or that you should rip everything up in a panic. The flaws in question all have fixes already. That is the whole point: staying current, which used to be housekeeping you could let slide, is now the single most valuable security habit a small business has. The businesses that come through this fine will be the ones whose digital front door is actually being looked after, not the ones who assumed no update was ever urgent.
What good looks like once this is handled properly is quieter than most people expect. It is not a wall of dashboards or a constant state of alarm. It is simply this:
The honest first move is simple: know how current your website and systems actually are, and who, if anyone, is keeping them that way. Most owners have never checked, and the person who originally built the site is rarely still watching it. In a world where a known, fixable flaw can be weaponised in an afternoon, that blind spot is the one worth closing first.
This is part of what we do at NextAura. We build and look after the websites and digital systems Australian small businesses run on, which means keeping them current and resilient is our job, not another afternoon you have to find. If you are not sure whether your site is being kept up to date, get in touch and we will tell you exactly where you stand, then carry it from there while you get back to your customers.
Tell us where you are headed. We will come back with a scope, a price, and a launch date you can plan around.
Book a free consultation
EngineeringSecurity firm Wordfence disclosed a critical hole in UpdraftPlus, WordPress's most popular backup plugin, on 11 June 2026. If your business site runs WordPress, here is the two-minute check that could save it.
EngineeringA fast site is not just nicer to use. It ranks higher, converts better, and costs less to run. Here is how we hit a perfect Lighthouse score by default.
AI SEONew figures show most people now read the AI summary before they click anything. Your website traffic is falling, but the visitors who still arrive are a different, higher-intent customer. That is the opportunity hiding in the scary chart.