IT Buzz: What's Now, What's New, What's Next.

Perspective Paper: AI-Accelerated Cyber Risk

Written by Compugen | 6-May-2026 9:02:57 PM

AI is materially changing the speed, scale, and accessibility of cyberattacks. Canadian organizations across every sector are facing a threat environment that is now outpacing traditional defenses.

What the Mythos Moment Means for Canadian Organizations

  • $6.98M CAD - Average cost of a data breach for Canadian organizations in 2025, among the highest in the world.

  • 83% - Mythos exploit creation success rate on first attempt with no human guidance required.

  • 84% - Rise in attacks on OT/industrial control protocols globally in 2025. Energy and utilities are at the forefront.

What Changed: The Mythos Development

In April 2026, Anthropic introduced Claude Mythos Preview as part of Project Glasswing, describing it as a frontier model with unusually strong cyber and software security capabilities. Anthropic says it has helped identify thousands of high-severity vulnerabilities, including issues affecting major operating systems and web browsers.

Public guidance from government cyber agencies suggests the broader takeaway is not one model headline, but that AI is accelerating vulnerability discovery and exploitation, compressing the time organizations have to patch, detect, and respond.

Anthropic has also said it is investigating reported unauthorized access through a third-party vendor environment, reinforcing the importance of supply-chain and third-party risk.

The message for organizations is straightforward: AI is helping threats move faster, so organizations need stronger visibility, response readiness, and resilience. As vulnerability discovery accelerates, the window between exposure and exploitation continues to shrink; organizations relying on traditional patching cycles and perimeter defenses are increasingly at risk.

What Canadian Organizations Should Be Doing Right Now

Many organizations are actively reassessing their exposure in light of recent developments. Immediate focus areas include:

    • Validate exposure across critical systems and unpatched assets.

    • Stress-test detection and response capabilities against faster attack timelines.

    • Assess how quickly critical and internet-facing systems can be patched and remediated.

    • Review OT and legacy environments where patching is limited.

    • Reassess identity, access, and data architecture as primary attack surfaces.

Four Things Every Canadian Organization Needs to Understand

AI is compressing attacker timelines and widening the skills gap.

AI doesn’t require deep expertise to deploy offensively. The CCCS identifies “cybercrime-as-a-service”, where sophisticated tools are distributed to less technically skilled actors through criminal marketplaces, as a primary threat vector. AI tools now make it faster and easier to turn a known vulnerability into a working exploit. Canadian organizations that rely on patch cycles as their primary defence are working on a timeline, and even an IT resourcing model, that no longer matches the threat.

Legacy and OT infrastructure carries unpatched risk that AI can now find faster.

Operational technology in energy, utilities, and public infrastructure was built before modern security principles. Many systems simply cannot be patched without shutdowns. Mythos-class tools specifically excel at finding vulnerabilities in long-lived and rarely updated codebases: the same systems that keep the lights on and water flowing. Nova Scotia Power’s March 2025 ransomware attack, which exposed data for nearly 280,000 customers, is a Canadian example of what’s at stake when critical infrastructure systems are compromised.

Patching remains necessary and it’ll become a bigger job than ever, but it’s not enough.

Faster vulnerability discovery means the gap between a flaw being found and being exploited is shrinking. Organizations need detection and response capabilities that can identify unusual behaviour in near-real-time, not just controls designed to keep attackers out. Recent security studies have found that while Canadian detection times have improved, incident success rates and downtime are rising, driven by cloud complexity and faster lateral movement. With AI driving ever-increasing requirements, the perimeter-first model is no longer adequate.

Data architecture decisions are now security decisions.

Where data lives and how it’s structured shapes your AI-era risk exposure. A recent analysis of 40 million exposures found that 80% originated from identity and credential misconfigurations, often in cloud environments. Organizations building or modernizing data warehouses and AI infrastructure need to treat security architecture as a core design input, not a layer applied afterward. Third-party and vendor risk is increasingly critical, as faster vulnerability discovery expands exposure across supplier and platform ecosystems.

What This Means by Sector

Energy + Utilities

Nova Scotia Power’s 2025 ransomware attack exposed nearly 280,000 customers’ personal and financial data. Suncor’s 2023 incident disrupted Petro-Canada payment systems coast to coast. Canadian energy infrastructure is a demonstrated target, not a hypothetical one.

OT environments running on decades-old industrial protocols can’t be patched on a regular cycle. AI-assisted tools can now probe those systems autonomously for vulnerabilities that have gone undetected for years, making compensating detective controls essential.

Public Sector + Regulators

The City of Hamilton’s 2024 ransomware attack disrupted municipal operations for weeks. Nova Scotia’s MOVEit breach exposed 100,000 current and past government employees. Third-party and supply chain risk is a consistent pattern across Canadian public sector incidents.

Quebec’s Bill 64 and federal PIPEDA obligations create material compliance exposure when breaches occur, with fines up to $25M or 4% of global turnover. Regulators are watching, and mandated incident reporting requirements are tightening.

Healthcare

Five Southern Ontario hospitals were taken offline by ransomware in 2023 through a shared IT provider — a single vendor compromise with cascading effects. SickKids was hit by LockBit the year prior. Healthcare breach costs globally average $9.77M, and Canadian healthcare data carries PIPEDA liability.

Clinical devices including imaging systems, infusion pumps, and patient monitors have long lifecycles and limited patch paths, mirroring the OT risk in energy. AI-enhanced phishing now specifically targets clinical workflows, where a single deceptive communication can provide lateral access to sensitive patient data.

Finance

CIRO’s 2025 breach, traced to a phishing attack, exposed 750,000 investors’ SINs and financial data in the largest investor data exposure in Canadian history. Desjardins’ insider breach affected 9.7 million individuals over 26 months before detection.

AI-generated fraud is a growing line item. Deepfake-enabled fraud losses exceeded $200M globally in Q1 2025 alone. Business email compromise, now enhanced by AI-generated voice and video, is increasingly targeting Canadian finance teams.

Retail

London Drugs’ 2024 ransomware incident forced temporary store closures across Western Canada. Canadian retailers face the same risk pattern: high transaction volumes, extensive customer data, and complex vendor relationships. These make the sector a consistent target globally, with retail absorbing over 10% of all cyberattacks.

Retail data environments, like warehouses holding purchase history, loyalty data, and payment records, are often built for performance rather than security. As AI-enabled reconnaissance tools can autonomously map data infrastructure, retailers need to assess cloud and data warehouse architecture as part of their security posture, not just their perimeter controls.

How Compugen Helps

Compugen operates at the intersection of IT, OT, and data, where this risk is showing up in real environments. We support Canadian organizations in assessing and responding to these risks across complex, hybrid environments.

    • Resilience + OT/IT security - Risk assessments, resilience planning, network segmentation, and compensating controls for environments that can't patch on traditional cycles. Particularly relevant for OT-heavy, highly regulated, and mission-critical environments across sectors.

    • Detection + Response - AI-augmented MDR, SIEM, and SOAR capabilities that match faster threat timelines with faster detection, moving from perimeter defence to continuous monitoring and rapid containment.

    • AI-ready Data Architecture - Compugen helps organizations design or modernize data warehouses, cloud environments, and AI pipelines with security built in so that your data investments don't become your largest attack surface.

    • Infrastructure Management + ITR - Expertise and extra manpower to respond to patching requirements exposed by AI. Compugen’s Managed Service customers get patched immediately so that IT can focus on strategic priorities.

Most organizations are starting with a rapid security and resilience assessment to understand where they are exposed and where immediate action is required.

Compugen offers Security Controls and IT / OT Security Assessments: practical assessments of your current posture against the emerging threat landscape, with clear next steps tailored to your sector and environment. Contact our team.