
The Small Target Test: Why AI Cyber Capability Doubling Every 4 Months Just Made Your Business the Easiest Hack on the Internet
You know how cybersecurity reports usually feel?
Vague. Future-tense. Somebody else's problem.
This one is not.
On May 4, 2026, Air Street's State of AI report confirmed what the UK AI Security Institute had warned about two weeks earlier. A second frontier model has now solved a 32-step, end-to-end corporate network attack (Air Street Press).
OpenAI's GPT-5.5 cleared the same cyber range that Anthropic's Claude Mythos Preview cleared first, just three weeks later (Air Street Press).
AISI's headline number: frontier AI cyber-offense capability is now doubling every 4 months (Thomas Murray).
Eight months ago, that doubling time was 7 months (Thomas Murray).
That is not a curve. That is a vertical line.
Now read AISI's actual conclusion, because it names you directly.
"Mythos Preview's success indicates it is at least capable of autonomously attacking small, weakly defended, and vulnerable enterprise systems where access to a network has been gained" (AI Security Institute).
Small. Weakly defended. Vulnerable enterprise systems.
If you read that and thought "that is not us, we are too small to be a target," I have bad news.
That sentence describes most small businesses on the internet right now.
This is what I call The Small Target Test, and it is the single most important AI conversation a business owner can have this quarter.
What did the UK AI Security Institute actually find?
AISI evaluated Claude Mythos Preview against a benchmark called The Last Ones, or TLO (AI Security Institute).
It is a 32-step simulated corporate network attack, from initial reconnaissance to full network takeover. AISI estimates a human expert would take 20 hours to complete it (AI Security Institute).
Mythos Preview cleared TLO end-to-end in 3 of its 10 attempts. Across all attempts, it averaged 22 of 32 steps. The next-best model, Claude Opus 4.6, averaged 16 (AI Security Institute).
On expert-level capture-the-flag tasks, Mythos hit 73% success (CyberScoop).
Before April 2025, no frontier model could solve a single expert-level CTF problem (CyberScoop).
Three weeks after Mythos, OpenAI's GPT-5.5 matched the result with 2 of 10 end-to-end solves and 71.4% on expert tasks, with the same caveats about defenders being absent (Air Street Press).
Two frontier models. Same threshold. Same month.
That is what doubling every 4 months looks like in production.
Why does AI cyber capability doubling every 4 months matter for small businesses?
Here is the math no one is doing out loud.
If frontier cyber capability doubles every 4 months, and you are running the same security posture you were running 12 months ago, you are not just behind. You are 8x further behind than you were last spring (Thomas Murray).
Three observations sharpen the point.
First, the UK government did not publish this as a thought experiment. The NCSC issued an open letter on April 15, 2026 telling businesses AI will "almost certainly increase frequency and intensity of intrusions" (Let's Data Science).
Second, AISI's lab caveats actually understate real-world risk for small businesses. The lab range had no active defenders and no defensive tooling (AI Security Institute). Most small businesses do not have those either.
Third, the bar to weaponize this is dropping. AISI ran the cyber ranges with a 100M-token budget and noted performance kept scaling up to that limit (AI Security Institute). With long-context inference cheapening every quarter, a determined attacker can buy more capability than they could six months ago.
Translation. If your business looks like the lab targets, you are now in the threat model.
What is The Small Target Test for AI cyber risk?
Here is a framework I want you to run on your business this week.
I call it The Small Target Test.
Four questions. Each one is binary. Score yourself honestly.
Question 1. Patch latency. Is every internet-facing system, including email, CRM, accounting, and your website, on a security update that landed in the last 30 days?
Question 2. Access controls. Is every employee account, including admins, protected by multi-factor authentication, with a clear list of who has admin rights?
Question 3. Configuration hygiene. Have you reviewed the default settings on your top three SaaS tools in the last 90 days, including who has external sharing rights?
Question 4. Logging and detection. If someone logged into your accounting software at 3am from a new country tonight, would you find out within 24 hours?
If you scored fewer than 4 yes answers, you fit AISI's literal definition of "small, weakly defended, and vulnerable" (AI Security Institute).
The point of the test is not to scare you.
The point is to convert a vague headline into one weekend of work.
These are the exact "cyber security fundamentals" AISI itself recommended in response to the Mythos finding, in their own words: "regular security updates, access controls, security configuration, and logging" (AI Security Institute).
The most advanced AI safety lab in the UK government just told you exactly which four things to fix.
Do them.
How can a small business use AI to defend against AI-powered attacks?
Now the offense side.
Yes, AI just got better at attacking weak networks. AI also just got dramatically better at defending them, especially for businesses that could never afford a full security operations center.
Here is the part most owners miss.
If a frontier model can autonomously execute a 32-step intrusion that AISI estimates would take a human expert 20 hours, the same family of models can autonomously run 32-step monitoring routines on your stack (AI Security Institute).
Three concrete moves you can make this month.
Move 1. Turn on AI summarization in your security tooling. Tools like 1Password, Microsoft Defender, Google Workspace Admin, and Cloudflare all now offer AI summaries of suspicious activity. Most owners never enable them. Spend 30 minutes turning them on.
Move 2. Use a frontier model as a security reviewer. Take the configuration export from your top SaaS tool, paste it into a current frontier model, and ask "what security misconfigurations would a penetration tester flag in this setup?" Strip API keys, tokens, and customer records out of the export before you paste it. You will be shocked what gets flagged for free.
Move 3. Build an AI-watched alert flow. Use a workflow tool like Zapier, n8n, or Make to send any new admin login, new admin user, or large outbound data export to an AI agent that summarizes risk and pings you on Slack or SMS. Setup time, less than a Saturday.
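The check in Question 4 and the three triggers in Move 3 (new admin login, new admin user, large outbound export), written as rules over an audit log. This is an added example, not code from this article or from any tool it names; the event fields, the 100 MB export threshold, and the sample log are constructed assumptions.

```python
import json
from datetime import datetime

# Constructed sample events; field names are assumptions, not a vendor schema.
SAMPLE_LOG = """\
{"ts": "2026-05-01T09:12:00+00:00", "type": "login", "user": "dana", "country": "GB", "admin": false}
{"ts": "2026-05-02T10:03:00+00:00", "type": "login", "user": "dana", "country": "GB", "admin": false}
{"ts": "2026-05-03T03:04:00+00:00", "type": "login", "user": "dana", "country": "RO", "admin": false}
{"ts": "2026-05-03T03:06:00+00:00", "type": "user_created", "user": "dana", "target": "svc-backup", "admin": true}
{"ts": "2026-05-03T03:09:00+00:00", "type": "export", "user": "dana", "bytes": 750000000}
{"ts": "2026-05-04T14:00:00+00:00", "type": "export", "user": "omar", "bytes": 40000}
{"ts": "2026-05-04T14:05:00+00:00", "type": "login", "user": "omar", "country": "GB", "admin": true}
"""

EXPORT_LIMIT = 100_000_000   # bytes; assumed threshold, tune per tool
QUIET_HOURS = range(0, 6)    # 00:00-05:59 in the timestamp's own UTC offset

def detect(log_text, known=None):
    """Return (timestamp, user, rule) alerts; `known` maps user -> approved countries."""
    known = {u: set(c) for u, c in (known or {}).items()}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ts = datetime.fromisoformat(ev["ts"])
            kind, user = ev["type"], ev["user"]
        except (ValueError, KeyError, TypeError):
            alerts.append((None, None, "unparseable_event"))  # never drop silently
            continue
        if kind == "login":
            seen = known.setdefault(user, set())
            country = ev.get("country")
            if seen and country not in seen:
                rule = "new_country_off_hours" if ts.hour in QUIET_HOURS else "new_country"
                alerts.append((ev["ts"], user, rule))
            else:
                seen.add(country)  # an alerted country stays unknown until a human approves it
            if ev.get("admin"):
                alerts.append((ev["ts"], user, "admin_login"))
        elif kind == "user_created" and ev.get("admin"):
            alerts.append((ev["ts"], user, "new_admin_user"))
        elif kind == "export" and ev.get("bytes", 0) >= EXPORT_LIMIT:
            alerts.append((ev["ts"], user, "large_export"))
    return alerts

if __name__ == "__main__":
    print(*detect(SAMPLE_LOG), sep="\n")
```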
This is the asymmetry AISI's report quietly hands you. The same capability gain that lets attackers automate intrusions also lets you automate the four boring things you have been putting off.
If you want a head start with prebuilt AI agents and tools you can plug straight into your business workflow, look at the 8 Figure AI Toolkit. It is what we use ourselves to keep operations tight.
What does "doubling every 4 months" actually mean for AI strategy in 2026?
Step back from cyber for a second.
The "doubling every 4 months" finding is bigger than security. It is the new clock speed of AI capability (Thomas Murray).
Apply it as a planning rule.
If a workflow you use today, like AI sales emails, AI customer support, or AI content production, runs at "okay" quality, that same workflow will be running at meaningfully better quality 4 months from now without you doing anything.
That changes how you should buy AI in 2026.
You should not be building giant 12-month roadmaps. You should be building 90-day cycles, then re-testing.
The Pentagon went from 18 months to under 3 months for new AI vendor onboarding for exactly this reason (Breaking Defense). They saw the doubling curve and rebuilt their procurement clock.
You probably do not have a procurement department. That is actually an advantage.
You can re-test your AI tools every 4 months in a single afternoon. Most enterprise buyers cannot.
The lesson. AI capability doubling every 4 months is bad news if you stand still. It is great news if your default is to ship, measure, and re-test.
What should business owners do this week about AI cyber risk?
Do not let this article become another "I should get to that" tab.
Here is your one-week plan, in plain English.
Monday. Run The Small Target Test. Write down your four answers. No judgment, just truth.
Tuesday. Pick the lowest-scoring question and fix it. If it is patches, install them. If it is MFA, turn it on for everyone today.
Wednesday. Pick a second one and fix it. By Wednesday night you should be at 2 of 4 if you started below.
Thursday. Open a frontier model. Paste in your top SaaS tool's sharing settings or admin user list. Ask for security risks. Read the answer.
Friday. Set up one AI-watched alert flow on the workflow that touches money or customer data.
That is one week. Zero new spend. Massive risk reduction.
You just outpaced 80% of small businesses on the internet.
TL;DR
- On May 4, 2026, Air Street's State of AI report confirmed that OpenAI's GPT-5.5 matched Claude Mythos Preview's solve of AISI's 32-step end-to-end cyber attack range, three weeks after Mythos cleared it (Air Street Press).
- The UK AI Security Institute now estimates frontier AI cyber-offense capability is doubling every 4 months, shortened from a doubling time of 7 months at the end of 2025 (Thomas Murray).
- AISI's evaluation explicitly names the at-risk targets: "small, weakly defended, and vulnerable enterprise systems" with network access (AI Security Institute).
- AISI recommends four fundamentals: security updates, access controls, security configuration, and logging (AI Security Institute).
- Business owners should run The Small Target Test, fix the four basics, and use AI on the defense side too with summarization, security reviews, and AI-watched alert flows.
FAQ
What is the AISI cyber range and why does it matter?
The AI Security Institute, a UK government body, runs cyber ranges that simulate corporate network attacks. The "TLO" range is a 32-step end-to-end attack from reconnaissance to full takeover, estimated at 20 expert human hours. It is now the most-cited benchmark for autonomous AI offensive capability (AI Security Institute).
Is my small business actually a likely target for AI-powered cyber attacks?
Yes, especially if your patching, MFA, configuration, and logging are inconsistent. AISI's wording is unusually direct: small, weakly defended, vulnerable enterprise systems with network access are exactly what current frontier models can autonomously compromise (AI Security Institute).
How fast is AI cyber capability actually growing in 2026?
AISI estimates frontier cyber-offense capability is doubling every 4 months in 2026, shortened from a 7-month doubling time at the end of 2025 (Thomas Murray).
What is The Small Target Test?
A four-question check covering patches, access controls, configuration, and logging. If you cannot answer "yes" to all four, your business fits AISI's at-risk profile.
Should small businesses use AI for defense, not just worry about AI used for offense?
Yes. AI summarization in security tools, frontier-model security reviews of SaaS configs, and AI-watched alert flows give small businesses a level of monitoring that used to require a full security team.
Your move
Real talk.
Most business owners read security headlines, get worried for an afternoon, and then go back to their inbox.
The Mythos and GPT-5.5 results are different.
They are not predicting future risk. They are documenting current capability against the exact profile of your business.
The fix is not exotic. It is patches, MFA, configuration review, and logging. Plus AI on your side, doing the watching while you sleep.
If you want help mapping all of this to your actual stack, with no fluff and no upsell, that is what we do.
We run free 1-on-1 AI Implementation Sessions where we map your AI workflows, find your weakest security and operations links, and give you a 90-day plan to outpace AI's doubling curve.
Book a complimentary AI Implementation Session here.
The doubling clock does not stop. The good news is you only need one strong week to leave The Small Target Test behind.
Run it this week.
