
How AI Impacts Threats Targeting Neoclouds


Neoclouds are fundamentally different from traditional data centers. They are vertically integrated powerhouses; they don't just rent GPUs, they build the specialized, high-density infrastructure required to run them. Their competitive moat is speed-to-power, winning multi-million dollar contracts by delivering gigawatts of compute to frontier AI labs in months, not years. 

However, the speed required to stand up these 100+ kW-per-rack AI environments is creating a massive blind spot in operational technology (OT) security. This blind spot occurs when rapid commissioning leaves critical cyber-physical systems (CPS), like building management systems (BMS), power systems, and thermal management, either exposed on flat networks that allow direct machine-to-machine communication or running on default factory settings. Unlike standard IT threats such as stolen credentials or denial-of-service attacks, the threat to a neocloud is physical downtime. A compromised cooling or power device could cause a thermal event that melts chips in minutes and permanently destroys multi-million dollar GPU clusters.

Anthropic’s Claude Mythos, trained and hosted inside neocloud data centers, was developed for the purpose of proactively finding vulnerabilities. However, these types of models demonstrate how AI will fundamentally change the threat landscape. By proving that AI can compress vulnerability discovery timelines from weeks to mere hours, systems like Mythos highlight how easily automated tools can be used to uncover those exposed OT devices. Because AI collapses the economic cost of finding these flaws, the rapid-commissioning blind spot is now an existential threat to the neocloud business model.

In this post, we’ll explain:

  • Why traditional OT patching is obsolete against machine-speed, AI-driven exploits that compress vulnerability discovery from weeks to hours.

  • How opportunistic attackers are shifting tactics to easily compromise infrastructure, utilizing drive-by attacks instead of bespoke campaigns.

  • The statistics behind these attacks, highlighting the specific legacy protocols and systems threat actors are targeting today.

Compressing Exploit Timelines from Weeks to Hours 

The release of Mythos has fundamentally changed the cybersecurity landscape by automating the vulnerability discovery process at unprecedented machine speed. This capability has collapsed the economic cost of finding exploits, democratizing high-level exploitation and drastically increasing the volume of weaponized risks.

For neocloud operators, the traditional vulnerability management playbook is now obsolete. You can no longer patch faster to stay ahead of the threat. CPS such as BMS, power chains, and thermal management cannot be patched at the speed of AI-driven offense, because of stringent uptime constraints and the sheer lack of immediate vendor patches.

Driving Attackers to Scan for Your Exposed, Low-Hanging Fruit 

While AI may increase the risk of sophisticated zero-day attacks by making vulnerabilities easier to discover, threat actors often do not need hyper-sophisticated methods or complex exploits to reach your critical infrastructure. Claroty’s Team82 threat intelligence reveals that the floor is already collapsing, as geopolitically motivated attackers take advantage of these easily discovered, low-barrier entry points. According to an analysis of more than 200 recent attacks on CPS infrastructure, threat actors are abandoning targeted, bespoke campaigns in favor of opportunistic attacks. They simply use tools like Shodan and Censys to scan the internet for vulnerable, exposed devices.

The statistics are a massive red flag for infrastructure operators:

  • 82% of these attacks involve using virtual network computing (VNC) clients to remotely access internet-facing assets.

  • 66% of incidents include the compromise of human-machine interfaces (HMI) or supervisory control and data acquisition (SCADA) systems that control real-time industrial processes.

  • Attackers are overwhelmingly targeting insecure-by-design legacy protocols, such as Modbus, which lack basic authentication or encryption.
