AI Systems and Cybersecurity: Insights from BACS

The Swiss Federal Office for Cybersecurity (BACS) is addressing the integration of artificial intelligence (AI) systems into vulnerability management, as the agency navigates a landscape of increasing cyber threats and systemic pressures on global security databases.

The discussion comes amid a broader effort by the Swiss government to evaluate the opportunities and risks associated with AI in the cybersecurity sector. This strategic focus follows a December 12, 2025, report from the Federal Council regarding the chances and risks of AI systems in cybersecurity, which was produced in response to a parliamentary postulate from June 15, 2023.

Pressure on Vulnerability Management

The drive toward AI-enhanced vulnerability management is partly fueled by the increasing volume of security flaws and the struggle of traditional databases to keep pace. The National Institute of Standards and Technology (NIST) in the United States has experienced significant backlogs in the processing and analysis of entries within the National Vulnerability Database (NVD).

According to reporting from Inside IT, the NVD has faced a flood of reports, with the number of entries increasing by 263% since 2020. This surge has forced the agency to announce deep-seated changes to the database to handle the volume of incoming data.

The Role of AI in Defense and Attack

BACS has highlighted that AI is a double-edged sword in the current threat environment. While AI can be used to automate the detection and patching of vulnerabilities, it is also being leveraged by malicious actors to enhance the sophistication of cyberattacks.

In September 2024, BACS identified the rise of AI-driven social engineering attacks as a primary concern. The agency used the European Cyber Security Month to warn the public and organizations about how AI is making phishing and manipulation tactics more convincing and harder to detect.

For defenders, the goal of incorporating AI into vulnerability management is to close the gap between the discovery of a flaw and the deployment of a patch. Security teams often struggle to react as quickly as cybercriminals due to resource shortages, a challenge that machine learning (ML) and AI tools are designed to mitigate by prioritizing the most critical risks.

Swiss Strategic Framework

The BACS is integrating these technological shifts into a broader operational evolution. Having become an independent federal office within the Department of Defence, Population Protection and Sport in 2024, the agency has focused on consolidating its operational capabilities throughout 2025.

As part of this effort, BACS developed the Cybersecurity and Resilience Method (CSRM), a framework designed to help organizations and companies manage cyber risks. The agency opened this method for testing and feedback through January 2026 to strengthen the overall cyber resilience of Swiss enterprises.

By combining these resilience methods with the cautious adoption of AI for vulnerability management, BACS aims to transition from a reactive posture to a more proactive defense strategy, reducing the window of opportunity for attackers to exploit unpatched software.