Blog

The AI vulnerability storm is coming 

AI has shifted security from planned cycles to a race against time. In practice, this means that the window between vulnerability and exploitation has shrunk dramatically, with traditional patch processes and security assumptions coming under pressure. This blog outlines what is driving this development. From security‑capable AI to accelerated patching, and the implications it has for security architecture and governance. It also sets out the specific actions organisations should prioritise to reduce exposure now.

In April 2026, Anthropic released Claude Mythos Preview, an internal model that autonomously discovered zero-days across every major operating system and browser, achieved a 72.4% exploit success rate against Firefox, and surfaced a 27-year-old vulnerability in OpenBSD (2). Whether Mythos is exactly what the company claims – and the numbers reported by independent partners suggest it largely is – or whether it turns out to be the most effective marketing campaign in the history of technology, the underlying direction is no longer in doubt. A security-capable model of this class is either already here or very close. The asymmetry it creates is structural, not temporary. A month after Mythos, Microsoft disclosed MDASH, a system of more than 100 specialised AI agents that topped a leading industry benchmark (9). If this only surfaced at disclosure, the capabilities we know about are almost certainly not the full picture.

AI is shrinking time-to-exploit for zero-day vulnerabilities

Consider what that means in practice. The mean time between vulnerability disclosure and confirmed exploitation has collapsed from nearly a year in 2021 to just over a day in 2026, with a projected trajectory toward one hour, then one minute. The share of vulnerabilities that were already being exploited at the time of disclosure has risen from 31% five years ago to 73.2% today, and the number of disclosed vulnerabilities that remain unexploited past six weeks has fallen to effectively zero (1).

That collapse is not the result of attackers getting smarter in some general sense. It is the result of AI being pointed at vulnerability research, and the curve has steepened sharply over the past twelve months.

AI lowers the cost and skill floor for finding the first path far faster than any organisation can close the rest. In a formal benchmark against Firefox vulnerabilities, Claude Mythos Preview generated 181 working exploits where the previous-generation model managed two (3). That is not an incremental improvement. It is a step-change in autonomy and reliability, and it will not be the last.

Most security programmes are built for a world that no longer exists

The message here is uncomfortable but worth taking seriously. The assumptions underlying most security programmes today, patch cycles measured in weeks, quarterly penetration tests, human-speed incident response, CVE-driven threat intelligence, were built for a world that no longer exists. An attacker needs one working exploit path. A defender must close all of them.

The patching wave has begun, but it does not scale

Anthropic’s response, Project Glasswing, gave roughly fifty critical-infrastructure providers and open-source maintainers early access to patch their products before disclosure. In its first month, partners identified more than 10,000 high- and critical-severity vulnerabilities (4). It is the largest multi-party vulnerability coordination effort in history, and it is also, by definition, insufficient. Most organisations that build or maintain critical software will never sit inside a curated partner programme like this one. The defensive advantage early access confers is also time-limited. Comparable offensive capabilities are expected in other frontier models within months, and in open-weight models accessible to anyone within six to twelve.

There is a second-order effect worth flagging. Every patch released is, in effect, an exploit blueprint. AI accelerates patch-diffing and reverse engineering of fixes, which means the race no longer starts at disclosure. It starts at the commit.

What does this mean for your organisation?

Over the coming weeks and months, the partners inside Glasswing, and the wider ecosystem catching up behind them, will release a volume of critical patches the industry has not seen before. Palo Alto Networks has already released more than five times its usual number of patches in a single cycle, and Microsoft has indicated that patch volumes will continue growing (5).

If your patching programme is already stretched, if your team is understaffed, if your change management cycle is measured in weeks rather than days, the wave will arrive faster than your current process can absorb it. The window to prepare is now, before the disclosures land. Triage capacity, deployment automation, change approval paths, and rollback procedures all need to be ready to operate at a higher cadence than they ever have.

The organisations that have done this groundwork and implement a Zero Trust approach with the assume-breach mindset will follow along with the wave. The ones that have not will fall behind it, and falling behind, in this environment, is what exposure looks like.

When the patch can’t get there in time

If the window to patch has collapsed to hours, the question for security leaders is no longer “how fast can we apply the fix” but “what happens when we can’t.” The answer lies in architecture, the controls that contain blast radius regardless of which specific vulnerability is exploited. This is the operating assumption behind Zero Trust. Treat every environment as already hostile, every identity as unverified by default, and every successful entry as a partial breach rather than a full one.

Deception is worth adding to this list. Canaries, honey tokens, and decoy assets are attack-tool and vulnerability independent. They identify attackers based on behaviour rather than signature, which makes them durable against AI-discovered zero-days that no detection rule has ever seen. In an environment where threat intelligence is structurally lagging discovery, behavioural traps are one of the few controls that scale.

None of this is new advice. What has changed is the cost of not having it in place. In a world where time-to-exploit is measured in minutes and threat intelligence is structurally late, the architectural controls that contain damage are no longer a maturity goal for next year’s roadmap. They are the difference between an incident and a crisis.

Defenders must adopt AI now, even imperfect AI

There is a paradox at the center of the current moment. Offensive AI capabilities are mature, demonstrated, and becoming widely accessible. Defensive AI products built to detect AI-generated attacks or run autonomous responses are lagging, slower to emerge, and often tied to a single vendor’s ecosystem. The instinct to wait until the defensive category catches up is faulty. The capabilities that matter most right now are not specialised defensive products. They are the same coding agents and large language models (LLM’s) that attackers are already using, pointed inward.

The first move to adoption is the simplest. Any organisation can ask an agent to review its own code for vulnerabilities today, and any organisation can integrate LLM-driven security review into its CI/CD pipeline so that human-written and AI-generated code alike pass through a consistent check before reaching production. This is no longer experimental. It is the cheapest single step that closes the gap between how fast code ships and how fast it is reviewed.

The second move is to give the LLM context. A coding agent that knows nothing about your business is a generic tool. A coding agent that knows which vendors you rely on, which versions you run, which services depend on which libraries, and which systems are business-critical becomes a continuous, asymmetric advantage. Consider what becomes possible. The agent watches public commits and security advisories from the vendors in your stack and flags relevant changes the moment they appear, not weeks later when a CVE is assigned. It maps the upstream and downstream dependencies of a proposed patch against your actual environment, so by the time the patch reaches your change advisory board, you already know what it touches, what it breaks, and what it protects. It runs continuous proactive review against your own codebase using the same techniques attackers will run against it, so the vulnerabilities you ship are the ones you found first.

The third move is operational. Coding agents can already accelerate work the blue team does every day. Triage and validate incoming patches faster than a human queue can absorb them. Run red-team exercises against your own environment on an ongoing basis, not on a quarterly schedule. Automate audit data collection and evidence gathering. Convert alert noise into prioritised, contextualised incidents. None of this requires a new product category. It requires the same agents that are already in widespread use, given the right access, the right instructions, and the right guardrails.

The longer-term direction points to what the industry is starting to call VulnOps. A permanent function, staffed and automated in the way DevOps is, responsible for continuous AI-driven discovery and remediation of vulnerabilities across the entire software estate. Standing one up is a twelve-month project for most organisations. Starting muscle-building now is a this-week project.

Underneath the tooling sits a cultural shift that matters as much as the tooling itself. Every security role is becoming, in part, an AI-builder role. The barrier to entry is lower than most people assume. Teams that lean into this early will operate at machine speed where it counts. Teams that wait will be doing manual triage while their adversaries are not.

The capacity and governance gap

Over the next year, two less visible shifts will separate the organisations that adapt from those that struggle. Neither is technical.

The first is capacity. The industry is investing heavily in AI capability, including frontier models, agent infrastructure, and developer tooling. The parallel investment in the human capacity to defend against the resulting threat landscape has not kept pace. Security teams are absorbing exponential increases in workload, more code shipped faster, more vulnerabilities disclosed, more incidents to triage, more tooling to integrate, typically without corresponding growth in headcount, budget, or wellbeing support. AI productivity gains on the offensive side compound for attackers. On the defensive side, they are too often absorbed as an additional burden on the same people. Burnout and drain of expertise in security functions is not an HR concern. It is a direct operational risk, because the expertise required to navigate this transition takes years to develop and cannot be hired on short timescales. A security team with no room to upskill, stuck reacting to what the rest of the business has already shipped, becomes a liability the moment the threat environment shifts. That moment is now.

Whitepaper

Guide: Secure AI 2026 – effective & future-proof AI

Cut through the hype and standalone technical fixes. Deepen your understanding of AI by recognising that it is not merely a matter of innovation or security, but of governance, responsibility, and lon…

Read

From compliance to accountability

The second shift is governance, and it now has a regulatory dimension. The EU AI Act introduces a risk-tiered framework with four categories: unacceptable risk, high risk, limited risk, and minimal risk. The category that matters most for the majority of enterprise deployments is high risk (6). Under Article 6 and Annex III, AI systems used in areas such as critical infrastructure, employment and worker management, access to essential services, law enforcement, and the operation of biometric or safety components fall into this tier, and trigger obligations around risk management, data governance, human oversight, technical documentation, accuracy, robustness, and cybersecurity.

For security leaders, this is not a future problem. As AI-driven defensive scanning becomes broadly available, the standard of “reasonable care” shifts with it, and boards will increasingly face the question of whether not using the AI tools available to them constitutes negligence.

The practical starting point is straightforward. Map the AI systems already in use across your organisation, classify them against the Act’s risk tiers, and identify which of them fall into the high-risk category. The assessment should start now because the obligations for standalone high-risk AI systems under Annex III become applicable on 2 August 2026, along with separate obligations for providers and deployers (7).

Note: The EU has reached political agreement to defer that date to late 2027 as part of the Digital Omnibus (8), but until the amendment is formally adopted, 2 August 2026 remains the operative date.

Both shifts point in the same direction. Surviving the AI vulnerability storm is not only a matter of better tools and tighter architecture. It is a matter of funding the humans who run them, and clearing the governance path for them to act at the speed the threat environment now demands.

Conclusion: we have done this before

The security industry has met systemic, deadline-driven challenges before. Y2K was a structural threat with a hard date, and it was navigated through coordinated effort, disciplined engineering, and unglamorous, focused work across thousands of organisations. The pattern this moment requires is the same, with two differences. The deadline is shorter, and the tools available to defenders are more powerful than anything that has come before.

Being ready for what comes after Mythos is less about responding to a single model or announcement and more about permanently closing the gap between how fast vulnerabilities are discovered and how fast an organisation can respond. That gap will not close on its own. It closes through architecture designed to contain rather than prevent, through defenders who use AI as routinely as attackers do, through investment in the humans who run the programme, and through governance fast enough to keep pace with the threat.

None of this requires waiting. Every action discussed in this post can begin this week. The organisations that build the muscle now will meet the next wave on their own terms. Those that wait for clarity will meet it on the storm’s terms instead.

About the author