Why patching velocity matters as Claude Mythos supercharges vulnerability discovery

Frontier AI models such as Claude Mythos and GPT-5.5 make patching more urgent than ever. How can firms increase the velocity at which they apply fixes and mitigations?

Patch management is already challenging, but the issue is about to get worse as artificial intelligence (AI) tools such as Anthropic’s Claude Mythos Preview and OpenAI’s GPT-5.5 Cyber find and work out ways to exploit software flaws at scale.

So much so that the threat is being recognized at a national level. Ollie Whitehouse, CTO of the UK National Cyber Security Center (NCSC), has warned UK organizations to get ready for an expected surge in new software updates as the powerful new AI tools rapidly discover vulnerabilities.

Part of the attraction of frontier AI models such as Claude Mythos and GPT-5.5 is their ability to discover security issues more quickly. But their capabilities also put pressure on businesses to apply patches more rapidly than before.

It comes as vulnerability exploitation overtakes stolen credentials as the leading initial access vector in attacks, according to Verizon’s latest Data Breach Investigations Report.

In this high-stakes environment, how can firms increase the speed at which they apply security fixes and mitigations?

The issue

The capabilities of frontier AI models are a stark challenge to traditional patching cycles. “The old assumption was that defenders had at least some time on their side to assess, prioritize, and patch before exploitation became realistic at any considerable scale,” says Rik Ferguson, vice president of threat intelligence at Forescout.

While that assumption has been weakening for several years, the threat has now become “supercharged”, he says.

The UK AI Security Institute has published benchmark data demonstrating how GPT-5.5 completed a 32-step simulated corporate attack chain end-to-end in two out of 10 runs. Meanwhile, Anthropic's Claude Mythos Preview performed the attack in three out of 10 cases. “Before Mythos, no AI model had completed that test at all,” Ferguson tells ITPro.

The benchmark data shows the need to address patching velocity is arriving faster than most organizations are ready for, according to Ferguson. “More fixes are coming. The question is whether your operating model is built to absorb them.”

Why AI tools add risk

Tools such as Mythos are designed for white-box, deep code analysis. “This is the kind that has the potential to surface undiscovered issues or vulnerabilities that signature-based scanning doesn’t reach,” according to Daniel Bechenea, security manager at Pentest-Tools.

When vendors run that continuously on their own products, the result is “more patches, shipped faster”, he says. “But that’s the upstream change. The downstream problem is, none of that vendor-side progress makes the organizations receiving those patches any faster at deploying them.”

Frontier AI tools will show up any gaps firms have in their patching processes. The immediate danger for most organizations is that existing weaknesses become “less forgiving, faster”, says Ferguson. “If you already struggle with asset visibility, patch prioritization, change windows, dependency mapping, or testing updates safely, AI-assisted vulnerability discovery makes those operational gaps more consequential.”

He says the pressure has shifted from "can we patch eventually?" to "can we absorb a much faster cadence of new fixes without breaking the business?"

It is as much a resilience problem as a security one, according to Ferguson. “And it can’t be solved by just buying a new tool. If the fundamental processes are not there, you have other work to do first."

The organizations most at risk are those that haven’t built the operational infrastructure – asset inventory, ownership mapping, evidence-based triage – to process findings at current volumes, Bechenea says.

And the problem will only get worse as more frontier AI models enter the cybersecurity market. Broadly, it will lead to faster vulnerability discovery and exploit development, as well as machine paradigm attack vectors, according to Ferguson. “These are attacks no human adversary would have designed, discovered by systems that don't think the way defenders were trained to anticipate. There will be far greater pressure on human-speed remediation processes,” he warns.

Ivan Milenkovic, VP risk technology EMEA at Qualys, concurs with this analysis. He thinks frontier AI will make individual timelines shorter, putting the standard “CVE release-patch before exploit” approach under “significant pressure”.

Prioritizing fixes

Rather than simply increasing the speed at which you patch, experts agree that prioritizing fixes is important. In 2025, there were more than 48,000 vulnerabilities discovered, and it will become an even greater issue with more powerful AI models in the mix, according to Milenkovic.

“The response to this can only be hyper-prioritization of issues, and fixing them – or at least the bulk – at machine speed,” he says.

The foundational security basics will also go a long way. The NCSC recommends measures beyond patching alone. Whitehouse advises focusing on “cyber security fundamentals” to raise resilience and to reduce the impact of breaches – including Cyber Essentials, or the Cyber Assessment Framework for organizations operating essential services.

AI tools can assist with specific parts of the workflow: for example, matching patches to affected assets, surfacing the highest-priority items, and flagging vulnerable components in your environment, says Bechenea.

Ferguson agrees that AI can “absolutely help”, inside governed boundaries. “Used properly, AI can improve vulnerability triage, code review, dependency analysis, test generation, and patch validation. It can help organizations decide what matters first and accelerate the surrounding work that usually creates delay.”

But to boost patching velocity, firms must ensure accurate asset inventory, dependency visibility, clearer prioritization based on exposure and business impact, tighter testing discipline, and pre-agreed decision paths for urgent updates, says Ferguson. “The organizations that patch faster successfully are the ones with fewer unknowns, fewer approval bottlenecks and better segmentation, so each patch carries manageable rather than existential operational risk.”

The goal is to reduce the time between knowing and doing, while “proactively managing the potential blast radius when you cannot patch immediately”, he advises.

The best responses will be based on understanding the business impact of any risk and how likely that is to be exploited, says Milenkovic. “That risk rating will change over time, based on what threat actors are doing and what other factors are in play.”

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.