Ivanti's Chris Goettl: Preparing for the AI Patch Apocalypse – Cyber Magazine


Among the industries that AI is reshaping, cybersecurity is one that is shifting at an unprecedented speed – transforming how vulnerabilities are discovered, disclosed, exploited and fixed across enterprise environments.
As frontier AI models like Mythos and GPT 5.4-cyber accelerate vulnerability research, security teams are facing mounting pressure to manage a surge in patches, rising cyber risk and shrinking response windows.
This growing challenge is exposing the limitations of traditional patch management and forcing organisations to adopt more agile, risk-based security strategies. 
In this Q&A with Cyber Magazine, Chris Goettl, VP of Product Management at Ivanti, explores how AI is changing the vulnerability lifecycle, why out-of-band patching is becoming more disruptive and how organisations can strengthen cyber resilience through continuous exposure management, automated remediation and smarter vulnerability prioritisation.
“Patch Apocalypse” describes the recent and continuing scenario where AI tools like Mythos dramatically increase the volume of disclosed vulnerabilities, creating sustained operational pressure on security and IT teams.
The pace and volume of these patches will eventually exceed what many IT and security teams can handle through traditional patch remediation approaches. The concern is not just that more vulnerabilities will be discovered but that they will be identified, validated and weaponised faster than many organisations can realistically respond to.
The industry is already struggling with patch fatigue. In fact, our research shows one in three organisations struggle to prioritise risk remediation in key areas like patch management. Most enterprises still rely on monthly maintenance cycles and reactive workflows, while exploited vulnerabilities increasingly emerge outside of those windows.
Additionally, a structural shift at NIST compounds the risk. The National Vulnerability Database will no longer enrich thousands of CVEs with CVSS scores or severity analysis, leaving programs that depend on NVD data with growing, uncounted blind spots. 
At the same time, this is not purely a negative development. AI-driven vulnerability discovery will help vendors identify flaws earlier and improve software quality over time. The challenge is the transition period. Organisations that continue relying on legacy prioritisation approaches and static patching models will struggle, while those adopting continuous exposure management and risk-based patching will be significantly better positioned to address the increase in CVE disclosure and more aggressive release cycles from vendors.
We are entering a period where vulnerability discovery is becoming more industrialised. Historically, identifying exploitable flaws often required highly specialised expertise and significant manual effort. Large AI models are beginning to change that dynamic.
Initiatives like Mythos and Project Glasswing point towards a future where coordinated disclosure programmes operate at far greater scale. In the near term, that likely means more vulnerabilities being responsibly disclosed in a timely manner. 
At the same time, the same technology also lowers the barrier for identifying weaknesses in already deployed software and rapidly shrinks the time between disclosure and exploitation. As adoption of advanced LLM models broadens, we are likely to see more zero-day discoveries, faster exploitation of n-day vulnerabilities and greater focus on widely used open-source components and enterprise platforms.
The result is a disclosure ecosystem moving at machine speed, pushing traditional vulnerability management models beyond their limits. The operational challenge becomes less about awareness and more about how quickly organisations can assess exposure, prioritise risk and respond effectively.
AI is compressing the entire exposure lifecycle. Vulnerabilities are discovered at scale, disclosed at higher velocity and potentially weaponised almost immediately, shifting the primary challenge from finding flaws to managing real-time exposure.
On the defensive side, organisations are using advanced models to analyse large codebases, identify risky patterns and validate exploitability far faster than traditional manual approaches. That has enormous potential for improving software quality and reducing vulnerabilities before release.
However, adoption remains moderate. While 60% of organisations are investing in Gen AI for security use cases, only 43% currently use AI for threat intelligence correlation and 47% for vulnerability scanning and prioritisation. This highlights a gap between intent and real-world execution.
Another challenge is that threat actors are gaining access to many of the same capabilities. AI models can assist with reconnaissance, vulnerability research and exploit development, significantly reducing the time between disclosure and active exploitation. The result is a rapid compression of attack timelines, with the window between discovery and exploitation shrinking from weeks to hours. 
This creates a more asymmetric environment for defenders. Security teams not only have to identify vulnerabilities quickly but also determine which ones represent genuine business risk before attackers move.
The organisations that succeed will be those that move beyond vulnerability management toward continuous exposure management – combining comprehensive visibility, real-time threat intelligence and automated, risk-based remediation. 
Out-of-band patching places enormous strain on operational teams because it disrupts the structured maintenance cycles many organisations rely on.
Most IT environments are designed around planned change windows, testing procedures and resource allocation. When a critical vulnerability is actively exploited, those processes are compressed into hours rather than weeks.
The challenge is rarely patch deployment alone. Teams must first assess exposure, determine business impact, validate compatibility, communicate with stakeholders and avoid introducing operational instability.
That becomes particularly difficult in large enterprises with complex hybrid environments and legacy systems.
At the same time, security teams are managing an increasing number of urgent disclosures. AI-driven vulnerability discovery will only intensify this pressure by increasing the frequency of high-priority updates.
This is why many organisations are moving towards more autonomous patch management and risk-based decision-making. Manual triage does not scale effectively when patch volumes rise.
Mature organisations are increasingly adopting exposure management platforms that can correlate exploit intelligence, asset criticality and active risk signals to streamline remediation decisions and reduce operational bottlenecks.
Organisations need to move beyond traditional CVSS-score prioritisation and focus on real-world risk. In a “patch apocalypse” scenario, the volume and speed of vulnerabilities rising due to AI mean legacy, linear approaches simply cannot keep up.
Instead, prioritisation frameworks must be continuous and risk-driven. This means making the most of the decisions in advance of the event. This shifts the focus to vulnerabilities that are actively being exploited, systems that are exposed to the internet or issues that impact a critical system.
Not every issue needs to be fixed immediately, and with clarity organisations can focus their efforts on the issues that pose the greatest risk.
To accomplish this, automation is essential. Security teams cannot manually triage thousands of new vulnerabilities at machine speed every day or even every week, so organisations need systems that continuously assess risk, adjust priorities and accelerate remediation in real time. 
An organisation’s goal should be to reduce exposure quickly by focusing effort where it matters most, rather than trying to patch everything at once.
A mature, continuous risk-based patch management model is built around visibility, context and speed. Rather than relying on fixed monthly cycles, with the right tools organisations can continuously monitor their environment for new vulnerabilities, exploit activity and changes in exposure.
In practice, this means integrating vulnerability data, threat intelligence and asset information into a single workflow. Teams can quickly see which systems are most at risk and automate remediation based on predefined thresholds, rather than relying on manual intervention.
Mature organisations are also able to focus on business context. They know which systems are critical, internet-facing or linked to sensitive data and prioritise updates accordingly. Automation plays a central role, enabling patches to be deployed quickly and safely at scale.
Ultimately, maturity is defined by resilience: the ability to continuously reduce exposure and adapt in real time as the threat landscape evolves.
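As an added illustration (not Ivanti's product logic and not code from the interview), the following Python sketches the risk-driven prioritisation described above: exploit intelligence, internet exposure and asset criticality outrank the raw CVSS score, pre-decided thresholds drive the remediation action, and a CVE that NVD has not enriched with a score is still ranked rather than silently sinking to the bottom. The CVE identifiers, asset names and weights are all constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder identifier, constructed for this example
    asset: str
    cvss: Optional[float]    # None when the CVE has not been enriched (no NVD score)
    known_exploited: bool    # signal from an exploit-intelligence feed
    internet_facing: bool
    asset_criticality: int   # 1 = low, 2 = important, 3 = business-critical

def risk_score(f: Finding) -> float:
    # An unenriched CVE gets a neutral 5.0 so a missing score neither buries
    # nor inflates it; the exposure signals below still rank it correctly.
    score = f.cvss if f.cvss is not None else 5.0
    if f.known_exploited:
        score += 10.0        # active exploitation dominates everything else
    if f.internet_facing:
        score += 4.0
    score += 2.0 * (f.asset_criticality - 1)
    return score

def action_for(f: Finding) -> str:
    # Thresholds decided in advance so remediation can run without manual triage.
    if f.known_exploited and (f.internet_facing or f.asset_criticality == 3):
        return "auto-remediate-now"
    if risk_score(f) >= 9.0:
        return "remediate-within-72h"
    return "next-maintenance-window"

def prioritise(findings: List[Finding]) -> List[Finding]:
    return sorted(findings, key=lambda f: (-risk_score(f), f.cve))

def cvss_only_order(findings: List[Finding]) -> List[Finding]:
    # Legacy ordering: unenriched CVEs sink to the bottom regardless of exposure.
    return sorted(findings, key=lambda f: (-(f.cvss or 0.0), f.cve))

# Constructed sample inventory (not real CVEs or assets).
SAMPLE = [
    Finding("CVE-0000-0001", "dev-build-01", 9.8, False, False, 1),
    Finding("CVE-0000-0002", "web-edge-03", 7.5, True, True, 3),
    Finding("CVE-0000-0003", "hr-app-02", None, True, False, 2),
    Finding("CVE-0000-0004", "vpn-gw-01", 6.1, False, True, 3),
    Finding("CVE-0000-0005", "print-srv-07", 4.3, False, False, 1),
]
```

Comparing `prioritise(SAMPLE)` with `cvss_only_order(SAMPLE)` shows the exploited, internet-facing 7.5 moving to the top and the unscored but exploited CVE moving from last to second.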