Patch Responsibility Remains Up for Grabs as AI Unearth Flaws At Scale – Infosecurity Magazine


Reporter, Infosecurity Magazine
As two of the leading frontier AI labs, OpenAI and Anthropic, expand access to their most advanced large language models (LLMs), Claude Mythos and GPT5.5, with evidence that these models can autonomously find and fix vulnerabilities at scale, the way organizations patch flaws is evolving.
First, the patching lifecycle will likely speed up in many companies. Speaking at Infosecurity Europe, Kevin Jones, Group CISO at Bayer, said IT vendors he spoke to, including cloud hyperscalers, assessed that the mean time to exploit a vulnerability has gone from days to hours.
“Normally, from a patch being released with no known public exploit in the wild, you give yourself seven to 10 days to be able to scale up that patch, deploy it on a few isolated systems, test it, deploy it on your internet-facing systems. It used to be the window it would take for attackers to really reverse engineer it, find the vulnerabilities, write the exploits, deploy the exploits and scale them,” he explained.
Now, vendors told him, threat actors need as little as six hours and 40 minutes between a patch being released with no known exploit in the wild and somebody starting to exploit the vulnerability.
In response to this, India’s Computer Emergency Response Team (CERT-In) recently set a new bar for response times with an expectation to patch actively exploited internet-facing vulnerabilities within 12 hours, exposed critical flaws within a day and high-severity bugs within five days.
Speaking to Infosecurity, Andrey Lukashenkov, head of revenue at Vulners, said such a mandate “sounds decisive.”
However, he noted that in large, global organizations, tight deadlines collide with time zones, approval chains and change controls, turning a well‑intended rule into “a logistical nightmare” that can actually impede safe remediation.
In Lukashenkov’s view, such mandates push the emphasis onto producers and rapid patch delivery, yet they risk encouraging rushed fixes or breaking change processes when coordination is infeasible.
By contrast, Lukashenkov framed the EU’s approach under the Cyber Resilience Act as more explicitly producer‑centric.
He said the CRA “leans on vendors to own product security,” creating obligations for secure development, disclosure and user notification.
Lukashenkov described this approach as sensible from a policy standpoint because it aligns legal responsibility with the parties that build the code, but he cautioned that compliance does not automatically translate into shortened exploitation windows.
“Regulation can move the needle on accountability, but it won’t replace sound architecture and resilient operations,” he said.
Also speaking to Infosecurity, Michael Price, VP of product engineering at VulnCheck, contrasted the EU’s vendor-focused posture under rules like the CRA with the more market-driven, user-focused approach he sees in the US.
He said that Europe “is trying to force responsibility upstream,” by placing legal and technical obligations on software producers to design and ship more secure products. That, he said, shifts cost and accountability toward vendors and can drive systemic improvements – albeit at the expense of potentially slowing innovation.
By contrast, Price said, the US model often puts more of the burden on users and operators to defend themselves.
“In the US, you see an emphasis on avoiding regulation because regulators can slow down growth,” he explained. As a result, many companies optimize for time-to-market rather than security.
He warned this can leave downstream customers with the hard work of patching, prioritizing and compensating for insecure defaults.
Lukashenkov agreed, observing that US practice tends to combine market pressure, liability considerations and voluntary standards rather than a single, prescriptive cadence.
“In the US you get a patchwork of expectations: buyers demand fixes, insurers price risk and vendors respond, but there’s no one size fits all,” he said.
Price argued there’s no simple right answer: regulation can raise the baseline of security but also introduce costs.
“I’d like to see more regulation in the US as there’s simply too much insecurity, but you have to strike a balance so you don’t kill innovation,” he said.
Taken together, Lukashenkov argued these divergent approaches create both opportunity and friction: India’s speed‑first posture forces urgency, the EU’s producer obligations clarify legal accountability, and the US ecosystem model drives market‑based incentives.
However, he emphasized that, regardless of their approach, policymakers should be deliberate about which part of the system they seek to influence (vulnerability discovery, disclosure, production of vulnerability data or operation of patches) and recognize that meaningful risk reduction will require aligning producer obligations with defender capabilities rather than simply imposing impossible timelines.
“The question isn’t just who pays,” he concluded, “It’s how we rewire incentives so producers, customers and regulators all pull toward fewer windows of exploitability.”
Price outlined a clear shift he believes organizations must make. “The old model, where I first scan, then I find vulnerabilities, then I create tickets and finally somebody resolves the tickets is no longer adequate,” he said.
Price advised shifting the emphasis to real-world risk, recommending that security teams ask themselves which vulnerabilities are being exploited, not merely which ones exist.
“You need to move to an exploit intelligence-driven, operations-focused model,” he said.
“Typically, a small number of vulnerabilities are exploited in under 24 hours from publication. Any organization that wants to remain secure has to know which vulnerabilities are actually going to be exploited, and they need to be able to respond to them in less than 24 hours.”
Price also flagged scaling problems in disclosure and vendor response, where he argued that manual triage is breaking under volume.
“Manual triage of every report clearly is at risk,” he said, calling for automation and new vendor-side tooling to handle the influx of AI-generated reports.
He warned that relying on a single catalog like NIST’s feeds will no longer be sufficient and that organizations need multiple, intelligence-rich sources to make timely decisions.
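As an added illustration (not code from the article, Vulners or VulnCheck), the routine below combines the CERT-In windows quoted earlier with the exploit-intelligence-driven prioritization Price describes: known-exploited ids from several feeds are merged before triage so no single catalogue is relied on. The feeds, the SAMPLE ids and the one-day tier for an exploited flaw on an internal host are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Remediation windows quoted in the article (CERT-In expectations).
WINDOWS = {"exploited-internet-facing": timedelta(hours=12),
           "critical-exposed": timedelta(days=1),
           "high": timedelta(days=5)}

@dataclass
class Finding:
    vuln_id: str          # placeholder ids, not real CVE numbers
    severity: str         # "critical", "high" or "medium"
    internet_facing: bool

def merge_exploited(*feeds):
    # Union of 'known exploited' ids from several sources, so a gap in any
    # single catalogue does not hide an exploited flaw.
    return set().union(*feeds)

def triage(findings, exploited, now):
    # Assign each finding a tier and due time, most urgent first. Tier rules
    # follow the article; putting an exploited flaw on an internal host in the
    # 1-day tier is an assumption the article does not spell out.
    rows = []
    for f in findings:
        if f.vuln_id in exploited and f.internet_facing:
            tier = "exploited-internet-facing"
        elif (f.severity == "critical" and f.internet_facing) or f.vuln_id in exploited:
            tier = "critical-exposed"
        elif f.severity == "high":
            tier = "high"
        else:
            tier = None  # routine maintenance cadence
        due = now + WINDOWS[tier] if tier else None
        rows.append((f.vuln_id, tier, due))
    rows.sort(key=lambda r: (r[2] is None, r[2] or now))  # stable, None last
    return rows

# Constructed sample data: two intelligence feeds and five scanner findings.
NOW = datetime(2025, 6, 3, 9, 0, tzinfo=timezone.utc)
CATALOGUE_FEED = {"SAMPLE-1"}
VENDOR_INTEL_FEED = {"SAMPLE-1", "SAMPLE-3"}
FINDINGS = [Finding("SAMPLE-1", "high", True),
            Finding("SAMPLE-2", "critical", True),
            Finding("SAMPLE-3", "medium", False),
            Finding("SAMPLE-4", "high", False),
            Finding("SAMPLE-5", "medium", True)]

def prioritize():
    return triage(FINDINGS, merge_exploited(CATALOGUE_FEED, VENDOR_INTEL_FEED), NOW)
```

SAMPLE-3 is absent from the catalogue feed and only surfaces as exploited because the vendor feed is merged in.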
While acknowledging producer accountability is gaining traction, Lukashenkov urged defenders not to rely on faster patching as a silver bullet.
He argued organizations must assume undisclosed vulnerabilities exist and change their defensive posture accordingly.
“Treat your perimeter like it’s already compromised,” he advised. “Don’t just build walls, deploy anti‑drone nets.”
In practice, that means stronger hardening, segmentation, runtime protections and improved detection and containment alongside patching.
Lukashenkov urged nuance in patch strategy: commodity endpoints and vendor‑managed software should use automation and auto‑updates where safe, while CI/CD systems and bespoke applications require careful, case‑by‑case handling.
“Different parts of cybersecurity move at different speeds. You can’t treat CI/CD the same way you treat laptop updates,” he stated.
Practical takeaways Lukashenkov offered for organizations confronting the discovery boom include:
On supply-chain risk, Price emphasized concrete mitigations that organizations can adopt now: lock down developer environments, avoid local storage of secrets, route dependencies through vetted package registries, enforce cooldown periods and use version pinning and package signing.
He said these are practical steps that, if widely implemented, would materially reduce the risk from malicious or compromised open-source packages.
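As an added example of two of the mitigations listed above, cooldown periods and version pinning, the check below flags dependency specs that are unpinned, unknown to the vetted registry, or pinned to a release younger than the cooldown. It is not code from the article or either vendor; the package names, release dates, seven-day cooldown and requirements lines are all constructed.

```python
import re
from datetime import date, timedelta

COOLDOWN = timedelta(days=7)  # assumed policy: do not adopt releases younger than this

# Constructed release metadata standing in for what a vetted registry reports.
RELEASE_DATES = {
    ("alpha-lib", "2.31.0"): date(2025, 4, 1),
    ("alpha-lib", "2.32.0"): date(2025, 5, 30),
    ("beta-lib", "1.0.3"): date(2025, 5, 31),
}

PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([A-Za-z0-9_.]+)$")

def check_requirements(lines, today):
    """Return (spec, reason) for every line that violates pinning or cooldown:
    unpinned specs, versions unknown to the registry, or versions released
    inside the cooldown window."""
    problems = []
    for raw in lines:
        spec = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not spec:
            continue
        m = PIN_RE.match(spec)
        if not m:
            problems.append((spec, "not pinned to an exact version"))
            continue
        name, version = m.group(1).lower(), m.group(2)
        released = RELEASE_DATES.get((name, version))
        if released is None:
            problems.append((spec, "version unknown to the vetted registry"))
        elif today - released < COOLDOWN:
            age = (today - released).days
            problems.append((spec, f"released {age} days ago, inside cooldown"))
    return problems

# Constructed sample requirements file.
SAMPLE_REQUIREMENTS = """
alpha-lib==2.31.0      # old enough, passes
alpha-lib==2.32.0      # 4 days old
beta-lib>=1.0          # unpinned
beta-lib==1.0.3        # 3 days old
gamma-lib==0.1         # not in registry metadata
""".splitlines()

def run_check():
    return check_requirements(SAMPLE_REQUIREMENTS, date(2025, 6, 3))
```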
Lukashenkov also highlighted an emerging market response, reporting that industry sentiment shifted in April – after Anthropic released Mythos as part of the Glasswing project – as boards unlocked budget and investors favored cybersecurity firms.
However, he cautioned that money alone won’t resolve the responsibility debate. “Regulation, market pressure and customer demands all matter, but they won’t replace good architecture and resilient operations,” he said.
Lukashenkov concluded that the industry is at an inflection point, where accountability and operational practice must be renegotiated. “Patching isn’t dead,” he said, “but it can’t be the only answer. Who pays to fix it is still very much up for grabs.”
