Patch window is officially dead as AI finds bugs faster than humans can squash them | TechRadar
AI-driven vulnerability discovery outpaces traditional patching defenses

Anthropic's Project Glasswing has changed the math on vulnerability discovery, and software teams need to sit with the implications.

Project Glasswing is an industry coalition, including Amazon, Apple, Google, Microsoft, Cisco, and others, built around Anthropic's most capable AI model, Claude Mythos Preview, with the explicit goal of finding and patching critical software vulnerabilities before attackers can exploit them.

In Anthropic's own testing, Mythos scanned major operating systems and browsers and found vulnerabilities at a scale and depth that manual auditing and fuzzing have missed.

One bug in OpenBSD had been in production code for 27 years. OpenBSD is not an obscure, unexamined codebase. It has been audited and fuzzed by world-class researchers countless times across more than two decades. Mythos found an exploitable bug anyway. If that is possible there, it is possible anywhere.

The unsettling number for security teams is that Anthropic says more than 99% of what Mythos found has not yet been patched.

The traditional security model assumes defenders have time to find a vulnerability, build a patch, and deploy it before an attacker can exploit it. AI-assisted vulnerability discovery is collapsing that assumption, as AI is finding vulnerabilities faster than defenders can patch them.

What Mythos surfaced in a single research effort would require thousands of labor years to fix and validate across every affected organization.

The pressure on defenders is coming from both directions. The same AI capabilities that surface vulnerabilities at scale are also generating working exploits against those same vulnerabilities.

Attackers who gain access to comparable models will know where the holes are, and they will have tools to quickly develop exploits. That compresses the window further and raises the stakes on every vulnerability that remains unpatched.

As AI accelerates vulnerability discovery, teams will spend more time on remediation, disrupting product roadmaps and delivery schedules. Security teams that were already stretched thin are now facing a queue that will not clear in the near term. And Anthropic has said plainly that this capability will only continue to advance.

Why memory safety bugs are the sharpest edge of this problem

Memory safety vulnerabilities are a particularly dangerous part of this picture. They are prevalent across legacy codebases and reliably exploitable, and AI has now demonstrated its ability to find these bugs and chain them into a working exploit.

Buffer overflows, use-after-free errors, and out-of-bounds writes are found across compiled code in the energy grid, defense systems, transportation, and more.

Notably, among the bugs cited in the Mythos announcement, many were memory-safety-related. For example, Mythos Preview identified and then exploited a 17-year-old remote code execution vulnerability in FreeBSD. Mythos also identified memory safety flaws in the Linux kernel and prominent web apps.

The volume of what AI tools can now surface changes the math on patching as a primary defense. No security team can outrun a continuous flow of zero-days across critical software.

The organizations best positioned to weather this are the ones that have already shifted their thinking from eliminating all bugs to building resilience into software itself.

By building software in ways that reduce exploitability, even when bugs remain, organizations can reduce the patching burden. One example is runtime protections, which prevent the exploitation of certain bugs even before a patch is available.

A vulnerability only matters to an attacker if they can reach it and create a working exploit. Hardening software at the binary level shrinks that possibility, not by fixing the bug, but by pulling away the footholds needed to turn it into a breach. The bug stays. The path to exploiting it narrows significantly. When remediation backlogs run into years, that gap between "bug exists" and "bug is usable" is where organizations can buy time.

The practical response starts with accepting that the backlog is real and that patching alone will not clear it on any useful timeline. Audit legacy codebases for memory-unsafe components and prioritize those that are network-exposed or process untrusted data.

Deploy binary hardening and runtime protections for software that cannot be rewritten or replaced quickly. Build remediation workflows that triage by exploitability, not just severity score.
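As an added illustration of the triage step above (example code written for this page, not from the article or any vendor), here is a small backlog ranker that orders findings by exploitability rather than by severity score alone. The weights, the field names and the four sample findings are constructed assumptions; a real workflow would draw reachability and protection status from asset inventory and deployment data.

```python
# Added example: rank a vulnerability backlog by exploitability, not severity alone.
# Weights and sample findings are constructed for illustration, not from the article.
from dataclasses import dataclass

@dataclass
class Finding:
    ident: str
    cvss: float              # severity score from the advisory
    memory_unsafe: bool      # buffer overflow / use-after-free / OOB-write class
    network_exposed: bool    # reachable from an untrusted network
    untrusted_input: bool    # parses attacker-controlled data
    runtime_protected: bool  # binary hardening or runtime protection deployed

def exploitability(f: Finding) -> float:
    """Estimate in [0, 1] of how usable the bug is for an attacker right now.
    Reachability and input handling raise it; deployed runtime protections
    lower it, since the bug stays but the path to exploiting it narrows."""
    score = 0.2
    if f.memory_unsafe:
        score += 0.3
    if f.network_exposed:
        score += 0.3
    if f.untrusted_input:
        score += 0.2
    if f.runtime_protected:
        score *= 0.4
    return round(min(score, 1.0), 2)

def priority(f: Finding) -> float:
    """Remediation priority: exploitability weighted by severity."""
    return round(exploitability(f) * f.cvss, 2)

def triage(findings: list) -> list:
    """Finding ids ordered by exploitability-weighted priority, highest first."""
    return [f.ident for f in sorted(findings, key=priority, reverse=True)]

def by_severity(findings: list) -> list:
    """The conventional ordering, by CVSS alone, for comparison."""
    return [f.ident for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

# Constructed backlog: a critical-rated bug in an internal tool (A), a high-rated
# memory bug in a network-facing parser (B), the same kind of bug behind runtime
# protections (C), and a medium-rated but network-reachable memory bug (D).
# by_severity(BACKLOG) -> A, C, B, D   triage(BACKLOG) -> B, D, C, A
BACKLOG = [
    Finding("VULN-A", 9.8, False, False, False, False),
    Finding("VULN-B", 7.5, True, True, True, False),
    Finding("VULN-C", 9.8, True, True, True, True),
    Finding("VULN-D", 5.3, True, True, False, False),
]
```

The two orderings disagree on every position but one: the critical-rated internal bug drops to the bottom, while the medium-rated but reachable memory bug moves ahead of the protected one.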

The deeper shift is in how organizations think about risk. A system that has not been patched is not necessarily one that will be breached, provided it has been hardened at the binary level and protected against what an attacker can do with a vulnerability. That posture fits the current environment.

Resilience and remediation work together, and organizations that treat them that way will be better positioned as AI-assisted discovery continues to scale. Project Glasswing is giving defenders a head start. The organizations that move now to harden what they cannot yet patch will be in a stronger position when that access expands.

This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.

The views expressed here are those of the author and are not necessarily those of TechRadar Pro or Future plc. If you are interested in contributing, find out more here: https://www.techradar.com/pro/perspectives-how-to-submit