Overview
- In May 2026 Anthropic said it and partners used Claude Mythos to flag more than 10,000 high‑ or critical‑severity flaws in a month, showing AI can scale vulnerability finding far beyond human teams.
- Security leaders report that the time from disclosure to in‑the‑wild exploitation has fallen from days to hours, a compression that leaves little time for conventional testing and staged patch rollouts.
- Measured remediation is not keeping up: Verizon’s 2026 DBIR shows median time to patch critical flaws rose from 32 days to 43 days, creating large windows attackers can exploit.
- A Cloud Security Alliance survey of 902 professionals found 80% of organizations had incidents tied to already‑known vulnerabilities and that most lack real‑time runtime logs or proof that a bug is exploitable in production.
- Responses are diverging — India’s CERT‑In set 12‑hour expectations for some fixes while the EU’s Cyber Resilience Act shifts obligations to producers and the US favors market solutions — driving interest in virtual patching, autonomous mitigation, and new exploit‑intelligence tools.