CyberSecurity SEE

# Patch Responsibility Remains Uncertain as AI Reveals Widespread Flaws

As two prominent AI research laboratories, OpenAI and Anthropic, broaden access to their most capable large language models (LLMs), Claude Mythos and GPT-5.5, they are changing how organizations address cybersecurity vulnerabilities. With emerging evidence that these models can autonomously identify and remediate flaws at scale, the way organizations approach patching is undergoing substantial change.

The patching lifecycle is expected to accelerate across many companies. Kevin Jones, Chief Information Security Officer (CISO) at Bayer, remarked at Infosecurity Europe that discussions with IT vendors, including the major cloud hyperscalers, revealed a concerning shift: the mean time for threat actors to exploit a vulnerability has dropped from days to hours. Historically, organizations had a window of seven to ten days from the release of a patch with no known public exploit to stage it, deploy it on isolated systems for testing, and finally apply it to internet-facing systems. That same window was the time attackers needed to reverse-engineer the fix, locate the vulnerability, and craft their own exploits.

However, recent conversations with vendors revealed that this window has shrunk dramatically: a patch released with no known exploit in the wild is now being actively exploited by cybercriminals within six hours and 40 minutes. This alarming trend has forced organizations to rethink their vulnerability management and patch deployment strategies.

### India’s Expedited Response: New 12-Hour Patch Deadlines

In light of these evolving threats, India’s Computer Emergency Response Team (CERT-In) has set ambitious new standards. It now mandates patching actively exploited internet-facing vulnerabilities within 12 hours, critical flaws within one day, and high-severity bugs within five days. The move aims to raise accountability and responsiveness in a rapidly changing threat landscape.

Andrey Lukashekov, head of revenue at Vulners, described these deadlines as “decisive,” but raised concerns about their practical implications for large, global organizations. The stringent timelines, he said, collide with operational realities such as time-zone differences, bureaucratic approval processes, and established change-control mechanisms. Those constraints could turn what is intended as an efficient policy into a “logistical nightmare” and delay safe remediation.

Lukashekov argues that while rapid patching deadlines highlight producers’ responsibilities and the urgency of patch delivery, they risk encouraging rushed fixes. That, in turn, can cause serious failures in update and change processes, especially when coordination is difficult.

### Diverging Approaches: The EU vs. the US

In contrast to India’s swift mandates, the European Union’s Cyber Resilience Act (CRA) takes a more explicitly vendor-centric posture. Lukashekov noted that it places a significant onus on software vendors, with obligations covering secure development practices, disclosure practices, and user notifications. In his view this is a logical step toward aligning legal responsibility with the creators of software.

With this framework, businesses are compelled to prioritize product security. However, Lukashekov cautioned that compliance with regulatory measures does not inherently result in reduced exploitation windows. “Regulation can hold parties accountable,” he noted, “but it does not replace sound architecture and resilient operational strategies.”

Speaking further to these differing approaches, Michael Price, VP of product engineering at VulnCheck, contrasted the EU’s strict regulatory posture with the more market-driven, user-centric model observed in the United States. He remarked that Europe seeks to place responsibility upstream, compelling vendors to produce more secure products. While this could drive systemic improvements in security, it also risks slowing innovation by increasing the burden on software producers.

Conversely, Price explained that the U.S. model tends to place the onus on users and operators to defend their systems, stemming from a reluctance among businesses to embrace stringent regulations that may stifle growth. “In the U.S., there exists an emphasis on avoiding regulation,” he elaborated, “and this can lead businesses to prioritize speed to market over security.”

As a result, customers are often left to implement their own patching strategies and compensating controls for weaknesses in the systems they use.

### The Shift Towards Exploit Intelligence-Driven Patching Programs

In response to these demands, Price underscored the need for organizations to pivot toward exploit intelligence-driven patching programs. He asserted that existing models, which rely primarily on scanning for vulnerabilities and generating tickets for resolution, are no longer adequate in an age where responsiveness is critical.

Price urged security teams to shift their focus toward understanding which vulnerabilities are actively being exploited in the wild. He stated, “Organizations must be prepared to act against those threats in under 24 hours of publication.” This shift underscores the need for a proactive approach to vulnerability management, moving away from a reactive stance based solely on scanning and reporting.

Price further highlighted systemic challenges within the current model of vulnerability disclosure, emphasizing that the manual triage of growing volumes of vulnerability reports is increasingly untenable. He called for automation and enhanced vendor-side tools to effectively manage the influx of reports emerging from rapidly evolving AI technologies.
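One way to express the prioritisation Price describes, combined with the CERT-In windows quoted earlier, as an added example that is not from the article or from any of the vendors it quotes: findings with exploitation evidence get the shortest clock regardless of severity, internet exposure tightens it further, and everything else is ordered by severity. The tier names, the mapping of the quoted windows onto them, and the `FAKE-CVE-*` sample findings are this example's own assumptions and constructed data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Windows quoted on the page: CERT-In's 12 h for actively exploited internet-facing
# flaws, 1 day for critical, 5 days for high severity; Price's 24 h for anything
# with exploitation evidence. Mapping them to tiers is this example's assumption.
SLA = {
    "exploited_internet_facing": timedelta(hours=12),
    "exploited": timedelta(hours=24),
    "critical": timedelta(days=1),
    "high": timedelta(days=5),
}

@dataclass
class Finding:
    cve: str                 # constructed placeholder ids, not real CVEs
    severity: str            # "critical", "high", "medium" or "low"
    internet_facing: bool    # from the asset inventory
    exploited_in_wild: bool  # from an exploit-intelligence feed
    published: datetime      # when the patch or advisory was published

def sla_tier(f: Finding):
    """Exploitation evidence outranks severity; None means no clock applies."""
    if f.exploited_in_wild:
        return "exploited_internet_facing" if f.internet_facing else "exploited"
    return f.severity if f.severity in ("critical", "high") else None

def triage(findings, now):
    """Findings that have a deadline, earliest due first, flagged when overdue."""
    queue = []
    for f in findings:
        tier = sla_tier(f)
        if tier is None:
            continue
        due = f.published + SLA[tier]
        queue.append({"cve": f.cve, "tier": tier, "due": due, "overdue": now > due,
                      "hours_left": (due - now).total_seconds() / 3600})
    return sorted(queue, key=lambda r: r["due"])

def demo():
    now = datetime(2025, 1, 2, 12, 0, tzinfo=timezone.utc)
    ago = lambda hours: now - timedelta(hours=hours)  # published N hours ago
    findings = [  # constructed sample, not real advisories
        Finding("FAKE-CVE-A", "critical", True, True, ago(10)),
        Finding("FAKE-CVE-B", "high", False, True, ago(30)),
        Finding("FAKE-CVE-C", "critical", False, False, ago(2)),
        Finding("FAKE-CVE-D", "high", True, False, ago(24)),
        Finding("FAKE-CVE-E", "medium", True, False, ago(1)),  # no clock
    ]
    return triage(findings, now)
```

In the sample, the exploited but non-critical finding published 30 hours ago is already overdue and sorts ahead of the critical, internet-facing one that still has two hours left; the medium-severity finding never enters the queue.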

### Holistic Security: Beyond Just Patching

Lukashekov cautioned that while enhancing producer accountability is certainly gaining traction, stakeholders should not fall into the trap of viewing faster patching as a comprehensive solution to cybersecurity. He advocated for a robust approach that takes into account the likelihood of undisclosed vulnerabilities lingering within systems. His advice was to “assume your perimeter is already compromised” and to bolster defenses accordingly, advocating for additional measures such as advanced segmentation, runtime protections, and effective detection and containment protocols.

His insights underscore the necessity for organizations to diversify their patching strategies based on the nature of their systems. For instance, while automated updates could be utilized for commodity endpoints, bespoke applications and CI/CD systems require a more meticulous and case-specific approach.

Taking a comprehensive view, Lukashekov has outlined practical takeaways for organizations grappling with the increasing volume of disclosures, emphasizing the importance of resilience, adaptability, and well-reasoned strategic planning in the face of evolving cybersecurity threats.
