AI is finding software flaws faster, but hackers are racing to use them

A new generation of AI can uncover vulnerabilities at a pace that we as humans just can’t keep up with. That is good news for cybersecurity teams, but only if organizations can patch quickly enough to stay ahead of hackers.

“Ok, tell me what actually happened”

A recent Wall Street Journal report highlighted a new reality in cybersecurity: AI is now finding software vulnerabilities at a speed that could change how patching works for everyone. According to the article, Anthropic’s restricted Mythos model has already identified thousands of high-severity flaws in major software, and security experts say tools like it can sometimes exploit weaknesses faster than human researchers can.

That matters because the old model of vulnerability management was already under strain. Security teams were already sorting through long patch queues, aging systems, change windows, and limited staff. Now imagine that same environment, except defenders, hackers, and scammers all have access to better tools for finding weak points faster.

This month gave us a clear example of what that pressure looks like in the real world.

Microsoft’s April 2026 Patch Tuesday was one of the largest the company has ever released. Microsoft’s official release notes list 165 Microsoft CVEs for the month, while multiple industry reports counted 167 flaws patched that day. Either way, the message is the same: the volume is enormous. The release also included zero-day issues and a SharePoint flaw that CISA added to its Known Exploited Vulnerabilities catalog, meaning active exploitation was serious enough to require prioritized remediation by federal agencies.  

“So is AI helping defenders or helping hackers?”

Both - and that’s not great.

AI can absolutely help software vendors, researchers, and internal cybersecurity teams find vulnerabilities faster. In theory, that should make us safer. Problems get found sooner. Patches get developed sooner. Organizations get more visibility into where they are exposed.  

But hackers do not need perfect tools for this to be dangerous. They just need tools that are good enough to shrink the gap between discovery and exploitation. If AI helps a bad actor find a vulnerability in hours instead of weeks, defenders lose precious time. If it helps them test phishing lures, write exploit code, or chain together bugs more quickly, patch delays become even more expensive.  

That is why this trend is not just about “more vulnerabilities” but about speed.

For years, organizations could sometimes get away with slow patching because the average time between a flaw being disclosed and being exploited gave them some breathing room. AI threatens to compress that timeline. The faster flaws are found, the faster they can be weaponized.

“Why should I care if I’m not Microsoft?”

Because most organizations do not have Microsoft’s scale, staffing, or engineering resources. If a company with Microsoft’s talent and budget is facing this kind of patch volume, smaller organizations should take the signal seriously. This does not mean every organization needs to panic and patch everything immediately. It does mean patching can no longer be treated like a background IT task that happens when someone gets to it. Patching is now a function that protects business processes.

If you depend on electronic devices, cloud platforms, email, collaboration tools, browsers, VPNs, or line-of-business applications to make your organization go, then delayed patching is not just a technical issue. It is a risk to uptime, trust, and revenue.

“Got it. So what should I actually do?”

Start with the basics, but take them more seriously than before:

  1. Prioritize the systems that matter most to your business processes. Internet-facing systems, identity tools, collaboration platforms, email, browsers, and anything handling sensitive data should move to the front of the line.

  2. Tighten your patching rhythm. Monthly patch cycles are still useful, but they are no longer enough on their own. You need a way to pull critical fixes forward when active exploitation is happening.

  3. Reduce the number of unsupported or end-of-life systems in your environment. The WSJ article makes this point clearly: software that no longer gets updates becomes far riskier in a world where AI can help uncover flaws faster.  

  4. Remember that patching is only one layer. Strong passwords, a password manager, multifactor authentication, and phishing-resistant login methods like passkeys still matter because scammers are using AI too.  
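The four steps above amount to a triage rule: actively exploited flaws on business-critical, internet-facing systems get pulled forward, and unsupported systems get a separate plan because no patch is coming. The script below is an added example (not from the article) that encodes that rule over a constructed asset inventory; the CVE ids and the "KEV" set are placeholders standing in for CISA's Known Exploited Vulnerabilities catalog, not real identifiers.

```python
"""Risk-based patch triage: decide which fixes are pulled forward.

All inputs are constructed sample data. KEV holds placeholder CVE ids
(not real identifiers) standing in for the CISA KEV catalog.
"""
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    internet_facing: bool = False
    identity_or_collab: bool = False   # identity, email, collaboration
    sensitive_data: bool = False
    end_of_life: bool = False          # vendor no longer ships patches
    open_cves: list = field(default_factory=list)

KEV = {"CVE-0000-0001", "CVE-0000-0003"}   # constructed placeholders

def score(asset: Asset, kev: set) -> int:
    """Higher means patch sooner. Active exploitation dominates every
    other factor so a KEV hit always jumps the monthly cycle."""
    s = 0
    if any(c in kev for c in asset.open_cves):
        s += 100
    if asset.internet_facing:
        s += 30
    if asset.identity_or_collab:
        s += 20
    if asset.sensitive_data:
        s += 15
    return s + 5 * len(asset.open_cves)

def triage(assets, kev):
    """Return (queue, unsupported). queue is a list of
    (name, score, actively_exploited) ordered by urgency; unsupported
    lists end-of-life assets, which need decommissioning or isolation
    rather than a patch slot."""
    unsupported = [a.name for a in assets if a.end_of_life]
    live = sorted((a for a in assets if not a.end_of_life),
                  key=lambda a: score(a, kev), reverse=True)
    queue = [(a.name, score(a, kev), any(c in kev for c in a.open_cves))
             for a in live]
    return queue, unsupported

INVENTORY = [  # constructed sample inventory
    Asset("sharepoint-ext", internet_facing=True, identity_or_collab=True,
          sensitive_data=True, open_cves=["CVE-0000-0001", "CVE-0000-0002"]),
    Asset("hr-db", sensitive_data=True, open_cves=["CVE-0000-0004"]),
    Asset("legacy-fileserver", end_of_life=True, sensitive_data=True,
          open_cves=["CVE-0000-0003"]),
    Asset("vpn-gw", internet_facing=True,
          open_cves=["CVE-0000-0005", "CVE-0000-0006"]),
]

if __name__ == "__main__":
    queue, eol = triage(INVENTORY, KEV)
    for name, s, exploited in queue:
        print(f"{s:4d} {'KEV' if exploited else '   '} {name}")
    print("unsupported, no patch possible:", eol)
```

The weights are illustrative; what matters is that a KEV listing outranks everything else and that end-of-life assets are surfaced separately instead of silently sitting in the queue.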

“What’s the big takeaway here?”

AI is not creating the patching problem by itself, but it is absolutely accelerating a problem that already existed.

We are moving into a world where vulnerabilities can be discovered faster, triaged faster, and exploited faster. That can make software safer over time, but only for organizations that are ready to keep up. If your patching process is slow, informal, or constantly deferred, AI will not make that problem easier. It will make the cost of delay more visible. The organizations that do best in this next phase will not be the ones that chase every headline. They will be the ones that know which systems matter most, which updates cannot wait, and how to move when the risk is real.

