Microsoft's regular monthly round of vulnerability fixes dropped as scheduled on Tuesday 14 April, containing a handful of zero-days and critical updates for security teams to pore over. So far, so normal. But this month's Patch Tuesday was rather more notable than many other recent updates because it was, by some margin, the second-largest update in history by volume, comprising over 160 distinct flaws – October 2025 saw 175 – and rising to nearly 250 once third-party and Chromium updates were taken into account.
Almost immediately, commentators invoked the unavoidable spectre of artificial intelligence. Vulnerability expert Dustin Childs of TrendAI's Zero Day Initiative described the update as “monstrous” in size and suggested that growth in the use of AI tools to uncover software vulnerabilities at scale may be behind the sudden jump. This observation aligns with the broader narrative that AI is fundamentally altering the vulnerability landscape, both for defenders and attackers.
Critical vulnerabilities and the Mythos factor
April's Patch Tuesday also coincided with the launch of Anthropic's Project Glasswing, an initiative built around the new frontier AI model Claude Mythos Preview. Anthropic claims Mythos can discover zero-day flaws and develop exploits for them. The company says it has already identified “thousands” of critical vulnerabilities, some of which have been hiding in plain sight for years. To manage the risk, Project Glasswing limits access to the model to a select group of tech companies including Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, Microsoft, Nvidia, and Palo Alto Networks.
Chris Goettl, vice-president of product management at Ivanti, notes that the lead-up to this Patch Tuesday included a Google Chrome zero-day (CVE-2026-5281), an Adobe Acrobat Reader zero-day (CVE-2026-34621), and several older CVEs added to the CISA KEV list. All of this came amid significant industry buzz about Mythos and Project Glasswing.
AI as a double-edged sword
While Mythos is too new to have directly caused the spike in Patch Tuesday disclosures – VulnCheck analysis shows only 75 recently disclosed CVEs mention Anthropic and only one is directly attributable to Glasswing – the hypothetical correlation is already driving urgent conversations. Business secretary Liz Kendall urged UK business leaders to “plan accordingly” as frontier models become more adept.
Doc McConnell, head of policy at Finite State and a former CISA branch chief, describes AI as “a ratchet wrench for cyber security – it only goes in one direction: faster.” He warns that the traditional advice to “do the basics, but faster” is no longer sufficient because humans simply cannot keep up with AI-driven attack speeds. McConnell applauds Anthropic for its responsible approach but cautions that others may be quiet and irresponsible.
Impact on patch management
Goettl invites consideration of the knock-on effects. Large tech firms will use AI to release more secure code, but both legitimate researchers and threat actors will use robust AI models to identify exploitable flaws. This will result in more coordinated disclosures (good), more zero-day exploits (bad), and more n-day exploits (bad). All of this will lead to more frequent and more urgent software updates.
Many organizations already struggle to keep up with priority updates that resolve exploited vulnerabilities outside normal monthly maintenance. Goettl points out that most organizations were not aware of the Adobe Acrobat zero-day exploit until the CISA KEV update, giving threat actors an extra two to three days of free rein. With browser security updates now weekly and many business applications releasing updates on a continuous cadence, the number of exploits making a mockery of maintenance schedules will likely double, triple, or quadruple.
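As an added illustration of the triage problem Goettl describes (not code from the article or from Ivanti), the script below cross-references a constructed sample of the CISA KEV feed against a constructed asset inventory and flags which findings cannot wait for the next Patch Tuesday. The KEV dates, host names and the placeholder CVE are assumptions; only the two CVE identifiers come from the article.

```python
"""Flag KEV-listed CVEs that need out-of-band remediation (added example)."""
from datetime import date, timedelta

# Constructed sample in the shape of CISA KEV entries; dates are assumptions, not the real feed.
KEV_SAMPLE = [
    {"cveID": "CVE-2026-5281", "product": "Chromium", "dateAdded": "2026-04-09", "dueDate": "2026-04-30"},
    {"cveID": "CVE-2026-34621", "product": "Acrobat Reader", "dateAdded": "2026-04-10", "dueDate": "2026-05-01"},
]

# Constructed inventory; "CVE-2026-00000" is a placeholder for a CVE that is NOT on the KEV list.
INVENTORY = [
    {"host": "ws-101", "cves": ["CVE-2026-34621"]},
    {"host": "ws-102", "cves": ["CVE-2026-5281", "CVE-2026-00000"]},
]


def next_patch_tuesday(today: date) -> date:
    """Second Tuesday of the month on or after `today` (Microsoft's regular cadence)."""
    year, month = today.year, today.month
    while True:
        first = date(year, month, 1)
        # weekday(): Monday == 0, so Tuesday == 1; step to the first Tuesday, then add a week.
        second_tuesday = first + timedelta(days=(1 - first.weekday()) % 7 + 7)
        if second_tuesday >= today:
            return second_tuesday
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)


def triage(kev_entries: list[dict], inventory: list[dict], today: date) -> list[dict]:
    """Mark a finding out-of-band when its KEV due date falls before the next Patch Tuesday."""
    kev = {entry["cveID"]: entry for entry in kev_entries}
    window = next_patch_tuesday(today)
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:  # not known-exploited: leave it to the scheduled cycle
                findings.append({"host": asset["host"], "cve": cve, "action": "scheduled", "exposed_days": None})
                continue
            due = date.fromisoformat(entry["dueDate"])
            added = date.fromisoformat(entry["dateAdded"])
            action = "out-of-band" if due < window else "scheduled"
            # exposed_days: how long the CVE has been publicly known-exploited while still present on the host
            findings.append({"host": asset["host"], "cve": cve, "action": action, "exposed_days": (today - added).days})
    # out-of-band work first, then by host, so the report reads as a work queue
    return sorted(findings, key=lambda f: (f["action"] != "out-of-band", f["host"]))


if __name__ == "__main__":
    for finding in triage(KEV_SAMPLE, INVENTORY, date(2026, 4, 20)):
        print(finding)
```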
Next steps for security leaders
Goettl believes security leaders need to make a step change in mindset and maturity, defining their risk appetite and risk posture. This should go alongside a technical evolution where traditional vulnerability assessment and intelligence services become better integrated into a broader ecosystem with asset visibility and systems of record. This hybrid approach can be integrated with an autonomous endpoint management platform to speed remediation.
McConnell lays out three steps for the industry. First, security must move to the very beginning of the product lifecycle – binary analysis and software composition analysis need to happen continuously from the first stages of design. Second, security needs to keep pace with product development through real-time SBOMs with automated reachability analysis for new vulnerabilities. Third, companies need to understand that incidents will still happen and must have automated vulnerability and incident response capabilities that can triage, communicate, and coordinate remediation without manual investigation.
Could frontier models be good for cyber?
Richard Horne, CEO of the UK's National Cyber Security Centre (NCSC), believes there is a path toward using AI appropriately to find and fix flaws, but the road ahead is paved with risks. He warns that AI will make it easier, faster, and cheaper to discover and exploit weaknesses that previously required more time, skill, or resource. The pressure on organizations to patch systems quickly will only grow more acute.
Horne emphasizes that organizations must ensure they are following established good practices set out by the NCSC: reducing unnecessary exposure to attacks, rapid application of updates, and monitoring for and responding to malicious activity. These technical actions must be championed by all leaders and board-level executives. Cyber risk is business risk, and as society navigates these fast-evolving capabilities, the NCSC will continue advising on risks and opportunities.
By getting the fundamentals right and carefully adopting frontier AI models for good, network defenders can retain an advantage and help keep the UK safe online. The conversation about AI and vulnerability management is no longer hypothetical — it is happening now, and organizations must act immediately. As McConnell puts it, “Make it the top topic at your next board meeting. If you don't have this capability today, partner with a company that does.”
Anthropic's Mythos represents a leap forward in bug-hunting capabilities, and while the immediate impact on Patch Tuesday may be limited, the trajectory is clear: AI will continue to accelerate the discovery and disclosure of vulnerabilities. Security teams must evolve from reactive patching to proactive, AI-augmented defense. The tools are available, but the mindset shift is essential. Whether frontier models ultimately prove beneficial or disastrous for cyber security depends on how quickly organizations adapt to this new reality.
Source: ComputerWeekly.com News