{"slug": "flaw-surge-fuels-need-for-cisos-to-rethink-vulnerability-management", "title": "Flaw surge fuels need for CISOs to rethink vulnerability management", "summary": "Security experts urge enterprises to adopt 'just in time' patching and risk-based vulnerability management as AI accelerates vulnerability discovery and exploitation, overwhelming traditional patch cycles. Attackers using AI tools like Claude Mythos can surface flaws at scale, widening the gap between discovery and remediation, prompting calls for mitigation-first approaches that remove entire exploit classes.", "body_md": "Security experts are calling on enterprises to revise their vulnerability management strategies and move towards “just in time” patching in response the increased pace of vulnerability exploitation.\n\nAttackers are [turning to AI](https://www.csoonline.com/article/4181924/ai-worm-prototype-shows-attackers-dont-need-mythos-to-take-over-your-network.html) to increase the [rate of vulnerability exploitation](https://www.csoonline.com/article/3632268/gen-ai-is-transforming-the-cyber-threat-landscape-by-democratizing-vulnerability-hunting.html) and supply chain compromise so that traditional forms of vulnerability management are no longer keeping pace.\n\nMuhammad Yahya Patel, vCISO and cybersecurity advisor for EMEA at managed security services vendor Huntress, recently [told CSO](https://www.csoonline.com/article/4176086/vulnerabilities-have-become-cyber-attackers-no-1-door-to-the-enterprise.html) that “organizations need to shift their vulnerability management program to a risk-based, continuous [approach], tied to real-time exploitation intelligence — not scheduled patch cycles that leave exploitation windows wide open for days and weeks.”\n\nFrontier AI tools such as Claude Mythos have [signaled a structural shift for cybersecurity](https://www.csoonline.com/article/4158117/anthropics-mythos-signals-a-structural-cybersecurity-shift.html), readily surfacing vulnerabilities at a huge scale — a development that, as government security assurance organizations such as the UK’s National Cyber Security Centre point out, is likely to lead to a surge in patches.\n\n“Most organizations already struggle to fix known issues quickly, so a spike in AI-driven discovery could easily overwhelm teams and widen the gap between finding problems and fixing them,” Andrew Woodford, CTO at network security vendor Titania, tells CSO. “In many ways, this just exposes a problem that’s already there.”\n\nShane Fry, CTO at cybersecurity vendor RunSafe Security, argues that [patching as a security strategy](https://www.csoonline.com/article/3520881/patch-management-a-dull-it-pain-that-wont-go-away.html) has been in crisis for years, and AI-accelerated vulnerability discovery has simply pushed it over the edge.\n\nSome experts contend that virtual patching — a technique that involves blocking exploit attempts at a security layer rather than fixing vulnerable code — represents a sound mitigation strategy, but Fry has reservations about the approach.\n\n“While virtual patching will play a role going forward, its effectiveness is limited and leaves security teams chasing a gap they will never be able to close,” Fry says.\n\nInstead, security teams need to shift toward mitigation-first approaches that make it impossible for attackers to exploit bugs in software.\n\n“Removing entire classes of exploits upfront takes the heat out of the patch gap, and allows patching to become strategic rather than reactive,” Fry argues.\n\nThe conventional patch management model was designed around a world where vulnerability discovery happened at human speed: A human researcher finds a flaw, reports it, a CVE gets assigned, vendors ship a fix, enterprises test and deploy it — a process that can take weeks.\n\nAI-powered vulnerability discovery blows this model out of the water.\n\n“If offensive AI can identify, validate, and exploit vulnerabilities without human authorization, a 43-day median patch time, as noted in Verizon’s DBIR, is the least of your problems,” argues Rik Ferguson, vice president of security intelligence at Forescout. “An AI system doesn’t wait for a proof-of-concept to circulate on GitHub or a CVSS score to land in a dashboard. It finds the flaw, confirms exploitability, and moves.”\n\nFerguson advocates a change of approach toward what he describes as “Assume Autonomy.”\n\n“The question is what compensating controls you put in place between discovery and remediation, and how you constrain what an attacker can do with access they’ve already acquired,” Ferguson explains.\n\nJust-in-time patching fits in with this philosophy and is a desirable goal but may be difficult to achieve in practice especially for the many enterprises that struggle with asset management.\n\n“Just-in-time patching is sound in principle: prioritize and deploy fixes as exploitation intelligence emerges rather than waiting for the scheduled window,” Ferguson says. “But achieving it has some real-world requirements: continuous asset visibility, knowing precisely what you have, where it is, and what its current exposure status is.”\n\nFor example, Ferguson adds, “you can’t patch just-in-time against a vulnerability in a device you didn’t know was on your network.”\n\nGunter Ollmann, CTO at pen testing as a service firm Cobalt, notes that just-in-time patching makes sense if and when a patch is available — but that’s not always possible.\n\n“The major problem lies in the discovery of new vulnerabilities in code or systems that the business has no rights or capabilities to fix themselves, and they have a dependence upon third parties to develop the fix or patch — and are therefore subject to external SLA [service level agreement] turnarounds,” Ollmann explains.\n\nIn such cases, enterprises will need to deploy virtual patches capable of blocking or deflecting the exploitation vectors of the vulnerable system.\n\n“Businesses are in desperate need of quickly deciphering a new vulnerability and dynamically creating an appropriate blocking rule — or rules — for their layered defenses,” Ollmann says.\n\nVirtual patching may mitigate security threats particularly in operational technology (OT) and IoT environments where applying a vendor patch to a running production system risks unplanned downtime or safety system interruption but only serves as a stop gap, Ferguson tells CSO.\n\n“A network-layer control that blocks exploitation of a known flaw, while you work through the testing and deployment cycle for the actual fix, is a compensating control,” notes Ferguson, who warns that virtual patches come with multiple drawbacks.\n\n“Virtual patches require accurate detection signatures, they don’t remediate the underlying vulnerability, and they can create a false sense of closure that delays proper patching indefinitely,” Ferguson argues. “The risk is that temporary becomes permanent. The underlying vulnerability stays open, and the virtual patch becomes the reason nobody revisits it.”\n\nDouglas McKee, director of vulnerability intelligence at Rapid7, advocates what he describes as just-in-time risk reduction rather than just-in-time patching because of the practical difficulties with the latter.\n\n“In the real world, especially in OT, medical devices, and business-critical systems, you can’t always patch the second a CVE drops,” McKee argues. “You still need testing, maintenance windows, rollback plans, and someone who actually owns the asset. However, the old monthly scan, report, and remediation cycle will not survive this pace.”\n\nThe enterprise attack surface has expanded significantly of late, and patch management models haven’t kept up. In response, security leaders’ vulnerability management strategies have to become more of a continuous monitoring function, not a triage and remediation process.\n\nModernizing enterprise approaches to vulnerability management involves “real-time exploitation intelligence integrated into prioritization, compensating controls deployed at discovery rather than at patch release, and visibility across the full asset estate that conventional patch management tools were never designed to cover,” Ferguson says.\n\nRapid7’s McKee stresses that security teams need to separate “known vulnerable” from “actually reachable and exploitable in my environment.”\n\nThis process can be achieved through a combination of asset inventory, internet exposure mapping, KEV tracking, vulnerability intelligence, ownership, and emergency change paths.\n\n“Prioritization based on risk factors like public exposure, known exploitation, automation potential, and technical impact is key,” McKee concludes.", "url": "https://wpnews.pro/news/flaw-surge-fuels-need-for-cisos-to-rethink-vulnerability-management", "canonical_source": "https://www.csoonline.com/article/4196435/flaw-surge-fuels-need-for-cisos-to-rethink-vulnerability-management.html", "published_at": "2026-07-16 07:00:00+00:00", "updated_at": "2026-07-16 07:33:18.461604+00:00", "lang": "en", "topics": ["artificial-intelligence", "ai-safety", "ai-policy", "ai-tools"], "entities": ["Huntress", "Muhammad Yahya Patel", "Claude Mythos", "UK National Cyber Security Centre", "Titania", "Andrew Woodford", "RunSafe Security", "Shane Fry"], "alternates": {"html": "https://wpnews.pro/news/flaw-surge-fuels-need-for-cisos-to-rethink-vulnerability-management", "markdown": "https://wpnews.pro/news/flaw-surge-fuels-need-for-cisos-to-rethink-vulnerability-management.md", "text": "https://wpnews.pro/news/flaw-surge-fuels-need-for-cisos-to-rethink-vulnerability-management.txt", "jsonld": "https://wpnews.pro/news/flaw-surge-fuels-need-for-cisos-to-rethink-vulnerability-management.jsonld"}}