AI models speed exploit discovery, NCSC urges faster patching
Benchmark tests show GPT-5.5 and Anthropic’s Claude Mythos can complete simulated attack chains; UK NCSC urges faster patching as AI shortens time to exploit.
Benchmark runs by the UK AI Security Institute found OpenAI’s GPT-5.5 completed a 32-step simulated corporate attack chain end-to-end in two of 10 runs, while Anthropic’s Claude Mythos Preview completed the same chain in three of 10. Ollie Whitehouse, chief technology officer at the UK National Cyber Security Centre, warned organisations to prepare for a likely surge in software updates as advanced AI uncovers vulnerabilities more quickly. A recent industry report shows vulnerability exploitation has overtaken stolen credentials as the leading initial access route in breaches.
Rik Ferguson, vice president of threat intelligence at Forescout, said defenders can no longer assume they have time to assess and patch before large-scale exploitation and described the new AI capabilities as “supercharged.” He added that existing patch cycles and approval processes may be too slow to match automated discovery and exploit development.
Tools designed for deep, white-box code analysis can surface issues that signature-based scanners miss. Daniel Bechenea, security manager at Pentest-Tools, said vendors running such AI continuously are likely to produce “more patches, shipped faster.” He noted many organisations do not have the operational capacity to deploy fixes at that pace.
More than 48,000 vulnerabilities were recorded in 2025, and experts expect discovery rates to rise as advanced models are applied more broadly. Ivan Milenkovic, vice president of risk technology EMEA at Qualys, warned the standard cycle of “CVE release-patch before exploit” will come under “significant pressure” and recommended “hyper-prioritisation” of fixes.
The NCSC recommends strengthening baseline controls such as Cyber Essentials and, for providers of essential services, applying the Cyber Assessment Framework to improve resilience. Security practitioners list operational measures that help absorb a faster cadence of fixes: accurate asset inventories, dependency mapping, evidence-based triage, test automation and clear ownership of systems.
When immediate patching is not possible, teams should reduce potential impact through network segmentation, temporary compensating controls and pre-agreed decision processes for urgent updates. Bechenea said AI can assist by matching patches to affected assets, surfacing high-priority items and flagging vulnerable components.
Ferguson added that, within governed boundaries, AI can speed vulnerability triage, code review, dependency analysis, test generation and patch validation. The arrival of more advanced models is expected to accelerate both discovery and exploit development, increasing pressure on organisations to shorten the time between identifying a flaw and applying a fix.