Microsoft’s regular monthly round of vulnerability fixes dropped as scheduled on Tuesday, 14 April, containing a handful of zero-days and critical updates for security teams to pore over. So far, so normal.
But this month’s Patch Tuesday was far more notable than many other recent updates because it was, by some margin, the second-largest update in history by volume, comprising over 160 distinct flaws – October 2025 having seen 175 – and rising to nearly 250 once third-party and Chromium updates were taken into account.
Almost immediately, commentators rushed to invoke the unavoidable spectre of artificial intelligence (AI). Vulnerability expert and regular Patch Tuesday commentator Dustin Childs, of Trend Micro’s Zero Day Initiative, was among them. In his regular write-up, he described the update as “monstrous” in size, and went on to suggest that growth in the use of AI tools to uncover software vulnerabilities at scale may be behind the sudden jump.
This may well be a big part of what is going on, agrees Chris Goettl, vice-president of product management for software products at Ivanti, which has just made significant enhancements to its Neurons patch management platform. Setting the scene, Goettl explained that the lead-up to Patch Tuesday had been interesting, with a Google Chrome zero-day patched on 1 April, an Adobe Acrobat Reader zero-day, and several older CVEs added to the CISA KEV list, all amidst industry buzz about Anthropic’s Mythos and Project Glasswing.
The rise of AI-driven vulnerability discovery
Launched amid much fanfare earlier in April, Project Glasswing is a new Anthropic initiative built around an in-development frontier AI model, Claude Mythos Preview, which its progenitors say can both discover zero-day flaws and develop exploits for them. Such is Mythos’s power – Anthropic claims to have discovered “thousands” of critical vulnerabilities, some of which have been hiding in plain sight for years – that Project Glasswing has been created to limit access to the potentially dangerous model to a select group of tech companies, or at least to give them a head start on fixing the flaws before Mythos becomes more widely available.
These companies include Amazon Web Services (AWS), Apple, Broadcom, Cisco, CrowdStrike, Google, Microsoft, Nvidia, and Palo Alto Networks. Mythos and Project Glasswing were only made public earlier this month – far too recently to have had much impact on the April Patch Tuesday update. And according to analysis of recently disclosed vulnerabilities conducted by VulnCheck, only 75 mention Anthropic and only one is directly attributable to Glasswing. Therefore, it’s reasonable and accurate to say the correlation between its release and the spike in Patch Tuesday disclosures is a hypothetical one for now.
Exponential acceleration of vulnerabilities
However, things are moving fast. The timeline is advancing at pace, and the conversation needs to happen now. In an open letter published on 15 April, UK business secretary Liz Kendall urged business leaders to “plan accordingly” as frontier models become more adept. “The scenarios that Mythos enables aren’t routine,” says Doc McConnell, head of policy at Finite State and a former CISA branch chief and White House advisor. “AI is a ratchet wrench for cyber security – it only goes in one direction: faster. It enables security teams to respond to incidents more quickly, but it also increases the volume and severity of those incidents.”
McConnell adds: “Sure, the basics still apply – building security into the product lifecycle, accelerating the patch cycle, making sure that cyber security is central to your company’s risk management and long-term strategy. What’s changed is that the traditional advice to ‘do the basics, but faster’ is no longer sufficient. Regardless of how skilled your technical team, humans simply can’t go fast enough to keep up with AI.” While McConnell applauds Anthropic and its Project Glasswing squad for their approach, he says it would be wise to assume that if Anthropic is being noisy and responsible about this, someone else is being quiet, and irresponsible.
Implications for patch management
Goettl at Ivanti speculates on where Mythos will be used. He notes that finding exploitable flaws in code can be a powerful tool for good when used by the vendor writing the code before it is released. However, it will also be used by researchers and threat actors to find flaws in code already released. The knock-on effects are significant. In the immediate future, large tech firms will use it to release more secure code. But at the same time, both legitimate security researchers and threat actors will adopt more robust AI models to identify exploitable flaws. This will result in more coordinated disclosures, more zero-day exploits, and more n-day exploits.
All of this will lead to more frequent and urgent software updates. Many organisations currently struggle to keep up with priority updates resolving exploited vulnerabilities that occur outside their normal monthly maintenance. For example, Goettl suspects most organisations were not aware of the Adobe Acrobat zero-day exploit until the CISA KEV update, meaning threat actors had another two to three days of free rein to exploit it before most organisations became aware. Given browser security updates are now weekly occurrences, and many business applications release updates on a continuous cadence, it’s easy to see that exploits will soon make a mockery of organisations’ maintenance schedules – and do so frequently. While it’s not possible to say if this will be a doubling, trebling, or quadrupling of vulnerabilities, the increase will likely be noticeable and exacerbate existing patch management challenges.
Strategic responses for security leaders
What’s the solution? Goettl believes security leaders need to make a step change in mindset and maturity, defining their risk appetite and risk posture. This, if done effectively, can make remediation activities more clear-cut. This should go alongside a technical evolution in which traditional vulnerability assessment and intelligence services become better integrated into a broader ecosystem where they marry up with asset visibility or systems of record. This hybrid approach can refine the process of determining if issues need to be addressed urgently or can wait for regular maintenance. This stack should be integrated with an autonomous endpoint management (AEM) platform to speed remediation.
Meanwhile, McConnell lays out three steps the industry itself should consider. First, security must move to the very beginning of the product lifecycle. If you’re waiting until a CVE drops to find out whether your product is affected, you’re already behind. Binary analysis and software composition analysis need to happen continuously from the first stages of design and development – not as a final check when features are done and release is scheduled. Second, security needs to keep pace with product development, even as companies accelerate development with AI. That means a real-time software bill of materials (SBOM) with automated reachability analysis for new vulnerabilities, so that organisations can confidently prioritise the fixes that matter most. Finally, companies need to understand that even in a capable security environment, incidents will still happen. When they do, defenders must match attacker speed. That requires an automated vulnerability and incident response capability that can triage, communicate, and coordinate remediation across a product portfolio without relying on manual investigation at each step. McConnell urges companies to act on this immediately: make it the top topic at your next board meeting, and if you don’t have this capability today, partner with a company that does.
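The risk-based triage that Goettl and McConnell describe – vulnerability intelligence (CVSS, CISA KEV status, public exploit availability) joined to an asset system of record (exposure, business criticality) to decide whether a fix goes out of band or waits for the maintenance window – can be sketched as a small decision function. The following is an added Python example, not code from the article, Ivanti or Finite State; the thresholds, the three urgency tiers, the assets and the CVE identifiers are all constructed placeholders for illustration.

```python
"""Risk-based patch triage (added example with constructed data).

Combines vulnerability intelligence with an asset system of record to
decide which fixes must go out of band and which can wait for the next
scheduled maintenance window. All identifiers and thresholds are
illustrative assumptions, not a real organisation's policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Vuln:
    cve_id: str              # placeholder IDs below, not real CVEs
    cvss: float
    in_kev: bool             # listed in CISA KEV (exploited in the wild)
    exploit_public: bool     # public proof-of-concept known
    affected_assets: tuple   # asset names from the system of record


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    crown_jewel: bool        # business-critical per the asset inventory


def urgency(v: Vuln, assets: dict) -> str:
    """Return 'emergency', 'expedite' or 'scheduled' for one vulnerability."""
    present = [assets[a] for a in v.affected_assets if a in assets]
    if not present:
        return "scheduled"   # not in our estate: normal cycle is enough
    facing = any(a.internet_facing for a in present)
    critical = any(a.crown_jewel for a in present)
    if v.in_kev and (facing or critical):
        return "emergency"   # actively exploited on exposed or key systems
    if v.in_kev or (v.exploit_public and facing) or (v.cvss >= 9.0 and critical):
        return "expedite"    # worth breaking the monthly cadence for
    return "scheduled"


def due_date(level: str, today: date, next_window: date) -> date:
    """Assumed SLAs: 1 day for emergency, 7 days (or sooner) for expedite."""
    if level == "emergency":
        return today + timedelta(days=1)
    if level == "expedite":
        return min(today + timedelta(days=7), next_window)
    return next_window


def plan(vulns, assets, today: date, next_window: date):
    """Return (cve_id, urgency, due) rows, most urgent first."""
    rows = []
    for v in vulns:
        level = urgency(v, assets)
        rows.append((v.cve_id, level, due_date(level, today, next_window)))
    order = {"emergency": 0, "expedite": 1, "scheduled": 2}
    rows.sort(key=lambda r: (order[r[1]], r[2], r[0]))
    return rows


# Constructed sample inventory and disclosures (placeholder CVE numbers).
ASSETS = {a.name: a for a in (
    Asset("web-proxy-01", internet_facing=True, crown_jewel=False),
    Asset("hr-db-01", internet_facing=False, crown_jewel=True),
    Asset("dev-laptop-07", internet_facing=False, crown_jewel=False),
)}
VULNS = (
    Vuln("CVE-0000-0001", 7.5, True, True, ("web-proxy-01",)),
    Vuln("CVE-0000-0002", 8.1, True, False, ("dev-laptop-07",)),
    Vuln("CVE-0000-0003", 9.8, False, False, ("dev-laptop-07",)),
    Vuln("CVE-0000-0004", 9.8, False, False, ("hr-db-01",)),
    Vuln("CVE-0000-0005", 9.8, False, True, ("legacy-box-99",)),
)
TODAY = date(2026, 4, 15)          # day after the April Patch Tuesday
NEXT_WINDOW = date(2026, 5, 12)    # assumed next monthly maintenance window

if __name__ == "__main__":
    for cve, level, due in plan(VULNS, ASSETS, TODAY, NEXT_WINDOW):
        print(f"{cve}  {level:9}  due {due}")
```

The point of the asset join is the last sample row: a CVSS 9.8 flaw with a public exploit lands in the scheduled tier because the affected product is not in the inventory, while a CVSS 7.5 KEV entry on the internet-facing proxy is the one that breaks the monthly cadence. A KEV feed alone would rank them the other way round.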
Potential for good in cybersecurity
Could frontier models like Mythos ultimately prove beneficial for cybersecurity? Richard Horne, CEO of the UK’s National Cyber Security Centre (NCSC), thinks so. In an article first published as a letter to the Financial Times, Horne says there is a path towards using AI appropriately to find and fix flaws, but the road ahead is paved with risks. In the immediate term, AI will increasingly expose organisations that have not taken appropriate steps to safeguard their cybersecurity. AI will make it easier, faster, and cheaper to discover and exploit weaknesses that previously required more time, skill, or resources for attackers to identify. The pressure on organisations to patch systems quickly will only grow more acute.
For Horne, it is more essential than ever that organisations follow established good practices set out by the NCSC to raise their security baseline. This includes reducing unnecessary exposure to attacks, rapid application of updates, and monitoring for and responding to malicious activity. These technical actions must be championed by all leaders and board-level executives to have a positive impact. Cyber risk is business risk. As society navigates these fast-evolving capabilities, the NCSC will stay focused on its mission to protect the UK from cyber threats, working alongside industry and wider government. By getting the fundamentals right and carefully adopting frontier AI models for good, network defenders can retain an advantage and help keep the UK safe online.
Historical context and future outlook
Patch Tuesday has long been a cornerstone of Microsoft’s security update strategy, with a predictable monthly cadence that allows IT teams to plan maintenance windows. However, the volume of patches has steadily increased over the years as software complexity grows and more vulnerabilities are discovered. The record of 175 flaws set in October 2025 was seen as an outlier; now April 2026 has nearly matched it. Analysts point to the proliferation of automated fuzzing tools and, more recently, AI-based vulnerability research as key drivers. The trend shows no signs of slowing down, especially as frontier AI models become more accessible to researchers and threat actors alike.
Project Glasswing represents a paradigm shift: not only discovering vulnerabilities but also generating proof-of-concept exploits. This capability blurs the line between defensive and offensive applications. Anthropic’s decision to gate access behind a consortium of major tech firms is a novel attempt to mitigate immediate risk, but it remains to be seen how long this exclusivity can be maintained. The cybersecurity community is watching closely, as similar models could emerge from less responsible actors.
In parallel, the industry is grappling with the broader implications of AI-assisted vulnerability discovery. The traditional vulnerability lifecycle – from discovery to disclosure to patching – is being compressed. Organisations that have not invested in automated patch management and continuous vulnerability monitoring will fall behind. The shift left philosophy is gaining urgency, with secure coding practices and static analysis becoming non-negotiable from the earliest stages of software development.
Ultimately, the arrival of AI models like Mythos forces a reassessment of patch management strategies. Security teams must adopt a proactive, risk-based approach, leveraging real-time threat intelligence and autonomous remediation tools. The era of relying on monthly patches alone is ending; the next phase requires continuous vigilance and automation to keep pace with the tsunami of flaws that AI can now uncover.
Source: ComputerWeekly.com News