AI is finding vulnerabilities faster, whether the industry is ready for it or not. Mitigation is the only way for defenders to regain control.
The cybersecurity industry is betting heavily on artificial intelligence. The idea is that if we can use AI to find vulnerabilities faster, software will be more secure, and organizations can stay ahead of bad actors.
However, in most organizations, vulnerability discovery is not what’s holding security teams back. Remediation is. Teams are already drowning in more common vulnerabilities and exposures (CVEs) than they can prioritize and address. According to Verizon’s 2026 Data Breach Investigations Report, one of the most common breach vectors is the exploitation of known vulnerabilities. Vulnerabilities exist, but because patching is difficult and requires significant resources, organizations often fall behind in fixing them in a timely manner.
Now, we’re seeing AI models dramatically accelerate the discovery of vulnerabilities, putting unrelenting strain on already overwhelmed cybersecurity teams.
In April, Anthropic announced Claude Mythos Preview, an AI model that discovered thousands of bugs in major operating systems and browsers, many of which had gone undetected for decades.
Following the announcement, the U.S. administration warned that what’s coming next is an “avalanche” of vulnerabilities. Those new vulnerabilities will just pile up on top of the existing ones.
The backlog will continue to grow as the window between discovery and remediation stretches wider. The pool of exploitable vulnerabilities available to attackers will get larger.
This is the dynamic missing from most of the current AI-in-security conversation. The industry is investing heavily in finding problems faster without any proportional investment in the capacity to fix them. That asymmetry has consequences.
A growing body of known-but-unpatched vulnerabilities is an opportunity for adversaries to exploit defenders stuck in permanent triage. More visibility, under those conditions, doesn’t translate to more security. It translates to more pressure on teams that are already stretched.
The industry’s answer so far has focused on faster scanning, better detection and smarter prioritization. All of these are important steps, but the reality is that remediation doesn’t scale at the same rate as discovery. Addressing that gap is the actual problem, and the best way to keep cyber defenses from becoming overwhelmed.
This leaves us with one path that hasn’t gotten nearly enough attention: reducing the impact of vulnerabilities that can’t be fixed immediately. It’s not a substitute for patching, but a complement to it. By limiting the exploitability of entire vulnerability classes, organizations can contain risk even when remediation is weeks or months away.
This model already exists in industrial systems and embedded platforms, environments where patching is difficult or impossible. For example, Microsoft’s Security Response Center, which triages every reported Microsoft security vulnerability, found that approximately 70% of the vulnerabilities assigned a CVE each year were memory safety issues. Additionally, the Google Security Blog regularly publishes articles on their progress toward memory safety, with memory safety vulnerabilities in Android once accounting for 76%.
AI is finding vulnerabilities faster, whether the industry is ready for it or not. Mitigation is the only way for defenders to regain control.
Doug Britton is executive vice president and chief strategy officer of RunSafe Security.
Copyright
© 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
