Security experts have urged UK organizations to get ready for an expected surge in new software updates precipitated by vendors using powerful new AI tools to find and fix vulnerabilities.
The National Cyber Security Centre's (NCSC) CTO, Ollie Whitehouse, wrote that he expects a “forced correction” to address the technical debt that has accrued over the years across proprietary and open source software.
to date, AI tools like Anthropic’s Mythos Preview and OpenAI’s GPT-5.4 have been kept out of the hands of the public (and threat actors) while vendors access their powerful bug-finding capabilities to fix their products.
“This is why we are encouraging all organizations to prepare now for when a ‘patch wave’ arrives; a rush of software updates that will need to be applied across the technology stack to address the disclosure of new vulnerabilities,” said Whitehouse.
Whitehouse urged security teams to prioritize external attack surfaces. That means patching vulnerabilities in perimeter devices, before working “inwards” to cover cloud and on-premises kit.
Other NCSC recommendations included:
- Consulting the NCSC’s Vulnerability Management guidance for best practice advice
- Enabling automatic “hot patching,” as long as fixes don’t cause service disruption
- Switching on automatic updates, including for embedded devices
- Taking a risk-prioritized approach if neither of the above options are available, such as the Stakeholder Specific Vulnerability Categorisation (SSVC) system
Beyond Patching
“It is also important for organizations to realise that patching alone will not always suffice; some technical debt may be present in ‘end of life’ or legacy technology that is out of support, and so can’t receive updates,” Whitehouse added.
“In such instances, organizations will need to replace technologies, or bring them back within support, especially where it presents an external attack surface.”
For critical infrastructure providers, Cyber Essentials and the NCSC’s Cyber Assessment Framework (CAF) will also be vital in managing the risk of systemic problems that go beyond traditional vulnerabilities, he said.
The patch burden may be particularly large in the US if new rules reportedly being mooted by the Cybersecurity and Infrastructure Security Agency (CISA) come into force.
According to a Reuters report, CISA officials are considering cutting the deadline for federal agencies to apply patches from an average of three weeks to just three days.
The plans apparently stem from the same anxieties expressed by the NCSC: that in the wrong hands, the most powerful AI tools could enable threat actors to rapidly find and exploit vulnerabilities across virtually any computing system.
BeyondTrust chief security advisor, Morey Haber, argued that only organizations that have invested in patch automation, real time vulnerability management, cloud security posture management, identity-centric controls and risk-based prioritization will be able to achieve such ambitious deadlines.
“Unfortunately, most enterprises do not have continuous visibility into their attack surface, let alone the ability to prioritize and remediate vulnerabilities in near real time. Vulnerability scanning still occurs once a month or at best, once a week and some cases, still once a quarter,” he added.
“Technical debt, legacy systems, and fragmented ownership models create friction that no mandate can eliminate overnight, and government agencies are already resource constrained with recent staff layoffs and lack of funding and expertise … This is where the policy collides with real world execution.”