
Cybersecurity for software is built on a simple premise: find vulnerabilities and fix them quickly enough to stay ahead of attackers.
Last month, that premise was turned upside down when Anthropic introduced Claude Mythos. Mythos is an AI model that can find software bugs at scale and then chain them into working exploits. Everyone’s immediate question was: What happens when attackers can now outpace defenders?
In dozens of conversations across the industry, this theme consistently came up: AI can identify vulnerabilities and write exploits faster than we can patch. Software flaws that would have taken a team of skilled researchers weeks or months to discover, AI can now identify and exploit within hours. It is making the work of attackers automated and relentless, and it is straining a system that was already coming apart at the seams.
The same week that the industry was absorbing Mythos, NIST announced that it would stop enriching much of the vulnerability data submitted to the National Vulnerability Database (NVD). The NVD tracks tens of thousands of new disclosures annually, and the backlog became too great. Meanwhile, AI-assisted vulnerability discovery is only going to add to the volume of vulnerabilities disclosed. Security teams rely on that enrichment data to understand when vulnerabilities are found in the software they run; without it, they will be even further on the back foot.
Teams were already struggling to patch vulnerabilities on a reasonable timeline. Patching is slow, but much of that slowness is unavoidable. In critical infrastructure and government systems especially, software updates require extensive testing, coordination across complex operational environments, and careful management of downtime risk. There are real operational constraints to deploying a software patch in a water treatment plant or a device on the energy grid, for example. A patch that destabilizes a water treatment system or interrupts an energy grid is a major risk to operations. So, while AI is new, the patching problem isn’t, and it’s only getting worse.
What has been missing, and what the industry has been slow to prioritize, is a third layer of defense between detection (identifying vulnerabilities) and remediation (patching them). That layer is mitigation: preventing vulnerabilities from being exploited even while they remain unpatched. Mitigation solutions exist today and are already being applied in environments where patching is operationally impractical. However, mitigation has yet to become a widespread focus.
We’re seeing shifts at the policy level, as Congress has begun to take a closer look at the relevance of mitigation. Recent direction from policymakers urges the Cybersecurity and Infrastructure Security Agency (CISA) to explore hardening systems against memory safety risks without requiring code rewrites. Such direction reflects a growing policy recognition that rewriting or patching all software across the federal government’s technology stack is not a realistic plan.
Because the universe of vulnerabilities is now effectively unlimited, eliminating individual vulnerabilities one at a time is not a viable strategy. Security must be redefined around resilience, or the ability of systems to withstand compromise. That means shifting investment toward approaches that reduce the value of vulnerabilities to attackers regardless of whether those vulnerabilities have been patched. It means treating exploitability, not just discoverability, as the variable we have the most leverage to change.
When I founded RunSafe Security nearly a decade ago, the motivating problem was that organizations were drowning in vulnerabilities and couldn’t fix them fast enough. Even then, before AI-assisted discovery, the math was broken and patching was a fiction we were collectively agreeing to maintain. AI has put that structural problem in the spotlight, and organizations and policymakers are going to have to address it.
In the past weeks, the conversation about AI and cybersecurity has focused heavily on the threat side: what attackers gain from access to AI-assisted discovery and exploitation tools. That’s the right instinct. But the response cannot simply be to accelerate within the existing model, chasing faster scanning, more automated patching pipelines, and increased detection speed.
In short, AI has achieved breakaway exploit speed, and teams expect an exponential increase in vulnerabilities. We cannot patch our way out of this problem. Now, we need to stop focusing on how quickly we can patch and instead build systems where unpatched vulnerabilities cause less damage. This is the only viable path forward.
