Warning of incoming ‘patch wave’ for enterprise tech teams
The exploit cycle is going to get a lot shorter and organisations must be ready
The NCSC has warned UK organisations to prepare for a surge in software updates driven by new AI tools that rapidly identify and address security vulnerabilities, urging a proactive, risk-based approach to update management.
The NCSC has warned UK organisations to brace themselves for an onslaught of software updates, created by vendors using new AI tools to find and fix vulnerabilities in their products.
The National Cyber Security Centre's (NCSC) CTO, Ollie Whitehouse, wrote that he expects a “forced correction” to address the technical debt that has accrued over the years across proprietary and open-source software as a consequence of prioritising short-term gains over building resilient products.
So far, tools like Anthropic’s Mythos Preview and OpenAI’s GPT-5.4 haven’t been made widely available. Vendors and selected (mainly financial) enterprises have been given limited access in order that they can get a head start in identifying vulnerabilities in their products.
However, last month, a small group of users claimed to have been able to access Mythos Preview on the same day Project Glasswing was announced.
This is going to be the cause of a “patch wave” – a glut of software updates covering the whole technology stack – and organisations need to be ready to act when it hits.
What to do
Whitehouse urged security teams to prioritise, beginning with perimeter devices and then moving to cloud and on-premise systems and applications.
He also urged organisations to consider the technical debt lurking in legacy systems that may have fallen out of support. If a system can no longer receive updates, Whitehouse advises replacement or at least bringing the outdated system back within the scope of support.
Organisations are advised to prepare for the incoming wave of updates by implementing a system where updates and patches are applied by default and automatically as soon as they are available.
The NCSC acknowledges that this can’t always apply to every part of every organisation, but recommends a risk-prioritised approach such as the Stakeholder-Specific Vulnerability Categorisation (SSVC) system, which helps organisations decide which updates to apply first.
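To make the prioritisation advice concrete, here is an added example (not code from the NCSC, CISA or this article) of an SSVC-style triage in Python. It uses the public SSVC decision-point names (Exploitation, Automatable, Technical Impact, System Exposure, Mission & Well-being) and outcomes (Track, Track*, Attend, Act), but the rule that maps decision points to outcomes is a simplified assumption, not CISA’s official deployer decision tree, and the assets and VULN-xxxx identifiers are constructed sample data. It also folds in the two other points above: internet-facing perimeter systems sort ahead of internal ones, and an asset the vendor no longer updates is flagged for replacement rather than patching.

```python
"""Simplified SSVC-style triage for a patch wave.

Added illustration, not code from the NCSC or CISA. Decision-point names follow
the public SSVC vocabulary; the mapping from decision points to the four SSVC
outcomes is a deliberately simplified assumption and is NOT the official CISA
deployer decision tree. All findings below are constructed sample data with
placeholder identifiers.
"""
from dataclasses import dataclass

OUTCOMES = ("Track", "Track*", "Attend", "Act")    # least to most urgent
EXPLOITATION = ("none", "poc", "active")
EXPOSURE = ("small", "controlled", "open")         # "open" = internet-facing perimeter
MISSION = ("low", "medium", "high")                # SSVC "mission & well-being"
IMPACT = ("partial", "total")


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str            # placeholder identifier, not a real CVE
    exploitation: str       # one of EXPLOITATION
    automatable: bool       # can exploitation be scripted end to end?
    technical_impact: str   # one of IMPACT
    exposure: str           # one of EXPOSURE
    mission: str            # one of MISSION
    supported: bool = True  # False = vendor no longer ships updates for this asset


def _validate(f: Finding) -> None:
    """Reject findings whose decision-point values are outside the vocabulary."""
    for value, allowed in ((f.exploitation, EXPLOITATION), (f.technical_impact, IMPACT),
                           (f.exposure, EXPOSURE), (f.mission, MISSION)):
        if value not in allowed:
            raise ValueError(f"{f.vuln_id}: {value!r} not in {allowed}")


def ssvc_decision(f: Finding) -> str:
    """Simplified SSVC outcome (assumption; see module docstring)."""
    _validate(f)
    if f.exploitation == "active":
        # Actively exploited on the perimeter, or total impact on a high-mission
        # system: work it immediately.
        if f.exposure == "open" or (f.technical_impact == "total" and f.mission == "high"):
            return "Act"
        return "Attend"
    if f.exploitation == "poc":
        # A public PoC that is automatable against an exposed system is one step
        # away from mass exploitation.
        if f.exposure == "open" and f.automatable:
            return "Attend"
        return "Track*"
    # No known exploitation: watch closely only where full compromise would hurt.
    if f.technical_impact == "total" and (f.exposure == "open" or f.mission == "high"):
        return "Track*"
    return "Track"


def action_for(f: Finding) -> str:
    """Patch if the vendor still ships updates; otherwise replace or restore support."""
    outcome = ssvc_decision(f)
    if not f.supported:
        return f"{outcome}: no vendor patch available, replace or return to supported version"
    return f"{outcome}: apply vendor update"


def prioritise(findings):
    """Order work: SSVC urgency first, then perimeter (open) before internal, then mission."""
    return sorted(
        findings,
        key=lambda f: (OUTCOMES.index(ssvc_decision(f)),
                       EXPOSURE.index(f.exposure),
                       MISSION.index(f.mission)),
        reverse=True,
    )


# Constructed sample findings spanning perimeter, cloud and on-premise assets.
SAMPLE = [
    Finding("vpn-gw-01", "VULN-0001", "active", True, "total", "open", "high"),
    Finding("hr-portal", "VULN-0002", "poc", True, "partial", "open", "medium"),
    Finding("build-agent", "VULN-0003", "none", False, "total", "controlled", "high"),
    Finding("print-server", "VULN-0004", "none", False, "partial", "small", "low"),
    Finding("legacy-erp", "VULN-0005", "active", False, "total", "small", "high", supported=False),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{f.asset:<14}{f.vuln_id:<11}{action_for(f)}")
```

Run as a script, it lists the perimeter VPN gateway first, then the unsupported ERP system (flagged for replacement rather than a patch), then the portal with a public proof of concept, with the internal build agent and print server trailing. Swapping in a real organisation’s inventory and the official SSVC tree is the obvious next step; the value of the exercise is having the decision written down before the updates arrive, not the particular rules chosen here.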
CISA
The incoming patch wave may swell further if new rules reportedly being seriously considered by the Cybersecurity and Infrastructure Security Agency (CISA) in the US are rolled out.
According to Reuters, the agency is said to be concerned about the possibility of threat actors using the new AI tools to shorten the vulnerability exploitation window by reverse engineering vulnerabilities in hours.
In response, CISA is considering moving the deadline for responding to actively exploited vulnerabilities from an average of two or three weeks to three days, people familiar with the matter have said.