
UK Cyber Agency Warns: AI Is Triggering a Patch Tsunami


The NCSC warns of a flood of security updates coming. AI models like Mythos and GPT-5.5-Cyber are finding decades-old vulnerabilities faster than they can be fixed.


The UK’s National Cyber Security Centre has published a warning that deserves a spot on every CISO’s desk: AI models are digging up decades-old security vulnerabilities - faster than the software industry can fix them.

Technical Debt Is Coming Due

‘All organisations have technical debt,’ the NCSC writes in its May 1 blog post: a backlog of problems kicked down the road for years because short-term results mattered more than building resilient products. Now AI is finding exactly those weaknesses, systematically and at a pace human security teams can’t match.

The agency expects a ‘forced correction’ across all types of software (open source, commercial, proprietary and SaaS), with updates at every severity level, many of them critical.

Mythos and GPT-5.5-Cyber as Catalysts

The models now entering production show what this looks like in practice. Anthropic’s Mythos has reportedly found thousands of zero-day vulnerabilities across all major operating systems and browsers, many of them one to two decades old. OpenAI’s GPT-5.5-Cyber shows comparable capabilities in the independent AISI evaluation.

The promise: defenders find the holes first. The reality: the same tools are available to the other side. Both companies try to contain this through restricted access, Anthropic with Project Glasswing and OpenAI with the Trusted Access for Cyber program. But AISI has already shown that a universal jailbreak can be found with six hours of expert red-teaming.

What the NCSC Recommends

The NCSC’s recommendations are pragmatic: enable automatic security hot patching, turn on automatic updates for every device, embedded systems included, and establish an update-by-default policy. That sounds basic, but it is not yet standard practice in many organizations.
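On a Debian or Ubuntu host the first two recommendations come down to apt’s periodic and unattended-upgrades configuration. The script below is an added example, not code from the NCSC post or from this article: it audits whether unattended security updates are actually on and writes the ‘on’ configuration if they are not. It assumes the unattended-upgrades package is installed and uses the distribution’s default fragment paths (/etc/apt/apt.conf.d/20auto-upgrades and 50unattended-upgrades); both paths can be overridden so the functions can be exercised against any file. The constructed ‘weak’ configuration in the usage note (list refresh on, upgrade run off) is the one most often found in the field.

```shell
#!/bin/sh
# Added example: audit and enable unattended security updates on Debian/Ubuntu.
# Assumptions: unattended-upgrades is installed; the paths below are the
# distribution defaults and can be overridden for testing or other layouts.

PERIODIC_DEFAULT=/etc/apt/apt.conf.d/20auto-upgrades
ORIGINS_DEFAULT=/etc/apt/apt.conf.d/50unattended-upgrades

# periodic_value FILE KEY -> prints the numeric value of APT::Periodic::KEY
# from an apt.conf.d fragment, or nothing if the key is absent.
periodic_value() {
  sed -n "s/^APT::Periodic::$2 *\"\([0-9][0-9]*\)\";.*/\1/p" "$1" | tail -n 1
}

# check_auto_updates [FILE] -> prints "enabled" when package lists are refreshed
# and the unattended upgrader runs at least daily, otherwise "disabled".
# A missing or unreadable file counts as disabled (exit status 1).
check_auto_updates() {
  f="${1:-$PERIODIC_DEFAULT}"
  if [ ! -r "$f" ]; then echo disabled; return 1; fi
  lists=$(periodic_value "$f" Update-Package-Lists)
  unatt=$(periodic_value "$f" Unattended-Upgrade)
  if [ "${lists:-0}" -ge 1 ] && [ "${unatt:-0}" -ge 1 ]; then
    echo enabled; return 0
  fi
  echo disabled; return 1
}

# enable_auto_updates [PERIODIC_FILE] [ORIGINS_FILE]
# Writes the "on" configuration: daily list refresh and upgrade run, the
# security pocket only (so automatic updates never pull in feature releases),
# and an automatic reboot in a maintenance window when a kernel or libc
# update requires it.
enable_auto_updates() {
  p="${1:-$PERIODIC_DEFAULT}"
  o="${2:-$ORIGINS_DEFAULT}"
  cat > "$p" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
  cat > "$o" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
EOF
}

# Stand-alone use (as root): `sh auto-updates.sh --apply` audits the host,
# fixes the configuration if needed, then dry-runs the upgrader so the
# resulting files are proven to parse and to select packages.
if [ "${1:-}" = "--apply" ]; then
  if [ "$(check_auto_updates)" = disabled ]; then
    enable_auto_updates
  fi
  unattended-upgrade --dry-run --debug
fi
```

Two practitioner notes on the design: the audit deliberately requires both keys, because a host that refreshes package lists but never runs the upgrader reports ‘automatic updates’ in inventory while installing nothing; and Automatic-Reboot should be rolled out to a canary ring first, since an unattended reboot window that collides with a batch job is how update-by-default policies get switched off again.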

Why This Affects Everyone

The point isn’t that AI finds vulnerabilities - that was predictable. The point is the speed. When frontier models find in weeks what human auditors missed for decades, patching speed becomes the bottleneck. Not discovering vulnerabilities, but fixing them.

Oracle already issued a security advisory in April reacting directly to the new AI models. The message: patching timelines need to accelerate. The old rule of ‘critical patches within 30 days’ is no longer sufficient.

We’re moving into a world where the pool of known, exploitable vulnerabilities grows faster than defenders can patch it. That’s no longer a theoretical problem.


Sources: NCSC: Preparing for a vulnerability patch wave, AISI: Evaluation of GPT-5.5 cyber capabilities, SiliconAngle: Oracle front-runs AI model threat