The UK's NCSC warns of a coming patch wave as AI accelerates vulnerability discovery. CISA considers slashing fix deadlines to three days. And both Anthropic and OpenAI just launched specialized AI models for defenders. Here is what the new tempo of cybersecurity means for your business.
Everything Is Accelerating
On May 4, the UK's National Cyber Security Centre issued an urgent advisory: artificial intelligence is now discovering software vulnerabilities so rapidly that organizations should prepare for a "patch wave" — a flood of security disclosures arriving faster than traditional patching processes can handle. The same day, Reuters reported that the U.S. Cybersecurity and Infrastructure Security Agency is considering cutting vulnerability-fix deadlines from two to three weeks down to just three days.
These are not incremental adjustments. They represent a fundamental shift in how quickly businesses must respond to security threats. The era of monthly patch cycles and quarterly security reviews is ending. The new normal is measured in hours and days, not weeks and months.
Why the Timeline Is Compressing
The acceleration has a specific cause: AI models are now capable of analyzing software code and identifying security flaws at a speed and scale that human researchers cannot match. CISA officials specifically cited Anthropic's Mythos model and OpenAI's GPT-5.4-Cyber as examples of AI systems that could enable attackers to move from vulnerability discovery to weaponized exploit in hours rather than weeks.
The NCSC warned that this capability cuts both ways. AI helps defenders find and fix vulnerabilities faster, but it also helps attackers find and exploit them faster. The net effect is that the entire lifecycle of a vulnerability — from discovery to disclosure to patch to exploit — is compressing dramatically. Organizations that cannot keep pace will be increasingly exposed.
Defenders Are Getting AI Weapons Too
The same week brought significant news on the defensive side. On May 1, Anthropic launched Claude Security in public beta, using its Opus 4.7 model to scan enterprise codebases for vulnerabilities and automatically generate proposed fixes. The tool integrates with CrowdStrike, Microsoft Security, and Palo Alto Networks — meaning small businesses using those platforms may already have access to AI-enhanced defense through their existing security providers.
Days earlier, on April 30, OpenAI released GPT-5.5-Cyber to federal government and critical infrastructure defenders, alongside a Cybersecurity Action Plan focused on democratizing AI-powered defense. Both companies are racing to put AI tools in the hands of defenders — a recognition that the only way to counter AI-speed attacks is with AI-speed defenses.
What This Means for Your Small Business
You do not need to understand the technical details of these AI models to benefit from them. What matters is that the security tools you already use — endpoint protection, email filtering, vulnerability scanners — are being upgraded with AI capabilities that dramatically improve their speed and accuracy. If your current security provider has not communicated an AI roadmap, it is worth asking the question.
On the operational side, the shift toward three-day patch deadlines — even if not yet mandatory — signals where the industry is heading. Start moving toward faster patching now, before it becomes a compliance requirement. Enable automatic updates wherever possible. Prioritize critical and internet-facing systems. If you rely on a managed IT provider, confirm they have a process for applying critical patches within 72 hours of release. The attackers are moving at AI speed. Your defenses need to keep up.
A Practical Action Plan for May
This month, take three concrete steps. First, audit your patching process. How long does it currently take from the release of a critical security update to its deployment across your systems? If the answer is more than a week, you have work to do. Second, ask your security vendors and managed service provider what AI capabilities they have deployed or are planning to deploy. The defenders with AI tools will have an increasingly significant advantage over those without them.
Third, do not let the pace of change create paralysis. The fundamental principles of good security — multi-factor authentication, least-privilege access, tested backups, employee awareness — are more important than ever. AI changes the speed at which threats emerge, but it does not change the controls that stop them. Master the basics, then layer on speed.
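The first step of the action plan, measuring the time from the release of a critical update to its deployment, can be run against an export of your patch records. The Python below is an added example, not part of the original article: the record layout, host names, advisory IDs and dates are constructed, while the 72-hour and one-week thresholds come from the text above.

```python
from datetime import datetime, timedelta

PATCH_TARGET = timedelta(hours=72)  # window the article says to confirm with your provider
WEEK = timedelta(days=7)            # the article's "you have work to do" threshold

# Constructed sample inventory (hypothetical hosts and advisory IDs), times in UTC.
# Fields: host, internet_facing, advisory, severity, released, deployed (None = unpatched)
SAMPLE = [
    ("web-01",  True,  "ADV-0001", "critical", "2025-01-06T09:00", "2025-01-07T15:00"),
    ("vpn-gw",  True,  "ADV-0002", "critical", "2025-01-06T09:00", None),
    ("file-01", False, "ADV-0001", "critical", "2025-01-06T09:00", "2025-01-11T09:00"),
    ("hr-pc-3", False, "ADV-0003", "moderate", "2025-01-02T09:00", None),
    ("mail-01", True,  "ADV-0004", "critical", "2025-01-03T09:00", "2025-01-14T09:00"),
]
NOW = datetime.fromisoformat("2025-01-15T09:00")  # constructed audit time


def audit(records, now):
    """Return critical patches that missed the 72-hour target, most urgent first."""
    findings = []
    for host, exposed, advisory, severity, released, deployed in records:
        if severity != "critical":
            continue
        # An undeployed patch is still accruing exposure, so measure it up to `now`.
        end = datetime.fromisoformat(deployed) if deployed else now
        latency = end - datetime.fromisoformat(released)
        if latency <= PATCH_TARGET:
            continue
        findings.append({
            "host": host,
            "advisory": advisory,
            "internet_facing": exposed,
            "open": deployed is None,
            "hours": latency.total_seconds() / 3600,
            "status": "over-1-week" if latency > WEEK else "over-72h",
        })
    # Still-unpatched first, then internet-facing systems, then longest delay.
    findings.sort(key=lambda f: (not f["open"], not f["internet_facing"], -f["hours"]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE, NOW):
        state = "UNPATCHED" if f["open"] else "patched late"
        print(f'{f["host"]:8} {f["advisory"]} {state:13} {f["hours"]:6.0f}h {f["status"]}')
```

Run monthly against real records, the top of the list is the unpatched, internet-facing system that has been exposed longest.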