AI Is Finding Software Flaws Faster Than Companies Can Fix Them. Something Has to Change.

Security experts are calling time on the old 'scan once a month, patch when you can' model. Artificial intelligence now finds vulnerabilities faster than human teams can close them.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial overhead view of a developer workstation with a glowing terminal window and an open code editor, abstract cloud-shaped server racks in
Share

Key points

  • AI tools can now find, confirm, and exploit software flaws without waiting for a human researcher to report them first.
  • Verizon's 2024 Data Breach Investigations Report recorded a median patch time of 43 days across enterprises, a figure security experts call dangerously slow.
  • Virtual patching, a technique that blocks attacks at a security layer rather than fixing the broken code underneath, buys time but does not remove the underlying risk.
  • Experts say companies need continuous, real-time intelligence about which of their systems are exposed, not a scheduled monthly scan.

For decades, fixing software flaws worked roughly like this. A human researcher found a problem. They reported it. The software maker issued a fix, called a patch. Companies tested the patch and rolled it out. The whole cycle could take a month or more, and that was considered acceptable.

AI has broken that model.

Tools built on large language models, the same technology behind chatbots, can now scan software at enormous scale, find weaknesses, confirm they are exploitable, and hand that intelligence to criminals, all without a person in the loop. Rik Ferguson, vice president of security intelligence at security firm Forescout, put it bluntly in comments first reported by CSO Online: "An AI system doesn't wait for a proof-of-concept to circulate on GitHub or a CVSS score to land in a dashboard. It finds the flaw, confirms exploitability, and moves."

How big is the gap between finding a flaw and fixing it?

Big, and growing. Verizon recorded that 43-day median patch time across enterprises in its 2024 Data Breach Investigations Report. Against a human attacker working at human speed, that window was uncomfortable. Against an AI system that can work through thousands of targets overnight, it is a problem of a different order entirely.

The UK's National Cyber Security Centre has warned that AI-accelerated discovery will likely drive a surge in newly reported flaws. Andrew Woodford, chief technology officer at network security firm Titania, told CSO Online: "Most organizations already struggle to fix known issues quickly, so a spike in AI-driven discovery could easily overwhelm teams."

Some companies turn to virtual patching as a short-term answer. A virtual patch does not fix the broken code. Instead, it sits in front of the vulnerable system and blocks known attack methods from reaching it. Think of it as a bouncer who stops trouble at the door while the building's faulty wiring stays untouched inside.

The risk is that temporary becomes permanent. Ferguson warns that a virtual patch can create "a false sense of closure that delays proper patching indefinitely."

Ferguson advocates an approach he calls "Assume Autonomy": plan for the possibility that criminals are already using AI to probe your systems without your knowledge, and ask what controls limit the damage they can do once inside.

Practically, that means four things. Know every device on your network. Map which systems face the internet directly. Track which flaws criminals are actively exploiting right now, not just which ones have been reported. And have an emergency process for pushing a fix outside the normal monthly schedule when a critical flaw surfaces.

What should your organisation do now?

If you run IT for a business, pressure-test your asset inventory. You cannot protect a device you do not know exists. If you are a customer or employee, there is nothing to do today, but this is why you see software-update prompts and should not dismiss them.

© 2026 Threat Vectr