
AI Is Cutting Exploit Time to Days—Why Patching Alone Fails


AI vulnerability scanning has outpaced human patching cycles

AI vulnerability scanning uses machine learning and large-scale code analysis to find exploitable software flaws faster than human security teams can patch them, compressing the time between discovery, weaponization, and active exploitation from weeks or months into days or hours. Frontier models can now analyze entire codebases and their dependencies in a single sweep, turning what used to be a slow hunt for isolated bugs into a constant stream of detailed findings. That speed has moved the security bottleneck: the hard part is no longer identifying vulnerabilities but fixing them quickly enough to matter. As AI-assisted exploit development matures, attackers can automate both discovery and weaponization, while defenders remain bound to manual change windows, regression testing, and legacy patch approval workflows. The result is a widening gap between discovery and remediation, in which every delay is an open window for exploitation at zero-day speed.

From weeks to three days: patch management urgency hits policy

Security policy is beginning to reflect AI's acceleration. Authorities now expect critical vulnerabilities in key systems to be fixed in as little as three days, a sharp break from legacy patch windows that stretched to weeks or even months. The logic is direct: when AI tools and autonomous agents can mass-scan, identify, and weaponize flaws at machine speed, any extended remediation delay invites exploitation. The shift also exposes the limits of traditional Continuous Threat Exposure Management. Ranking a large vulnerability backlog by CVSS score, asset criticality, and threat intelligence tells teams what to patch first, but it does not stop the queue from growing faster than humans can clear it. Even under tighter mandates, organizations struggle to coordinate operations, development, and compliance teams, which shows that process optimization alone cannot close the gap between discovery and the safe deployment of a patch.


Spring Framework security: AI turns a workhorse into a hotspot

The Spring Framework shows how zero-day exploit speed now collides with legacy infrastructure. Broadcom, which stewards Spring, reported that monthly security advisories from the community jumped more than 1,700% from March to April 2026, a spike driven in part by foundation models that can inspect Java code at scale. According to Azul’s 2026 State of Java Survey, 56% of Java professionals now handle Java-related CVEs on a daily or weekly basis, and 30% say their teams waste more than half their time on false positives. Spring’s scale—running in more than half of Fortune 500 companies and increasingly underpinning AI production workloads—means every newly discovered flaw can quickly become a target. Broadcom’s response includes frontier model-based scanning across dependencies and SLSA Level 3 clean-room builds, paired with day-zero CVE-only patches for Tanzu Spring customers, to help enterprises remediate without waiting for full open source releases.


From backlog triage to attack path elimination

The surge in AI-driven findings has exposed a structural flaw: patching a single CVE is reactive, and the exposure returns as soon as the next bug appears along the same route. Subtractive security reframes the problem around attack path elimination rather than ticket-by-ticket backlog reduction. Instead of deciding whether to patch Path A or Path B first, teams measure which engineering change erases the most attack terrain at once, a measure also described as the Path Erasure Rate. For example, constraining browsers or office applications so they cannot spawn child processes or open arbitrary outbound connections removes entire classes of lateral movement paths, whatever the specific zero-day in play. The aim is to deny adversaries reliable pathways rather than chase every AI-discovered flaw, shifting scarce engineering effort toward durable architectural controls that permanently reduce the number of ways an exploit can succeed.
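The following Python is an added example, not code from the article, from Broadcom, or from the Spring project. It models the comparison the two preceding sections describe on a small constructed attack graph: it enumerates entry-to-target paths, scores each candidate change by the share of paths it removes (this example's reading of the Path Erasure Rate), and then drops a hypothetical next browser CVE onto the same route to show why a per-CVE patch is undone while a capability restriction such as blocking child processes is not. Every node, edge label, CVE name and control below is an assumption made for illustration.

```python
"""Path Erasure Rate (PER) over a small attack graph.

Added illustration, not code from the article or from Broadcom/Spring. The
graph, node names, edge labels and candidate controls are constructed
assumptions. PER is computed as the share of entry-to-target attack paths a
single change removes, which is this example's reading of the article's term.
"""
from collections import defaultdict
from fractions import Fraction
from typing import Dict, List, Sequence, Set, Tuple

Edge = Tuple[str, str, str]  # (from_node, to_node, enabling bug or capability)

ENTRY, TARGET = "internet", "db"

# Constructed attack graph. A label is either a specific CVE (patchable one at
# a time) or a standing capability an architectural control removes as a class.
EDGES: List[Edge] = [
    ("internet", "browser", "CVE-browser-1"),
    ("internet", "browser", "CVE-browser-2"),
    ("internet", "office", "CVE-office-1"),
    ("browser", "shell", "child_process"),        # exploit spawns a dropper
    ("office", "shell", "child_process"),         # macro spawns a shell
    ("browser", "implant", "outbound_connect"),   # in-process beacon, no new process
    ("office", "implant", "outbound_connect"),
    ("shell", "implant", "outbound_connect"),     # stage-two download
    ("shell", "fileserver", "smb_lateral"),
    ("implant", "fileserver", "smb_lateral"),
    ("fileserver", "db", "CVE-db-1"),
    ("implant", "db", "CVE-db-2"),
    ("shell", "db", "stolen_creds"),
]

# Candidate remediations: per-CVE patches versus capability restrictions.
CANDIDATE_CONTROLS: Dict[str, Set[str]] = {
    "patch CVE-browser-1": {"CVE-browser-1"},
    "patch CVE-office-1": {"CVE-office-1"},
    "patch CVE-db-1": {"CVE-db-1"},
    "block child processes": {"child_process"},
    "deny arbitrary outbound": {"outbound_connect"},
    "both restrictions": {"child_process", "outbound_connect"},
}

# The "next bug along the same route": a hypothetical third browser CVE.
NEXT_CVE: Edge = ("internet", "browser", "CVE-browser-3")


def enumerate_paths(edges: Sequence[Edge], src: str = ENTRY, dst: str = TARGET) -> List[Tuple[Edge, ...]]:
    """Return every simple path from src to dst; parallel edges count as distinct paths."""
    adjacency: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for s, d, label in edges:
        adjacency[s].append((d, label))
    paths: List[Tuple[Edge, ...]] = []

    def walk(node: str, visited: Set[str], trail: List[Edge]) -> None:
        if node == dst:
            paths.append(tuple(trail))
            return
        for nxt, label in adjacency[node]:
            if nxt not in visited:  # simple paths only, no revisiting a host
                walk(nxt, visited | {nxt}, trail + [(node, nxt, label)])

    walk(src, {src}, [])
    return paths


def apply_control(edges: Sequence[Edge], removed_labels: Set[str]) -> List[Edge]:
    """Drop every edge whose enabling bug or capability the control takes away."""
    return [e for e in edges if e[2] not in removed_labels]


def path_erasure_rate(edges: Sequence[Edge], removed_labels: Set[str]) -> Fraction:
    """Share of entry-to-target paths that disappear when the control is applied."""
    before = len(enumerate_paths(edges))
    if before == 0:
        return Fraction(0)
    after = len(enumerate_paths(apply_control(edges, removed_labels)))
    return Fraction(before - after, before)


def residual_after_next_cve(edges: Sequence[Edge], removed_labels: Set[str], new_edge: Edge) -> int:
    """Paths left once a fresh CVE lands on the same route, with the control still in place."""
    return len(enumerate_paths(apply_control(list(edges) + [new_edge], removed_labels)))


def rank_controls(edges: Sequence[Edge], controls: Dict[str, Set[str]]) -> List[Tuple[str, Fraction]]:
    """Order candidate changes by how much attack terrain each one erases."""
    scored = [(name, path_erasure_rate(edges, labels)) for name, labels in controls.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print(f"{len(enumerate_paths(EDGES))} attack paths from {ENTRY} to {TARGET}\n")
    print(f"{'control':<26}{'PER':>8}{'paths after next CVE':>24}")
    for name, per in rank_controls(EDGES, CANDIDATE_CONTROLS):
        left = residual_after_next_cve(EDGES, CANDIDATE_CONTROLS[name], NEXT_CVE)
        print(f"{name:<26}{float(per):>8.2f}{left:>24}")
```

On this constructed graph there are 18 paths from the internet to the database. Patching CVE-browser-1 erases a third of them, and the hypothetical next browser CVE puts the count straight back to 18; blocking child processes erases two thirds, and the same new CVE leaves only 8 paths because the capability it would need to reach the shell is gone. The metric is deliberately agnostic about control type: a single patch at a real choke point can score well too, which is the point of measuring terrain rather than ticket counts.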

Broadcom’s Spring strategy shows what AI-era patching looks like

Broadcom’s Spring roadmap hints at how large ecosystems may adapt to AI vulnerability scanning. For the open source community, the company is expanding its use of frontier model-based scanning and validation to identify and fix vulnerabilities across Spring’s dependency graph, calling it the largest security update program in the framework’s 23-year history. For Tanzu Spring customers, Broadcom now offers SLSA Level 3-validated, clean-room-built Java dependencies and day-zero access to CVE-only patches via the Spring Enterprise Repository. Isolating the security fix from any other change is meant to shorten testing and deployment, trimming the dangerous window between disclosure and remediation. As analyst Holger Mueller notes, AI is “phenomenal to identify vulnerabilities in existing code,” but the long game will be about combining faster fixes with architectural changes that raise the Path Erasure Rate and keep the backlog from overwhelming human teams.
