From Five Bugs a Month to Seventy-Five: The New Reality of AI Vulnerability Detection
The scale and speed of AI vulnerability detection are starting to rewrite the rules of enterprise security. Palo Alto Networks, which historically identified around five flaws per month, recently scanned its entire codebase with frontier large language models, including Anthropic’s Mythos, Claude Opus, and OpenAI’s GPT-5.5-Cyber. The result: 75 security issues bundled into 26 CVEs across more than 130 products and platforms, all uncovered in roughly a month. Mozilla has seen similar surges, fixing 423 Firefox bugs in April after earlier runs with Mythos surfaced hundreds of issues in a single browser version. Vendors are racing to use AI to discover and remediate weaknesses before attackers do, especially as offensive use of AI becomes more accessible. The upside is clear: dramatically improved security threat discovery. The downside is equally clear: a looming overload of patches and operational work for enterprise teams.
Inside Microsoft’s MDASH: Over 100 AI Agents Hunting Windows Vulnerabilities
Microsoft’s MDASH system shows how far AI-driven security has come, moving from research experiment to production-grade defense. MDASH orchestrates more than 100 specialized AI agents, each tuned to detect particular classes of bugs, and runs them across a panel of frontier and smaller models. The agents not only scan code, they also debate and cross-audit findings; when one agent flags a potential issue and others fail to disprove it, the likelihood of a true vulnerability rises. Using this multi-model, agentic harness, Microsoft recently uncovered 16 new Windows vulnerabilities, including four critical remote code execution flaws in core components such as the kernel TCP/IP stack and IKEv2 service. MDASH has outperformed standalone models like Mythos and GPT 5.5 on the CyberGym benchmark, and is already being used by Microsoft’s internal security engineering teams and a small set of enterprise customers in private preview, signaling a broader shift to AI-led security operations.
Welcome to the ‘Vulnpocalypse’: When Patches Multiply Faster Than Teams Can Respond
As vendors adopt AI at scale, the industry is entering what some researchers call a “vulnpocalypse”: vulnerabilities and patches multiplying faster than traditional processes can handle. Finding bugs has historically been the cheap part of the security pipeline. The expensive, slow stages are triage, coordinated disclosure, building high-quality patches that do not break production, and then getting customers to actually deploy them. AI drastically accelerates the first stage without automatically solving the rest. Experts warn that if AI-driven patching introduces instability, already skeptical customers may delay or avoid updates, even as attack surfaces grow. Palo Alto Networks’ leadership expects only a narrow three-to-five-month window for defenders to stay ahead before AI-driven exploits become normal for adversaries. Meanwhile, Microsoft anticipates that Patch Tuesday volumes will continue to rise as both internal teams and external researchers lean on agentic AI to expand security threat discovery.
Rethinking Enterprise Vulnerability Management for AI-Speed Patching
For enterprise security teams, the immediate challenge is not AI vulnerability detection itself, but absorbing the downstream impact on workflows. Traditional vulnerability management assumed relatively stable patch volumes and manual triage cycles. Those assumptions are breaking. Organizations now need scalable intake processes that can prioritize AI-discovered flaws based on exploitability and business impact, not just raw counts. Change-management pipelines must be retooled for more frequent, sometimes continuous, updates, with stronger pre-deployment testing and rollback plans to offset the risk of faulty patches. Coordinated communication between security, IT operations, and development becomes critical when patches for dozens of issues arrive at once. Over time, enterprises will likely adopt more automated patch deployment for lower-risk fixes, reserving human scrutiny for complex or mission-critical systems. The strategic question is no longer whether to use AI, but how quickly governance, tooling, and culture can adapt to AI-speed enterprise vulnerability management.