AI-Driven Vulnerability Discovery Raises Questions About Patch-Only Security Strategies

Artificial-intelligence-driven vulnerability discovery is rapidly changing how organizations approach cybersecurity, with industry experts warning that traditional patch-focused security strategies may no longer be sufficient to manage growing risk. According to Joseph M. Saunders, Founder and Chief Executive Officer of RunSafe Security, recent advances in artificial-intelligence-powered vulnerability research have significantly increased the speed and scale at which exploitable flaws can be identified. Saunders pointed to Claude Mythos, an artificial intelligence system reportedly capable of identifying thousands of software vulnerabilities, generating working exploits, and uncovering flaws that had remained hidden for years despite extensive human review. While much attention has focused on artificial intelligence improving vulnerability discovery, Saunders argued that the larger challenge lies in what happens after flaws are identified.

According to Saunders, security teams were already facing significant remediation challenges long before artificial intelligence accelerated vulnerability discovery. Organizations have historically struggled to manage growing backlogs generated by vulnerability scanners, static analysis tools, and fuzzing technologies that consistently identify more security issues than teams can realistically resolve. The primary challenge, he said, has never been identifying vulnerabilities but rather triaging, prioritizing, testing, deploying fixes, and managing operational risk at scale. Artificial intelligence, in this context, has intensified an already existing imbalance by dramatically increasing the number of vulnerabilities that can be discovered in shorter periods of time. Saunders argued that when artificial intelligence systems can uncover hundreds of exploitable issues faster than security teams can investigate a small subset, the gap between discovery and remediation becomes increasingly difficult to manage. He added that organizations cannot realistically hire enough cybersecurity staff or deploy patches quickly enough to match machine-scale vulnerability identification.

At the same time, regulatory pressure is increasing around how organizations handle known vulnerabilities and cyber risk. Saunders highlighted the European Union Cyber Resilience Act as an example of stricter expectations, noting that manufacturers will be required to report actively exploited vulnerabilities within 24 hours beginning in September 2026, with the wider compliance obligations becoming enforceable in December 2027. According to Saunders, regulators are placing increasing emphasis not only on whether vulnerabilities exist but also on how organizations reduce risk once weaknesses are identified. This creates challenges for companies whose cybersecurity posture depends heavily on patch management, because vulnerability backlogs themselves may become measurable compliance risks. He noted that regulators are likely to expect organizations to demonstrate active efforts to reduce exploitability and limit exposure even when immediate patches are unavailable.

Saunders also emphasized that many vulnerabilities discovered by artificial intelligence involve long-standing software weaknesses that have persisted for decades, particularly memory-safety flaws such as buffer overflows and use-after-free errors. He noted that Claude Mythos reportedly identified a 27-year-old bug in OpenBSD, a 17-year-old flaw in FreeBSD, and a 16-year-old vulnerability affecting FFmpeg, illustrating how persistent these issues remain. While prioritization and remediation workflows remain important, Saunders argued that organizations should also focus on mitigation strategies that reduce exploitability at the binary level. He highlighted runtime protections such as Load-time Function Randomization as an example of technologies that can disrupt memory exploitation techniques without requiring source code modifications or waiting for patches. According to Saunders, shifting focus toward reducing exploitability rather than relying solely on remediation may help organizations strengthen resilience against increasingly automated vulnerability discovery methods.
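The following is an added illustration written for this page, not code from RunSafe Security or from the article, of why randomizing function layout at load time reduces exploitability without touching the underlying bug. It models a process image as a table of function "addresses" (indices), an attacker who has already obtained a memory-corruption write and uses it to redirect a stored code pointer to a privileged function whose address was learned from a reference binary, and a loader that either keeps the link-time order or shuffles it per load. The function names, the xorshift-based loader entropy, the connection structure, and the explicit assignment standing in for the overflow are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Toy model (not RunSafe code): function "addresses" are indices into a
 * layout table built at load time. The attacker's write primitive is modelled
 * as a direct assignment to a stored code pointer; the index it writes was
 * copied from a reference binary with the normal link-time layout. */

#define NFUNCS 8

static int admin_granted;                 /* what the attacker wants set */

static void handle_ping(void)    { /* benign */ }
static void handle_echo(void)    { /* benign */ }
static void handle_stats(void)   { /* benign */ }
static void handle_close(void)   { /* benign */ }
static void handle_noop(void)    { /* benign */ }
static void handle_version(void) { /* benign */ }
static void handle_flush(void)   { /* benign */ }
static void grant_admin(void)    { admin_granted = 1; }   /* attacker's target */

typedef void (*handler_fn)(void);

/* Link-time order: what a reference binary puts at each "address". */
static const handler_fn link_order[NFUNCS] = {
    handle_ping, handle_echo, handle_stats, handle_close,
    handle_noop, handle_version, handle_flush, grant_admin,
};
#define GRANT_ADMIN_LINK_INDEX 7          /* the value the attacker hardcodes */

typedef struct { handler_fn slot[NFUNCS]; } layout_t;   /* slot[i] lives at address i */

/* xorshift32: stand-in for the loader's entropy source (assumption). */
static uint32_t rng_next(uint32_t *s) {
    uint32_t x = *s; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *s = x;
}

/* Build the per-process layout. randomize=0 keeps link order (ordinary
 * binary); randomize=1 Fisher-Yates shuffles function order with a per-load
 * seed, the effect a load-time function randomizer aims for. */
static layout_t load_image(int randomize, uint32_t seed) {
    layout_t L;
    memcpy(L.slot, link_order, sizeof L.slot);
    if (randomize) {
        uint32_t s = seed | 1u;               /* xorshift must not start at 0 */
        for (int i = NFUNCS - 1; i > 0; i--) {
            int j = (int)(rng_next(&s) % (uint32_t)(i + 1));
            handler_fn t = L.slot[i]; L.slot[i] = L.slot[j]; L.slot[j] = t;
        }
    }
    return L;
}

/* Legitimate code resolves functions by identity (relocations, symbol
 * lookup), so it keeps working whatever order the loader chose. */
static int resolve(const layout_t *L, handler_fn fn) {
    for (int i = 0; i < NFUNCS; i++) if (L->slot[i] == fn) return i;
    return -1;
}

/* Victim object: a connection with a stored code pointer next to a buffer. */
typedef struct { char peer[16]; int handler_index; } conn_t;

/* Returns 1 if the hardcoded exploit leaves admin_granted set. */
int attack_succeeds(int randomize, uint32_t seed) {
    layout_t L = load_image(randomize, seed);
    conn_t c = { "10.0.0.5", resolve(&L, handle_ping) };   /* constructed sample */
    admin_granted = 0;

    /* Stand-in for the memory-corruption write (e.g. an overflow of c.peer):
     * the bug still fires; the attacker overwrites the code pointer with the
     * address of grant_admin as observed in the reference binary. */
    c.handler_index = GRANT_ADMIN_LINK_INDEX;

    L.slot[c.handler_index]();            /* victim dispatches through it */
    return admin_granted;
}

/* Count the loads (seeds 1..n) under which the hardcoded exploit works. */
int successes_over_seeds(int randomize, uint32_t n) {
    int hits = 0;
    for (uint32_t s = 1; s <= n; s++) hits += attack_succeeds(randomize, s);
    return hits;
}

/* Legitimate dispatch is unaffected by randomization. */
int legit_dispatch_ok(uint32_t seed) {
    layout_t L = load_image(1, seed);
    admin_granted = 0;
    int i = resolve(&L, handle_ping);
    if (i < 0) return 0;
    L.slot[i]();                          /* ping handler, wherever it landed */
    return admin_granted == 0 && resolve(&L, grant_admin) >= 0;
}

int main(void) {
    printf("fixed layout:      exploit works in %d/64 loads\n", successes_over_seeds(0, 64));
    printf("randomized layout: exploit works in %d/64 loads\n", successes_over_seeds(1, 64));
    return 0;
}
```

Under the fixed layout the hardcoded index hits `grant_admin` on every load; under the shuffled layout it lands on the target only when the loader happens to place it at the same slot (about one load in eight in this eight-function model), and otherwise calls the wrong function or, in a real process, faults. Two points the article's argument rests on are visible here: the vulnerability is not fixed (the corrupting write still happens), so the mitigation reduces exploitability rather than removing the finding from the backlog, and the protection holds only while the attacker cannot read the randomized layout, so an information-disclosure primitive that reveals code addresses at runtime restores reliable exploitation.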

