Heimdal

Claude Mythos, an AI model from Anthropic, has found 23,019 software vulnerabilities in the past month. Fewer than 1% of them have been patched.

That gap is the story. Finding a vulnerability used to be the hard part, the thing that limited how fast software got fixed. AI just closed that gap to almost nothing. What’s left is the part AI can’t do. It can’t verify a finding, decide what to fix first, or actually ship the patch.

That’s what people mean when they say “the patch wave” is coming. It isn’t really about patches. It’s about whether anyone can act on what’s already been found.

To understand why that gap opened so fast, and what it means for your own exposure, it helps to know how we got here.

The National Cyber Security Centre wants organisations to prepare for a wave of patches

A recent blog post published by the National Cyber Security Centre (NCSC) has caused quite a stir in the cybersecurity community. Written by NCSC’s Chief Technology Officer, Ollie Whitehouse, it warned that organisations must act now to prepare for a wave of patches.

The basic framing here will be familiar to anybody who works in IT or cybersecurity. Tech vendors, Whitehouse argues, often prioritise short-term gains over building products that are resilient in the long term. Because software testing is expensive and time-consuming, vulnerabilities are all but inevitable.

Over time, software accumulates ‘technical debt’: a growing backlog of known but unaddressed issues.

But as Whitehouse explains, the setup is about to change substantially, for several key reasons.

  • AI models are becoming increasingly effective at identifying software vulnerabilities at scale.
  • As a result, it’s highly likely that there will be a ‘forced correction’ on the horizon, with software vendors releasing large quantities of new patches to address this technical debt.
  • Therefore, organisations should prepare to ‘patch quickly, more often, and at scale’.

If you’re looking for a straightforward overview of the patch wave, this is pretty much what you need to know. But in truth, the implications for security teams run a lot deeper than this. To understand what’s happening here in more detail, we have to turn to a story you might have already heard about.

Anthropic, Claude Mythos, and Project Glasswing

Over the last few weeks, Anthropic and Claude Mythos have gained a fair amount of attention in the media. To understand the implications for your patching strategy, it’s helpful to start from the beginning.

Project Glasswing is a small network of 50 tech vendors that have been allowed access to Anthropic’s new AI model, Claude Mythos. This is the reportedly ‘highly capable’ AI model that Anthropic hasn’t released to the public, due to fears about its capabilities.

A version of the same underlying model, with extra safety measures built in, was later released publicly as ‘Claude Fable 5’.

Here’s why this is all relevant to our conversation.

Claude Mythos is highly capable at detecting security vulnerabilities. And while the general public doesn’t have access to it, those companies participating in Project Glasswing do. What they’ve found is genuinely staggering.

In total, the 50 organisations involved in the project found around 10,000 vulnerabilities between them. According to Anthropic, one of these companies (Cloudflare) found a total of 2,000 bugs, of which about 400 are high or critical severity.

Mozilla was also part of the project and has discussed its own findings in detail. This is particularly interesting because the company has been using different AI models to identify vulnerabilities since early 2026.

Here, we can clearly see when Mozilla started using AI to detect vulnerabilities, and when it started to use Claude Mythos.

Across 2025, 15 to 30 vulnerabilities a month were detected. In February this year, that number shot up to 61 and then 76 in March. In April, it skyrocketed to 423. Of those 423, 271 were down to Claude Mythos. Crucially, around 180 of that group were high-severity vulnerabilities, and some were as much as 15 to 20 years old.

Bar chart of Firefox security bug fixes per month, Jan 2025–Apr 2026, spiking to 423 fixes in April 2026.

[Source, Mozilla, Behind the Scenes Hardening Firefox with Claude Mythos Preview]

That huge spike in April is essentially Mozilla identifying decades’ worth of technical debt in one fell swoop. This is the patch wave that the NCSC described.

Now, software vendors like Mozilla have been racing to release patches for these vulnerabilities faster than hackers can exploit them.

At the moment, there are only 50 companies involved in the project, but it’s soon going to expand to 200. And in the medium term, we can expect this technology to filter down to the rest of the industry in some way, even if it’s restricted at the moment.

In short, the patch wave is coming, one way or another.

While defenders wait on patches, attackers aren’t standing still either. In its own year-long study of banned accounts, Anthropic found the share of attackers using AI in ways serious enough to count as medium or high risk nearly doubled, from 33% to 56%, in under twelve months.

The gap between finding a fix and shipping it isn’t a paperwork problem. It’s a race.

What the patch wave means for security teams

All these findings are fascinating, but what do they actually mean for your security strategy? There are two main consequences worth being aware of.

  • The number of patches released by software vendors will significantly increase, for the reasons we’ve already described.
  • When they’re released, attackers will be able to reverse engineer the patches to recover the original vulnerabilities. They can then use these as the basis for fast, effective, and autonomous attacks at scale, using the techniques we described in the last section.

In short, AI has made finding vulnerabilities a trivial exercise. Once, the number of patches was limited by how fast human researchers could find the bugs. Now, the bottleneck has moved to the part AI can’t do for you. You still have to download, prioritise, and install the patches.

At its heart, this is an operational problem, not a technology problem.

Preparing for the patch wave

It’s easy for the patch wave story to come across as another sensationalist, fearmongering headline which, let’s be honest, is not exactly uncommon in the cybersecurity scene. But that doesn’t mean we should ignore it.

Luckily, a lot of what you need to handle the patch wave already exists.

In the NCSC’s original article, Whitehouse outlines several suggestions for organisations looking to prepare. In principle, the argument is simple. You should install patches instantly and automatically, wherever possible. Otherwise, you need clear processes in place to classify the relative risk of vulnerabilities, so you can prioritise the most critical.

Of course, putting it into practice is easier said than done. I discuss that in my follow-up article, [XYZ], which goes into more detail about the tools and processes you need to manage the patch wave, and how Heimdal can help.

In the meantime, if you want to find out more about Heimdal, check out our Patch & Asset Management module here.

Author Profile

Head of Content at Heimdal. A journalist by trade who cares about helping MSPs and security teams make better decisions, enjoy their work, and see real results.
