Microsoft's regular monthly round of vulnerability fixes dropped as scheduled on Tuesday 14 April 2026, containing a handful of zero-days and critical updates for security teams to pore over. So far, so normal. But this month's Patch Tuesday was rather more notable than many other recent updates because it was, by some margin, the second-largest update in history by volume, comprising over 160 distinct flaws – October 2025 saw 175 – and rising to nearly 250 once third-party and Chromium updates were taken into account.
Almost immediately, commentators rushed to invoke the unavoidable spectre of artificial intelligence (AI). Vulnerability expert and regular Patch Tuesday commentator Dustin Childs, of TrendAI's Zero Day Initiative, was among them. In his regular write-up, he described the update as “monstrous” in size, and went on to suggest that growth in the use of AI tools to uncover software vulnerabilities at scale may be behind the sudden jump. This theory gained traction across the industry, as many began to connect the dots between the rapid expansion of AI-driven vulnerability research and the record-breaking patch volumes.
The lead-up to this Patch Tuesday was unusually eventful. A Google Chrome zero-day, CVE-2026-5281, was patched on 1 April, followed by an Adobe Acrobat Reader zero-day, CVE-2026-34621, late on Friday 10 April. Several older CVEs were also added to the CISA Known Exploited Vulnerabilities (KEV) catalog the day before the patch release. All of this unfolded amid significant industry buzz about Anthropic Mythos and Project Glasswing – an initiative that promises to fundamentally change how vulnerabilities are discovered and exploited.
Critical vulnerabilities and the AI factor
Project Glasswing, launched in early April 2026, is built around Anthropic's frontier model Claude Mythos Preview. According to its creators, Mythos can both discover zero-day flaws and develop functional exploits for them. Anthropic claims the model has already identified “thousands” of critical vulnerabilities, including some that have remained hidden in plain sight for years. To manage the potential risk, Project Glasswing was designed to limit access to the model to a select group of technology companies – including Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, Microsoft, Nvidia, and Palo Alto Networks – giving them a head start on patching before the model becomes more widely available.
While the release of Mythos is too recent to have directly caused the April Patch Tuesday spike – according to VulnCheck analysis, only 75 recently disclosed vulnerabilities mention Anthropic, and only one is directly attributable to Glasswing – the correlation is already being discussed as a harbinger of things to come. The conversation must happen now, because the timeline is accelerating rapidly.
Fast-moving timeline and accelerating threats
In an open letter published on 15 April, UK Business Secretary Liz Kendall urged business leaders to “plan accordingly” as frontier AI models become more adept. Doc McConnell, head of policy at Finite State and a former CISA branch chief and White House advisor, offered a sobering perspective: “The scenarios that Mythos enables aren’t routine. AI is a ratchet wrench for cyber security – it only goes in one direction: faster. It enables security teams to respond to incidents more quickly, but it also increases the volume and severity of those incidents. The traditional advice to ‘do the basics, but faster’ is no longer sufficient. Regardless of how skilled your technical team, humans simply can’t go fast enough to keep up with AI.” McConnell applauded Anthropic for its responsible approach with Project Glasswing, but cautioned that if a responsible actor is being noisy, an irresponsible one is likely working quietly in the shadows.
Chris Goettl, vice president of product management for software products at Ivanti, added that most discussions around Mythos have focused on where it will be used and the ramifications. Finding exploitable flaws in code can be a powerful tool for good when used by the vendor before release. However, it will also be used by researchers and threat actors to find flaws in already-released code. Goettl invited the industry to consider the knock-on effects: large tech firms will use frontier models to release more secure code, but both legitimate researchers and malicious actors will adopt robust AI models to identify exploitable flaws. The inevitable result is more coordinated disclosures (good), and more zero-day and n-day exploits (bad).
Impact on patch management cycles
This new reality will lead to more frequent and, more importantly, urgent software updates. Many organisations already struggle to keep up with priority updates that resolve exploited vulnerabilities outside their normal monthly maintenance. For instance, most organisations were not aware of the Adobe Acrobat zero-day exploit until the CISA KEV update, meaning threat actors had an additional two to three days of free reign to exploit CVE-2026-34621 before most became aware. With browser security updates now occurring weekly, and many business applications releasing updates on a continuous cadence rather than a fixed monthly date, the maintenance schedules of many organisations will be severely challenged. While it is impossible to predict whether the number of vulnerabilities will double, triple, or quadruple, it is certain that the increase will be noticeable and will exacerbate patch management difficulties.
Goettl believes security leaders must make a step change in mindset and maturity. Defining risk appetite and risk posture – when done effectively – can simplify remediation activities. Alongside this, a technical evolution is required: traditional vulnerability assessment and intelligence services must become better integrated into a broader ecosystem that includes asset visibility and systems of record. This hybrid approach helps determine whether issues need immediate attention or can wait for regular maintenance. The stack should be integrated with an autonomous endpoint management (AEM) platform to speed remediation.
Three steps for the industry
Doc McConnell outlined three steps the industry should consider. First, security must shift to the very beginning of the product lifecycle. Waiting until a CVE drops to determine if a product is affected is already too late. Binary analysis and software composition analysis need to run continuously from the earliest stages of design and development, not as a final check before release. Second, security must keep pace with product development, especially as companies accelerate development with AI. This means maintaining a real-time software bill of materials (SBOM) with automated reachability analysis for new vulnerabilities, so organisations can confidently prioritise the fixes that matter most. Third, companies must accept that even in a capable security environment, incidents will still happen. When they do, defenders need to match attacker speed. An automated vulnerability and incident response capability that can triage, communicate, and coordinate remediation across a product portfolio without relying on manual investigation at each step is essential. McConnell urged companies to act immediately: make it the top topic at the next board meeting, and partner with a firm that already has these capabilities if needed.
The implications extend beyond individual organisations. Regulators have already called in banks as the latest AI model identifies thousands of software vulnerabilities. The Cloud Security Alliance has warned of an AI vulnerability storm triggered by Anthropic's Claude Mythos, emphasising that letting probabilistic AI models autonomously operate inside production networks creates real safety and auditability issues. Core security validation still requires deterministic guardrails, and Anthropic's launch has raised the stakes considerably.
Could frontier models be good for cyber?
Despite the concerns, some leaders see a positive path forward. Richard Horne, CEO of the UK's National Cyber Security Centre (NCSC), believes AI can be used appropriately to find and fix flaws, but the road ahead is paved with risks. In an article published in the Financial Times, Horne wrote that in the immediate term, AI will increasingly expose organisations that have not taken appropriate steps to safeguard their cyber security. AI will make it easier, faster, and cheaper for attackers to discover and exploit weaknesses that previously required more time, skill, or resources. The pressure on organisations to patch quickly will only grow more acute. This makes it more essential than ever that organisations follow established good practices set out by the NCSC to raise their security baseline. These practices include reducing unnecessary exposure to attack, rapidly applying updates, and monitoring for and responding to malicious activity. Such technical actions must be championed by leaders and board-level executives to have a positive impact, because cyber risk is business risk.
Horne concluded that as society navigates these fast-evolving capabilities, the NCSC will stay focused on its mission to protect the UK from cyber threats, working alongside industry and wider government. By getting the fundamentals right and carefully adopting frontier AI models for good, network defenders can retain an advantage and help keep the UK safe online. The message is clear: this is not a future problem – it is happening now, and the window to prepare is closing rapidly.
Source: ComputerWeekly.com News