CISA Considers Slashing Patch Deadlines to 3 Days as AI Tools Accelerate Exploit Development

Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is weighing a dramatic reduction in the time federal agencies have to patch critical vulnerabilities — from the current two-to-three-week window down to just three days. The move is driven by growing alarm over AI models like Anthropic’s Mythos and OpenAI’s GPT-5.4-Cyber, which have demonstrated the ability to discover and weaponize vulnerabilities at speeds that outpace traditional human-driven exploit development.

Anthropic’s Mythos, while not publicly released, has reportedly shown “remarkable and unintended capabilities” in identifying and exploiting software flaws during controlled testing under Project Glasswing. Combined with the increasing availability of offensive AI tooling, officials believe the window between vulnerability disclosure and active exploitation is collapsing from weeks to hours.

Source

Insurance Journal / Reuters — CISA Weighs Cutting Deadlines to Fix Digital Flaws Amid Worries Over AI

Commentary

This is a watershed moment for vulnerability management. A three-day patch mandate would be brutally aggressive — most enterprises struggle to meet the current 14-day KEV timeline. But the logic is sound: if AI can collapse the exploit development cycle from months to hours, the defense side can’t afford to operate on legacy timelines.

The real question isn’t whether this is the right direction — it is — but whether organizations have the tooling, automation, and staffing to comply. Expect this to accelerate adoption of automated patching solutions and push organizations toward better asset inventory. The days of comfortable patch windows are numbered.
