AI Vulnerability Discovery Shifts the Security Bottleneck From Patching to Triage

The Security Digest - News Team
Published June 18, 2026

Jason Murray, Senior Security Consultant at Arancia, explains why AI-powered vulnerability discovery has overwhelmed traditional patch-focused security programs and shifted the real constraint from deployment speed to triage quality.

For most of the past decade, the bottleneck in enterprise vulnerability management was deployment. Teams had a two-hour change window, a finite number of patches they could push, and the constraint was throughput: how many can we fit in before the window closes? AI-powered vulnerability discovery has changed that math. Tools like Anthropic's Mythos, GPT-5.5, and commodity open-weight models are now generating vulnerability findings at volumes that outpace what teams and maintainers can process. The constraint has moved. Most security programs have not moved with it.

Jason Murray is a Senior Security Consultant at Arancia, a Canadian cybersecurity advisory firm serving organizations across banking, insurance, healthcare, government, and retail. With 27 years in information security, Murray has led vulnerability management, compliance, and risk programs at MNP, PwC, and Computacenter, and holds certifications including CISSP, CRISC, and OpenFAIR Risk Analyst. He applies the theory of constraints, a framework borrowed from manufacturing and software development, to diagnose where security processes actually break down.

"What does that imply for vulnerability management programs, which by and large aren't run very well to begin with?" Murray says. "I borrowed a concept from software development: what would a minimum viable program look like?"

The constraint has moved

Murray frames vulnerability management as a process with discrete steps, from discovery through triage, approval, deployment, and validation. Before AI-accelerated discovery, the constraint was deployment: fitting patches into the change window and getting approvals through. That problem was solvable with preparation, pre-staging patches, pre-prioritizing approvals, and maximizing the available window.

The volume shift changes which step breaks first. Project Glasswing's initial update reported that AI-discovered findings were arriving faster than some maintainers could absorb them. The curl maintainer closed public bug submissions entirely. "Even if you filter out the AI slop, the 10% that is legitimate is still overwhelming the maintainers," Murray says. "They just can't keep pace."

For enterprise teams, the implication is the same. A customer's SentinelOne dashboard shows 3,000 open vulnerabilities. If roughly 4% of vulnerabilities in any given environment are the ones that matter, that is about 150. Which 150? That question is now the constraint.

CVSS alone breaks down

Murray argues that most organizations still prioritize using CVSS severity scores, a system that made sense as a rule of thumb a decade ago but no longer matches reality. "A CVSS of 10, which everyone usually runs around with their hair on fire about, some of them end up having exploits in the wild," Murray says. "Many of them don't."

He points to the Exploit Prediction Scoring System, now at version five, as one tool that evaluates the likelihood of a vulnerability becoming an exploitable threat. Combined with CISA's Stakeholder-Specific Vulnerability Categorization and asset context, including whether a vulnerability sits in an endpoint, a Kubernetes cluster, or a container pulled from an external source, teams can build a multi-factor triage process that focuses on business-critical exposure rather than raw severity.
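A minimal version of the multi-factor triage Murray describes, as an added example rather than code from Arancia, CISA, or the EPSS project: EPSS probability and KEV membership stand in for SSVC's exploitation axis, asset context for its mission-impact axis, and CVSS only breaks ties. The 10% EPSS cut-off, the tier names, and the four sample findings are assumptions constructed for the illustration.

```python
"""Multi-factor triage ranking: exploitation evidence and asset context decide the
tier, CVSS only breaks ties. Constructed sample data; not a vendor integration."""
from dataclasses import dataclass

# Tiers modelled loosely on CISA SSVC deployer outcomes (Track < Track* < Attend < Act).
TIERS = ["Track", "Track*", "Attend", "Act"]
EPSS_LIKELY = 0.10  # assumption: EPSS probability above this counts as "likely exploited"

@dataclass
class Finding:
    fid: str              # constructed placeholder id, not a real CVE
    cvss: float           # CVSS base score as reported by the scanner
    epss: float           # EPSS probability of exploitation in the next 30 days
    in_kev: bool          # listed in CISA's Known Exploited Vulnerabilities catalog
    asset: str            # asset context: endpoint, k8s-cluster, external-container, ...
    internet_facing: bool
    business_critical: bool

def exploitation(f: Finding) -> str:
    """Exploitation axis: KEV membership beats any EPSS estimate."""
    if f.in_kev:
        return "active"
    return "likely" if f.epss >= EPSS_LIKELY else "none"

def mission_impact(f: Finding) -> str:
    """Mission-impact axis derived from asset context rather than severity."""
    if f.business_critical and f.internet_facing:
        return "high"
    return "medium" if (f.business_critical or f.internet_facing) else "low"

def triage(f: Finding) -> str:
    """Map the two axes to a tier; CVSS only lifts unexploited findings on key assets."""
    ex, mi = exploitation(f), mission_impact(f)
    if ex == "active":
        return "Act" if mi != "low" else "Attend"
    if ex == "likely":
        return "Attend" if mi == "high" else "Track*"
    return "Track*" if (mi != "low" and f.cvss >= 9.0) else "Track"

def rank(findings):
    """Highest tier first, then EPSS, then CVSS as the final tie-breaker."""
    return sorted(findings, key=lambda f: (TIERS.index(triage(f)), f.epss, f.cvss), reverse=True)

SAMPLE = [  # constructed findings; ids are placeholders
    Finding("F1", 10.0, 0.004, False, "endpoint", False, False),
    Finding("F2", 7.5, 0.62, False, "external-container", True, True),
    Finding("F3", 6.8, 0.31, True, "k8s-cluster", False, True),
    Finding("F4", 9.8, 0.02, False, "endpoint", False, True),
]
```

`rank(SAMPLE)` returns F3, F2, F4, F1: the KEV-listed CVSS 6.8 on a business-critical cluster lands in Act, while the CVSS 10 on an unexposed endpoint with negligible EPSS ends up last in Track.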

"You have two people running your vulnerability management program, and right now they've been running ragged just trying to get people to patch at all," Murray says. "The change in the game is: which patches do you need them to focus on to really push?"

Vulnerability management is not the whole game

Murray cautions against treating the AI-driven vulnerability flood as a collapse scenario. Vulnerability discovery and exploitation sit at the early stages of the kill chain. Detection, lateral movement monitoring, response, recovery, and SOC operations still offer meaningful defensive value downstream. "Maybe we can use AI to our advantage in those cases," he says. "Detection, lateral movement, response and recovery."

The organizations most likely to adapt are not necessarily the largest or most regulated. Murray sees big banks with sophisticated tooling but bureaucratic inertia that keeps them locked into CVSS-driven compliance obligations. Smaller credit unions and mid-market firms, operating with tighter teams and more pressure, may have more room to change how they triage.

"It's a very significant change for people to pivot the way they think," Murray says. "The way you've been running your vulnerability management program has to change because the circumstances have changed."
