14 Days Is No Longer Enough — AI Just Changed the Rules


The Patching Window Just Closed: What Mythos and AI-Powered Vulnerability Discovery Mean for Cyber Essentials

Last year, this blog asked whether 14 days was fast enough. The answer then was: barely. Today, the answer is no.

The arrival of Anthropic’s Claude Mythos Preview, and the broader wave of AI tools now capable of finding and chaining vulnerabilities at machine speed, has fundamentally shifted the threat calculation. If your patching process is built around a 14-day window, you’re already behind.

What Mythos Actually Does

This isn’t another vulnerability scanner. Mythos operates differently:

  • Finds what humans miss: it interacts with software dynamically, running functions, testing edge cases, and learning from each result, uncovering deeply buried weaknesses traditional methods often miss.
  • Scale that’s hard to overstate: it identified 271 zero-day vulnerabilities in Mozilla Firefox, representing the most significant single batch of security fixes in the browser’s history.
  • Speed that redefines the problem: AI is compressing vulnerability discovery timelines from months or years into hours.
  • It doesn’t just find, it acts: Mythos can launch debuggers, interact directly with systems, form hypotheses and test them, launch containers, and execute code autonomously. It does not merely suggest fixes; it takes action.

Mythos is currently restricted to trusted partners under Project Glasswing and is positioned primarily as a defensive tool. But the capability exists. And what defenders have, adversaries will seek to replicate.

The Wider AI Threat Picture

Mythos is the headline, but it’s not alone. Frontier models are accelerating attack lifecycles, enabling attackers to identify and exploit vulnerabilities at a scale and speed, and through novel methods, that were previously the domain of advanced nation-state actors.

Expect the same pattern to repeat over the next several months and years: incremental progress, then a jump. Models will get more capable and cheaper with each cycle, and each jump will put more pressure on security teams still operating at human speed.

The old model assumed human speed throughout: someone finds a vuln, writes it up, a PoC appears days later, and exploitation follows. That assumption is gone.

So Where Does Cyber Essentials Stand?

Cyber Essentials still matters. In fact, it matters more. But the 14-day patching requirement needs to be understood for what it is: a floor, not a target.

Here’s the reality:

  • 14 days was already tight — with nearly 30% of known exploited vulnerabilities being weaponised within 24 hours of disclosure (VulnCheck Q1 2025), the window between “published” and “exploited” has always been shorter than 14 days for the nastiest CVEs.
  • AI compresses it further — when tools can autonomously discover, chain, and exploit vulnerabilities in hours, a 14-day patch cycle is a liability, not a policy.
  • Critical vulnerabilities should now be treated as 24–72 hour problems, not 14-day ones. The Cyber Essentials 14-day rule is the compliance minimum. Your operational target should be significantly shorter.

What the Cyber Essentials Controls Still Get Right

The five controls remain solid, foundational hygiene, and AI doesn’t make them irrelevant, it makes them more urgent:

  • Patching: Treat the 14-day rule as a hard ceiling for everything, and a 24–72 hour target for anything rated critical with a known exploit path.
  • Secure Configuration: AI tools are particularly effective at finding misconfigurations; locked-down, minimal attack surfaces reduce the available foothold.
  • Firewalls and Gateways: Network edge devices remain a top target. Reduce internet-facing exposure wherever possible.
  • Access Control: Lateral movement is something Mythos-class tools are explicitly designed to automate. Least privilege limits the blast radius.
  • Malware Protection: Basic, yes, but still relevant when AI-generated payloads start appearing at scale.

The Real Operational Challenge

The real problem is not discovery, it’s prioritisation and action. Security teams struggle because the operational cost of deciding what matters, what is exploitable, what can wait, and what can be fixed safely is enormous.

That hasn’t changed. What’s changed is the volume of findings and the speed at which the threat side moves. Your patching process needs to keep pace: triage faster, act faster, and automate where you can.
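One way to turn the patching tiers described under the controls above into an automated triage step, as an added example that is not code from the article or from any Cyber Essentials tooling: the 14-day ceiling and the 24–72 hour target for critical findings with a known exploit path (72 hours used as the outer bound) come from the post; the 7-day middle tier, the CVSS thresholds, the `known_exploited` flag and the sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# SLA tiers in hours. The 14-day ceiling and the 72-hour target for critical findings
# with a known exploit path follow the article; the 7-day tier between them is assumed.
CEILING_HOURS = 14 * 24
CRITICAL_EXPLOITED_HOURS = 72
HIGH_HOURS = 7 * 24

@dataclass
class Finding:
    ident: str              # placeholder identifier, constructed for this example
    cvss: float             # CVSS base score
    known_exploited: bool   # listed in a known-exploited-vulnerabilities feed (assumed)
    published: datetime     # disclosure time, UTC

def sla_hours(f: Finding) -> int:
    """Hours after disclosure by which the finding must be fixed."""
    if f.known_exploited and f.cvss >= 9.0:
        return CRITICAL_EXPLOITED_HOURS   # critical with a known exploit path
    if f.known_exploited or f.cvss >= 7.0:
        return HIGH_HOURS                 # assumed intermediate tier
    return CEILING_HOURS                  # everything else: the 14-day ceiling

def deadline(f: Finding) -> datetime:
    return f.published + timedelta(hours=sla_hours(f))

def triage(findings: list, now: datetime) -> list:
    """(ident, sla_hours, hours_remaining) sorted most urgent first; negative = overdue."""
    rows = []
    for f in sorted(findings, key=deadline):
        remaining = (deadline(f) - now).total_seconds() / 3600
        rows.append((f.ident, sla_hours(f), round(remaining, 1)))
    return rows

# Constructed sample data; identifiers are placeholders, not real CVEs.
T0 = datetime(2025, 6, 1, 0, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(hours=12)
SAMPLE = [
    Finding("VULN-A", 9.8, True, T0),                        # critical and exploited
    Finding("VULN-B", 5.3, False, T0 - timedelta(days=13)),  # low, close to the ceiling
    Finding("VULN-C", 7.5, False, T0 - timedelta(days=2)),   # high, no known exploit
    Finding("VULN-D", 8.1, True, T0 - timedelta(days=8)),    # exploited, already overdue
]

if __name__ == "__main__":
    for row in triage(SAMPLE, NOW):
        print(row)
```

Run against the sample, the exploited finding that has already blown its 7-day window sorts first with a negative remaining time, while the low-rated finding sorts above the fresh critical one because it is hours from the 14-day ceiling.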

Bottom Line

14 days is the rule. Hours is the reality.

Cyber Essentials gives the framework. AI has raised the bar on what “good enough” looks like. If you’re still treating patching as a fortnightly admin task, you’re running a risk your certification doesn’t cover.

Patch early. Patch often. And if you’re not sure whether your current process is fit for the AI era, get in touch.
