Microsoft’s regular monthly round of vulnerability fixes, known as Patch Tuesday, arrived on 14 April 2026 with an unusually heavy payload. The update contained more than 160 distinct flaws, making it the second-largest in history by volume, trailing only October 2025, which saw 175 vulnerabilities. When counting third-party and Chromium updates, the total exceeded 250.
The record-breaking count immediately sparked debate within the cybersecurity community. Many commentators pointed to the accelerating role of artificial intelligence in vulnerability discovery. Dustin Childs, a vulnerability expert at TrendAI’s Zero Day Initiative, described the update as “monstrous” in his regular analysis, suggesting that the increased use of AI tools to uncover software flaws at scale may be a driving factor behind the surge.
Chris Goettl, vice-president of product management for software products at Ivanti, echoed this view. He noted that the lead-up to Patch Tuesday was already eventful, with a Google Chrome zero-day patched on 1 April, an Adobe Acrobat Reader zero-day discovered on 10 April, and several older CVEs added to the CISA Known Exploited Vulnerabilities catalog. All this unfolded against the backdrop of industry buzz around Anthropic’s new frontier AI model, Claude Mythos, and its associated Project Glasswing.
Critical Vulnerabilities and the Mythos Factor
Project Glasswing, launched in early April, is built around Claude Mythos Preview, a frontier AI model that Anthropic claims can both discover zero-day vulnerabilities and develop exploits for them. The company says Mythos has already uncovered “thousands” of critical vulnerabilities, some of which have remained hidden in plain sight for years. To manage the risk, Anthropic created Project Glasswing to limit access to the model, granting early access to a select group of major tech firms, including Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, Microsoft, Nvidia, and Palo Alto Networks. These companies were given a head start to fix flaws before Mythos becomes more widely available.
Despite the timing, Mythos likely had only a minor impact on the latest Patch Tuesday. Analysis by vulnerability intelligence firm VulnCheck found that only 75 recent CVEs mention Anthropic, and just one is directly attributable to Project Glasswing. However, the correlation between the model’s release and the spike in disclosures is a topic of growing concern. As business secretary Liz Kendall stated in an open letter on 15 April, UK business leaders must plan for a future where frontier AI models become even more adept at finding flaws.
Fast-Moving Timeline and the Ratchet Effect
The speed of change is unprecedented. Doc McConnell, head of policy at Finite State and a former Cybersecurity and Infrastructure Security Agency (CISA) branch chief, warned that AI acts as a “ratchet wrench” for cybersecurity. “It only goes in one direction: faster. It enables security teams to respond more quickly, but it also increases the volume and severity of incidents,” McConnell said. He stressed that while basic practices like building security into the product lifecycle and accelerating patch cycles remain essential, the traditional advice to “do the basics, but faster” is no longer sufficient. “Humans simply can’t go fast enough to keep up with AI,” he added.
McConnell praised Anthropic’s responsible approach but cautioned that if one player is working openly, others are likely working quietly and irresponsibly. The implication is clear: the same AI capabilities that help vendors secure their code can also be weaponized by threat actors.
How Will Mythos Be Used?
Ivanti’s Chris Goettl explored the dual-use nature of frontier AI models. On one hand, large tech firms can use them to release more secure code. On the other hand, both legitimate security researchers and malicious actors will adopt AI to find exploitable flaws. This will likely lead to more coordinated disclosures (positive), but also more zero-day exploits (negative) and n-day exploits (negative). “All of this will result in more frequent, and more importantly, urgent software updates,” Goettl said.
Organizations already struggle to keep up with priority updates outside of normal monthly maintenance cycles. Goettl pointed to the Adobe Acrobat zero-day as an example. Most organizations were unaware of the exploit until it was added to the CISA KEV list two to three days after discovery, giving threat actors a window of opportunity. With browser security updates now occurring weekly and many business applications releasing patches continuously, the traditional monthly patch cycle is becoming obsolete. The number of exploits is likely to double, triple, or quadruple, exacerbating existing patch management challenges.
Next Steps for Security Leaders
Goettl believes security leaders must undergo a step change in mindset and maturity. Defining risk appetite and posture can make remediation activities clearer. He recommends integrating vulnerability assessment and intelligence services into a broader ecosystem that includes asset visibility and systems of record. This hybrid approach helps determine whether a flaw requires immediate attention or can wait for regular maintenance. An autonomous endpoint management (AEM) platform can further speed remediation.
Finite State’s McConnell outlined three concrete steps for the industry. First, security must move to the very beginning of the product lifecycle, with continuous binary analysis and software composition analysis from the design phase, not as a final check. Second, security needs to keep pace with accelerated development, which means real-time software bills of materials (SBOMs) with automated reachability analysis to prioritize fixes. Third, companies must accept that incidents will still happen and need automated vulnerability and incident response capabilities that can triage, communicate, and coordinate remediation without manual intervention. McConnell urged companies to make this a top boardroom topic immediately.
Could Frontier Models Be Good for Cyber?
Despite the risks, some leaders see promise. Richard Horne, CEO of the UK’s National Cyber Security Centre (NCSC), believes that AI, if used appropriately, can be beneficial. In an article published in the Financial Times, Horne argued that AI will increasingly expose organizations that have not taken proper security steps. “AI will make it easier, faster, and cheaper to discover and exploit weaknesses that previously required more time, skill, or resource for attackers to identify,” he wrote. The pressure to patch quickly will only grow. Horne emphasized that following established good practices—such as reducing unnecessary exposure, rapid application of updates, and monitoring for malicious activity—is more essential than ever. These technical actions, championed by board-level executives, can help maintain an advantage. “By getting the fundamentals right and carefully adopting frontier AI models for good, network defenders can retain an advantage and help keep the UK safe online,” he concluded.
Source: ComputerWeekly.com News