The UK's National Cyber Security Centre has a blunt message for security teams: get ready for a flood of patches you can't outrun. CTO Ollie Whitehouse warned in a blog post Friday that AI-powered bug hunting tools are about to expose years of buried vulnerabilities all at once. Models like Anthropic's Claude Mythos and OpenAI's GPT-5.5-Cyber can now find flaws faster than most teams can fix them. The result is what Whitehouse calls a "forced correction" of technical debt that's been piling up for decades.
Organizations have long chosen speed over security, shipping code with known weaknesses because fixing them was expensive and slow. AI breaks that trade-off. When a model can scan an entire codebase and surface cross-file vulnerabilities that traditional static analysis would miss, the old strategy of ignoring problems until someone reports them falls apart.
Someone will find it. Probably soon.
The NCSC is telling teams to shrink their exposed attack surfaces now, starting with internet-facing systems and working inward. Whitehouse notes that patching won't be enough for everything. End-of-life systems will need full replacement. His advice: "Prepare to patch quickly, more often, and at scale." That's not a suggestion.
The same AI that helps defenders also helps attackers. Vendors promise their tools will find bugs before bad actors do, but that capability cuts both ways. The barrier to discovering zero-days just dropped for everyone. Security teams are about to get very busy, ready or not.