
Did AI kill vulnerability management—or just expose its flaws?


COMMENTARY: The scan-prioritize-patch cycle that defined vulnerability management for two decades has broken.

The system was already under strain before Mythos arrived on the scene. But regardless of whether Claude Mythos lives up to the hype, our customers are deeply worried about their ability to address the inevitable tsunami of AI-discovered vulnerabilities heading their way.

And for good reason.


There’s no shortage of evidence that vulnerability management has failed at scale, and those failures began long before AI models became proficient at finding vulnerabilities. CVE submissions to the National Vulnerability Database (NVD) rose 263% between 2020 and 2025, and the first three months of 2026 are running nearly one-third higher than the same period last year. NIST enriched nearly 42,000 CVEs in 2025—45% more than any prior year—but even that wasn't enough.

That's why NIST shifted to a risk-based model in which only the highest-priority CVEs receive full enrichment. More than 29,000 backlogged CVEs with publication dates before March 1, 2026, were moved to a "Not Scheduled" category, allowing NIST to clear its backlog through reclassification.

Teams that have relied on NVD severity scores and metadata to drive prioritization now face a growing blind spot. The official record has become increasingly incomplete, and that problem will only worsen as AI-driven vulnerability discovery accelerates the volume of findings. Forecasts predict that more than 50,000 CVEs could be reported in 2026 alone—and those projections do not yet fully account for tools like Claude Mythos and GPT-5.4-Cyber, which promise to find vulnerabilities at machine speed.

If that isn't evidence that the traditional vulnerability management model has reached its limits, it's hard to imagine what such evidence would look like.

Meanwhile, the exploitation window has collapsed. Research indicates that 61% of exploited vulnerabilities are weaponized within 48 hours of disclosure. By the time a vulnerability reaches "analyzed" status in the NVD and works its way through a traditional prioritization workflow, the breach may have already happened.
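The two failure modes described above, NVD records that never receive a severity score and a 48-hour window between disclosure and weaponization, both break a prioritization workflow that simply sorts by CVSS. The following Python example, added here and not code from the column or from XM Cyber, contrasts that legacy sort with a triage function that treats a missing score as "unknown" rather than "low", escalates exploited or freshly disclosed exposed findings regardless of score, and routes the rest for review. The `CveRecord` fields, the status strings and the CVE identifiers are constructed placeholders, not the NVD API schema.

```python
"""Triage CVE records when NVD enrichment is missing (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    published: datetime
    status: str                  # analysis status as stored in our own feed (assumed field)
    cvss_base: Optional[float]   # None when the record has not been enriched
    known_exploited: bool        # exploitation signal from a feed other than NVD
    internet_exposed: bool       # an affected asset is reachable from outside


# The column cites research that 61% of exploited CVEs are weaponized within 48 hours.
EXPLOIT_WINDOW = timedelta(hours=48)


def naive_priority(rec: CveRecord) -> float:
    """Legacy ranking: sort by NVD base score; an unenriched record silently scores 0."""
    return rec.cvss_base or 0.0


def triage(rec: CveRecord, now: datetime) -> tuple[str, str]:
    """Return (bucket, reason). Missing enrichment is 'unknown', never 'low'."""
    if rec.known_exploited:
        return ("urgent", "exploitation observed; NVD score is irrelevant")
    fresh = now - rec.published <= EXPLOIT_WINDOW
    if rec.cvss_base is None:
        # No CVSS to rank on: decide from exposure and age instead of dropping the record.
        if rec.internet_exposed and fresh:
            return ("urgent", f"unenriched ({rec.status}), exposed, within 48h of disclosure")
        return ("needs-review", f"unenriched ({rec.status}); cannot rank by CVSS")
    if rec.cvss_base >= 9.0 and rec.internet_exposed:
        return ("urgent", "critical CVSS on an exposed asset")
    if rec.cvss_base >= 7.0:
        return ("high", "high or critical CVSS")
    return ("scheduled", "below the high threshold; handle in the normal cycle")


def rank(records, now: datetime):
    """Order records by triage bucket; sorted() is stable, so ties keep feed order."""
    order = {"urgent": 0, "high": 1, "needs-review": 2, "scheduled": 3}
    return sorted(records, key=lambda r: order[triage(r, now)[0]])


# Constructed sample: identifiers, dates and scores are placeholders for this example.
NOW = datetime(2026, 4, 1, tzinfo=timezone.utc)
SAMPLE = [
    CveRecord("CVE-0000-0001", NOW - timedelta(days=400), "Not Scheduled", None, False, True),
    CveRecord("CVE-0000-0002", NOW - timedelta(hours=6), "Awaiting Analysis", None, False, True),
    CveRecord("CVE-0000-0003", NOW - timedelta(days=30), "Analyzed", 9.8, False, True),
    CveRecord("CVE-0000-0004", NOW - timedelta(days=10), "Analyzed", 5.3, True, False),
    CveRecord("CVE-0000-0005", NOW - timedelta(days=3), "Analyzed", 4.0, False, False),
]


def naive_order(records=SAMPLE):
    """What a CVSS-only sort produces: both unenriched records land at the bottom."""
    return [r.cve_id for r in sorted(records, key=naive_priority, reverse=True)]


def triaged_order(records=SAMPLE, now=NOW):
    """What the triage produces: (cve_id, bucket) pairs in remediation order."""
    return [(r.cve_id, triage(r, now)[0]) for r in rank(records, now)]


if __name__ == "__main__":
    print("legacy order:", naive_order())
    for cve_id, bucket in triaged_order():
        print(f"{bucket:13} {cve_id}")
```

In the constructed sample the six-hour-old, exposed, unenriched record is the last item in the legacy sort and the first item after triage; the medium-scored record with observed exploitation moves up the same way. The point is not the particular thresholds but that an absent score must be handled as an explicit branch, and that signals outside NVD (exposure, age, exploitation) have to carry the decision when enrichment never arrives.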

That’s why the industry's movement toward continuous threat exposure management (CTEM) matters so much. It's not a trend: it's the path forward. And understanding why requires unpacking what the "EM" in CTEM means.

Exposure management deliberately widens the definition of digital risk beyond software flaws and CVEs to encompass any exposure that places data, identities, or infrastructure at risk. That includes credential leaks, lookalike domains, misconfigurations, infected devices, and countless other weaknesses.

That breadth matters enormously when AI can chain together CVE and non-CVE exposures into viable attack paths faster than defenders can identify and block them. But understanding this shift and operationalizing it are two different things.

The urgency to transition is real, yet many teams fall into the trap of believing they need to future-proof their processes before they can move forward. They don't. In fact, future-proofing is the wrong frame entirely.

Adaptability matters in today’s world of rapid AI evolution. Operationally, that means backward compatibility. Organizations need CTEM programs that can absorb new tools, intelligence sources, and automation layers without requiring a complete rebuild every time the threat landscape changes.

Given the interconnected nature of modern business environments, organizations need to respond quickly to changing conditions. Teams that assume the window between "known" and "weaponized" will remain wide enough to support traditional remediation timelines are making an increasingly risky bet.

Long term, it's possible that software vendors armed with increasingly powerful AI tools will produce dramatically safer code, reducing the number of exploitable vulnerabilities and zero-day discoveries. But that future isn't here yet.

Right now, vulnerability discovery has accelerated faster than traditional remediation models can handle. Security teams need programs that are continuous, agile, and flexible enough to function in a constantly changing threat environment. But getting there will require a significant cultural shift, and such shifts are rarely clean or linear.

Organizations will need to restructure their teams and workflows toward more horizontally aligned, cross-domain operations that can respond at AI speeds. It also means teams will need to become more comfortable with autonomous remediation, something many have resisted since the IDS/IPS era.

That said, we don’t see more autonomous remediation eliminating security jobs, although it will require closer collaboration across teams, with humans rooted in the loop for critical decisioning and oversight. Most organizations recognize where the industry is headed and understand they’ll need to adapt quickly.

AI isn't breaking vulnerability management; it's exposing the fact that it was already broken. CTEM offers a path forward, but the clock has been ticking. Humans will never move at machine speed, but thankfully we can build systems that do.

Because AI isn't waiting for us to get our act together.

Ryan Blanchard, director, product strategy and market research, XM Cyber

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
