Your Patch Cycle Just Became Obsolete

Six months ago, Daniel Stenberg was ready to quit.

The maintainer behind curl — the software that quietly powers every API call, cloud sync, and connected device you touched today — was drowning in AI-generated security reports. Hallucinated vulnerabilities. Phantom bugs. Garbage dressed up as responsible disclosure, flooding his inbox at a pace no human could sustain.

Then something shifted.

The garbage stopped. The good reports didn't. In fact, they accelerated. AI-assisted security researchers went from useless to overwhelming in under a year. Real bugs. Real frequency. Real enough that Stenberg just publicly confirmed what open source maintainers across the ecosystem are whispering: the discovery bottleneck is gone.

If you run anything resembling a vulnerability management program, this should terrify you more than any ransomware headline. Because the system you built — the one with monthly patch cycles, quarterly pen tests, and a backlog you're already three sprints behind on — was designed for a world where humans find bugs at human speed.

That world ended sometime in the last six months. You just haven't felt it yet.

We've Seen This Movie Before

Nessus launched in the late 1990s. By 2005, automated vulnerability scanners had gotten good enough to actually find real problems at scale. Overnight, security teams went from "we don't know what's broken" to "we have 47,000 findings and three people."

The fix wasn't better scanners. It was building triage programs that could operate at machine speed — risk scoring, automated remediation workflows, SLA frameworks that assumed you'd never patch everything. We stopped trying to fix all the problems and started building systems to decide which problems to ignore.

That worked. For twenty years, it worked. Discovery stayed predictable. A researcher finds a bug, files a report, maybe two per quarter. Your patch Tuesday cadence could keep pace. The backlog grew, sure, but manageably. You could staff for it.

I spent a decade building vulnerability management programs anchored to that rhythm. Monthly cycles. Quarterly reviews. Annual pen tests that felt like pop quizzes you could study for.

That cadence is dead.

AI Researchers Don't Take Weekends

Here's what changed: AI-assisted security research doesn't get bored. It doesn't take Christmas off. It doesn't need coffee breaks between findings. And — this is the part that should keep you up at night — it apparently stopped hallucinating.

Six months ago, Stenberg was rejecting AI-generated reports as fast as they arrived. Today, he's confirming they're legitimate. That's not incremental improvement. That's a phase change.

Your vulnerability disclosure inbox is about to look like Stenberg's. If it doesn't already, it will. And the reports won't come from boutique security firms billing $300/hour. They'll come from researchers running AI models that can analyze your entire codebase in the time it takes you to finish this paragraph.

Your patch cycle was designed for human-speed discovery. Welcome to machine speed.

What happens when valid bug reports 10x but headcount doesn't? What happens when your two-week SLA to triage critical findings meets an inbox that refills faster than you can empty it?

The Questions Nobody's Asking Yet

I was on a call last month with a client — mid-market financial services firm, the kind with legacy systems held together by talented people and prayer. Their CISO asked me about AI security tools. Defensive AI. Could it help them detect threats faster?

I asked him a different question: "What's your plan when AI starts finding threats faster than your team can remediate them?"

Silence.

We're still thinking about AI as a tool that makes our jobs easier. We're not thinking about it as the thing that changes the tempo of the game.

Here's what I'm watching for — and what you should be asking your security team Monday morning:

• What's our current backlog-to-capacity ratio? If you're already underwater at human-speed discovery, machine-speed discovery doesn't make you faster. It makes you irrelevant.

• Do we have automated triage that actually works? Not the risk scoring system you inherited. The one that can handle 10x volume without adding headcount.

• What's our criteria for not patching? Because you're about to have far more valid findings than you have remediation capacity. The question isn't what you'll fix. It's what you'll risk ignoring.

• Who owns the relationship with security researchers? Because they're about to file reports at a pace that makes your current disclosure process look like a suggestion box.

These aren't theoretical questions. Stenberg is living them right now. So are the maintainers of OpenSSL, Linux, and every other piece of open source infrastructure your business depends on.

The Railroads Are Coming

Nobody got fired the day the railroad arrived in town. The disruption was slower than that. First, the warehouse district started looking a little empty. Then the best workers left for opportunities two states over. Then, quietly, the town just wasn't the center of anything anymore.

AI-assisted security research is the railroad. It's not replacing your security team today. But it's changing the economics of vulnerability discovery so fundamentally that the programs built for the old world won't survive in the new one.

The firms that figure this out early won't be the ones with bigger teams. They'll be the ones who rebuilt their workflows to assume infinite discovery and finite remediation. They'll be the ones who automated triage not as a nice-to-have but as the only way to keep the lights on.

The firms that don't? They'll keep hiring. They'll keep falling behind. And one day they'll look up and realize the best people left for companies that weren't drowning.

What This Means for Your Monday Morning

If you're a CISO, you need to pressure-test your vulnerability management program against 10x inbound volume. Not someday. Now. The AI researchers are already running.

If you're a finance leader or auditor, you need to ask harder questions about your organization's security posture. "We patch critical vulnerabilities within 30 days" might sound reassuring until you learn they're sitting on 4,000 unpatched medium-severity findings because the team is underwater.

If you're advising clients, you need to help them see the railroad coming. The risk isn't the bugs AI will find. The risk is the systemic failure that happens when discovery outpaces remediation and nobody redesigned the process in between.

I don't have a perfect playbook for this. I've built a lot of vulnerability programs, and exactly none of them were designed for what Stenberg is describing. But I know what the pattern looks like when the tempo changes and organizations don't adapt.

It looks like Blockbuster insisting that streaming was a niche market. It looks like newspapers convinced that Craigslist wouldn't kill classifieds. It looks like confidence right up until it looks like irrelevance.

What's your team's plan when the reports 10x but the headcount doesn't? Has your vulnerability management program had this conversation yet?

Because curl just did. And if you're using software — which you are, constantly, whether you realize it or not — what happens to curl happens to you.

Here's your specific action: This week, ask your security team for three numbers: current vulnerability backlog, average time-to-remediation, and monthly inbound report volume. If they can't answer immediately, that's your answer. If they can, ask them what those numbers look like at 10x inbound volume. Then ask what changes this quarter to handle it.

The machine-speed era started six months ago. Your patch cycle didn't get the memo.

But what do I know — I've only watched discovery tools outpace remediation capacity three times in my career. Maybe the fourth time will be different.