UK cyber security agency warns of AI-driven 'patch wave'


Overhaul software update processes or risk being overwhelmed.

The chief technology officer of the United Kingdom's National Cyber Security Centre (NCSC) has told organisations to deal with their technical debt, or skilled individuals will be able to exploit it at scale and pace with AI.


NCSC CTO Ollie Whitehouse said the government security agency expects AI to force a correction to address a backlog of technical issues that are expensive and time-consuming, the result of prioritising short-term gains over building resilient products.

Whitehouse called it a "patch wave", or a rush of software updates that have to be applied to organisations' technology stacks, to address the disclosure of new vulnerabilities. 

Organisations should be prepared to patch quickly, more often and at scale, with NCSC arguing that technologies on organisations' perimeter should be prioritised, with work then moving inwards towards cloud and on-premises environments.

The UK cybersecurity agency suggests organisations should enable automatic patching for all devices, as well as hot patching, which requires no service interruption such as restarts.

Whitehouse said vendors and technology producers should ensure that systemic technical security debt is minimised through memory safety and containment technologies, as patching alone won't address all problems.

NCSC's advice follows the Australian Signals Directorate (ASD) last month publishing information on the security implications of what it says are increasingly capable frontier AI models.

ASD referred to Anthropic's Claude Mythos model, which is currently in preview with select partners such as Microsoft, Apple, Amazon and the United States government.

Competitor OpenAI's GPT-5.5 is also on the list of capable models, with ASD saying such models can chain large series of tasks together into an end-to-end autonomous intrusion.

ASD added that researchers have shown that many of the vulnerability discoveries demonstrated by Claude Mythos can be reproduced by cheap, open-weight models.

"With the cost of operating capable models falling rapidly, the assumption hostile actors will lag frontier capabilities by many months is no longer safe," ASD said.

ASD's suggestion is that organisations should consider how to use AI to identify, harden and protect their systems, using the technology for defensive purposes. 

Strengthening cyber security fundamentals by regularly reviewing and validating core controls is also recommended for organisations, and ASD echoed NCSC's advice to patch systems promptly, and to minimise attack surfaces.

Copyright © iTnews.com.au . All rights reserved.