VYPR
Trend · Published May 13, 2026 · Updated May 18, 2026 · 1 source

AI-Powered Bug Hunting Triggers 'Vulnpocalypse' as Vendors Flood Admins with Patches

Palo Alto Networks, Microsoft, and Mozilla are using frontier AI models to find vulnerabilities at unprecedented scale, resulting in a surge of patches that security experts warn will overwhelm administrators.

The cybersecurity industry is entering what experts are calling the "vulnpocalypse," as major vendors deploy advanced AI models like Anthropic's Mythos and Microsoft's MDASH to scan their codebases for vulnerabilities, uncovering flaws at a rate never seen before. Palo Alto Networks, which typically finds five vulnerabilities per month, announced on Wednesday that it discovered 75 security holes across 130 products, covered in 26 CVEs. This follows Microsoft's disclosure that its new agentic bug-hunting system, MDASH, found 17 vulnerabilities across its products during a record-setting Patch Tuesday that included 30 critical CVEs. Meanwhile, Mozilla fixed 423 Firefox bugs in April, a fivefold increase from March and nearly 20 times its monthly average last year.

The surge is driven by the maturation of frontier AI models that can analyze code at scale. Palo Alto Networks is using Anthropic's Mythos, Claude Opus 4.7, and OpenAI's GPT-5.5-Cyber, while Microsoft orchestrates over 100 specialized AI agents across multiple models. "Unlike single-model approaches, the harness orchestrates more than 100 specialized AI agents across an ensemble of frontier and distilled models to discover, debate, and prove exploitable bugs end-to-end," said Taesoo Kim, Microsoft VP of agentic security. The companies aim to fix vulnerabilities before AI-driven exploits become widespread, with Palo Alto Networks expecting a "narrow three-to-five-month window" before such exploits become the norm.

The immediate consequence for organizations is a sharp increase in patch volume. Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, told The Register that while more patches mean more work for admins, the goal is to reduce the number of flaws over time. However, he warned that the situation could become "really painful" if AI-generated patches break systems. "Many customers don't trust patches as it is, so if AI-related patches break things, they are less likely to apply as time goes on," Childs said. "This will be true even if AI only finds the bugs and doesn't make the patches."

Industry veterans emphasize that the bottleneck is not in finding bugs but in fixing them. "Finding bugs has always been the cheap end of the pipeline," said Katie Moussouris, CEO of Luta and a pioneer in bug bounty programs. "Triage, disclosure, building patches that do not break production, and getting customers to deploy them is the expensive end, and nobody has funded it for this volume." She noted that Palo Alto Networks' jump in CVEs this month could be multiplied across every vendor, creating a massive burden for vulnerability management teams.

Despite the challenges, security experts agree that vendors should keep using AI for vulnerability discovery. "All vendors should use what tools they have to find and remediate bugs before they are exploited in the wild," Childs said. Both Microsoft and Palo Alto Networks are part of Anthropic's Project Glasswing, which grants access to Mythos for security testing. Palo Alto Networks began testing Mythos on April 7 and has since continued using multiple frontier models. The company says it has already fixed all of the bugs in its SaaS-delivered products and has coded patches for its customer-operated products, and it has found no evidence of exploitation in the wild.

The trend is expected to accelerate as more vendors adopt AI-powered bug hunting. Microsoft's Tom Gallagher, VP of engineering at the Microsoft Security Response Center, acknowledged that "this month's release sits on the larger side of a hotpatch month" and predicted that AI-assisted bug hunting will increase Patch Tuesday releases. As Moussouris noted, "Both PAN and Microsoft landed on the same answer: no single model catches everything," underscoring the need for diverse AI approaches to secure software development.

Synthesized by Vypr AI