Frontier AI models capable of discovering and exploiting software vulnerabilities are moving faster than many enterprise security processes were designed to handle, and customer-facing systems could be among the first to feel the pressure.
That is the warning from Vincent Danen, Vice President of Product Security at Red Hat, who told CX Today in an interview that the issue is not simply whether models like Anthropic’s Claude Mythos can find more vulnerabilities. The bigger concern is whether enterprises can assess, prioritize, patch and mitigate risks fast enough once those vulnerabilities start being exploited on a large scale.
Danen expects the industry to face a painful adjustment period.
“We are going to have a very painful year or two. I buckled myself in, because we’re going to see a lot of vulnerabilities disclosed, a lot of patches that have to be created.”
Danen added that discovery may accelerate faster than remediation. “I think it’s going to be very painful very soon. Short-lived from a discovery perspective. Unfortunately, longer-lived from a remediation perspective.”
That should concern customer experience leaders, because modern CX now depends on sprawling software ecosystems comprising contact center platforms, CRM systems, digital identity tools, payment systems, AI assistants, customer portals, analytics platforms and open-source components buried deep inside enterprise infrastructure.
If those systems become harder to secure, or if patching them becomes more urgent and disruptive, the consequences will not stay confined to IT.
Frontier AI Is Accelerating Enterprise Security Vulnerability Discovery at Record Speed
The volume of software exploits, known as Common Vulnerabilities and Exposures (CVEs) has already changed beyond recognition, Danen said.
“In 2000, there were probably under 1,000 CVEs throughout the year, and last year there were 48,000 in total, and I expect this year it’ll probably double, with Al being so good at finding vulnerabilities.”
The acceleration in discovery is creating a new problem for enterprise security teams. AI may be able to find flaws faster, but teams cannot fix everything at once. Nor should they try. Danen’s message is that businesses need to stop treating every vulnerability as equal.
“One of the challenges, particularly today, [is that] Al comes out and finds 10,000 vulnerabilities. If people are going, all security vulnerabilities are equal, and all of a sudden 10,000 show up. Well, that mindset says you have to fix all 10,000 right now, and there’s this old saying, if everything is important, nothing is.”
Instead, enterprises need to assess the likelihood of exploitation and the potential impact on the systems affected. CX teams, in particular, need to be able to identify which vulnerabilities threaten customer-facing services, customer data, account access, transactions and availability. After all, a low-risk bug buried in a non-critical internal tool does not carry the same urgency as a flaw affecting a customer portal, authentication system or payment flow.
So the real operational challenge is prioritization, Danen said.
“I can’t fix 10,000 vulnerabilities today, but I can probably fix 10, so which are the 10 that I have to focus on today, and then the 10 I have to focus on tomorrow. But even as you’re applying patches or figuring out ‘where are my soft spots in the enterprise’? I have to be looking at risk in this whole picture.”
Exploitation Is Now Happening Before Disclosure
Enterprises often had weeks or months between disclosure and widespread exploitation, allowing them to rely on fixed patch cycles, whether monthly windows, quarterly updates or scheduled outage periods. Danen warned that the patching cycle is coming under strain as exploitation timelines have compressed dramatically.
“People are going to have to start looking at how to consume these patches faster, because exploitation is now faster.”
“A couple of years ago, exploitation was measured in 30 days, 60 days. Last year, it was four days average time from public to first signs of exploitation. Now they’re saying minus seven days, so these things are being exploited before they’re publicly disclosed, because of the proliferation of these models.”
Enterprises need to adapt with a new sense of urgency. If exploitation is happening before public disclosure, then waiting for the next planned maintenance window may no longer be viable.
Danen puts the challenge bluntly. Enterprises “have to learn to be nimble, because you may have to patch tomorrow and the day after, in addition to your regular patch, and how do you do that?”
That question has clear consequences for customer experience. Faster vulnerability discovery creates a trade-off between customer continuity and customer protection.
Defense in Depth Buys Enterprises Time
Emergency patching can mean service downtime, degraded performance, delayed product releases, broken integrations or rushed changes to digital channels. But failing to patch could mean data exposure, account compromise, fraud or customer-impacting outages.
Danen said this is why enterprises cannot rely on patching alone. They need “defense in depth,” layered security controls that buy time when vulnerabilities are discovered, or exploited, before a fix is ready. In the same way that enterprises avoid connecting devices directly to the internet, instead using firewalls, access control and other systems that would have to be breached, broader systems need multi-layered defense.
“If exploitation happens seven days before it’s public, that patch almost doesn’t matter, it’s everything else,” Danen said, that can slow down attackers or prevent attacks completely. “When that patch shows up seven days, 14 days, 30 days later, now I can apply it. I don’t have to worry about it, but I’ve already blocked those attacks.”
“If I have a really good defense system, I don’t have to patch everything the moment I find out about it. Because I can trust my system, and if I have a good understanding of that, I’ll know where my squishy spots are, so I’ll know which things I need to prioritize first, and that buys you time to be able to manage the deluge.”
That “deluge” could have a particular impact on systems based on open-source software, not necessarily because open source is inherently less secure, but because its vulnerabilities are more visible.
Red Hat and its parent company IBM recently announced plans to invest $5BN in Project Lightwell, which is aimed at securing open-source software as they look to help enterprises confront the new generation of cyber threats Mythos-class frontier models, like Anthropic’s newly-released Fable, could surface.
Danen argued that proprietary software may contain just as many vulnerabilities but enterprises simply may not see them, creating a perception problem for enterprises evaluating CX technology vendors.
“The same number of vulnerabilities you find in open source, they’re going to find in proprietary software. The only real difference is proprietary software is under no obligation to tell you about it, and with open source we can’t hide it.”
Danen described the difference as visibility, not necessarily safety: “blackout curtains versus no curtains, and that’s a mental model that has to change.”
Vendor Security Questions Must Change
To make that change, buyer conversations with vendors need to adapt to the new reality. How quickly does the vendor disclose critical issues, how does it prioritize fixes, how fast can patches be applied and how are customer-facing systems protected while remediation is underway?
AI can help with that process to an extent, if it is given enough context about the organization’s environment and controls.
“Al could be useful from a risk aid perspective, and I think that we’ll probably see more companies start leveraging Al for that, some of these security-focused products, because that would be a very clever use of Al,” Danen said.
But AI cannot remove the need for human judgment, testing and quality assurance, especially when patches affect live enterprise systems, Danen added.
“Nobody wants to be like, ‘Hey, Al, go create a patch for this critical vulnerability, build it, and then release it to all my customers.”
Human involvement is key for customer-facing environments, where a bad patch can be almost as damaging as the vulnerability it is meant to fix. A rushed update could break payment processing, disable a login journey, disrupt agent desktops or bring down a self-service portal.
If AI is accelerating vulnerability discovery and exploitation, customer experience teams need to know whether their organizations can respond without breaking the services customers rely on. CX leaders need to be able to ask sharper questions about resilience, patch agility, vendor transparency and customer-impact planning.
As Danen put it, the time to prepare has already arrived.
“The time to shore up our defenses is now. Or yesterday, really. And the only way to do that is defense in depth.”
