Patch Prioritization in the AI Era: A Framework for Security Teams Facing AI-Discovered Zero-Days

When AI finds 10,000 vulnerabilities, CVSS scores alone can no longer tell you what to fix first

10,000+
High/critical findings across Glasswing partners
9
Confirmed CVEs from Project Glasswing
1,596
CVD disclosures coordinated by Glasswing
CVSS 9.1
wolfSSL cert forgery severity (CVE-2026-5194)

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

On July 5, 2026, Anthropic published the 90-day report for Project Glasswing, the coordinated vulnerability disclosure program powered by Claude Mythos. The numbers are staggering: 10,000+ high- or critical-severity findings, 9 confirmed CVEs, and 1,596 coordinated disclosures across 200+ organizations spanning power, water, healthcare, and critical infrastructure. No vulnerability management program in existence was designed to absorb that rate of discovery. The traditional triage model, where a security analyst reads a CVE description, checks the CVSS score, and drops it into a ticket queue, simply does not scale to what AI-powered discovery produces. This guide lays out a practical, five-factor prioritization framework that helps vulnerability management teams work through AI-discovered findings systematically, set realistic patch SLAs, apply compensating controls intelligently, and integrate AI-era threat intelligence into the tooling they already use.

Why CVSS Alone Fails as a Triage Signal

The Common Vulnerability Scoring System was designed to give organizations a baseline severity estimate when independent measurement was impossible. It was never intended to be the sole input into a remediation schedule. The fundamental problem is that CVSS measures the theoretical severity of a vulnerability in isolation, not the actual risk it poses to a specific organization. A CVSS 9.8 unauthenticated RCE vulnerability in a library that your organization does not use is less urgent than a CVSS 6.5 authenticated SQL injection in your customer portal. Yet naive CVSS-driven programs would send the former to emergency patching and schedule the latter for next month. Three specific failure modes appear at scale. First, CVSS score inflation over time: organizations that have adopted risk-based patching consistently find that 20-30% of their CVSS 9+ findings are on assets with no internet exposure, no sensitive data, and no active exploitation. Second, the exploit gap: CVSS is assigned at disclosure time, before exploitation patterns are known. A CVSS 7.2 vulnerability with a Metasploit module is operationally more dangerous than a CVSS 9.5 finding for which no exploit exists. Third, asset blindness: CVSS has no concept of your asset inventory, your network topology, or which systems are business-critical. For AI-discovered vulnerabilities, these failure modes are compounded. Claude Mythos generated findings at a rate and depth that no human-paced CVD process has produced. The findings come pre-triaged by the AI in terms of technical severity, but the organization still has to apply its own operational context.

The Five Factors That Actually Drive Patch Priority

A defensible patch prioritization model combines five factors. Each factor is scored independently, and the composite score determines which tier the finding falls into. Factor 1: Base Severity (CVSS or equivalent). Use CVSS 3.1 Base Score as the starting point. Weight: 25% of composite. Factor 2: Exploit Availability. Does a functional proof-of-concept or weaponized exploit exist? For Glasswing findings, Claude Mythos often developed working exploit code during the assessment, so this factor is elevated at disclosure time rather than weeks later. Scoring: no known exploit (0), proof-of-concept only (1), weaponized/public exploit (2), active exploitation observed (3). Weight: 30% of composite. Factor 3: Internet Exposure. Is the vulnerable component reachable from the public internet? Direct internet-facing exposure is categorically different from an internal-only service. Weight: 20% of composite. Factor 4: Asset Criticality. What is the business function of the affected asset? Crown jewel systems (payment processing, identity infrastructure, industrial control systems) carry much higher weight than development workstations. Weight: 15% of composite. Factor 5: Confirmed Active Exploitation. Is this vulnerability being actively exploited in the wild, either by threat actors broadly or against your industry specifically? CISA KEV catalog membership is a strong signal. Weight: 10% of composite. The composite score maps to one of four response tiers with defined SLAs.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

The Four-Tier Response Model with SLAs

Tiered response models work because they translate composite risk scores into operational calendar commitments that asset owners and leadership can plan around. The four tiers below represent a practical baseline. Organizations should calibrate SLAs to their own risk tolerance and capacity. Tier 1, Emergency (Composite Score 8-10): 24-48 hours to patch or apply compensating controls, with immediate escalation to CISO and asset owner. This tier applies to findings with high CVSS, active exploitation, and internet exposure. The FreeBSD NFS RCE (CVE-2026-4747) discovered by Glasswing would qualify for Tier 1 on any internet-facing FreeBSD system, given the 17-year existence of the bug and the fact that working exploit code was developed. Tier 2, Urgent (Composite Score 5-7): 7 days to patch, with daily status checks to the vulnerability management team. Tier 3, Standard (Composite Score 3-4): 30-day patch window with weekly status reporting. Tier 4, Scheduled (Composite Score 0-2): Next scheduled maintenance window, minimum quarterly. Each tier carries an escalation trigger: if the SLA is missed without documented compensating controls, the finding automatically promotes to the next tier.

Compensating Controls: Buying Time Without Accepting Unlimited Risk

Compensating controls are temporary risk reduction measures applied when immediate patching is not feasible. They are not permanent solutions and should never be treated as equivalent to patching. A compensating control is an explicit, time-bounded acceptance of residual risk. Effective compensating controls for AI-discovered vulnerabilities, ordered by effectiveness, include the following. Network segmentation reduces the attack surface by limiting which systems can reach the vulnerable component. If the vulnerable service does not need to be internet-facing, pull it behind a firewall or VPN immediately. This converts a Tier 1 emergency to a Tier 2 urgent in many cases. WAF and IPS rule tuning adds detection and blocking rules for known exploit patterns. For Glasswing CVEs where Mythos developed working exploit code, the exploit signatures can be converted directly into defensive signatures. Feature or service disablement applies when the vulnerable component is non-essential. If you are running an NFS service that is not required for operations, disabling it eliminates the risk entirely without patching. Enhanced monitoring increases the signal-to-noise ratio on the affected asset, making it more likely that an exploitation attempt is detected quickly if it occurs. Each compensating control must be documented with a named owner, an expiration date, and a hard trigger date after which leadership escalation is mandatory if the patch has not been applied.

Integrating AI-Era Threat Intel into Existing Vuln Management Workflows

Most vulnerability management programs run on platforms like Qualys VMDR, Tenable Vulnerability Management, or Rapid7 InsightVM. These platforms already support risk-based prioritization features: Qualys QDS, Tenable VPR (Vulnerability Priority Rating), and Rapid7 Real Risk Score all incorporate some version of exploit availability and threat intelligence. Integrating AI-discovered findings requires a few deliberate steps. First, ensure your CMDB and asset inventory are accurate enough to support the five-factor model. Asset criticality scores cannot be applied without knowing what each system does. Second, configure your vulnerability management platform to ingest external threat feeds so that active exploitation signals update automatically. CISA KEV integration is now a standard feature in all major platforms. Third, create a custom tag or label for AI-discovered findings from Glasswing or similar programs. These findings have different characteristics than scanner-discovered CVEs: they are often novel, come with working exploit code, and may not have a vendor patch available at disclosure time. Fourth, review your existing SLA policies and compare them to the four-tier model. Many organizations have SLA policies but no automated enforcement. If a Tier 1 finding sits in a queue for 72 hours without action, an automated escalation email should fire. The composite scoring model described above can be implemented as a custom field calculation in any of the major platforms.

The Glasswing CVE Triage Exercise

Applying the five-factor framework to the 9 confirmed Glasswing CVEs illustrates how different findings sort into different tiers even when all are technically 'critical.' FreeBSD NFS RCE (CVE-2026-4747): High CVSS, working exploit developed by Mythos, internet-facing NFS servers exist in many enterprises, high asset criticality if the NFS server hosts production data. Composite score likely 8-9 for any organization running internet-reachable FreeBSD NFS. Tier 1 emergency. wolfSSL Cert Forgery (CVE-2026-5194, CVSS 9.1): High CVSS, exploit code exists, but wolfSSL is an embedded TLS library most commonly found in IoT and embedded systems, not traditional enterprise servers. For an organization running wolfSSL in production IoT devices, this is Tier 1 or 2. For an enterprise with no wolfSSL deployments, it is not applicable. V8 Arbitrary Code Execution: Browser-based, requires user interaction in most exploitation scenarios. CVSS may be high, but internet exposure of V8 itself is indirect (through the browser, not a network service). For an organization with a managed browser fleet with automatic updates enabled, this may be Tier 3 or 4. VMM Escape: Highly relevant to cloud providers and organizations running dense virtualization. A VMM escape in a production hypervisor used to isolate customer workloads is Tier 1. On a development workstation running VirtualBox, it is Tier 3. The exercise demonstrates that two organizations looking at the same CVE list will produce different tier assignments based on their specific asset inventory and exposure profile.

A vulnerability without an attacker path is theoretical. A vulnerability with a working exploit on an internet-facing crown jewel is an active incident waiting to happen.

Vulnerability management principle illustrated by Glasswing findings

Building Institutional Muscle for Rapid Response

A framework on paper does not help when a zero-day drops at 11pm on a Friday and the asset owner is unreachable. Institutional muscle for rapid response requires three elements. First, a published escalation matrix: every Tier 1 finding has a named primary and backup contact for every asset class. This matrix is reviewed quarterly and tested annually with a simulated zero-day exercise. Second, pre-approved compensating controls: a library of standard compensating controls (segmentation templates, WAF rule sets, service disablement procedures) that can be applied immediately without an emergency change advisory board (CAB) approval. The CAB approval happens afterward, not before. Third, patch testing fast lanes: a dedicated pre-production environment for emergency patches that compresses the standard testing window from weeks to 24-48 hours. This requires investment in automation, but the return on investment is clear when a Tier 1 finding requires a 48-hour response and your standard patch testing cycle is 3 weeks. Organizations that participated in Project Glasswing had the advantage of advance notice and coordinated disclosure windows. Organizations that encounter AI-discovered zero-days through threat actor exploitation will not have that luxury.

The Glasswing Prioritization Worksheet and Scoring Rubric

The complete five-factor scoring rubric, the four-tier SLA table with escalation triggers, and the Glasswing CVE triage worksheet with pre-scored entries for all 9 known CVEs are available in the Mythos Brief. The Brief also includes a compensating control library mapped to each CVE class, integration checklists for Qualys, Tenable, and Rapid7, and a template escalation matrix you can adapt for your organization.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

AI-powered vulnerability discovery has permanently altered the math of vulnerability management. When a single program surfaces 10,000+ high- and critical-severity findings in 90 days, organizations that rely on CVSS alone will either patch the wrong things first or be paralyzed by volume. A five-factor composite model that weighs exploit availability, internet exposure, asset criticality, and active exploitation alongside CVSS gives teams an operationally defensible triage signal. The four-tier response model converts that signal into calendar commitments. Compensating controls provide a bridge when patching timelines cannot be compressed. The full scoring rubric, tier SLA table, Glasswing CVE worksheet, and platform integration checklists are in the Mythos Brief. Get it free at decryptiondigest.com/mythos-brief.

Frequently asked questions

Is CVSS still useful for prioritization?

CVSS remains a useful baseline signal but should never be the sole triage criterion. A CVSS 9.8 vulnerability on an air-gapped, non-internet-facing asset with no public exploit available is operationally less urgent than a CVSS 7.5 vulnerability with a weaponized public exploit on a customer-facing web server. Use CVSS as one input in a five-factor model that also weighs exploit availability, internet exposure, asset criticality, and confirmed active exploitation.

What does 'exploit available' mean for AI-found bugs?

For AI-discovered vulnerabilities, 'exploit available' means a functional proof-of-concept or weaponized exploit exists either publicly (GitHub, Exploit-DB, Metasploit modules) or, as demonstrated by Claude Mythos, was generated autonomously during the discovery process. Mythos produced working exploit code for many of its Glasswing findings, meaning the exploit availability factor is already elevated at time of disclosure, not weeks later as with traditional CVD timelines.

How do we handle a critical CVE we cannot patch immediately?

When immediate patching is not possible, apply compensating controls in order of effectiveness: network segmentation to limit reachability, WAF or IPS rules tuned to block known exploit patterns, disabling the vulnerable feature or service if non-essential, enhanced monitoring and alerting on the affected asset, and accelerated patch testing to compress the standard testing window. Document the compensating control formally and assign a hard patch deadline that triggers escalation if missed.

What is a reasonable patch SLA for CVSS 9.1?

A CVSS 9.1 finding with a public exploit and internet-facing exposure warrants a 24- to 48-hour emergency patch window. Without a public exploit and on an internal asset only, 7 days is a reasonable urgent-tier SLA. The wolfSSL cert forgery vulnerability (CVE-2026-5194, CVSS 9.1) discovered by Glasswing would qualify for the 48-hour emergency tier given its severity and the fact that exploit code was developed during the Glasswing assessment.

How do we communicate patch urgency to asset owners?

Effective patch urgency communication maps technical severity to business language. Instead of leading with CVSS scores, frame the communication around: what an attacker can do if they exploit this (e.g., 'gain root access to the payment processing server'), which tier the finding falls into and what the SLA means in calendar days, what happens if the SLA is missed (escalation path), and what compensating controls are in place during the patching window. Asset owners respond to business impact, not numerical scores.

How do you operationalize a five-factor model in a vulnerability management platform?

Most enterprise platforms including Qualys VMDR, Tenable Vulnerability Management, and Rapid7 InsightVM support custom scoring fields that can encode a five-factor composite. The practical approach is to calculate the composite outside the platform using a spreadsheet or lightweight script, then write the composite score back as a custom severity tag or asset attribute so the platform's existing workflow and ticketing integrations can consume it. For AI-discovered findings from Glasswing where working exploit code was developed at disclosure time, set the exploit availability factor to its maximum value immediately rather than waiting for a Metasploit module to appear in public repositories. Automate KEV catalog polling to update the active exploitation factor in real time. Tie each tier boundary to an automated ticket priority and SLA enforcement rule so that composite score changes trigger workflow actions without manual intervention.

Sources & references

  1. Anthropic Project Glasswing 90-Day Report
  2. CISA Known Exploited Vulnerabilities Catalog
  3. NIST National Vulnerability Database
  4. FIRST CVSS v3.1 Specification
  5. Rapid7 Vulnerability Priority Rating
  6. Tenable Predictive Prioritization

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.