Though it is not yet a matter of official policy, inside sources indicate CISA is weighing a three-day deadline for fixing critical vulnerabilities in federal government systems that have been observed being exploited elsewhere. This would be a drastic reduction in the expected timeline, which currently is measured in weeks rather than days. The move has reportedly been prompted by reports of advanced AI models such as Claude Mythos making exploitation of known vulnerabilities trivial in the near future.
Inside sources say CISA is discussing a timeframe reduction for civilian agencies
Frontier models such as Mythos and OpenAI’s GPT‑5.4‑Cyber have been making headlines in recent weeks because of their expected capability both to assist experienced attackers and to lower the barrier to entry for the less technically sophisticated. Researchers believe these models will quickly and capably identify documented critical vulnerabilities in the wild and hand the user creative means to exploit them, including chaining attack components at machine speed. That capability could shrink processes that now take weeks to months to a matter of hours, and allow a smaller number of less experienced attackers to be just as effective.
Anonymous insiders with knowledge of CISA operations told media sources that acting CISA chief Nick Andersen and U.S. national cyber director Sean Cairncross have been actively discussing the new requirement, though a decision has not yet been reached. CISA has typically given civilian agencies with access to federal government systems up to three weeks to address a vulnerability after it is added to the Known Exploited Vulnerabilities (KEV) catalog, the list of flaws confirmed to be in active use by cyber criminals and other threat actors. That window was recently reduced to about two weeks for most vulnerabilities rated critical by CVSS score, but cutting it again to three days would nevertheless be a very significant reduction.
While the new requirement would apply only to federal government systems, it is very possible that it would be taken up at the state and local levels as well. There is good reason to believe that frontier models will soon enable broad-scale exploitation of critical vulnerabilities within hours of their becoming common knowledge, but CISA is also likely weighing the new requirement against the practical realities of the deep budget and job cuts initiated during the current Trump administration.
Matthew Hartman, Chief Strategy Officer at Merlin Group, notes that a remediation window of just several days (or less) may simply be an unachievable goal for many organizations at least in the near term: “A move from two weeks to three days reflects a fundamental shift in the threat landscape, driven by AI’s ability to accelerate vulnerability discovery and exploitation. What once took skilled actors weeks can now happen in hours, collapsing the defender’s response window. Having spent the last decade working with federal CIOs and CISOs on this challenge – albeit before the release of Mythos and GPT-5.4-Cyber – most organizations are not yet equipped to safely validate, prioritize, and remediate critical or actively exploited vulnerabilities at that pace without risking service disruption or incomplete fixes. Closing that gap will require sharper prioritization, along with significant investment in automation and real-time asset visibility.”
AI exploitation of critical vulnerabilities weighed against patching and operations realities
Having staff on hand to identify and apply patches and remediations for critical vulnerabilities is one issue in play. Another is testing: on many systems, particularly legacy ones, verifying that a patch will not break other critical components of an integrated system generally takes more than a few days. And before any of that can happen, organizations must have their systems properly catalogued so that they can find every instance that requires patching; an asset that is missing from the inventory cannot be scanned, prioritized, or patched on any deadline.
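As an added illustration of the inventory-to-deadline problem above (this is example code written for this page, not anything from CISA or from the people quoted): the script below joins a catalog export in the shape of CISA's KEV JSON feed with scanner findings per asset, computes the existing catalog due date alongside a hypothetical three-day window counted from `dateAdded`, and flags which assets are already overdue under each. The KEV entries, CVE identifiers (CVE-1900-*) and host names are constructed sample data; the findings format is a hypothetical one, not any real scanner's output.

```python
"""Added example: KEV-style catalog joined with asset findings to compute
remediation deadlines under the current window and a proposed N-day window.
All data below is constructed for illustration; none of it is real."""
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample in the shape of the real KEV feed (the real feed has these
# field names; the entries themselves, including the CVE IDs, are made up).
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
     "dateAdded": "2026-04-01", "dueDate": "2026-04-15", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor", "product": "WebPortal",
     "dateAdded": "2026-04-10", "dueDate": "2026-04-24", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-1900-0003", "vendorProject": "ExampleVendor", "product": "FileServer",
     "dateAdded": "2026-04-11", "dueDate": "2026-04-25", "knownRansomwareCampaignUse": "Unknown"},
]})

# Hypothetical scanner findings (asset, CVE). A host absent from the inventory
# never produces a finding, which is exactly the gap the article describes.
SAMPLE_FINDINGS = [
    {"asset": "gw-01.agency.example", "cve": "CVE-1900-0001"},
    {"asset": "gw-02.agency.example", "cve": "CVE-1900-0001"},
    {"asset": "portal-01.agency.example", "cve": "CVE-1900-0002"},
    {"asset": "build-07.agency.example", "cve": "CVE-1900-9999"},  # not in the catalog
]


@dataclass
class Task:
    cve: str
    asset: str
    product: str
    added: date
    catalog_due: date   # dueDate as published in the catalog
    proposed_due: date  # dateAdded + the proposed window
    ransomware: bool    # knownRansomwareCampaignUse == "Known"


def load_kev(kev_json: str) -> dict:
    """Index a KEV-shaped JSON document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def build_plan(kev_json: str, findings: list, window_days: int = 3) -> list:
    """Keep only findings that match a catalog entry and attach both deadlines.
    Ransomware-linked entries sort first, then earliest proposed deadline."""
    kev = load_kev(kev_json)
    tasks = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            continue  # not known-exploited: stays on the normal patch cycle
        added = date.fromisoformat(entry["dateAdded"])
        tasks.append(Task(
            cve=entry["cveID"], asset=f["asset"], product=entry["product"], added=added,
            catalog_due=date.fromisoformat(entry["dueDate"]),
            proposed_due=added + timedelta(days=window_days),
            ransomware=entry.get("knownRansomwareCampaignUse") == "Known",
        ))
    tasks.sort(key=lambda t: (not t.ransomware, t.proposed_due, t.asset))
    return tasks


def overdue(tasks: list, today: date, proposed: bool = True) -> list:
    """Tasks whose deadline (proposed or catalog) has already passed."""
    return [t for t in tasks if (t.proposed_due if proposed else t.catalog_due) < today]


def summarize(tasks: list, today_iso: str) -> dict:
    """Counts a program manager would report for a given day (ISO date string)."""
    today = date.fromisoformat(today_iso)
    return {"total": len(tasks),
            "overdue_catalog": len(overdue(tasks, today, proposed=False)),
            "overdue_proposed": len(overdue(tasks, today, proposed=True))}


if __name__ == "__main__":
    plan = build_plan(SAMPLE_KEV_JSON, SAMPLE_FINDINGS, window_days=3)
    for t in plan:
        print(f"{t.cve} {t.asset:28} catalog due {t.catalog_due} "
              f"proposed due {t.proposed_due} ransomware={t.ransomware}")
    print(summarize(plan, "2026-04-13"))
```

With the constructed data and a reporting date of 2026-04-13, nothing is overdue under the published catalog dates, but both gateway hosts are already overdue under a three-day window, which is the kind of gap between policy and execution the quoted practitioners describe. The unmatched `build-07` finding is dropped deliberately: a KEV deadline applies only to catalogued CVEs, and anything else belongs to the ordinary patch cycle.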
Some security researchers believe the threat is somewhat overblown. While frontier models like Mythos will almost certainly help threat actors identify critical vulnerabilities in the wild much faster, they do not believe the models will be much help in building a complete and automated attack chain. Others point out that even if these models are not at that level of capability yet, they will inevitably reach the point at which they can exploit newly identified critical vulnerabilities within minutes; it is therefore best to begin building a patching and testing process this tight and demanding now.
Morey Haber, Chief Security Advisor at BeyondTrust, expands on what this will actually look like for most organizations: “Unfortunately, most enterprises do not have continuous visibility into their attack surface, let alone the ability to prioritize and remediate vulnerabilities in near real time. Vulnerability scanning still occurs once a month or at best, once a week and in some cases, still once a quarter. Technical debt, legacy systems, and fragmented ownership models create friction that no mandate can eliminate overnight, and government agencies are already resource constrained with recent staff layoffs and lack of funding and expertise. This raises an important question: Who absorbs the operational burden when timelines shrink but capacity does not? This is where the policy collides with real world execution.”
“This acceleration is possible,” Haber adds, “but only for organizations that have already invested in extensive patch automation, real time vulnerability management, cloud security posture management, identity-centric controls, and risk-based prioritization. For everyone else, you cannot compress remediation timelines if you have not first compressed your reporting and exposure of risk first.”
The developments in AI have been pushing some industries harder than others, owing to the type and quantity of sensitive information they handle and their attractiveness as targets. For example, the capabilities of Claude Mythos recently prompted a series of emergency meetings between central bankers and finance ministers about protecting the world’s financial systems from what may soon be relentless automated probing for bugs and vulnerabilities. The BBC reports that top bankers will be given advance access to the model for testing, while initial exploration by researchers such as the UK’s AI Security Institute indicates that these near-term models are “powerful” but “not dramatically better” than models already available to the public.
And while these models have safeguards meant to prevent abuse and misuse of this sort, the threat of hackers breaching even the most prominent AI firms has to be considered after reports last month of a group that managed to URL-guess their way into non-public areas of the Mythos system.
Noelle Murata, Chief Operating Officer at Xcape, views all this as another strong prompt for the implementation of automated defenses: “The implications for leadership are clear: hitting a 3-day target is humanly impossible without Autonomic Security. Organizations must transition away from manual patch cycles and toward automated, AI-driven CI/CD pipelines that can test and deploy updates at machine speed. While the 72-hour mandate may currently focus on federal systems, it will rapidly become the de facto benchmark for any entity managing critical data. In the 2026 threat landscape, defense is no longer measured in weeks of policy, but in hours of automation.”