Over the past week, a series of incidents has made one thing clear: we’ve entered a new phase of vulnerability risk, and organisations aren’t ready for it.

From the rapid exploitation of cPanel, to tightening regulatory expectations from Cyber Essentials, to explicit warnings from the UK’s NCSC leadership, the signal is consistent. Exposure is increasing, response windows are shrinking, and AI is accelerating both.

Together, these events tell a very different story. What used to take weeks now happens in hours. Exposure, exploitation, and impact are no longer spread out; they’re compressed into a dangerously small window.

And underpinning all of this is a bigger reality. Years of accumulated technical debt are being brought to the surface faster than most organisations can realistically deal with. AI is accelerating discovery, but it’s also accelerating pressure.

What Mythos Changes

Behind the NCSC’s warning is a bigger shift in how vulnerabilities are being uncovered.

New AI models such as Mythos aren’t just helping security teams work faster; they’re accelerating discovery itself. Weaknesses that have sat unnoticed for years, even decades, are now being surfaced in days. And not just identified, but understood and exploited at speed.

These findings are already feeding into real-world disclosures and attacks. What used to take specialist expertise and significant time can now be replicated far more quickly and cheaply.

The key point: this is happening across the same everyday software stacks organisations rely on. And critically, this capability hasn’t been explicitly engineered; it’s emerging naturally as AI gets more sophisticated. Which means it won’t stay isolated for long.

This is why leaders are framing it as a “when, not if” moment. The pace of exposure is accelerating, and it’s about to reshape what “normal” looks like for vulnerability risk and how teams prepare for the wave.

The Patching Maths Doesn’t Work

Most organisations are already struggling to keep up with patching. Now, with Cyber Essentials v3.3 enforcing a strict 14-day window for all critical and high-severity vulnerabilities, with no exceptions, the margin for delay has effectively disappeared.

At the same time, vulnerabilities are being discovered faster, in greater numbers, and across multiple systems at once. What used to be manageable as a steady flow is rapidly becoming a surge. The result is a growing mismatch. IT teams are built around planned cycles and limited change windows, but the threat landscape is moving in real time.

And this goes beyond patching. In many cases, the risk runs deeper, exposing legacy systems and long-standing technical debt that can’t be fixed with a simple update.

For mid-market organisations and MSPs, the pressure multiplies across every environment they manage. The bottom line? Vulnerabilities won’t wait 14 days anymore, but many organisations still need them to. That’s where the model starts to break.

What This Means in Practice

If you are an IT leader: Your current patching cadence was designed for a world where critical vulnerabilities arrived at a manageable rate. That world is ending. It’s no longer if demand outpaces your team; it’s when. Start by understanding your actual patch-to-deployment time across the full estate. Audit your internet-facing attack surface. Identify any end-of-life or unsupported systems that cannot be patched at all.

If you are an MSP or MSSP: Your clients are about to need help they don’t know they need. Those in regulated sectors (legal, financial services, and healthcare) will face hard-hitting supply-chain questions from insurers, auditors, and partners. Those pursuing Cyber Essentials certification will discover that their patching process cannot absorb the incoming volume.

If you sit on the board: The NCSC’s CTO has publicly stated that a major patch wave is coming, and expectations have tightened. The 14-day window is now a hard requirement, while AI is shrinking response time from months to hours. What we’re seeing now isn’t an anomaly; it’s the new baseline.

The Window to Prepare Is Now

The advice hasn’t changed, but the urgency has. Attack timelines are shrinking fast, turning what used to be weeks into hours. That means the gap between knowing about a vulnerability and being hit by it is closing just as quickly.

The 14-day patching window was already a stretch. Now, it’s becoming a real pressure point.

The organisations that act now, reducing exposure, improving automation, and planning for scale, will be the ones that keep up. Those that don’t act risk being caught out when everything hits at once. Acora’s Cyber Incident Baseline is a key tool to help businesses stay ahead and be prepared for these types of pressures.

A Note from our Group CISO, Darren Humphries

“The NCSC is right to sound the alarm, but let’s be honest, the cyber security industry sold detection and response for a decade while the foundations went unpatched. We built castles of EDR, XDR, and SOAR on top of twenty-year-old vulnerabilities that nobody bothered to fix.

Now AI is auditing that technical debt at machine speed, and the maths simply doesn’t work. This isn’t an AI problem. It’s a patching problem that AI just made impossible to ignore. The organisations that invested in the boring stuff, high availability, automated patching, and attack surface reduction, are already prepared. Everyone else is about to find out what technical debt costs when the interest rate goes vertical.”