There are discussions in US cybersecurity circles to radically shorten the time given to government agencies to fix software vulnerabilities currently being exploited, especially amid concerns about the growing use of artificial intelligence-based attacks.
According to a report by Reuters, there are talks of reducing the time frame from the current two or three weeks down to just three days, dramatically raising the pace of defensive operations across government systems.
These conversations, initiated by CISA and the Office of the National Cyber Director, have been spurred by an increasing sense of unease regarding more advanced AI models like Anthropic Mythos and GPT-5.4-Cyber.
These models are expected to significantly reduce the window during which any vulnerabilities can be detected and exploited, reducing attack times from weeks or days down to hours.
It is acknowledged, however, that such ambitious timelines will be challenging to meet. Patching vulnerabilities entails numerous steps in its process, especially within sensitive contexts.
It takes more than shorter deadlines to improve security
Doc McConnell, Head of Policy and Compliance, at Finite State: “It makes sense that CISA wants to promote a greater sense of urgency in the patching process. Organizations with open vulnerabilities that have been exploited in the wild are carrying real risk, and they should patch with urgency. But it takes more than shorter deadlines to improve security, especially for OT and IoT devices.”
He says companies need real-time visibility into whether vulnerabilities are present in their products through continuous monitoring and detailed, verified software bills of materials. “They also need tested, trustworthy, automated processes for applying security updates as soon as they’re available and keeping their customers up-to-date.
“A three-day deadline is going to be too fast for many organizations that are still relying on manual, ad hoc processes, and it’s going to be plenty of time for attackers that are relying on modern, automated tooling to scale their attacks.”
A pivot to hyper-accelerated defense
Noelle Murata, Chief Operating Officer at Xcape Inc, adds: “The proposal to slash federal patch deadlines from weeks to just 72 hours represents a pivot to ‘Hyper-Accelerated Defense.’ This policy shift, being weighed by CISA and the Office of the National Cyber Director, is a direct admission that the traditional 14-day remediation window has been rendered obsolete by the arrival of “Cyber-Permissive” AI models like OpenAI’s GPT-5.4-Cyber and Anthropic’s Mythos.
Murata says these advanced models have fundamentally compressed the “N-day” window, or the gap between a patch release and its mass exploitation. “Where human researchers once took days to reverse-engineer a patch and develop an exploit, these AI systems can now identify exploit primitives and generate proof-of-concept code in a matter of hours. For federal agencies and critical infrastructure, this means “Cyber Hygiene” is no longer a periodic administrative task; it is now a real-time race against automated adversaries.
“The implications for leadership are clear: hitting a three-day target is humanly impossible without Autonomic Security. Organizations must transition away from manual patch cycles and toward automated, AI-driven CI/CD pipelines that can test and deploy updates at machine speed. While the 72-hour mandate may currently focus on federal systems, it will rapidly become the de facto benchmark for any entity managing critical data. In the 2026 threat landscape, defense is no longer measured in weeks of policy, but in hours of automation.”
Murata offers key takeaways for the 72-hour window:
- AI-Driven Exploitation: Models like Mythos can autonomously perform binary analysis, shortening the time-to-exploit from days to hours.
- Infrastructure Stress Test: Agencies must move from “manual review” to “automated testing” to meet a 3-day deadline without breaking legacy environments.
- New Compliance Baseline: Expect the CISA Known Exploited Vulnerabilities (KEV) catalog to be the primary driver for these high-speed mandates.
“Patching in three days sounds impossible until you realize that GPT-5.4 doesn’t take weekends, doesn’t need coffee, and already has a working exploit for the bug you just heard about ten minutes ago.”
The right move, not a second too late
Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, at Suzu Labs, says cutting the default KEV remediation window from two weeks to three days is the right move and not a second too late. “The two week window was built for a threat landscape where exploitation required time and large amounts of resources. That landscape no longer exists.
“LiteLLM’s CVE-2026-42208 was exploited within 36 hours of advisory publication earlier this year. When the advisory itself becomes the exploit development kit and AI models can parse vulnerable code paths and generate working exploitation faster than most organizations can schedule a change window, three days is generous. Attackers are routinely inside systems before patches exist.”
Krell says that while three days is ambitious, defenders are not operating with the same constraints they had even 12 months ago. “The same AI capabilities compressing the offensive timeline are available to the defensive side. Documentation review, compatibility testing, compliance validation, and change management workflows that used to justify longer remediation windows can all be accelerated by the same technology driving the threat. Organizations that invest in AI assisted patching and deployment pipelines will find three days achievable. The remediation toolbox is expanding at the same rate as the threat.”
Moving from weeks to three days is aspirational
Sunil Gottumukkala, CEO of Averlon, says the intent is absolutely right. “AI is compressing the time between vulnerability disclosure and exploitation, and defenders cannot operate on old remediation timelines forever. But moving from weeks to three days is aspirational unless agencies also get the operational maturity, automation, asset visibility, and change-management capacity needed to execute that quickly. Many agencies already struggle to meet today’s deadlines, so simply shortening the clock does not automatically reduce risk.”
Gottumukkala believes that the more practical path is to combine urgency with exploitability-based prioritization. “CISA should push agencies to determine whether a KEV vulnerability is actually reachable and credibly exploitable in their specific environment, and then require the fastest action on those systems. FedRAMP’s recent vulnerability management direction is a good model: it explicitly considers reachability, exploitability, criticality, potential impact, and mitigation when determining urgency. That is the kind of context defenders need.
“The threat is real, and AI will make exploitation faster. But guidance has to be achievable. Otherwise, agencies will end up chasing deadlines on paper while the most exploitable paths in their environments remain exposed.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.