
AI Isn’t Replacing Vulnerability Management. It’s Raising the Bar.

The announcement of Claude Mythos triggered a familiar reaction across the industry: a mix of excitement, concern, and a quiet question underneath it all. What does this mean for vulnerability management?

The direction of travel is clear. AI is accelerating security testing at a pace we haven’t seen before. Tools can now orchestrate complex workflows, generate test cases, and operate at a speed and scale previously only achievable with highly skilled human effort. This is real progress.

At Edgescan, we are seeing it ourselves. We have been using AI to enhance Weasel, our proprietary scanner, both in generating new checks and in analysing results at speed. Recently, that led to the discovery of a previously undetected XSS vector, something our existing approach had not surfaced. AI is already changing how vulnerabilities are found.

But this is where the narrative risks becoming overly simplistic. Finding vulnerabilities has never been the hardest part of the problem.

The gap between discovery and outcome

As detection accelerates, the volume of findings will increase dramatically. More coverage, more tests, more results. On the surface, this looks like progress. In reality, it shifts the pressure elsewhere.

The real challenge in vulnerability management has always been what comes next.

Which findings are real? Which matter in the context of your environment? Which require immediate action, and which can wait? And critically, how do you ensure they are actually resolved?

This is not a tooling problem. It is a decision-making problem. AI can increase signal, but it also increases volume. And volume, without context, is where organisations begin to struggle.

Data from the 2026 Edgescan Vulnerability Statistics Report makes this concrete. For vulnerabilities with an EPSS score above 0.1, meaning there is already a measurable probability of exploitation, the average time to remediation is 210 days. That is not a detection gap. That is an execution gap. The finding is known. The clock is running. And the response is slow.

Speed without confidence is just faster risk

There is a growing narrative that the answer is automation: faster prioritisation, faster validation, even autonomous remediation. There is truth in that direction. But it misses a key point. Speed only matters if it is paired with confidence.

Confidence that a vulnerability is real, that it is exploitable in your environment, and that fixing it will not introduce greater risk. Without that, automation does not reduce risk. It simply moves it faster.

48,185 CVEs were published in 2025, a new record. The volume alone is not the problem. Knowing which ones matter is. And that judgement still requires context that automated tools cannot consistently apply.

In the 2026 report, for the first time, LLM Prompt Injection appears in the top 10 critical web vulnerability findings. Not as a prediction. Not as a warning. It is already in the data. AI-powered systems are now part of the attack surface, and they are being exploited. The implication for vulnerability management teams is significant: the scope of what needs to be assessed is expanding, even as the capacity to manage the existing backlog remains under pressure.

Where AI is actually delivering value

The most effective use of AI today is not in replacing vulnerability management, but in strengthening it.

We are seeing value in two areas in particular.

Improved discovery: broader coverage, faster iteration, and the ability to identify issues that would previously have gone unnoticed. The XSS vector our scanner surfaced is a straightforward example. These are real findings with real remediation implications.

Rapid analysis: using AI to reduce false positives and triage results at speed allows teams to focus on what actually matters. It is this layer, between raw detection and remediation, where the majority of time is lost, and where the greatest gains can be made.

This is not about generating more data. It is about making better decisions with the data you have.

The role of vulnerability management going forward

The idea that AI will replace vulnerability management misunderstands the problem. If anything, the opposite is true.

As AI increases the speed and scale of vulnerability discovery, the need for effective vulnerability management becomes more acute. The challenge shifts from “how do we find issues?” to “how do we manage risk in an environment where issues are found continuously, at scale, and at speed?”

37% of vulnerabilities in large enterprise environments remain unresolved after 12 months. Nearly one in five of those are high or critical severity. That backlog does not shrink because detection gets faster. It grows. Managing it requires accurate validation, context-aware prioritisation, clear ownership, and consistent remediation. None of these disappears with better tooling; they become more important.
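As an added example, not code from the report or from Edgescan's tooling, the execution-gap measures described above and in the EPSS passage earlier, computed over a constructed findings set: mean time to remediation for findings with EPSS above 0.1, the share of the backlog still open after 12 months and how much of it is high or critical, and a triage queue that puts the most exploitable open findings first. The 0.1 threshold and the 12-month window follow the figures quoted in the text; the findings, dates and identifiers are assumed sample data.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

EPSS_THRESHOLD = 0.1   # the text's cut-off for a measurable probability of exploitation
BACKLOG_DAYS = 365     # the text's 12-month backlog window

@dataclass
class Finding:
    vuln_id: str                    # placeholder identifier, not a real CVE
    severity: str                   # "critical", "high", "medium" or "low"
    epss: float                     # EPSS probability of exploitation
    discovered: date
    resolved: Optional[date] = None  # None means the finding is still open

def time_to_remediation(findings, epss_min=EPSS_THRESHOLD):
    """Mean days from discovery to fix, over resolved findings above the EPSS threshold."""
    ages = [(f.resolved - f.discovered).days
            for f in findings if f.resolved is not None and f.epss > epss_min]
    return mean(ages) if ages else None

def backlog_stats(findings, as_of, window_days=BACKLOG_DAYS):
    """Share of all findings still open past the window, and share of those that are high/critical."""
    aged = [f for f in findings
            if f.resolved is None and (as_of - f.discovered).days > window_days]
    unresolved_share = len(aged) / len(findings) if findings else 0.0
    severe = [f for f in aged if f.severity in ("critical", "high")]
    return unresolved_share, (len(severe) / len(aged) if aged else 0.0)

def triage_queue(findings, epss_min=EPSS_THRESHOLD):
    """Open findings above the EPSS threshold, highest exploitation probability first, oldest first on ties."""
    open_ = [f for f in findings if f.resolved is None and f.epss > epss_min]
    return sorted(open_, key=lambda f: (-f.epss, f.discovered))

# Constructed sample backlog (not report data); AS_OF is the reporting date.
AS_OF = date(2026, 3, 1)
SAMPLE = [
    Finding("F1", "critical", 0.45, date(2025, 1, 10), date(2025, 8, 8)),   # fixed after 210 days
    Finding("F2", "high",     0.20, date(2025, 3, 1),  date(2025, 5, 30)),  # fixed after 90 days
    Finding("F3", "medium",   0.02, date(2025, 2, 1),  date(2025, 2, 15)),  # below EPSS threshold
    Finding("F4", "high",     0.30, date(2024, 12, 1)),                     # open, in the 12-month backlog
    Finding("F5", "low",      0.01, date(2024, 10, 15)),                    # open, backlog, low severity
    Finding("F6", "critical", 0.60, date(2026, 1, 20)),                     # open, recent
]

if __name__ == "__main__":
    print("mean TTR (EPSS > 0.1):", time_to_remediation(SAMPLE))
    print("backlog share, high/critical share:", backlog_stats(SAMPLE, AS_OF))
    print("triage order:", [f.vuln_id for f in triage_queue(SAMPLE)])
```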

The real shift

We are moving from a world where the bottleneck was discovery, to one where the bottleneck is decision-making and execution.

The organisations that succeed will not be the ones that generate the most findings, or adopt the most advanced models first. They will be the ones that can prove what matters, act on it safely, and close the loop consistently.

AI will make it easier to find vulnerabilities and it is already helping teams analyse and prioritise them more effectively. But it does not remove the complexity of deciding what matters in your environment, or the risk involved in fixing it. That is where the real problem, and the real value, still lies.
