Cisco Rethinks Patching for AI-Accelerated Vulnerability Discovery
Cisco is changing how it ships security fixes, and the reason is AI-accelerated vulnerability discovery. Starting in July 2026, the company is moving to a scheduled, twice-monthly disclosure model, a direct response to frontier AI models and agentic tools that are now surfacing software bugs faster than the old ad-hoc patch process could handle.
Responding to AI-Accelerated Vulnerability Discovery
In a post by Russ Smoak, Cisco’s VP of Information Security, the company explains that the scale of vulnerability discovery has fundamentally shifted. AI systems can scan enormous code bases and flag defects at machine speed, while the gap between a bug being disclosed and being exploited has effectively closed. One-off advisories at unpredictable intervals, Cisco argues, are no longer the right tool for the job.
What Is Actually Changing
Beginning in July, Cisco will reserve the first and third Wednesday of each month for security-hardened software releases. Seven days before each drop, its PSIRT team will publish exactly which technologies and platforms are affected, so customers can pre-stage change windows and testing. Core network operating systems, including IOS XE, IOS XR, NX-OS, Firepower/ASA, and SD-WAN, will move to a quarterly schedule.
The bigger shift is philosophical. Instead of assigning an individual CVE to every bug, Cisco will publish bundled CVEs tied to broader weakness categories, and fix the underlying class of defect across its whole portfolio rather than patching one instance at a time. Its agentic discovery framework runs static analysis, live testing, configuration review, and exploit simulation, with security engineers kept in the loop for validation.
Why It Matters
Cisco frames this as risk going down, not up. Vulnerabilities that sat latent in code for years are now being found and fixed on a schedule the vendor controls, before attackers can weaponize them. The company says the safest posture is running a current, hardened release rather than chasing individual patches on older ones.
The move is a preview of how the wider infrastructure industry may adapt as AI reshapes both offense and defense. Predictable, batched security updates could become the norm, and how customers respond over the first few cycles will shape what comes next.
