Security Experts Discuss Proposed Government Patching Deadlines

By Jordyn Alger, Managing Editor
May 6, 2026

Reuters reported that United States cyber officials are considering shortening the deadline for fixing critical vulnerabilities in government IT. The current patching timeline, which is an average of two to three weeks, would be reduced to three days.

This reported proposal follows shortly after the release of Anthropic’s Claude Mythos and OpenAI’s GPT-5.4-Cyber, which have raised concerns about the future of accelerating cyber threats. 

Below, security experts share their insights on this shift. 

Security Leaders Weigh In

Matthew Hartman, Chief Strategy Officer at Merlin Group:

A move from two weeks to three days reflects a fundamental shift in the threat landscape, driven by AI’s ability to accelerate vulnerability discovery and exploitation. What once took skilled actors weeks can now happen in hours, collapsing the defender’s response window. Having spent the last decade working with federal CIOs and CISOs on this challenge — albeit before the release of Mythos and GPT-5.4-Cyber — most organizations are not yet equipped to safely validate, prioritize, and remediate critical or actively exploited vulnerabilities at that pace without risking service disruption or incomplete fixes. Closing that gap will require sharper prioritization, along with significant investment in automation and real-time asset visibility.

Morey Haber, Chief Security Advisor at BeyondTrust:

In the span of a few years, the asymmetry between threat actors and organizations has crumbled. What once took weeks for a discovered vulnerability to be weaponized with a reliable working exploit now takes merely hours. The rapid development is driven by increasingly capable AI models that can discover and exploit vulnerabilities at machine speed simply by pointing them at a target and executing automated penetration testing.

The proposal by the U.S. government to compress remediation timelines from weeks to three days is not just an aggressive policy; it is a recognition that the threat landscape has fundamentally changed and organizations of every size need to respond accordingly. The problem, however, is not just operating faster to defend organizations but rather giving serious consideration to the possibility that security patches may not exist in the accelerated time frame from vendors and open-source communities, and whether they have gone through sufficient quality assurance testing to demonstrate that they neither create other vulnerabilities nor break existing functionality.

In addition, patching in large organizations is not a single action by one individual or team. It is a chain of dependencies to verify asset discovery, impact analysis, regression testing, change management, outage coordination, and often regulatory validation. In many environments, especially those tied to critical infrastructure or financial systems, a patch is not deployed until absolutely necessary because of the downtime needed simply to apply the patch and reboot. This behavior is traditionally negotiated between teams and compressing that lifecycle into three days ignores the operational physics of enterprise IT and maintaining uptime.

Unfortunately, most enterprises do not have continuous visibility into their attack surface, let alone the ability to prioritize and remediate vulnerabilities in near real time. Vulnerability scanning still occurs once a month or, at best, once a week, and in some cases still once a quarter. Technical debt, legacy systems, and fragmented ownership models create friction that no mandate can eliminate overnight, and government agencies are already resource-constrained with recent staff layoffs and a lack of funding and expertise. This raises an important question: Who absorbs the operational burden when timelines shrink but capacity does not? This is where the policy collides with real-world execution.

This acceleration is possible, but only for organizations that have already invested in extensive patch automation, real-time vulnerability management, cloud security posture management, identity-centric controls, and risk-based prioritization. For everyone else, you cannot compress remediation timelines if you have not first compressed your reporting and exposure of risk.

Trey Ford, Chief Strategy and Trust Officer at Bugcrowd:

AI-powered offensive tools have effectively put vulnerability exploitation on a production schedule. The federal government compressing remediation windows is the right move, and the hard truth is that most organizations do not have continuous visibility into what they actually own and what is actually exposed. 

Closing the gap between a known finding and a remediated one requires continuous human verification at machine speed — and most enterprises are nowhere near that today.

  • Three days is not a technical mandate — it is a business continuity objective. Organizations that have built remediation into a two-week approval chain will find that chain now creates liability and extends exposure.
  • AI-powered offensive tools have effectively put exploitation on a production schedule. The federal government is not raising the bar arbitrarily; it is trying to match a threat reality already visible in attack telemetry.
  • The finding is not the risk. The unpatched finding is the risk. Until organizations have real-time visibility into what is exposed, who owns it, and whether compensating controls are actually working, changing the deadline feels like theater.
  • Most enterprises will not close this gap by accelerating their existing processes. They will close it by abandoning the assumption that periodic reviews are sufficient — and shifting to continuous adversarial testing as an operational baseline, not audit-backed intervals.
  • The companies that survive this shift will be the ones that treated patching as an operational discipline long before the mandate arrives.

Louis Eichenbaum, Federal CTO at ColorTokens:

This is a step in the right direction, but it’s still not enough. Even if agencies could patch every system within three days, that timeline is already too long in an environment where adversaries are using AI to discover and exploit vulnerabilities in near real time.

We also must acknowledge a structural reality: a significant portion of federal environments, particularly legacy and OT systems, cannot be patched quickly, and in some cases cannot be patched at all without risking mission disruption.

Patching alone is no longer a sufficient vulnerability management strategy.

Agencies must complement patching with a containment strategy. This is where microsegmentation becomes critical. By implementing granular microsegmentation, agencies can create secure, policy-enforced boundaries around vulnerable systems, restricting traffic flows and preventing lateral movement even if a system is compromised.

This approach does two things: it reduces the blast radius of exploitation and provides enhanced visibility into vulnerable assets so they can be closely monitored until remediation is possible.

In effect, microsegmentation buys time, allowing IT and OT operators to patch and modernize on their schedule, not the adversary’s, while maintaining mission continuity.

John Gallagher, Vice President of Viakoo Labs at Viakoo:

CISA’s proposal simply reflects the reality that the speed of AI-driven cyber-attacks provides threat actors a clear advantage over cyber defenders operating at a much slower speed. Pushing organizations to remediate vulnerabilities faster than threat actors can exploit them is the right focus to have, and is overdue (even before Mythos, the time to exploit a new vulnerability had come down to less than a day).

AI-driven threats aimed at OT, IoT, and ICS environments are the real focus of CISA’s announcement. Methods already exist for IT systems to be rapidly patched using automation, so the real impact of this proposal will be mainly on non-IT systems.

What makes this difficult to achieve is the unique nature of OT, IoT, and ICS environments, and how their patching and remediation processes are different from and more complex than those of IT environments. CISA has issued a challenging proposal to operators of non-IT systems, and should put more focus onto the methods they can use to achieve this.

CISA put a spotlight onto the area needing the most attention (vulnerability remediation). This reflects the success that agencies have found in putting in place other parts of a threat management framework, such as asset discovery, continuous monitoring, and threat detection. Pushing federal agencies to turn their focus to automated and autonomous vulnerability remediation addresses the biggest weakness in current threat management.  

Collin Hogue-Spears, Senior Director of Solution Management at BlackDuck:

The federal patch policy did not get faster. It got honest. The proposal recognizes that attackers already work inside timelines most agencies still treat as exceptional. 

Three days is not a magic number. It is a deadline that admits attackers work in hours. AI-assisted research compresses exploitation windows from weeks to hours, and the proposal narrows the gap between policy time and attacker time. The hard part is not writing the deadline. It is knowing which systems can patch, which need isolation, and which need compensating controls.

Security leaders must replace emergency-patch heroics with pre-staged remediation lanes: named system owners, automated rollback testing, asset inventories, and pre-approved compensating controls. The 72-hour proposal does not change what good remediation looks like. It changes how much warning you get before you need it. If the first real decision happens after the clock starts, the attacker already owns the tempo.
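As an added illustration, not part of the article or any quoted expert's material, the Python below tracks critical findings against the proposed 72-hour window and routes each one to a pre-staged lane (patch, await-vendor, contain, or isolate) so that owners, deadlines and compensating controls are decided before the clock starts. Asset names, owners and dates are constructed placeholders; treating a segmented unpatchable asset as covered for the window is an assumption drawn from the containment argument above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
SLA = timedelta(hours=72)  # the proposed three-day remediation window

@dataclass
class Finding:
    asset: str
    owner: Optional[str]   # named system owner; None means nobody is accountable
    disclosed: datetime    # when the critical finding became known
    patch_available: bool  # a validated vendor/open-source fix exists
    patchable: bool        # False for legacy/OT hosts that cannot take the reboot
    segmented: bool        # compensating control: microsegmentation policy applied
    remediated: bool = False

def lane(f: Finding) -> str:
    """Route a finding to a pre-staged remediation lane."""
    if f.patchable and f.patch_available:
        return "patch"         # automated patch with rollback testing
    if f.patchable:
        return "await-vendor"  # no validated fix yet: apply controls, patch on release
    return "contain" if f.segmented else "isolate"  # unpatchable: needs segmentation

def status(f: Finding, now: datetime) -> dict:
    """Deadline arithmetic. Assumption: a segmented unpatchable asset counts as covered."""
    deadline = f.disclosed + SLA
    covered = f.remediated or lane(f) == "contain"
    return {
        "asset": f.asset, "lane": lane(f), "owner": f.owner or "UNASSIGNED",
        "hours_left": round((deadline - now).total_seconds() / 3600, 1),
        "covered": covered,
        "overdue": not covered and now > deadline,
        "escalate": f.owner is None and not covered,  # clock running, no one accountable
    }

def triage(findings, now):
    """Open findings in stand-up order: overdue first, then uncovered by time left."""
    rows = [status(f, now) for f in findings if not f.remediated]
    return sorted(rows, key=lambda r: (not r["overdue"], r["covered"], r["hours_left"]))

# Constructed sample inventory; NOW is the article's publication date.
NOW = datetime(2026, 5, 6, 12, tzinfo=timezone.utc)
def may(day): return datetime(2026, 5, day, tzinfo=timezone.utc)
SAMPLE = [
    Finding("web-01", "alice", may(2), True, True, False),      # patch lane, past deadline
    Finding("plc-07", None, may(5), False, False, False),       # unpatchable, unowned
    Finding("hist-02", "ot-team", may(1), False, False, True),  # unpatchable but contained
    Finding("db-03", "bob", may(6), False, True, False),        # waiting on a vendor fix
    Finding("vpn-04", "carol", may(4), True, True, False, remediated=True),
]
```

Running `triage(SAMPLE, NOW)` lists the overdue web host first and the unowned, unsegmented PLC as the escalation, while the contained historian drops to the bottom because its compensating control is in place.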

KEYWORDS: artificial intelligence (AI), CISA, patch management, vulnerability, vulnerability management


Jordyn Alger is the managing editor for Security magazine. Alger writes on topics such as physical security and cybersecurity and publishes online news stories about leaders in the security industry. She is also responsible for multimedia content and social media posts. Alger graduated in 2021 with a BA in English – Specialization in Writing from the University of Michigan.
