
Part 1 of 2: From Patch Tuesday to Real-Time Response: How AI Is Changing Zero-Day Vulnerability Management


Semper Sec | May 2026 

I had a tough, mean, and brilliant boss whose favorite expression was YGBSM! He wrote it so often on papers I handed him that I considered getting him a rubber stamp to save his wrist. It stood for “You Gotta Be Spoofing Me!” Okay, it wasn’t “Spoofing,” but you get the idea.

I was tempted to dust off that phrase when I reviewed one of the references for this month’s blog. Did you know there is a formal term, “N-day vulnerability,” for a flaw that is known but not yet widely patched? In 2026, with AI moving at machine speed, that should sound absurd. Yet here we are. 

The widespread utility of AI is already obvious. What is becoming impossible to ignore is the speed at which advanced models can now identify weaknesses, chain exploits, and compress the time defenders have to respond. Anthropic’s Claude Mythos Preview is one of the most public examples of that shift, and it points back to an older threat pattern we are likely to hear much more about again: script kiddies. 

Remember the original script kiddies? They became so numerous because they did not need years of technical training. Skilled attackers built or refined the tools; less sophisticated attackers simply downloaded them and started swinging. AI script kiddies will be far more dangerous. Give a minimally skilled actor an AI system that can help surface vulnerabilities, explain exploit paths, and accelerate reconnaissance, and the barrier to entry drops fast. 

That is what makes the old Patch Tuesday mindset so dangerous now. In 2003, Microsoft standardized Patch Tuesday to release a burst of fixes on the second Tuesday of each month. It made operational sense for a different era. But attackers quickly learned to treat the day after as Exploit Wednesday, reverse-engineering patches and looking for organizations that had not yet updated. Predictability helped defenders coordinate, but it also helped attackers prioritize. 

That old rhythm does not fit the current threat environment. A zero-day is dangerous because defenders have no patch at the time of disclosure or exploitation. An N-day is dangerous because the patch exists, but organizations still have not applied it, and in many environments that lag is exactly where the breach happens.

This is why the Patch Tuesday mindset must die. Patches cannot wait. AI is too fast and too thorough. You need a security program that operates continuously, not one that wakes up when the calendar tells it to. 

We have had automated scanning for a long time. SATAN caused a stir back in 1995 because it made it easy for administrators and attackers to probe Unix networks for known flaws. That was a big deal at the time, and in a sense it was the ancestor of every vulnerability scanner and exposure management platform that followed. What is newer is not the existence of scanners. It is the move toward continuous monitoring, continuous assessment, and continuous validation, all tied more closely to operational workflows than periodic reports ever were. 

That is the real shift. The question is no longer whether organizations can scan for vulnerabilities. They have been able to do that for decades. The question is whether they can turn what they learn into action fast enough to matter when AI is shrinking the window between discovery and exploitation. 

