US weighs cutting cyber fix deadlines to 3 days as AI speeds up cyberattacks


US cybersecurity officials are considering sharply shorter deadlines for fixing critical flaws in government IT systems, amid concerns hackers could exploit them using artificial‑intelligence tools such as Anthropic’s Mythos, people familiar with the matter said.

The move, which has not been previously reported, would slash the deadline for responding to actively exploited vulnerabilities from an average of two or three weeks to three days, the people said.

Anxiety over the power and proliferation of AI models like Anthropic’s Mythos and OpenAI's GPT‑5.4‑Cyber has been building for weeks.

Although hackers have been deploying AI since at least 2023, these newer models are said to be able to easily identify previously unknown vulnerabilities or seize on freshly disclosed ones to enable complex hacking operations.

So while it previously might have taken hackers several months, weeks, or days to take advantage of software flaws, that timeframe has been compressed, in at least some cases, to a matter of hours.

AI shrinking attack timelines

That in turn is putting pressure on defenders to kick into high gear, said Stephen Boyer, the founder of cybersecurity company Bitsight, which has previously helped CISA catalog vulnerabilities.

"If you're going to protect civil agencies, you're going to have to move faster," Boyer said. "We don't have as much of a window as we used to have."

The two sources familiar with the matter said the deadline proposals were being discussed by Nick Andersen, the acting chief of the Cybersecurity and Infrastructure Security Agency, and Sean Cairncross, the US national cyber director.

Reuters could not establish whether a final decision on the matter has been made or when one could be expected. CISA and the Office of the National Cyber Director did not immediately offer comment.

CISA has for years curated a catalog of known-and-exploited vulnerabilities, or KEVs, which are seen as priorities because they are out in the open and actively being abused by criminals or spies.

CISA has typically given civilian agencies a three-week deadline to fix such flaws once they are added to the database, according to cybersecurity researcher Glenn Thorpe, although that has recently dropped to around two weeks.

Deadlines are occasionally compressed to deal with particularly serious problems, but the new proposal would see the default cut down to just three days, the sources said.

Push to cut patch deadlines to 3 days

The discussions at CISA come as business leaders and the digital security industry grapple with the fallout from the release of more advanced AI models. The banking industry, in particular, has been sent scrambling as regulators race to get a handle on how dangerous the new technology is.

Tightening deadlines at CISA will likely serve as a model for state and local governments as well as businesses and other groups, said Nitin Natarajan, who served as the deputy director of CISA under former President Joe Biden.

"This is a signal to others that says, 'Hey you need to do this more quickly,'" he said.

Natarajan, who now runs the cyber consultancy NN Global, said speeding up the deadlines made sense given how quickly AI-powered threats were evolving. But he warned that CISA - which has been depleted by deep job cuts and buffeted by government shutdowns under President Donald Trump - needed the capacity to handle the strain of tighter deadlines.

"We've seen a reduction in their resources, both in funding and expertise," Natarajan said.

Kecia Hoyt, a vice president at the threat intelligence firm Flashpoint, warned that patching software flaws could be a complicated process involving detailed tests ahead of deployment. "Realistically, three days is simply impossible for some environments," she said.

John Hammond, the senior principal security researcher at Maryland-based Huntress, said dropping deadlines to three days would be "quite a change." While he said he was cautiously optimistic about running things faster, "only time will tell how well the industry keeps up."

