Vulnerabilities, May 1, 2026

Preparing for a ‘vulnerability patch wave’

NCSC warns organisations to prepare for incoming 'vulnerability patch wave' addressing decades of technical debt.

Summary

The UK's National Cyber Security Centre (NCSC) is alerting organisations to prepare for an imminent surge of software patches driven by AI-assisted vulnerability discovery and decades of accumulated technical debt. The advisory recommends prioritising external attack surfaces, enabling automatic patching where possible, and implementing risk-prioritised update strategies. Beyond patching, the NCSC emphasises adopting memory safety technologies and cyber security fundamentals like Cyber Essentials to build systemic resilience.

Full text

Blog Post

Preparing for a ‘vulnerability patch wave’

Organisations must act now to prepare for a wave of patches that will address decades of technical debt.

Ollie Whitehouse

Whether they are technology producers and vendors, or consumers and operators, all organisations have ‘technical debt’: a backlog of technical issues – that is both expensive and time-consuming – as a result of prioritising short-term gains over building resilient products.

Artificial Intelligence, when used by sufficiently skilled and knowledgeable individuals, is showing the ability to exploit this technical debt at scale and at pace across the technology ecosystem. As a result, the NCSC expect there will be a ‘forced correction’ to address this technical debt across all types of software, including open source, commercial, proprietary and software as a service.

This is why we are encouraging all organisations to prepare now for when a ‘patch wave’ arrives: a rush of software updates that will need to be applied across the technology stack to address the disclosure of new vulnerabilities.

Prioritise external attack surfaces

All organisations must take steps to identify and minimise their internet-facing (and other externally exposed) attack surfaces as soon as is possible. As we’ve argued for some time, you should prioritise technologies on your perimeter and then work inwards, covering cloud instances and on-premises environments. By doing this, organisations can reduce the risk that latent vulnerabilities pose when they become known and exploited by attackers.

Where organisations cannot apply updates across their entire environment, they should prioritise applying updates to their external attack surfaces. Where capacity extends beyond the external attack surface, organisations should prioritise critical security systems.

It is also important for organisations to realise that patching alone will not always suffice; some technical debt may be present in ‘end of life’ or legacy technology that is out of support, and so can’t receive updates. In such instances, organisations will need to replace technologies, or bring them back within support, especially where they present an external attack surface.

Prepare to patch quickly, more often, and at scale

Building on the principles contained within our Vulnerability Management guidance, organisations should make plans to deploy software security updates quickly, more frequently, and at scale, including across their supply chains. We are expecting an influx of updates to address vulnerabilities across all severities, and expect a number to be critical.

The NCSC recommend that:

- where automatic secure ‘hot patching’ is available (that is, patching that doesn’t involve service disruption), this should be enabled as a priority
- where automatic updates are available (including for embedded devices), this should be enabled to reduce the workload on support teams
- where neither of the above is available, organisations will need to ensure that processes and risk appetites support frequent and scaled updating, noting the operational trade-offs around disruption and safety-critical systems. A risk-prioritised approach such as the Stakeholder Specific Vulnerability Categorisation (SSVC) system can be used to prioritise installing the updates

However, should a critical vulnerability be under active exploitation (especially one affecting an internet-facing system), then it is essential to accelerate the update process. Organisations can refer to the NCSC’s new guidance on ‘Responding to active exploitation of vulnerabilities’ for more information.

To summarise, you should put in place a policy to ‘update by default’, where you always apply software updates as soon as possible, and ideally automatically. This should be at the core of your update management process, but we recognise that it may not apply in some circumstances (such as for safety-critical systems or operational technology).

Beyond software updates

Patching alone won’t address the systemic problems that my previous blogs have addressed. I’ve appealed to technology producers and vendors to ensure systemic technical security debt is minimised by including – where appropriate – memory safety and containment technologies such as CHERI and others.

Similarly, for consumers and operators, a focus on cyber security fundamentals to raise resilience and to reduce the impact of breaches should be a priority. This includes adopting and fully implementing Cyber Essentials, or the Cyber Assessment Framework for organisations operating essential services (such as energy, healthcare, transport, digital infrastructure and government).

For organisations facing elevated threats, the NCSC have also recently produced guidance on:

- Privileged access workstations (PAWs)
- Cross-domain approach and architecture
- Cyber resilience through observability and threat hunting

Prepare for the patch wave now

In conclusion, the NCSC advise all organisations, irrespective of size, to plan and prepare for the vulnerability patch wave. A good place to start is by reading the NCSC’s updated Vulnerability Management guidance. For larger organisations, we also recommend working to gain assurance from your supply chains, both commercial and open source, so that they are prepared to navigate any required response.

Ollie Whitehouse
CTO, NCSC

Written by Ollie Whitehouse, Chief Technology Officer (CTO), NCSC. Published 1 May 2026. Part of blog: Inside the NCSC.
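One way to turn the prioritisation rules in the post (external attack surface first, then critical security systems, accelerate actively exploited critical vulnerabilities, replace or re-support what cannot be patched, prefer hot patching and automatic updates) into a repeatable patch queue. This is an added example, not NCSC code: the asset inventory is constructed, and the outcome labels follow a simplified SSVC-style mapping that is an assumption here, not the published SSVC decision tree.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool       # part of the external attack surface
    critical_security: bool     # e.g. identity provider, VPN concentrator
    supported: bool             # False = end of life, cannot receive updates
    hot_patch: bool = False     # secure hot patching available
    auto_update: bool = False   # automatic updates available

@dataclass(frozen=True)
class Vuln:
    asset: str
    severity: str               # "critical" | "high" | "medium" | "low"
    actively_exploited: bool
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def decision(asset: Asset, vuln: Vuln) -> str:
    """Simplified SSVC-style outcome (assumed mapping, not the published tree)."""
    if not asset.supported:
        return "replace-or-resupport"   # out of support: patching is not an option
    if vuln.actively_exploited and vuln.severity == "critical":
        return "immediate"              # accelerate the update process
    if asset.internet_facing:
        return "out-of-cycle" if vuln.severity in ("critical", "high") else "scheduled"
    if asset.critical_security:
        return "out-of-cycle" if vuln.severity == "critical" else "scheduled"
    return "scheduled" if vuln.severity in ("critical", "high") else "defer"

def mechanism(asset: Asset) -> str:
    # Prefer hot patching, then automatic updates, then a manual change window.
    return "hot-patch" if asset.hot_patch else "auto-update" if asset.auto_update else "manual"

def build_patch_queue(assets, vulns):
    """Rows of (asset, severity, decision, mechanism), most urgent first."""
    by_name = {a.name: a for a in assets}
    def key(v):  # external surface first, then critical security systems, then severity
        a = by_name[v.asset]
        accelerate = v.actively_exploited and v.severity == "critical"
        return (not accelerate, not a.internet_facing, not a.critical_security,
                SEVERITY_RANK[v.severity])
    return [(v.asset, v.severity, decision(by_name[v.asset], v), mechanism(by_name[v.asset]))
            for v in sorted(vulns, key=key)]
ASSETS = [Asset("edge-vpn", True, True, True),            # constructed inventory
          Asset("public-web", True, False, True, auto_update=True),
          Asset("idp", False, True, True, hot_patch=True),
          Asset("legacy-fileshare", True, False, False)]
VULNS = [Vuln("idp", "critical", False), Vuln("public-web", "high", False),
         Vuln("edge-vpn", "critical", True), Vuln("legacy-fileshare", "critical", True)]
```

Running `build_patch_queue(ASSETS, VULNS)` puts the actively exploited internet-facing VPN first, flags the unsupported file share for replacement rather than patching, and only then works inwards to the internal identity provider.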

Entities

NCSC (vendor)
CHERI (technology)
Cyber Essentials (technology)
Stakeholder Specific Vulnerability Categorisation (SSVC) (technology)