Article Don’t Hit “Later” On That Update Notification. Seriously.

A colleague dropped this in a group chat the other day with resounding agreement:

“I feel like my full-time job is installing updates.”

Annoying? Yes. Disruptive to actually getting work done? Without question. Necessary? 100%. Non-negotiable. And right now — more urgent than it has ever been.

Here’s why.

What is Project Glasswing?

The reason your update notifications are relentless right now isn’t random. It isn’t vendors finally clearing the maintenance backlog. It’s the direct result of something called Project Glasswing.

On April 7, 2026, Anthropic announced it had quietly deployed its most powerful AI model — Claude Mythos Preview — not to the public, but to a controlled coalition of companies that run the world’s most critical software infrastructure: Amazon, Apple, Cisco, CrowdStrike, Google, Microsoft, Palo Alto Networks, and roughly 40 others. The mission was entirely defensive: Use Mythos to find vulnerabilities before bad actors could.

What it found was staggering.

In a matter of weeks, Mythos identified thousands of critical, previously unknown vulnerabilities across every major operating system and every major browser — including flaws hiding in plain sight for years, sometimes decades. A now-patched-27-year-old bug in OpenBSD, long regarded as one of the most security-hardened operating systems, that allowed a remote attacker to crash any machine running it simply by connecting to it. A 16-year-old vulnerability in FFmpeg, the video encoding library that underlies nearly every major video platform, that survived years of intensive security research without being caught (also patched). The Anthropic red team documented it themselves: these bugs weren’t subtle oversights in fringe code. They were in software you run every day.

Vendors are now receiving disclosures on a tightly controlled schedule and racing to release patches. That wave of update notifications? That’s it. That’s the response.

Why patch delays increase your risk right now

There’s always been a gap between when a vulnerability is disclosed and when an attacker can weaponize it. That window is compressing fast.

Mythos itself demonstrated how quickly exploit development can move when AI is doing the work — the same model that found a 27-year-old OpenBSD bug autonomously also wrote 181 working Firefox exploits in a single test run, compared to 2 for the previous generation of AI models. Defenders who are used to measuring response time in days or weeks are now operating in a different environment. Once a patch is public, the clock is running — and the people on the other side of this aren’t waiting for your IT team’s next maintenance window.

It sounds alarmist. But the right response here isn’t panic.

“I don’t think Mythos is a freak out moment, rather more of a wake-up call,” says Will Pocknell, Sr. Mgr IT, Security & Compliance at Insight. “IT, developers and security teams have seen the need to increase patch/update/fix delivery speed for awhile, but we’re now in a world where that’s ‘must do’ rather than aspirational.”

Patch management has lived in the aspirational column for a long time. Faster deployment cycles, tighter windows between release and deployment, not allowing end users to defer critical updates — these were the goals on the roadmap, not requirements on the calendar.

That conversation is over.

How to close the patch deployment gap

The harder question is how to operationalize urgency at scale — especially when “later” is baked into the muscle memory of everyone who has ever clicked that little X on an update notification.

A few things worth doing now:

Know what you’re patching. Your highest exposure lives in critical infrastructure and core software: browsers, endpoints, operating systems, and anything internet-facing. If you don’t have a clear, current picture of what you’re running and which systems are receiving active vulnerability disclosures, that’s the first gap to close.

Shrink the deployment lifecycle. The time between “patch available” and “patch deployed” is your window of exposure. The old weekly or monthly cadence no longer fits the threat environment. This is the metric that matters — and the one that’s changed most dramatically with the arrival of AI-assisted exploit development.

Stop allowing deferrals on critical patches. The option to “remind me tomorrow” needs to come off the table for high-severity updates. Setting expectations with end users matters as much as the technical deployment — people push back less when they understand why the policy changed.

Think clearly about what you manage versus what you outsource. The managed endpoint services conversation is getting louder right now for a reason. Keeping pace with a coordinated, multi-vendor patch wave across an entire organization, with compressed exploitation timelines, is not a background task. It’s a primary one.

My colleague wasn’t wrong. The updates are relentless right now — and they’ll probably stay that way for a while. We’re in the middle of a patch response unlike anything the industry has seen at this scale or speed.

What Mythos revealed isn’t just a list of bugs. It’s something more unsettling: that the vulnerabilities have always been there. Hiding in software we’ve trusted for years, invisible to tools that looked at them millions of times. The difference now is that we know about them — and we have a path to fixing them.