
The 99% Problem: closing the remediation gap


A recent analysis of AI-driven vulnerability research opened with a number that should stop any security leader mid-sentence: fewer than one percent of the vulnerabilities that one AI system, Mythos, surfaced have actually been patched. Read it again. Not one percent unconfirmed, or one percent disputed — one percent fixed. The other ninety-nine percent are found, catalogued, and still running in production. That ninety-nine percent is the whole game now, and it has a name. It is the remediation gap, and it is not a detection failure. It is an operational one.

When detection stops being the hard part

The case that discovery is now cheap is hard to argue with. The same body of reporting credits one research outfit with roughly 180 externally validated CVEs across more than thirty projects since early 2025, including twelve zero-days in a single January 2026 OpenSSL release, and a flaw in OpenBSD that had survived undetected since 1999. More telling than any single find: eight different open-weight models independently located the same flagship vulnerability. This capability is not locked inside a frontier lab. It diffuses into commodity tooling within a year or two, and then everyone has it — including the people you would rather did not.

A note on the figures is fair here. The source itself offers a healthy rule of thumb: halve anything a vendor quotes, double anything a government quotes, and hold synthetic benchmarks pending real-world results. Good advice. So halve them all. The asymmetry does not move. As the analysis puts it, “discovering vulnerabilities at scale without remediating them at comparable scale produces a growing list of exposures, not improved security.” Discovery has become parallel, automated, and increasingly autonomous. The thing it produces — work — has not.

The remediation gap is operational, not technical

Here is the part that gets lost in the excitement about what AI can find. For the overwhelming majority of these vulnerabilities, the fix already exists. The vendor has validated the report and shipped a patched build. The CVE has a fixed-in version recorded against it. The technical problem — what is wrong, and how to correct it — is solved upstream, frequently within days. And yet the vulnerability persists on the endpoint for weeks or months.

The gap between “a fix exists” and “the fix is running on every machine that needs it” is not a research problem and not an engineering problem. It is a logistics problem. The remediation gap is the distance between a published patch and a deployed one, and almost none of that distance is technical.

Walking the supply chain

Trace what actually has to happen between disclosure and a patched desktop:

  • An AI, or a researcher, finds the flaw.
  • The vendor validates it and ships a patched build.
  • Someone has to notice that build, pull it in, and package it for enterprise deployment — repackage the installer, apply transforms, sort out the silent-install arguments.
  • Someone has to test it: the install path, the update path, the uninstall path, file associations, services, and whether the application still does the job it was deployed to do.
  • Someone has to publish it to a deployment platform and ring it out across the estate.

Each arrow is a handoff, and each handoff is a queue. The volume makes the queue depth concrete. The National Vulnerability Database published 6,595 CVEs in 2015 and 49,972 in 2025; the CISA Known Exploited Vulnerabilities catalogue grew from 311 entries at launch to nearly 1,500 in under five years. As I argued in packaging’s new cadence, each of those is a candidate for a packaging change, and release cadence has risen to match — Chrome shipped 29 stable Windows builds in 2018 and 169 in 2025. Discovery got automated. The handoffs, for the most part, did not.

The gap lives in the last mile

This is where the Sisyphean pattern stops being a metaphor and becomes the operating model. Automate discovery and you do not eliminate the work — you relocate it downstream, onto the packaging, testing, and publishing functions that turn a patch into a deployed fix. Those functions are the last mile of remediation, and in most organisations they still run on a back-office cadence: quarterly change windows, six-week regression cycles, sign-off by hand.

A patch that exists in twelve hours but ships in twelve weeks has spent eleven and a half of those weeks as a known, fixed, exploitable exposure. AI did not create that window. It made it impossible to ignore, by filling the queue faster than the queue can drain.
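One way to make that window measurable, as an added example that is not the article's own code: given the date a vendor shipped the fixed build and each endpoint's inventory history, compute how many days every machine spent between fix-available and fix-deployed and what share of the estate is still exposed. The advisory id, version numbers, dates and hostnames are constructed, and version tuples are a simplification of real version comparison.

```python
# Added example, not the article's code: measure the remediation gap, the
# distance between a published patch and a deployed one, from inventory data.
# All advisory ids, versions, dates and hostnames below are constructed.
from dataclasses import dataclass
from datetime import date
from statistics import median

@dataclass(frozen=True)
class Advisory:
    cve: str                # placeholder identifier, not a real CVE
    fixed_in: tuple         # version tuple, e.g. (3, 2, 0)
    patch_published: date   # day the vendor shipped the fixed build

@dataclass(frozen=True)
class Endpoint:
    name: str
    history: list           # (observation date, version tuple), oldest first

def patched_on(ep, adv):
    """First inventory date on which the endpoint ran fixed_in or later.
    Tuple comparison is a simplification; real schemes need a proper comparator."""
    for seen, version in ep.history:
        if version >= adv.fixed_in:
            return seen
    return None

def remediation_gap(endpoints, adv, as_of):
    """Per-endpoint days from patch availability to deployment, plus fleet totals."""
    per_endpoint = {ep.name: patched_on(ep, adv) for ep in endpoints}
    days = {n: (d - adv.patch_published).days if d else None
            for n, d in per_endpoint.items()}
    closed = sorted(v for v in days.values() if v is not None)
    return {
        "patched_pct": round(100 * len(closed) / len(endpoints), 1),
        "median_days_to_deploy": median(closed) if closed else None,
        "still_exposed": [n for n, v in days.items() if v is None],
        "open_exposure_days": (as_of - adv.patch_published).days,  # for unpatched hosts
        "per_endpoint": days,
    }

# Constructed sample fleet: two hosts patched (fast and slow), two still exposed.
SAMPLE_ADVISORY = Advisory("CVE-PLACEHOLDER", (3, 2, 0), date(2026, 1, 10))
SAMPLE_ENDPOINTS = [
    Endpoint("ws-01", [(date(2026, 1, 5), (3, 1, 0)), (date(2026, 1, 12), (3, 2, 0))]),
    Endpoint("ws-02", [(date(2026, 1, 5), (3, 1, 0)), (date(2026, 3, 20), (3, 2, 1))]),
    Endpoint("ws-03", [(date(2026, 1, 5), (3, 1, 0))]),                                # never updated
    Endpoint("ws-04", [(date(2026, 1, 5), (3, 0, 5)), (date(2026, 2, 1), (3, 1, 9))]),  # updated, still below fix
]

def example():
    return remediation_gap(SAMPLE_ENDPOINTS, SAMPLE_ADVISORY, as_of=date(2026, 3, 31))
```

Run against a real inventory export, the "still_exposed" list is the 99% for that advisory and "median_days_to_deploy" is the length of the last mile.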

Closing the gap

The 99% does not close by finding vulnerabilities faster. The detection side is already running well ahead of anyone’s ability to respond, and adding to its lead just lengthens the backlog. It closes by industrialising the last mile — treating packaging, testing, and publishing as one continuous, automated pipeline rather than a relay of manual handoffs. Intake the new build automatically. Repackage it automatically. Run the comparison test — previous version against new, across install, update, runtime, and uninstall — automatically, and surface only the differences a human actually needs to judge. Publish on a cadence set by disclosure, not by the change calendar.

That is the operational layer the remediation gap has been waiting for, and it is the layer we built Readiness to be. None of it removes human judgement about whether an application still delivers its business value. It removes the mechanical distance between a fix that exists and a fix that runs.

The headline number will keep being quoted as proof of how much AI can now find. The more honest reading is the inverse. Finding was never really the problem. The 99% is.


Sources: the AI vulnerability-discovery figures and the “halve the vendor, double the government” rule of thumb are drawn from “The Mythos Moment” (prof serious, 17 May 2026). CVE counts from the National Vulnerability Database (NVD) API 2.0; KEV entries from the CISA Known Exploited Vulnerabilities Catalog; Chrome release counts from Chromiumdash. Cadence figures consistent with packaging’s new cadence.