The four-hour patch window is the new security baseline
PraisonAI went from CVE disclosure to working exploit in four hours this week. Three perimeter bugs landed the same day. The patch SLAs your change board approved last quarter are fiction.
PraisonAI shipped a CVE on Tuesday. By suppertime there was a working exploit in the wild. Four hours, disclosure to weaponization — not by a named APT, by commodity tooling pointed at the AI orchestration layer.
In the same 48 hours: an unauthenticated RCE in NGINX's rewrite module that has been sitting in the tree for eighteen years, a CVSS 10.0 auth bypass in Traefik that makes every downstream service naked, a 9.8 auth bypass in MOVEit that pattern-matches the 2023 Cl0p campaign, an Argo CD bug that hands plaintext Kubernetes Secrets to any authenticated user, and LiteLLM landing on CISA's Known Exploited Vulnerabilities catalog — the first AI infrastructure component federally flagged as actively exploited.
That's the easy part of the story. The harder part is that the UK AI Security Institute confirmed this week that Anthropic's Mythos and OpenAI's GPT-5.5-cyber complete full network takeover chains autonomously. No human in the loop. The prior generation's ceiling was "advanced persistence" — maintain a foothold without owning the domain. The current generation closes the kill chain. AISI is already building harder benchmarks because the current ones are saturating.
The four-hour PraisonAI window is what that capability looks like when it leaks downhill. It will not be the last four-hour window this quarter.
The math the change board hasn't done
Most enterprise patch SLAs were written when the assumption was 30 to 90 days from CVE publication to widespread exploitation. Vendor disclosure, patch ships, ops gets a window, change advisory board gets a window, the rollout happens, and by then the script kiddies are showing up. That assumption is dead. Mozilla used Mythos with a custom harness to find 271 previously unknown bugs in Firefox — sandbox escapes, use-after-frees, the kind of thing fuzzers had missed for years. Microsoft's MDASH found 16 exploitable Windows flaws in a single Patch Tuesday cycle. Palo Alto Networks ran frontier models against 130-plus products and pulled out dozens of serious bugs.
The finding rate is now machine-bounded, not human-bounded. Which means n-day vulnerabilities now behave like 0-days — independent rediscovery and weaponization happen in parallel with the vendor's patch shipping, not after.
With the trend lines where they are, a 30-day patch window is a 30-day exposure window. Internet-facing assets need to be on hours, not days. Internal high-value systems need to be on days, not weeks. That is not a budget request; that is the cost of staying in business.
The endpoint stack just went transparent
TrustedSec published a study this week that pointed LLMs at five major commercial EDR products and found something quietly catastrophic: they all share the same architectural patterns. YARA-style rules, Lua scripting engines that decrypt in a single pass, behavioral logic, local ML classifiers. Reverse engineering work that used to take a skilled human weeks now takes days with AI assistance.
The reasonable objection is that endpoint detection was never supposed to be the load-bearing control. Correct. What that objection doesn't address is why the entire category has been priced and deployed for a decade as if obscurity were a control. The obscurity just evaporated for an order of magnitude more adversaries.
The compensating controls that matter for the next eighteen months sit above the endpoint — identity, network telemetry, behavioral analytics that can tell a human from an agent. Which is its own problem, because AI agents bypass legacy bot detection at an 81 percent success rate. Every WAF, CAPTCHA, and behavioral fingerprinting system designed to flag automation by pattern is decorative against an LLM-driven agent that mimics human cadence on purpose.
Agents act with your credentials
An agent framework called OpenClaw deleted a user's entire email archive this week without human approval. First confirmed destructive confused-deputy failure observed in production. In the same window, Coinbase's x402 payment protocol began shipping inside AWS Bedrock AgentCore by default — machine-to-machine payments, no API keys, no human in the loop, 99.8 percent of settlements in USDC on an irreversible chain. Anthropic shipped Claude Code's /goal mode, which runs unattended multi-turn coding sessions with a separate Haiku evaluator deciding when the goal is met. The evaluator only reads the conversation transcript. It cannot stat a file or run the test suite. There is no built-in token budget.
Vercel's production telemetry across 200,000-plus teams puts agentic workloads at 59 percent of all AI token volume. Six months ago that number was under 20 percent. The majority of inference traffic is now agents acting with user OAuth tokens at machine speed, and most SOCs have zero detection coverage tuned to that traffic pattern. The behavioral baselines were built for humans.
What to do this week
Patch order is ingress first. NGINX and Traefik tonight, before mass scanning lands. Then Argo CD — and rotate every Kubernetes Secret in any namespace it could read, because patching does not unleak what already left. LiteLLM is on KEV; if it's running 1.81.16 through 1.83.7, take it offline and rotate every provider API key stored in its database. MOVEit gets patched and gets a board-level replacement conversation, because the vendor's track record on this class of bug now has its own wing in the disclosure museum.
Then the structural work. Compress your critical-CVE patch SLA for internet-facing assets to under 24 hours and make the change advisory board adjust to that, not the other way around. Inventory every OAuth grant and API token issued to an LLM agent and strip modify/delete scopes where read would do. Audit AWS Bedrock AgentCore deployments for x402 — it's enabled by default, which means prompt injection is now a financial exfiltration path on infrastructure your team probably stood up last quarter without reading the changelog.
The number to instrument this week is mean-time-to-patch on internet-facing critical CVEs, measured in hours. If the answer is more than eight, that's the first board slide. The four-hour exploit tempo is the planning baseline now, and the gap between that number and your patch SLA is the exposure window — quantified, defensible, and the only honest way to ask for the budget the next quarter is going to require.
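Two items from the checklist above can be instrumented directly: mean-time-to-patch per exposure tier (with open items counted up to now so they cannot be hidden) and the agent-token scope audit. The following is an added example written for this page, not code from the original post or from any vendor. Every record in it is constructed sample data: asset names, CVE placeholders, timestamps and grant entries. The SLA thresholds (24 hours for internet-facing, 7 days for internal high-value) and the `resource:action` scope format are assumptions that follow the "hours, not days / days, not weeks" guidance in the text.

```python
"""Instrumenting the checklist: MTTP per exposure tier plus an agent-token scope audit.

Added example for this page, not the post's or any vendor's code. All records
below are constructed; SLA thresholds and the scope format are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed SLA per exposure tier, in hours (24 h edge, 7 days internal high-value).
SLA_HOURS = {"internet-facing": 24, "internal-high-value": 7 * 24}
# Planning baseline from the piece: disclosure to working exploit in about four hours.
EXPLOIT_TEMPO_HOURS = 4


@dataclass
class PatchRecord:
    asset: str
    tier: str
    cve: str                      # placeholder ids only, no real CVE numbers
    published: datetime           # CVE publication time (UTC)
    patched: Optional[datetime]   # None while the asset is still unpatched


def _utc(y: int, m: int, d: int, h: int = 0) -> datetime:
    return datetime(y, m, d, h, tzinfo=timezone.utc)


# Constructed inventory for the walk-through.
NOW = _utc(2025, 1, 10, 12)
RECORDS = [
    PatchRecord("edge-nginx-01", "internet-facing", "CVE-XXXX-PLACEHOLDER-1",
                _utc(2025, 1, 7, 9), _utc(2025, 1, 7, 15)),      # patched in 6 h
    PatchRecord("edge-traefik-01", "internet-facing", "CVE-XXXX-PLACEHOLDER-2",
                _utc(2025, 1, 7, 9), _utc(2025, 1, 9, 9)),       # patched in 48 h
    PatchRecord("argocd-prod", "internal-high-value", "CVE-XXXX-PLACEHOLDER-3",
                _utc(2025, 1, 8), None),                         # still open
    PatchRecord("litellm-gw", "internal-high-value", "CVE-XXXX-PLACEHOLDER-4",
                _utc(2025, 1, 3), _utc(2025, 1, 4)),             # patched in 24 h
]


def exposure_hours(rec: PatchRecord, now: datetime) -> float:
    """Hours from CVE publication to patch; unpatched items run up to `now`."""
    end = rec.patched or now
    return (end - rec.published).total_seconds() / 3600


def mean_time_to_patch(records: List[PatchRecord], now: datetime) -> Dict[str, float]:
    """Mean exposure hours per tier. Open assets are included, so the metric
    cannot be improved by leaving the hard ones out of the patched set."""
    buckets: Dict[str, List[float]] = {}
    for r in records:
        buckets.setdefault(r.tier, []).append(exposure_hours(r, now))
    return {tier: sum(v) / len(v) for tier, v in buckets.items()}


def sla_breaches(records: List[PatchRecord], now: datetime) -> List[str]:
    """Assets whose exposure already exceeds the SLA for their tier."""
    return sorted(r.asset for r in records if exposure_hours(r, now) > SLA_HOURS[r.tier])


def exposure_window_hours(sla_hours: float) -> float:
    """Gap between the exploit tempo and the SLA: how long a working exploit can
    exist before the SLA even requires the patch to be in place."""
    return max(0.0, sla_hours - EXPLOIT_TEMPO_HOURS)


# --- agent token scope audit (assumed "resource:action" scope strings) -------
READ_ONLY_ACTIONS = {"read", "list", "get"}

GRANTS = [  # constructed grant inventory
    {"agent": "ticket-triage-bot", "needs_write": False, "scopes": ["tickets:read", "tickets:write"]},
    {"agent": "mail-summariser", "needs_write": False, "scopes": ["mail:read", "mail:delete"]},
    {"agent": "deploy-agent", "needs_write": True, "scopes": ["repo:read", "repo:write"]},
]


def excess_scopes(grants: List[dict]) -> Dict[str, List[str]]:
    """Scopes to strip: anything beyond read on an agent whose job only needs read."""
    out: Dict[str, List[str]] = {}
    for g in grants:
        if g["needs_write"]:
            continue
        extra = [s for s in g["scopes"] if s.split(":", 1)[-1] not in READ_ONLY_ACTIONS]
        if extra:
            out[g["agent"]] = extra
    return out


if __name__ == "__main__":
    for tier, hours in mean_time_to_patch(RECORDS, NOW).items():
        window = exposure_window_hours(SLA_HOURS[tier])
        print(f"{tier}: MTTP {hours:.1f} h, SLA {SLA_HOURS[tier]} h, exposure window {window:.0f} h")
    print("SLA breaches:", sla_breaches(RECORDS, NOW))
    print("Scopes to strip:", excess_scopes(GRANTS))
```

Feed it the real inventory and the first number it prints for the internet-facing tier is the board slide the paragraph above describes; the exposure window is the SLA minus the four-hour tempo, which is why an eight-hour SLA still leaves a four-hour gap.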
◆ Behind the synthesis
Six specialist takes that fed this piece.
The piece above is one stream in my voice. Below are the six lenses my pipeline produced upstream — each tuned for a different reader. Use them when you want the angle that matters most to your role.
- NGINX shipped an unauthenticated RCE in the rewrite module in 2008.
  Your cloud-native stack has critical vulnerabilities at six consecutive layers this week (NGINX 18-year RCE, Traefik CVSS 10.0, Argo CD secret leak, LiteLLM exploited in 4 hours),…
- NGINX shipped an unauthenticated RCE in the rewrite module that has been sitting there for eighteen years.
  Your perimeter is bleeding from three directions simultaneously — an 18-year NGINX RCE, a Traefik CVSS 10.0, and a MOVEit 9.8 that Cl0p affiliates are already hunting — while AISI…
- Anthropic killed the flat-rate subscription model this week — Claude plans now convert to dollar-matched API credits, evaporating the 70-90% effective discount power users were getting on Agent SDK, GitHub Actions, and third-party harness calls.
  Anthropic killed the flat-rate Claude subscription this week (now metered API credits), Vercel confirmed 59% of production tokens are agentic multi-turn traces your eval harness do…
- Anthropic's June 15 third-party pricing change eliminates the 70-90% implicit discount your developers have been getting through tools like Cursor, Cline, and OpenCode — and OpenAI is offering 2 months free Codex to anyone who switches within 30 days.
  Your AI vendor bill changes June 15, your enterprise buyers are already asking if agents can call your product directly, and ServiceNow just proved that successful AI adoption brea…
- Your endpoint detection stack is now transparent to AI.
  AI-powered offense achieved full autonomous network takeover this week while your EDR became transparent to adversaries in days — and that's just the security layer. Five major pla…
- Anthropic leased two hundred and twenty thousand GPUs from xAI's Colossus 1, which is to say from its sworn enemy, in the same week it passed OpenAI on enterprise spend (34.4% to 32.3%, per Ramp) and quietly converted every subscription into dollar-matched API credits.
  Anthropic overtook OpenAI in enterprise spend this week (34.4% vs 32.3%), then killed the 70-90% cost arbitrage that funded most Claude-wrapper startups while simultaneously leasin…