The patching paradox: The reality of AI in security

Blog

The patching paradox: The reality of AI in security

David Girvin
Table of contents

Header Blog PatchingParadox 700x200

A warning from a hacker at a blue team company

Let’s stop pretending AI is going to save security. Sure, it’s going to help — it already is. But the idea that defenders will somehow “keep up” with attackers just because they both have access to generative AI is a fantasy.

I come at this from a red-team mindset. I’ve spent years thinking like an attacker. Now I work at a blue-team company trying to defend real systems. And here’s what’s obvious to me:

AI is going to let attackers move faster. And defenders still can’t patch.

That’s the bottleneck. That’s the flaw in the plan. AI-assisted patching isn’t going to fix fragile, 15-year-old codebases duct-taped together across thousands of assets, teams, and approval chains. The same problems that slowed us down in 2015 are still here. And they’re about to be weaponized — just not by us.

AI won’t save you from legacy tech debt

There’s this shiny hope in the security world right now that we’ll throw some AI at vulnerability management and start shipping secure-by-default software.

But, in reality, this is the state of real enterprise environments.

  • End-of-life systems are still in production.
  • Fragile integrations that break with every OS update.
  • Firmware that hasn’t been touched in six years.
  • OT networks running unpatchable Windows XP.

You can’t “AI your way” out of tech debt.

Security is observability. Observability is security. If you can’t see it, you can’t defend it. And if you can’t patch it, well, it’s not secure, no matter how many dashboards you have.

This is fundamentally an architecture issue. Especially in older systems. It’s a design failure that now needs to be unwound at scale, and AI isn’t going to write you a miracle hotfix for brittle software built in the pre-cloud era.

Infrastructure as Code (IaC) and Kubernetes: Not a silver bullet

Now, let’s talk about the modern stack, such as infrastructure as code, Kubernetes, and containers. This should be where we get it right, right?

Sort of.

Yes, IaC and K8s give us the possibility of consistent, fast, safe patching. But only if we use them that way. And guess what?

Most organizations don’t.

You’d be amazed how many Kubernetes clusters are still being manually configured, with YAML copied from blog posts two years ago. IaC templates rot like any other code — and when they do, they become another liability.

  • Clusters spun up with no RBAC controls.
  • Images based on unpatched base layers.
  • Secrets embedded in Helm charts.
  • Terraform state files sitting in public buckets.

We’ve taken the promise of ephemeral, redeployable infrastructure and treated it like another static data center. That’s a missed opportunity — and a security disaster waiting to happen.

If you want AI to help patch your Kubernetes environment, you first need a clean, versioned, well-maintained IaC baseline. And you need teams that actually use it. That’s not a given.

Modern tools won’t save you from old habits. They just make the blast radius bigger when things go wrong.

Team turnover took the architecture with them

Let’s not forget another brutal truth: layoffs and team turnover have accelerated.

In the last couple of years, team turnover and layoffs have been headlines in the news. Whether through reductions in force or changes in team structures and people moving on to new roles, organizations have lost people who actually understood the internal architecture. The ones who knew why this integration worked that way. Who remembered the custom patch to a forgotten library. Who could trace a broken auth flow across four services, without needing a two-week ticket cycle.

They’re gone.

And with them, that tribal knowledge? Gone too. It wasn’t documented. It wasn’t replaceable. It lived in Slack threads and war rooms and human memory.

Now you’re trying to patch systems that no one fully understands anymore — and wondering why it’s taking weeks. That’s not an engineering failure. That’s an organizational one.

AI can’t fix that. You can’t prompt your way to institutional memory.

The security industry’s quiet compromise

And let’s be real: part of this is on us.

Many security companies — especially the big ones — have prioritized productization and profits over the actual mission of securing systems. We’ve built platforms, dashboards, and alerts. But the underlying issue — patching and architectural brittleness — hasn’t been solved because it doesn’t demo well.

There’s no flashy interface for “We spent a year removing technical debt.”

You don’t get a booth at RSA for “We made the patching process 20% faster across 4,000 endpoints.”

But that’s where the fight is.

This gap between knowing a system is vulnerable and being able to fix it is the real war, and it’s not glamorous.

So here’s the real call to action

We need to confront the uncomfortable truth: our biggest weakness is operational, not informational.

You can know everything, see everything, alert on everything — and still get popped because you couldn’t patch fast enough.

So what do we do?

  1. Kill the “unpatchable” narrative. If it’s critical and can’t be updated, it needs to be replaced, isolated, or removed. Stop building systems where patching = downtime = business risk.
  2. Fix your org chart before your tools. Silos between security, ops, dev, and compliance teams are killing response time. AI won’t solve it. Communication will.
  3. Demand secure-by-default software. Put pressure on vendors to ship patchable, modular, auto-updating components. Don’t accept excuses anymore.
  4. Automate where it actually matters. Not more dashboards — automate patch validation, rollouts, and reboots. If AI’s writing shell scripts, make them ones that patch.
  5. Design systems with failure in mind. Assume patching will lag. Build containment, segmentation, and rollback into the architecture itself.
  6. Reward teams for reducing risk, not just adding controls. Patching 10,000 endpoints with zero headlines is a bigger win than another shiny AI feature.

Final word

Attackers have always had the edge in speed. AI just made that worse. Defenders are still stuck trying to push patches through change control while attackers are generating polymorphic exploits in real time.

This isn’t about tooling. This isn’t about threat intelligence. This is about the fact that we still haven’t solved the oldest problem in security: how to fix the thing after you find the problem.

If we want to survive this AI wave, we need to treat patching as a strategic priority — not an operational burden. And we need to do it now.

Because the attackers aren’t waiting. They never did.

So, what do we actually do? The first step is implementing an effective security program, having good logging, and a Cloud SIEM solution like Sumo Logic. But to truly fix this problem, we need smart people like you to problem-solve this, and hopefully help the community. I have some answers for another blog, but you wont like them.

David Girvin
Lead Technical Advocate
David Girvin is a Technical Advocate at Sumo Logic, facilitating technical accuracy in the cloud of marketing. Previously, he was an AppSec / offensive security architect for places like 1Password and Red Canary. When not working, David travels to surf destinations for surfing and foiling.

People who read this also enjoyed

Meta RapidMTTRMonitor Blog 1200x628 1

Solve your MTTR mysteries faster with Sumo Logic

Top five metrics to monitor in IIS Logs

postgreSQl on kubernetes

How to deploy PostgresSQL on Kubernetes