
Cisco's New Vulnerability Disclosure Rhythm: Progress, Pressure, or a Warning Sign?

Cisco is changing the way it releases vulnerability disclosures. Starting in July 2026, the company plans to move from a monthly disclosure cycle to twice-monthly security releases, on the first and third Wednesdays of each month.

The stated reason is simple: AI is changing the speed of vulnerability discovery.

AI-assisted scanning, multi-model code review, and automated bug-hunting tools are making it possible to find more security flaws, across more code, in less time. Cisco says this new process is meant to help customers plan better, patch faster, and avoid being surprised by large, once-a-month vulnerability drops.

That sounds reasonable. But it also raises an uncomfortable question.

Does this mean Cisco is finding more vulnerabilities because AI is getting better at detection, or does it mean modern software and infrastructure are introducing more vulnerabilities than before?

The answer is probably both.

What Cisco Is Changing

Cisco's new disclosure model is meant to make vulnerability handling more predictable. Instead of one large monthly batch of advisories, customers will get two scheduled releases per month.

Cisco also plans to give customers a preview one week before each release, showing which technologies and platforms are likely to be included. That matters because patching network infrastructure is not like updating a browser. Routers, switches, firewalls, identity systems, VPNs, and data center platforms often need testing, maintenance windows, rollback plans, and coordination across multiple teams.
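The cadence described above (first and third Wednesdays, a preview one week ahead, starting July 2026) is easy to turn into a planning calendar an infrastructure team can build test cycles around. The following is an added example written for this article, not Cisco tooling; the dates it uses come from the article, while treating "one week before" as exactly seven calendar days is an assumption of the example.

```python
"""Model the twice-monthly release cadence described in the article.

Added example, not Cisco's code. Cadence (1st and 3rd Wednesday), start month
(July 2026) and the one-week preview are from the article; a seven-day lead
for the preview is an assumption.
"""
from datetime import date, timedelta

WEDNESDAY = 2              # date.weekday(): Monday == 0
PREVIEW_LEAD_DAYS = 7      # assumption: "one week before" == 7 calendar days
CADENCE_START = (2026, 7)  # first month of the new cadence, per the article


def nth_weekday(year, month, weekday, n):
    """Return the n-th occurrence (1-based) of `weekday` in the given month."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))


def disclosure_dates(year, month):
    """ISO dates of the two scheduled releases in a month (1st and 3rd Wednesday)."""
    return [nth_weekday(year, month, WEDNESDAY, n).isoformat() for n in (1, 3)]


def release_windows(year, month):
    """Pair each release with its preview date so a team can schedule testing."""
    windows = []
    for release in disclosure_dates(year, month):
        r = date.fromisoformat(release)
        preview = (r - timedelta(days=PREVIEW_LEAD_DAYS)).isoformat()
        windows.append({"preview": preview, "release": release})
    return windows


def next_release(from_iso):
    """First scheduled release on or after `from_iso`; never before the cadence starts."""
    start = date.fromisoformat(from_iso)
    year, month = CADENCE_START
    if (start.year, start.month) > CADENCE_START:
        year, month = start.year, start.month
    while True:
        for release in disclosure_dates(year, month):
            if date.fromisoformat(release) >= start:
                return release
        month += 1
        if month > 12:
            month, year = 1, year + 1


if __name__ == "__main__":
    # Print a planning calendar for the first three months of the cadence.
    for m in (7, 8, 9):
        for w in release_windows(2026, m):
            print(f"preview {w['preview']}  ->  release {w['release']}")
    print("next release after 2026-07-02:", next_release("2026-07-02"))
```

`next_release` is the hook a change-management calendar would call: feed it today's date and it tells you which release your current maintenance window should be aligned with, and `release_windows` gives the preview date from which the one-week planning window opens.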

Cisco is also introducing a capability called Cisco Live Protect. The idea is to provide temporary runtime protections or compensating controls while organizations prepare permanent fixes.

That part is important. In real environments, "just patch immediately" is often not realistic. A patch can break routing, authentication, integrations, performance, or business-critical systems. Temporary protection can help reduce exposure while teams test and deploy updates properly.

Why AI Changes the Vulnerability Conversation

AI does not magically make software secure. What it does is speed up the search.

Security researchers, vendors, and attackers can now use AI systems to review code, identify suspicious patterns, generate exploit hypotheses, and scale testing. That means flaws that might have remained hidden for months or years may now surface much faster.

This creates a strange situation.

On one hand, more vulnerabilities being found is good. You cannot fix what nobody has discovered. More discovery means more opportunities to patch, harden, and improve systems.

On the other hand, if disclosure volume keeps increasing, customers may struggle to keep up. Security teams already deal with alert fatigue, patch fatigue, and prioritization fatigue. Twice-monthly disclosures may be more manageable than huge monthly releases, but they still add pressure.

The real issue is not just how often Cisco publishes advisories. The bigger issue is whether the industry is building systems that are too complex to secure at the pace they are being shipped.

More Disclosures Can Mean More Underlying Risk

There is a polite way to frame this: AI is improving vulnerability discovery.

There is also a blunt way to frame it: we may be producing more vulnerable software than our old processes could reveal.

Both can be true.

When a vendor increases disclosure frequency, it does not automatically mean product quality is getting worse. It may mean detection is improving. It may mean the company is being more transparent. It may mean old vulnerabilities are being uncovered faster.

But customers are allowed to ask harder questions.

Are secure development practices improving at the same speed as vulnerability discovery? Are products becoming more complex than vendors can realistically audit? Are AI-assisted development workflows creating new classes of mistakes? Are customers being asked to absorb the operational cost of vendor-side complexity? Are temporary protections becoming a substitute for building safer products in the first place?

These are fair questions. The cybersecurity industry often celebrates faster detection, faster disclosure, and faster patching. Those things matter. But speed is not the same as safety. If the system keeps producing more vulnerabilities, then faster cleanup is only part of the solution.

The Good Side of Cisco's Move

There are real positives here.

A predictable schedule helps customers plan. A one-week preview helps infrastructure teams prepare. Smaller, more frequent releases may be easier to digest than one large monthly batch. Machine-readable advisories and automation-friendly disclosure formats can also help security teams plug vendor data into vulnerability management tools.

Cisco Live Protect could also be useful in high-risk situations where a patch cannot be applied immediately. For example, if a critical vulnerability affects a core switching platform, an organization may need days or weeks to test the update. A temporary compensating control could reduce the attack window.

This is a practical acknowledgment of how enterprise environments actually work.

The Concerning Side

The concern is that vulnerability management is becoming a permanent treadmill.

Vendors release increasingly complex products. AI helps find more flaws. Customers patch more often. Attackers also use AI to move faster. Vendors then create more mitigation layers to protect customers while they wait for patches.

That cycle may be necessary, but it is not ideal.

The industry cannot solve insecure software only by improving disclosure schedules. Disclosure is downstream. Patching is downstream. Runtime protection is downstream.

The upstream question is software quality.

If AI is powerful enough to scan massive codebases and find vulnerabilities faster, then vendors should also be using it earlier in the development process — not just after products are built, but before vulnerable code reaches customers.

That means AI-assisted secure code review, better threat modeling, safer defaults, stricter memory safety practices, fuzzing at scale, dependency control, and stronger internal gates before release.

Otherwise, customers end up carrying the burden.

The Technical Debt Problem

None of this is happening in a clean, perfect environment. It happens inside companies with legacy systems, outdated dependencies, undocumented assets, fragile integrations, understaffed teams, and years of postponed upgrades.

A company with low technical debt can respond to frequent disclosures with discipline. It knows what it owns, what versions are running, what systems are exposed, and how to test patches safely.

A company carrying heavy technical debt has a much harder time. Every advisory becomes a maze.

Questions Every Advisory Triggers in High-Debt Environments

Is this product still in use?
Who owns it?
Can it be patched?
Will the update break something?
Is the system too old to support the fix?
Is there a workaround?
Does anyone still understand this part of the environment?

This is why the AI-era vulnerability treadmill could become brutal for large organizations. The more debt they carry, the harder it becomes to keep pace. Twice-monthly disclosures may be manageable on paper, but in a messy enterprise environment, they can expose years of accumulated shortcuts.

The companies most at risk are not always the ones with the most vulnerabilities. They are the ones with the least ability to respond.

What Security Teams Should Do Now

Organizations that rely on Cisco infrastructure should treat this as a signal to modernize their vulnerability management process.

Asset inventory has to be accurate. If you do not know which Cisco products, versions, and configurations you are running, twice-monthly advisories will not help much.

Separate "affected" from "actually exposed." Not every vulnerability applies to every environment. Configuration, feature usage, network exposure, and compensating controls all matter.

Make patch testing routine, not heroic. A predictable disclosure schedule allows teams to build predictable test cycles. Use the one-week preview window to start planning.

Evaluate temporary protections carefully. Cisco Live Protect and similar tools may reduce risk, but they should not become a reason to delay permanent fixes indefinitely.

Bring leadership into the conversation. Vulnerability response is not just a security task. It is an operations issue, a resilience issue, and sometimes a business continuity issue.
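The recommendations above (an accurate inventory, separating "affected" from "actually exposed", and the unanswered questions a high-debt environment raises for each advisory) can be expressed as a small triage routine run over machine-readable advisory data. The block below is an added example for this article, not Cisco's advisory format or any vendor tool: the advisory schema, advisory IDs, product names, versions and device records are all constructed placeholders, and "actually exposed" is modelled as an assumed set of preconditions (a required feature being enabled and the device being reachable from the network).

```python
"""Triage constructed vendor advisories against a constructed asset inventory.

Added example, not Cisco's advisory format or tooling. Advisory IDs, products,
versions and the field names of the schema are invented placeholders.
"""

# Constructed machine-readable advisory feed (placeholder schema, not a real vendor format).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "product": "example-router-os",
     "affected_from": "16.0.0", "fixed_in": "16.9.4",
     "requires_feature": "web_ui",        # assumed precondition: flaw reachable only via this feature
     "requires_network_exposure": True,   # assumed precondition: device must be network reachable
     "severity": "critical", "workaround": "disable the web UI until patched"},
    {"id": "ADV-EXAMPLE-002", "product": "example-firewall-os",
     "affected_from": "7.0.0", "fixed_in": "7.2.1",
     "requires_feature": None, "requires_network_exposure": False,
     "severity": "high", "workaround": None},
]

# Constructed asset inventory. The missing owner, version and in-use fields are
# deliberate: they are the gaps a high-debt environment typically has.
INVENTORY = [
    {"name": "core-rtr-01", "product": "example-router-os", "version": "16.9.1",
     "features": ["web_ui", "bgp"], "internet_exposed": True, "owner": "netops", "in_use": True},
    {"name": "lab-rtr-02", "product": "example-router-os", "version": "16.9.1",
     "features": ["bgp"], "internet_exposed": False, "owner": "netops", "in_use": True},
    {"name": "mystery-rtr-09", "product": "example-router-os", "version": None,
     "features": [], "internet_exposed": True, "owner": None, "in_use": None},
    {"name": "old-fw-07", "product": "example-firewall-os", "version": "7.1.0",
     "features": [], "internet_exposed": True, "owner": None, "in_use": None},
    {"name": "edge-fw-01", "product": "example-firewall-os", "version": "7.2.1",
     "features": [], "internet_exposed": True, "owner": "secops", "in_use": True},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
STATUS_RANK = {"affected_exposed": 0, "version_unknown": 1, "affected_not_exposed": 2}


def parse_version(text):
    """Dotted numeric version -> tuple, so comparison is numeric not lexical."""
    return tuple(int(p) for p in text.split("."))


def is_affected(device, adv):
    """Version-range check: affected_from <= version < fixed_in (unknown version -> False)."""
    if device["product"] != adv["product"] or device["version"] is None:
        return False
    v = parse_version(device["version"])
    return parse_version(adv["affected_from"]) <= v < parse_version(adv["fixed_in"])


def is_exposed(device, adv):
    """'Actually exposed' = affected AND the advisory's preconditions hold on this device."""
    if not is_affected(device, adv):
        return False
    feat = adv["requires_feature"]
    if feat and feat not in device["features"]:
        return False
    if adv["requires_network_exposure"] and not device["internet_exposed"]:
        return False
    return True


def inventory_gaps(device):
    """The advisory questions the inventory cannot answer for this device."""
    gaps = []
    if device["version"] is None:
        gaps.append("version unknown")
    if device["owner"] is None:
        gaps.append("owner unknown")
    if device["in_use"] is None:
        gaps.append("in-use status unknown")
    return gaps


def triage(inventory, advisories):
    """One finding per (device, advisory) that applies, ordered by exposure then severity."""
    findings = []
    for adv in advisories:
        for dev in inventory:
            if dev["product"] != adv["product"]:
                continue
            if dev["version"] is None:
                status = "version_unknown"          # cannot decide; the inventory is the problem
            elif not is_affected(dev, adv):
                continue
            else:
                status = "affected_exposed" if is_exposed(dev, adv) else "affected_not_exposed"
            findings.append({"advisory": adv["id"], "device": dev["name"], "status": status,
                             "severity": adv["severity"], "workaround": adv["workaround"],
                             "gaps": inventory_gaps(dev)})
    findings.sort(key=lambda f: (STATUS_RANK[f["status"]], SEVERITY_RANK[f["severity"]], f["device"]))
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY, ADVISORIES):
        print(f"{f['advisory']} {f['device']:15} {f['status']:21} {f['severity']:8} "
              f"workaround={f['workaround']!r} gaps={f['gaps']}")
```

The ordering is the point: the exposed, patched-version-available devices come first, the device whose version nobody recorded comes next because it cannot be cleared either way, and the affected-but-not-exposed device (same vulnerable version, but the vulnerable feature is off and it is not reachable) sits at the bottom as a scheduled rather than urgent fix. The `gaps` list is what turns the advisory questions above into work items for the asset-inventory backlog.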

The Leadership Lesson

If a business has spent years avoiding modernization, ignoring asset inventory, delaying upgrades, and treating infrastructure as invisible plumbing, this new disclosure pace will hurt.

Security teams will be expected to move faster, but they may be working with systems that were never designed for speed. Executives need to understand that vulnerability response capacity is now part of business resilience.

You cannot demand fast patching while underfunding the systems, people, and processes required to do it. You cannot ignore technical debt for years and then act surprised when every security update becomes painful.

AI will make discovery faster. Attackers will move faster. Vendors will disclose faster. Businesses need to get faster too. But speed without stability creates chaos.

Is This the Way?

Cisco's move is probably a necessary adaptation to the AI era. More frequent disclosures, earlier previews, and temporary protections are useful improvements.

But they are not the full answer.

If AI only helps find and patch vulnerabilities faster, then the industry is still stuck in a reactive model. A better future would use AI to prevent more vulnerabilities from reaching production in the first place.

So yes, Cisco's approach may be the right direction for disclosure.

But the goal should not be "patch faster forever." The goal should be "ship fewer dangerous flaws in the first place."

And for major businesses, the next real test is not whether they can read more advisories. It is whether they can finally deal with the technical debt that makes every advisory harder than it needs to be.

Sources:
- Axios, "Cisco revamps vulnerability disclosures for the AI era"