When Vulnerability Discovery Gets Faster, Response Has to Follow – Especially for IBM Power
Pieter de Villiers, Product Lead for IBM Concert for Power
For decades, the cycle from published CVE to deployed fix on mission-critical infrastructure was measured in weeks. That worked because the threat side moved at the same speed.
That assumption is breaking. In April 2026, Anthropic's Claude Mythos Preview (AI model) identified thousands of previously unknown vulnerabilities across major operating systems and browsers, some surviving decades of human review.
Access is restricted today. It won't stay that way. The question isn't whether AI-accelerated vulnerability discovery becomes universal — it's how much time you have to prepare.
Why the response gap is bigger on IBM Power
The AI-accelerated threat tempo applies to every platform. The IBM Power estate is not uniquely exposed, but it is uniquely difficult to respond on at speed, for three structural reasons:
- Heterogeneous patching, distributed ownership. Each layer of the Power stack has its own tooling and often its own team. Coordinating a CVE response across them in hours is hard — the change boards don't naturally talk to each other.
- Coordinated downtime Firmware and hypervisor patches traditionally demand planned outages. LKU on AIX and ZPD on Power11 address the runtime side, not the orchestration across an estate.
- Change processes built for weeks. Change processes assume time. Few estates can absorb a morning exploit advisory and act on it the same day.
What has to be true to close the gap
To stay ahead, organizations running large Power estates need four things working together:
1. Discovery: one view across the full Power stack, fed by CVE bulletins and vendor advisories, scoped against inventory.
2. Explanation: not a CVE list, but AI-generated context for each: what the vulnerability is, how it could be exploited, where it lands in the environment.
3. Fix-level guidance: "What should I apply, and to which level?" - where AI moves from triage to direction.
4. Coordinated, approval-driven action: patches deployed across the stack by automating existing change management operations, utilizing the same tooling.
Any one of these is achievable in isolation. The hard part is closing the loop. A CVE list handed from team to team — discovery, analysis, approval, execution — is what makes the response cycle weeks long. Compressing that loop without weakening approval gates is the entire problem.
How IBM Concert is approaching this
IBM Concert for Power is built around this four-step model: Discover, Understand, Recommend, and Act for AIX, IBM i, VIOS, Power Linux, HMC, system firmware, and IO adapters.
The Recommended step uses AI to identify the optimal fix level for each component, not just to re-rank CVEs. The Act step coordinates patches across the heterogeneous IBM Power stack through the customer's existing approval workflows using Concert workflows automation.
In May 2026, IBM joined Project Glasswing, an Anthropic-led industry initiative focused on finding and remediating vulnerabilities in widely used software at AI speed — and openly sharing the resulting fixes. Concert for Power is one place where that broader posture shows up operationally for Power customers: shortening the path from a discovered vulnerability to a deployed fix across a heterogeneous stack, on the platform where that path is hardest. The discovery side will not slow down. The industry response has to catch up, and it has to do so without weakening the approval gates that make enterprise change management trustworthy in the first place.
Questions worth asking
If you run an IBM Power estate, the diagnostic questions are simple:
· How long does it take, in days, to go from a published CVE affecting AIX, IBM i, or VIOS to a deployed fix?
· Are firmware, HMC, and IO adapter patches owned by a different team than your OS patches — and if so, how often do those teams coordinate on a single CVE response?
· Are your approval workflows built for weeks, or for hours?
Organizations that can answer these clearly are ready for the threat tempo we are now in. The rest have work to do, and the time to do it is shrinking.