Cyber Posture

The customer side of the LLM-CVE arms race

What software users can do when CVE volume jumps 7–12× and patch windows shrink. Last updated: 2026-05-18 17:44 UTC

The two previous articles mapped attackers and vendors. The third actor is the software user. Customers have the least room to manoeuvre — they don’t write the code, file the CVEs, ship the patches, or set the cadence. Three things are landing on them anyway. A handful of moves help. Some apply to every customer; the rest only fit organisations large enough to run a security team.

What changes for customers

Three structural shifts hit the customer side of the table at the same time:

Net for the customer: more advisories, less time, harder to read.

For every customer

Three moves at any scale

These cost little and apply whether you have ten endpoints or ten thousand.

  1. EPSS first, CVSS second. The old habit is to patch Criticals first. The new reality is to patch what attackers are actually exploiting. EPSS is a daily score that estimates how likely a CVE is to be exploited in the next 30 days. The CISA KEV catalogue is the override signal: those CVEs are being exploited right now. The chart below shows what KEV-listed CVEs look like on a CVSS × EPSS map.

About 1 in 8 KEV-listed CVEs (around 200 of the ~1,600 entries) sit below CVSS 7.0. A team triaging on CVSS alone would skip them. Many of these have high EPSS, some have known ransomware use. EPSS plus KEV catches what CVSS misses; using all three together catches everything.


  2. Accept higher patch velocity. Customers used to fear auto-update because a bad patch could break production. With auto-rollback, canary deployments, and LLM-assisted regression testing, that fear dissolves. The cost of waiting is now higher than the cost of a rare regression. Even consumer-grade auto-update tools satisfy this baseline; enterprises can push further with staged rollouts.

  3. Stay on supported versions. End-of-life software is a permanent supply of unpatched CVEs for attackers (this was move #3 in the previous article on the vendor side: retire old products on a public schedule). The customer-side mirror: don’t run EOL software. Migrate before vendor support ends. This single move avoids more risk than any patching ritual, because a CVE in EOL software ships with no patch, so nothing on the host ever prompts an operator to fix it.

For large enterprise customers

Four moves that need scale or staff

These need dedicated people, budget, or contract leverage. Most are LLM-enabled.

  1. LLM-assisted advisory triage at scale. When advisory volume is 7–12× higher than today, ranking by hand stops working. An LLM reads the firehose and ranks each advisory by your fleet’s actual exposure: asset inventory, the EPSS score, the KEV status, and whether the affected system is reachable from the public internet. This is the single biggest leverage point on the enterprise side, because volume is the problem.

  2. Continuous LLM-driven configuration audit. The intro vulnerability-management article showed that TLS defaults from 2011 and SNMP defaults from 1999 still account for thousands of unpatched instances in real customer environments. These are not vendor bugs; they are operator-action items nobody prioritises. LLMs make continuous configuration audit cheap. Hardening guides become automated checks, and the checks run every day instead of every audit cycle.
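What "hardening guides become automated checks" looks like in practice, as an added example that is not code from the article or from any vendor: two rules from the kind of guide the paragraph refers to, encoded as functions that run over configuration text every day. The nginx-style and snmpd-style fragments are constructed samples, and the rule set (pre-1.2 TLS protocol versions, well-known default SNMP community strings) is my reading of a typical hardening baseline, not a specific published one.

```python
"""Two hardening-guide rules as daily automated checks.

Added example, not code from the article. The config fragments below are
constructed samples in nginx and snmpd syntax; the rules are an assumed
baseline (no pre-1.2 TLS, no default SNMP community strings).
"""
import re

LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
DEFAULT_COMMUNITIES = {"public", "private"}


def check_tls_protocols(nginx_conf):
    """Flag ssl_protocols directives that still enable pre-1.2 versions."""
    findings = []
    # Match uncommented directives only: a leading '#' never reaches ssl_protocols.
    for m in re.finditer(r"^\s*ssl_protocols\s+([^;]+);", nginx_conf, re.M):
        enabled = set(m.group(1).split())
        legacy = sorted(enabled & LEGACY_TLS)
        if legacy:
            findings.append(f"legacy TLS enabled: {' '.join(legacy)}")
    return findings


def check_snmp_communities(snmpd_conf):
    """Flag v1/v2c rocommunity/rwcommunity lines left at well-known defaults."""
    findings = []
    for m in re.finditer(r"^\s*(r[ow]community6?)\s+(\S+)", snmpd_conf, re.M):
        directive, community = m.groups()
        if community in DEFAULT_COMMUNITIES:
            findings.append(f"{directive} uses default community string {community!r}")
    return findings


def audit(nginx_conf, snmpd_conf):
    """One daily run: every finding is an operator-action item, not a vendor bug."""
    return check_tls_protocols(nginx_conf) + check_snmp_communities(snmpd_conf)


# Constructed sample: a 2011-era TLS default left in place.
NGINX_SAMPLE = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""

# Constructed sample: the hardened form of the same directive.
HARDENED_NGINX = "ssl_protocols TLSv1.2 TLSv1.3;\n"

# Constructed sample snmpd.conf: one default community, one custom one.
SNMPD_SAMPLE = """
# rocommunity public        <- commented out, must not be flagged
rocommunity public
rwcommunity  site-specific-string 10.0.0.0/8
"""

if __name__ == "__main__":
    for finding in audit(NGINX_SAMPLE, SNMPD_SAMPLE):
        print("FINDING:", finding)
    print("hardened nginx findings:", check_tls_protocols(HARDENED_NGINX))
```

The two functions return findings rather than printing them so the same code can feed a ticketing system or a dashboard; the point of the paragraph is that these checks run every day, and a function that returns a list is what a scheduler can act on.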

  3. Vendor-group-aware procurement. The previous article grouped vendors by their AI-adoption posture and their attractiveness to attackers. Use that grouping when you buy. Demand pre-disclosure SLAs, patch-deployment commitments, and advisory-quality guarantees in the contract. Track each supplier’s position in the grouping over time. Only large customers have the contracting leverage to make this stick, and only large customers have the procurement team to track it.

  4. Detection that does not wait for the vendor. Honeypots, canary deployments, threat intelligence sharing through ISACs. When the patch-Tuesday-to-attack-Tuesday window collapses, you need attack signals that arrive independently of vendor disclosure. This requires a security-operations team that smaller customers will not have.
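The ranking logic behind "EPSS first, CVSS second" (move 1 above) and the exposure-aware advisory triage of enterprise move 1, written out as an added example; this is not code from the article and it does not call an LLM. It is the deterministic scoring an LLM-assisted pipeline would implement or be checked against: KEV overrides everything, EPSS comes next, internet-reachable assets outrank internal ones, and CVSS only breaks ties. The advisory ids, scores and asset inventory are constructed sample data, the ids are placeholders rather than real CVE numbers, and the EPSS threshold is an assumed cut-off (EPSS itself defines none). The last function shows the KEV entries a CVSS ≥ 7.0 policy would skip, which is the pattern the chart paragraph describes.

```python
"""KEV-first, EPSS-second, exposure-aware CVE triage.

Added example, not code from the article. Every advisory id, score and
asset below is constructed sample data; the ids are placeholders, not
real CVE numbers, and EPSS_HIGH is an assumed threshold.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str        # placeholder id (constructed, not a real CVE)
    cvss: float     # CVSS base score, 0.0-10.0
    epss: float     # EPSS: probability of exploitation in the next 30 days
    in_kev: bool    # listed in the CISA KEV catalogue
    product: str    # affected product, matched against the asset inventory


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    internet_facing: bool


EPSS_HIGH = 0.10  # assumed cut-off for "likely exploited soon"; EPSS defines none


def exposure(adv, assets):
    """Return (number of affected assets, whether any is internet-facing)."""
    affected = [a for a in assets if a.product == adv.product]
    return len(affected), any(a.internet_facing for a in affected)


def triage_key(adv, assets):
    """Sort key, lower sorts first.

    Tier 0: in fleet and in KEV (being exploited now, the override signal).
    Tier 1: in fleet and EPSS above threshold.
    Tier 2: in fleet, low EPSS.
    Tier 3: not in the fleet at all, whatever the scores say.
    Within a tier: internet-reachable assets first, then EPSS, then CVSS.
    """
    count, public = exposure(adv, assets)
    if count == 0:
        tier = 3
    elif adv.in_kev:
        tier = 0
    elif adv.epss >= EPSS_HIGH:
        tier = 1
    else:
        tier = 2
    return (tier, not public, -adv.epss, -adv.cvss)


def rank(advisories, assets):
    """Advisories in patch order for this fleet."""
    return sorted(advisories, key=lambda adv: triage_key(adv, assets))


def rank_by_cvss(advisories):
    """The old habit, for comparison: Criticals first, nothing else considered."""
    return sorted(advisories, key=lambda adv: -adv.cvss)


def missed_by_cvss_cutoff(advisories, cutoff=7.0):
    """KEV-listed advisories a CVSS-only policy with this cut-off would skip."""
    return [adv.cve for adv in advisories if adv.in_kev and adv.cvss < cutoff]


# Constructed fleet: one public proxy, two internal systems.
ASSETS = [
    Asset("edge-proxy-01", "proxyd", internet_facing=True),
    Asset("hr-db-01", "dbsrv", internet_facing=False),
    Asset("ci-runner-01", "buildtool", internet_facing=False),
]

# Constructed advisory feed (placeholder ids, not real CVEs).
ADVISORIES = [
    Advisory("SAMPLE-0001", cvss=9.8, epss=0.02, in_kev=False, product="dbsrv"),
    Advisory("SAMPLE-0002", cvss=6.5, epss=0.71, in_kev=True, product="proxyd"),
    Advisory("SAMPLE-0003", cvss=7.5, epss=0.45, in_kev=False, product="proxyd"),
    Advisory("SAMPLE-0004", cvss=9.1, epss=0.90, in_kev=True, product="otherapp"),
    Advisory("SAMPLE-0005", cvss=5.3, epss=0.12, in_kev=False, product="buildtool"),
]

if __name__ == "__main__":
    print("CVSS-only order:", [a.cve for a in rank_by_cvss(ADVISORIES)])
    print("Triage order   :", [a.cve for a in rank(ADVISORIES, ASSETS)])
    print("KEV entries skipped by CVSS >= 7.0:", missed_by_cvss_cutoff(ADVISORIES))
```

On the constructed feed, CVSS-only ordering puts the 9.8 on an internal database first and the KEV-listed 6.5 on the public proxy fourth; the triage key inverts that, and drops the 9.1 KEV entry to the bottom because nothing in the fleet runs the product. That last rule is what makes the ranking fleet-specific rather than a re-sort of the public feed.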

The asymmetry is the point

Vendors hold the patch-side initiative. The previous article catalogued thirteen tactics on the vendor side, several uncomfortable enough to break twenty-year norms. There is no customer equivalent to that catalogue. Customers are reactive. The leverage is not catalogue-rich — it is a small set of moves applied consistently.

Every customer can do moves 1–3. Only enterprises can do moves 4–7. The compounding gain happens when both halves of the list are adopted together: an EPSS-first triage that runs through an LLM-assisted ranking pipeline, feeding a fast-patch infrastructure that gets confirmed by independent detection. None of these moves wins on its own. All of them together change the shape of customer exposure, even though they do not change the volume.

Key takeaways

  • EPSS first, CVSS second. About 13% of the CVEs attackers actually exploit sit below a CVSS 7.0 cutoff.
  • Accept higher patch velocity. Auto-update with rollback is now cheaper than waiting.
  • Stay on supported versions. EOL software is the longest-lived risk in any backlog.
  • Triage the advisory firehose with an LLM. Volume is the enterprise-side problem; manual ranking breaks.
  • Demand SLAs from suppliers. Only large customers have the contract leverage. Use it.