When Finding Vulnerabilities Gets Cheap, Fixing Them Becomes the Constraint
Matthew Holmes
June 4, 2026 · 5 min read
A high-severity CVE is disclosed. The fix is a version bump, two lines in a manifest. Deploying it everywhere takes a month.
The delay is coordination. You need to find every repo that pulls the affected library, open the change in each one, and get forty teams to deprioritize their roadmap long enough to merge. For an org with hundreds of repos, one CVE becomes dozens of conversations and a tracking spreadsheet that’s stale by Thursday.
Finding a vulnerability now takes minutes and costs a couple of dollars. Fixing it across hundreds of repos takes weeks.
Finding the flaw is now the cheap part
In April, the UK’s AI Security Institute published evaluations of frontier models on cyberattack tasks. OpenAI’s GPT-5.5 solved a reverse-engineering task in 10 minutes and 22 seconds for $1.73 in API cost. The institute estimates the same work takes a human expert around 12 hours.
The expertise barrier to finding a flaw is mostly gone, and so is the cost.
More than one lab is at this level. On AISI’s hardest “Expert” tier, GPT-5.5 and Anthropic’s Claude Mythos Preview scored within the margin of error of each other. Both completed a 32-step corporate-network attack the institute estimates takes a human around 20 hours.
The labs restricted their strongest variants. Anthropic gated Mythos behind a vetted-partner program; OpenAI ships GPT-5.5 broadly with guardrails and runs a separate permission-gated track for vetted defenders. Cheaper discovery now reaches your security team and the scanners pointed at your stack. The volume of disclosures your team needs to act on is going to climb.
Fixing a CVE takes longer than finding it
Most CVE fixes are small: a pinned version, a bumped dependency, a one-line config change. The code is rarely where the time goes.
The time goes into volume and coordination. A platform team needs to find every repo pulling the affected library, open the change in each one, get each owning team to prioritize the merge, and track every open PR until the count hits zero. At 40 teams and 300 repos, that is weeks of work.
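To make the triage step of that workflow concrete, here is a small Python script added for illustration; it is not Tidra's code and not from the original post. Given one dependency manifest per repo (requirements.txt style) and an advisory that names the affected package, the vulnerable range and the fixed version, it lists every repo that still needs the bump, produces the patched manifest text for the pinned ones, flags unpinned references for manual review, and reports how many PRs are still open. All repo names, manifests and the advisory are constructed sample data, and the advisory identifier is a placeholder, not a real CVE.

```python
"""
Cross-repo dependency triage for a disclosed CVE (added example, constructed data).

Finds every repo whose manifest references the affected package at a vulnerable
version, rewrites the pin to the fixed version, and tracks rollout progress.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed advisory; the id is a placeholder, not a real CVE.
ADVISORY = {
    "id": "CVE-XXXX-XXXXX",
    "package": "examplelib",
    "vulnerable_below": "2.4.1",   # every version < 2.4.1 is affected
    "fixed": "2.4.1",
}

# Constructed manifests in requirements.txt style, keyed by (hypothetical) repo name.
MANIFESTS = {
    "billing-api":    "requests==2.31.0\nexamplelib==2.3.0\n",
    "ingest-worker":  "examplelib==2.4.1\npyyaml==6.0\n",          # already fixed
    "web-frontend":   "flask==3.0.0\n",                             # not affected
    "report-service": "ExampleLib == 1.9.7   # pinned for legacy job\n",
    "legacy-batch":   "examplelib>=2.0\n",                          # unpinned: flag, don't rewrite
}

NAME_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)")
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(#.*)?$")


def canonical(name: str) -> str:
    """Normalise a package name the way Python indexes do: case-insensitive, -/_/. equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> int tuple. Pre-release tags are ignored, so
    '2.4.1rc1' compares equal to '2.4.1'; use packaging.version for real manifests."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable(version: str, advisory: dict) -> bool:
    return parse_version(version) < parse_version(advisory["vulnerable_below"])


@dataclass
class Finding:
    repo: str
    current: Optional[str]           # None when the manifest does not pin an exact version
    fixed: str
    patched_manifest: Optional[str]  # None when the change needs a human to resolve the pin


def triage(manifests: dict, advisory: dict) -> list:
    """One Finding per repo that references the package and is not already on a fixed version."""
    target = canonical(advisory["package"])
    findings = []
    for repo, text in manifests.items():
        lines = text.splitlines()
        for i, line in enumerate(lines):
            name_m = NAME_RE.match(line)
            if not name_m or canonical(name_m.group(1)) != target:
                continue
            pin = PIN_RE.match(line)
            if pin is None:
                # Referenced but not pinned: the resolved version lives in a lock
                # file we did not parse, so flag the repo instead of guessing.
                findings.append(Finding(repo, None, advisory["fixed"], None))
            elif is_vulnerable(pin.group(2), advisory):
                comment = f"  {pin.group(3)}" if pin.group(3) else ""
                lines[i] = f"{pin.group(1)}=={advisory['fixed']}{comment}"
                findings.append(Finding(repo, pin.group(2), advisory["fixed"],
                                        "\n".join(lines) + "\n"))
            break  # one requirement line per package is enough to classify the repo
    return findings


def remaining(findings: list, merged: set) -> list:
    """Repos whose remediation PR has not merged yet; the rollout is done when this is empty."""
    return [f.repo for f in findings if f.repo not in merged]


if __name__ == "__main__":
    found = triage(MANIFESTS, ADVISORY)
    for f in found:
        status = f"{f.current} -> {f.fixed}" if f.current else "unpinned, manual review"
        print(f"{ADVISORY['id']}: {f.repo}: {status}")
    print("still open:", remaining(found, {"billing-api"}))
```

The "already fixed" and "unpinned" cases are the ones that cost time in practice: the first keeps a repo out of the PR count, and the second is where an automated bump would be wrong, so the script surfaces it rather than rewriting the line.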
A platform engineer at a 600-repo org described the cadence as going back every couple of weeks to upgrade libraries like Log4j or Spring Boot. The cadence is set by how often something needs patching, and cheaper discovery means more of it.
Remediation time across a large repository estate is a coordination problem. That is the variable about to move.
The gap is widening
Your exposure window is the gap between a disclosed vulnerability and a patched production environment. AI compressed the front of that window. Across hundreds of repos, remediation throughput held steady.
When inbound CVE volume climbs and patching capacity stays flat, the team that owns cross-repo maintenance becomes the constraint. The backlog grows longer. Security work competes with feature work for the same sprint capacity.
Remediation is now the bottleneck in vulnerability management.
Execution across every repo
For a CVE, you already have the fix. You know the fixed version; your CI tells you whether the upgrade is safe. The work is opening the change across every affected repo and getting each team to merge.
Tidra is an AI coding agent for both implementation and coordination of code changes across your organization. For CVE remediation, that means describing the patch once, filtering to every affected repo, and opening PRs across all of them from a single dashboard.
Before any PR is created, you review the change plan and each per-repo diff. Each team then approves its own merge. A wrong assumption surfaces in one review instead of after 300 merges. The review takes a few minutes per repo against a diff CI already validated. The agent finds the affected repos, opens the change in each one, and tracks every PR to merge.
One platform engineer described it directly: Tidra is good for rolling out CVE patches across all services and then prompting teams to merge their pull requests. Another calculated the cost. A fix that used to take weeks, one repo at a time, now opens as a PR across every affected repo for about the price of a lunch. The engineering time that used to go into tracking and chasing comes back.
What you take to the next planning meeting
A government body measured this capability and published it. It holds across multiple labs and will not reverse.
Vulnerability discovery is now cheap for everyone who runs these models, including the scanners pointed at your stack. Remediation capacity held. When the next critical CVE drops and disclosure volume has climbed, patching throughput is your constraint.
Bring one number to your next planning session: how many weeks does “patched everywhere” take you today, and what does that become when volume doubles?
See how Tidra patches a CVE across every affected repo, then tracks it to merge