AI is now finding and fixing software flaws: what it means for small business

Two things landed in the same week. OpenAI released GPT-5.5-Cyber, which it calls its strongest model yet for finding and patching software flaws, alongside a "Patch the Planet" effort to harden major open-source projects. And researchers using Anthropic's Claude Mythos uncovered Squidbleed, a serious bug in the widely used Squid proxy that had been sitting in the code since 1997. Together they make one thing clear: AI is now finding and fixing software vulnerabilities at a scale and speed that human reviewers cannot match. Here is what that means for a small business that will never run either tool.

What just happened

On the defensive side, OpenAI expanded its security program with GPT-5.5-Cyber, a model built to scan large codebases, confirm whether a flaw is actually exploitable, and write and test a patch, mostly on its own. The Patch the Planet initiative, run with the security firm Trail of Bits, points that capability at the open-source software the whole internet depends on, with projects like cURL, Python, and Go signed up. On the discovery side, Squidbleed (CVE-2026-47729) is a 29-year-old flaw that leaks fragments of other users' web traffic, including passwords and session tokens, and it took an AI model reading decades-old code to finally spot it. Human reviewers and audits had walked past it for nearly three decades.

The good news: the software you rely on is getting safer

This is genuinely positive for small businesses. You depend on a deep stack of software you never see: the open-source libraries inside your website, your apps, and your vendors' products. That layer has always been under-resourced for security. Pointing AI at it means long-buried flaws get found and fixed faster than a volunteer maintainer ever could alone. Over time, the tools and services you already use become more secure, provided those fixes actually reach your systems.

The catch: the clock speeds up for everyone

The same capability cuts the other way. If AI can find a 29-year-old bug, attackers can use the same kind of tools to find flaws too, and the gap between a vulnerability becoming public and being exploited keeps shrinking. We made this point when Anthropic's Mythos first appeared, and Squidbleed shows it again: once a flaw like this is known, the window to patch before someone weaponizes it is measured in days, not months. The advantage no longer goes to whoever is biggest; it goes to whoever updates fastest.

What a small business should actually do

You will not run GPT-5.5-Cyber or Mythos, and you do not need to. What matters is being able to act when a fix lands. That means knowing what software and services you actually run, keeping automatic updates on, and patching the important things quickly instead of "sometime." In other words, the lesson of this AI arms race for a small business is unglamorous: a basic vulnerability management habit is now your real defence. The software will keep getting safer, but only if you install the fixes.
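To make "know what you run, then act when a fix lands" concrete, here is a small added shell script (written for this post, not code from the original article, OpenAI, Anthropic, or the Squid project). It answers the two questions an advisory like Squidbleed forces: is Squid installed on this host, and is the installed version at or above the fixed version? The fixed version is not stated on this page and is deliberately a placeholder argument you take from the vendor advisory. It assumes `squid -v` prints a banner of the form "Squid Cache: Version X.Y" on its first line; the banner used in the comments is a constructed sample.

```shell
#!/bin/sh
# Added example: per-host Squid inventory and fixed-version check.
# FIXED version is supplied by the operator from the advisory; nothing here
# hard-codes a patched release.

# version_ge A B -> exit 0 if A >= B, comparing dot-separated numeric parts
# (so 6.10 > 6.9, and a missing component counts as 0).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# squid_version_from_banner BANNER -> the dotted version in the banner.
# Constructed sample banner: "Squid Cache: Version 6.10" -> "6.10"
squid_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# patch_status INSTALLED FIXED -> "UPDATE" if installed < fixed, else "OK"
patch_status() {
  if version_ge "$1" "$2"; then echo OK; else echo UPDATE; fi
}

# check_host FIXED -> one inventory line for this host.
# Exit codes: 0 not installed or OK, 1 needs update, 2 version unknown.
check_host() {
  fixed="$1"
  if ! command -v squid >/dev/null 2>&1; then
    echo "squid: not installed"
    return 0
  fi
  banner=$(squid -v 2>/dev/null | head -n 1)
  installed=$(squid_version_from_banner "$banner")
  if [ -z "$installed" ]; then
    echo "squid: present but version unknown (check manually)"
    return 2
  fi
  status=$(patch_status "$installed" "$fixed")
  echo "squid: installed $installed, fixed $fixed -> $status"
  [ "$status" = OK ]
}

# Usage: sh check-squid.sh <fixed-version-from-advisory>
# The default 0.0 is a placeholder that only reports presence and version.
FIXED_VERSION="${1:-0.0}"
check_host "$FIXED_VERSION"
```

Run it across every host you own and you have the inventory the paragraph asks for: which machines carry the affected software, and which still need the update. The same shape (find the binary, read its version, compare against the advisory's fixed version) works for any package the next AI-discovered flaw lands in; only the `command -v` name and the banner parsing change.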

Sources: The Hacker News, "OpenAI Expands Daybreak With GPT-5.5-Cyber to Help Defenders Patch Security Flaws"; Squidbleed (CVE-2026-47729)

Want someone watching for the vulnerabilities that matter and patching them fast?
