The latest generation of AI is transforming how software vulnerabilities are identified and fixed, increasing the speed and scale of discovery and remediation.
At Oracle, we have long applied AI across our cloud and software environments to support security testing, vulnerability detection, and code analysis. These capabilities run on Oracle Cloud Infrastructure (OCI), leveraging OCI AI services, infrastructure, and development platforms to operate continuously at scale.
Oracle has access to leading frontier AI models, including Anthropic’s Claude Mythos Preview and OpenAI’s most capable models through Trusted Access for Cyber, and we are extending our capabilities with these models to improve how quickly and effectively vulnerabilities are identified. Combined with our AI-enabled security operations, these capabilities are applied across Oracle-developed software and services, Oracle Health, and the open-source components we build and use in our products.
The result is stronger code, earlier identification of risk and mitigations, and better protection for Oracle and our customers.
Security across cloud and on-premises environments
Maintaining a strong security posture requires good detection and response, well-managed access controls, network protections, and the use of AI to identify and respond to issues earlier. Moving workloads to the cloud can simplify this model, with protections and updates applied continuously in Oracle-managed services.
These controls do not replace the need to address vulnerabilities in the software itself. Running supported versions and applying security updates remains fundamental. Systems on supported releases continue to receive fixes, while older versions do not, leaving known issues unaddressed over time.
Security responsibilities differ depending on whether customers are using Oracle-managed cloud services or running customer-managed deployments (either on-premises or on OCI).
In Oracle-managed cloud services, vulnerabilities are identified and addressed continuously. Oracle monitors its infrastructure, platform services, and SaaS applications and applies fixes as they become available, reducing operational burden and helping keep systems up to date.
For customer-managed deployments, Oracle identifies vulnerabilities and delivers patches for supported products, but customers remain responsible for planning, testing, and applying those updates, whether those deployments run on-premises or on OCI.
For example, customers running Oracle Fusion Applications in the cloud benefit from security updates applied by Oracle as part of the service. Updates are integrated and delivered continuously, allowing customers to stay current without managing the process themselves.
The difference is even more visible with database environments. In a customer-managed deployment, securing an Oracle Database requires coordinating updates across the operating system, database, and supporting components. With Oracle Autonomous Database, patching is automated as part of the service, removing the need to manage patch cycles or coordinate dependencies and significantly reducing the effort required to keep systems current.
Keeping systems current with patches is one of the most direct ways to reduce risk. Applying updates in a timely manner helps limit exposure and maintain security over time.
Upgrades and ongoing patching can be complex in large, highly integrated environments. Oracle provides resources including My Oracle Support, Technical Account Management, and Customer Success teams to help customers plan, test, and execute upgrades and stay current.
Expediting how Oracle delivers critical fixes for customer-managed environments
Oracle is expanding how security fixes are delivered to customers with a monthly Critical Security Patch Update (CSPU), starting in May 2026. CSPUs provide targeted fixes for critical security issues, allowing customers to address high-priority vulnerabilities without waiting for the next quarterly release. Each CSPU is smaller and more focused, making it easier to apply critical fixes quickly. Quarterly Critical Patch Updates will continue to include all fixes released in prior CSPUs.
This approach enables customers to apply critical fixes more quickly on premises, while continuing to support established quarterly patching cycles through cumulative updates. All patches are applied automatically in Oracle-managed cloud environments.
What this means for customers
Security depends on identifying vulnerabilities quickly and applying fixes just as quickly. Oracle is using AI, including frontier models, to improve how issues are found and to accelerate how fixes are delivered, including the introduction of monthly CSPUs. For customers, maintaining security means staying on supported software and keeping systems up to date with patches. Moving to Oracle Cloud can simplify this significantly by shifting patching and much of the operational burden to Oracle, helping keep systems secure and current with less effort.