
April 19, 2026

The New Reality of IT Security: What Mythos AI and April’s 165-Bug Patch Tuesday Mean for Small Business


Two stories broke the same week. Most small business owners missed both. Put them side by side, and they describe the new reality of IT security – and why the old “set it and forget it” approach to technology doesn’t hold up anymore.

Here’s what happened, what it means for your business, and why the gap between the companies that will weather this quietly and the ones that won’t comes down to one thing: whether you have a real IT partner in your corner.

Story One: Microsoft’s Biggest Patch Day of the Year

On Tuesday, April 14, Microsoft released security patches for 165 vulnerabilities across Windows, Office, SharePoint, Defender, Active Directory, and other core products. That’s one of the largest Patch Tuesdays in Microsoft’s history – second only to October 2025.

Two of those bugs stood out:

  • CVE-2026-32201 – A SharePoint Server vulnerability that attackers were already using before Microsoft had a patch ready. If your business uses SharePoint for documents or collaboration, this one matters.
  • CVE-2026-33825 – A Microsoft Defender flaw (nicknamed “BlueHammer”) that was published publicly before Microsoft could release a fix. That means the bad guys had the blueprint before defenders did.

Eight of the 165 bugs were rated “Critical.” Seven of those allow attackers to run code remotely – meaning they can take over a machine without the user clicking anything or doing anything wrong.

For a small business, the honest translation is: if your computers aren’t patched within a reasonable window, you’re exposed to risks that didn’t exist last week.

Story Two: An AI That Finds Bugs Nobody Could Find

The same week, the AI company Anthropic revealed something they called Claude Mythos – an AI model so capable at finding security vulnerabilities in software that they decided not to release it to the general public.

What does it do? In testing, Mythos found:

  • A 27-year-old bug in OpenBSD – an operating system designed from the ground up to be secure, reviewed by humans for decades.
  • A 16-year-old bug in a widely used video codec that had survived more than 5 million automated tests.
  • A 17-year-old bug in FreeBSD that let attackers take over a server from across the internet with no credentials needed.
  • Thousands of other high-severity flaws across every major operating system and every major web browser.

Not only did Mythos find the bugs. It wrote working exploit code for them – autonomously, in about 83% of cases.

Anthropic decided the technology was too dangerous to hand out broadly. Instead, they launched something called Project Glasswing, which gives early access to roughly 12 to 52 of the world’s largest tech and security companies: Microsoft, Apple, Google, Amazon Web Services, Cisco, CrowdStrike, Palo Alto Networks, JPMorgan Chase, the Linux Foundation, and a handful of others.

The idea is that those companies use Mythos to find and fix bugs in their own products before attackers can build an equivalent tool.

Anthropic’s own researchers estimate that adversaries – criminal groups, nation-state hackers – will have equivalent capability within six to eighteen months.

Why These Two Stories Belong Together

Put them side by side and the picture becomes clearer.

Patch Tuesday has always been a race. Microsoft (or Apple, or Adobe, or Google) releases a fix. Attackers reverse-engineer the fix to figure out the bug. Defenders scramble to install the patch before the attackers can weaponize it. Historically, that race took weeks. Sometimes months.

With AI-driven vulnerability discovery, that window is collapsing. Anthropic’s model built a working exploit for a 17-year-old bug in hours, at a cost of about $10,000 in compute. Attackers who get their hands on similar tools – and they will – can chain dozens of newly-patched bugs into working attacks almost as fast as the patches come out.

That changes the math for every business that runs Windows, uses Microsoft 365, hosts a website, or connects a laptop to the internet. The old assumption – “we’ll get around to patching next month” – isn’t a reasonable plan anymore.

What This Means for Small Business Owners

If you run a small business in the Research Triangle, Johnston County, or nationwide, here’s the honest read.

You are not the target a Fortune 500 bank is. Nation-state hackers aren’t typing your company name into a keyboard. But the threat model doesn’t work that way anymore. Most attacks on small businesses are automated. Bots scan the internet for known vulnerabilities, find unpatched systems, and drop ransomware on whatever answers. They don’t care if you’re a law firm in Selma or a dentist’s office in Clayton. If the door is open, they walk in.

What’s new – and what these two stories together spell out – is that the doors are going to open faster than ever before. The pool of “known vulnerabilities” attackers can scan for is about to grow dramatically. The time between “Microsoft releases a patch” and “bots are scanning for unpatched machines” is shrinking toward zero.

And Project Glasswing? That’s a head start for the twelve biggest tech companies in the world. Your business is not on that list. Neither is the software vendor who made your practice management system, your property management platform, your point-of-sale – or probably your email provider.

What You Should Do This Week

If you take one thing away from these two stories, make it this: get your servers and workstations patched, and don’t wait on it.

  • Windows servers running Active Directory, file sharing, or SharePoint need the April 2026 updates installed now – not next month.
  • Workstations running Windows 10 or Windows 11 should be pulling updates on a reliable schedule, and someone should be verifying they actually installed.
  • Line-of-business software – accounting, point-of-sale, practice management, CRM – should be on current supported versions with vendor security updates applied.
  • Network gear – firewalls, switches, wireless access points – needs firmware checked and updated. This one gets forgotten almost everywhere.
  • Backups should be running, recent, and tested. If ransomware hits an unpatched system, a clean backup is the difference between a bad afternoon and a bad quarter.
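The “someone should be verifying they actually installed” step is the one most often skipped. The script below is an added example (not code from the original post or from Pendergrass Consulting) that checks one Windows server or workstation against the April 14, 2026 Patch Tuesday: it lists updates installed on or after that date, asks Windows Update what is still pending, and flags a reboot that has not happened yet. It assumes an elevated PowerShell session and uses only built-in cmdlets and the Windows Update COM API; the Patch Tuesday date is a parameter so the same check works for later months.

```powershell
# Added example: verify Patch Tuesday updates actually landed on this machine.
# Run elevated on each server/workstation; output is one object suitable for a report.
param([datetime]$PatchDay = '2026-04-14')   # April 2026 Patch Tuesday (from the post)

# 1. Updates installed on or after Patch Tuesday. Get-HotFix reads the QFE list,
#    which covers cumulative/security updates; InstalledOn can be blank on some builds.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchDay } |
    Sort-Object InstalledOn -Descending

# 2. Ask Windows Update what is still outstanding (not installed, not hidden).
#    This is the same search the Settings app performs and may take a minute.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = @($searcher.Search('IsInstalled=0 and IsHidden=0').Updates |
              ForEach-Object { $_.Title })

# 3. An installed patch that is waiting on a reboot is not protecting anything yet.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)
$rebootPending = ($rebootKeys | Where-Object { Test-Path $_ }).Count -gt 0

# 4. Decide: OK only if something from this Patch Tuesday is in, nothing is pending,
#    and no reboot is outstanding. Anything else needs a human to look at it.
$status = if ($recent.Count -gt 0 -and $pending.Count -eq 0 -and -not $rebootPending) {
    'OK'
} else {
    'ATTENTION'
}

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    PatchDay           = $PatchDay.ToShortDateString()
    LastPatchInstalled = if ($recent) { $recent[0].InstalledOn.ToShortDateString() } else { 'none since Patch Tuesday' }
    RecentKBs          = ($recent.HotFixID -join ', ')
    PendingCount       = $pending.Count
    PendingTitles      = ($pending -join '; ')
    RebootPending      = $rebootPending
    Status             = $status
}
```

Running it across a fleet (for example through Invoke-Command) and keeping the objects is the “logs and reports” evidence that patching is happening, rather than an assumption that it is.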

If you have someone handling this already – great. If you’re reading this thinking “nobody is doing that for us right now,” that’s where we come in. Server patching, workstation updates, and ongoing security maintenance are part of what we do for clients every month. We take it off your plate and make sure it’s actually happening – on a schedule, with logs and reports so you can see it.

The New Reality: You Need a Partner, Not a Vendor

Here’s where we land, and we’ll say it plainly.

The small business IT model of the last twenty years – buy a firewall, install antivirus, call someone when something breaks – is running out of runway. It worked when attacks were slow, manual, and noisy. It doesn’t work when bots are scanning millions of IP addresses an hour for freshly-disclosed bugs.

What small businesses need now is the same thing hospitals and Fortune 500 companies have always had: someone watching. Someone who reads the patch bulletins on a Wednesday morning and decides within hours whether your systems are affected. Someone who knows what a “SharePoint spoofing zero-day” is – and whether it touches your business. Someone who calls you when something needs attention, instead of waiting for you to call them.

That doesn’t have to cost what an enterprise security operations center costs. It just has to be a real relationship with a real professional who treats your business like theirs.

How Pendergrass Consulting Helps

We built Pendergrass Consulting on a simple idea: small businesses deserve the same caliber of IT support that hospitals and Fortune 500 companies rely on – without the enterprise price tag and without the runaround.

That means:

  • Server and workstation patch management. We install security updates on your servers and computers on a regular schedule, test them first, and send you reports so you know it’s actually getting done. No more wondering whether your Windows Server has the latest fixes.
  • Monitoring that catches problems early. Not waiting for a user to notice something’s wrong.
  • Security built in, not bolted on. Twenty years of enterprise healthcare IT experience informs how we configure every network, every server, every workstation.
  • A real human who picks up the phone. Not a ticket system. Not a chatbot. A person who knows your environment and your business.
  • No contracts, no surprise fees. You stay because we deliver. That’s it.

If your current setup is “we have a nephew who helps when things break,” or “we bought a firewall three years ago and haven’t thought about it since,” the next twelve to eighteen months are going to be bumpy. The good news: it’s not hard to get ahead of this. It just takes a conversation.

Let’s Talk

There’s no pressure, no obligation, and no sales pitch on a first call. Just a conversation about what your business runs on, what you’re worried about, and whether we’re a good fit for each other.

Pendergrass Consulting
Phone: 252-432-3325
Email: Sales@PendergrassConsulting.com
110 S. Massey St., Suite 201, Selma, NC 27576

Pendergrass Consulting is a full-service IT firm based in Selma, NC, serving small businesses across the Research Triangle, Johnston County, and nationally for web, hosting, email, backup, and digital marketing services.
