Everything we do at MongoDB starts with customers and we work backward from their needs. As a result, I frequently engage with customers, partners, and industry peers to proactively find new ways to collectively strengthen our defenses—ideally, long before any issues arise.
One of the most rewarding parts of my role at MongoDB is the time I spend in these customer conversations. Lately, a common theme is the fundamental shift the IT security landscape is undergoing. The introduction of ever-more-powerful AI tools has made it easier and faster for both well-intentioned security researchers and malicious actors to find vulnerabilities, putting increasing pressure on technologists across the industry.
Here is how MongoDB is thinking about security in this AI-driven era. We are focusing our security strategy on four key shifts designed to address the new speed of discovery:
Communication: Providing deeper context around security releases beyond Common Vulnerability Scoring System (CVSS) scores to help customers prioritize risk
Patching: Aggressively reducing time to patch through automation and managed services
Resourcing: Expanding MongoDB’s security engineering investments even as others in the industry pull back
AI usage: Leveraging frontier models to harden our code and inspect legacy systems
As I always tell my team, any successful technology offering must deliver security, durability, availability, and performance—in that order. And proactively identifying, addressing, and communicating issues is a key part of maintaining trust. My hope is that sharing our perspective helps drive deeper discussions with customers and partners.
The velocity of discovery
To understand why MongoDB is making these shifts, we have to start with the data. We can see the scale of the new security landscape in the volume of Common Vulnerabilities and Exposures (CVEs) across the industry, which has risen dramatically over the past several years, and is projected to continue to rise.

AI is acting as a force multiplier here, enabling both internal engineering teams and independent researchers to uncover vulnerabilities that were previously invisible. I don’t see this as a sign that software is necessarily getting worse; it’s a sign that our discovery tools are getting better, and that the bar is rising.
The reality of risk
In my discussions with customers and peers, we often compare notes on how we’re managing this firehose of information. The faster and more efficiently we can communicate across the industry, the more secure we’ll all be. However, an increase in information can create a signal-to-noise problem.
This is where the distinction between CVSS scores and actual risk becomes vital. While CVSS plays an important role in triage, it is a vulnerability scoring system derived from technical attributes, not a risk scoring system that accounts for your unique environment. To truly assess risk, you have to look beyond the score and factor in:
The environment: Is the asset reachable from the internet?
Asset value: What is the sensitivity of the data it contains?
Operational impact: What would a compromise actually do to your business?
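The three factors above can be turned into a triage queue. The following script is an added example and is not MongoDB's code or tooling: it keeps the vendor's CVSS base score as the starting point and scales it by exposure, asset sensitivity and operational impact, so a 10.0 on an isolated lab box ranks below a 7.5 on an internet-facing, regulated-data service. The factor tables, the weights, the deadline tiers and the four findings are all assumptions constructed for the example, and the identifiers are placeholders rather than real CVEs.

```python
"""Rank findings by environmental risk instead of raw CVSS base score.

Added illustration, not MongoDB's code. The factor tables, weights and
deadline tiers are assumptions chosen for this example, and the findings
are constructed; the CVE-style identifiers are placeholders.
"""
from dataclasses import dataclass
from typing import List

# Each table maps an environmental attribute to a 0..1 multiplier.
# Values are assumed for the example, not taken from any standard.
EXPOSURE = {"internet": 1.0, "partner": 0.7, "internal": 0.4, "isolated": 0.15}
SENSITIVITY = {"regulated": 1.0, "confidential": 0.8, "internal": 0.5, "public": 0.2}
IMPACT = {"outage": 1.0, "degraded": 0.6, "cosmetic": 0.2}

# Relative weight of the three factors (assumed; they sum to 1.0).
WEIGHTS = (0.5, 0.3, 0.2)


@dataclass(frozen=True)
class Finding:
    ident: str        # placeholder, not a real CVE number
    asset: str
    cvss: float       # vendor-published base score, the triage starting point
    exposure: str     # is the asset reachable from the internet?
    sensitivity: str  # what data does it hold?
    impact: str       # what would a compromise do to the business?


def environment_factor(f: Finding) -> float:
    """Weighted blend of exposure, asset value and operational impact (0..1)."""
    w_exp, w_sens, w_imp = WEIGHTS
    return (w_exp * EXPOSURE[f.exposure]
            + w_sens * SENSITIVITY[f.sensitivity]
            + w_imp * IMPACT[f.impact])


def risk_score(f: Finding) -> float:
    """CVSS scaled by the environment. A 1.0 environment keeps the base
    score; anything less shrinks it, so the result never exceeds CVSS."""
    return round(f.cvss * environment_factor(f), 2)


def patch_deadline_days(score: float) -> int:
    """Assumed SLA tiers: the higher the contextual risk, the shorter the window."""
    if score >= 7.0:
        return 3
    if score >= 4.0:
        return 14
    return 30


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest contextual risk first; the raw CVSS score breaks ties."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)


# Constructed queue: note that the 10.0 and the 9.8 sit on low-exposure assets.
FINDINGS = [
    Finding("PLACEHOLDER-A", "batch-etl", 9.8, "internal", "internal", "degraded"),
    Finding("PLACEHOLDER-B", "customer-api", 7.5, "internet", "regulated", "outage"),
    Finding("PLACEHOLDER-C", "partner-gw", 6.1, "partner", "confidential", "degraded"),
    Finding("PLACEHOLDER-D", "lab-box", 10.0, "isolated", "public", "cosmetic"),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        s = risk_score(f)
        print(f"{f.ident:14} cvss={f.cvss:4} risk={s:5} patch within {patch_deadline_days(s)}d")
```

Sorted by CVSS alone the queue would read D, A, B, C; sorted by contextual risk it reads B, A, C, D, and the internet-facing regulated service gets the 3-day deadline while the isolated lab box drops to 30. The design choice worth keeping is that the environment can only reduce the score, never inflate it, so the vendor's CVSS remains the ceiling and the multipliers cannot be used to talk a finding up.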
To help MongoDB customers cut through the noise, we will be providing more context in our security releases to enable you to evaluate your individual risk more effectively. In future updates, we will include additional details on the nature of patches alongside CVSS scores. Our goal is to provide the environmental context you need to decide how quickly you need to deploy a specific fix.
The real challenge: Patch latency
The real risk to an organization is the time it takes to patch vulnerabilities, not the frequency at which they are found. The scariest scenario isn’t just that AI finds a zero-day vulnerability in the software you use. It’s that AI finds one while your software is several versions behind the current release, and you don't have a path to patch it quickly.
This is exactly where managed services like MongoDB Atlas earn their keep. Atlas handles the patching for you on a cadence that few individual customers can match on their own. We saw the value of this in December 2025: MongoDB was able to patch hundreds of thousands of Atlas hosts within days. This was possible because of our sustained investment not just in security, but also across MongoDB’s developer productivity, SRE, and build teams.
For customers owning their own software deployments, the focus needs to be different. In these environments, automation and close vendor engagement are key. To maintain a strong security posture, you must have a practiced, reliable path to move from a vendor's disclosure to a production deployment as quickly as possible.
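A "practiced, reliable path from disclosure to deployment" is only practiced if it is measured. The script below is an added example, not MongoDB's code or an Atlas feature: given an advisory's disclosure time and the fixed version, it walks a self-managed fleet inventory, decides per host whether the running build carries the fix, computes the exposure window from disclosure to deployment (or to now, if still unpatched), and flags hosts that exceeded the SLA whether or not they were eventually patched. The advisory identifier, the hosts, their versions, every timestamp and the 7-day SLA are constructed assumptions; the version comparison assumes all hosts track a single release branch.

```python
"""Track disclosure-to-deployment latency across a self-managed fleet.

Added illustration, not MongoDB's code. The advisory, the hosts, their
versions and every timestamp are constructed for the example, and the
7-day SLA is an assumption.
"""
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Tuple

DAY = 86400.0


def parse_version(v: str) -> Tuple[int, ...]:
    """'8.0.5' -> (8, 0, 5); tuples compare component-wise, unlike strings
    (as strings, '8.0.10' would sort below '8.0.9')."""
    return tuple(int(part) for part in v.split("."))


class Advisory(NamedTuple):
    ident: str             # placeholder identifier, not a real advisory
    fixed_in: str          # first version on this release branch carrying the fix
    disclosed_at: datetime


class Host(NamedTuple):
    name: str
    version: str
    deployed_at: datetime  # when the running version was rolled out


class Status(NamedTuple):
    host: str
    patched: bool
    latency_days: float    # disclosure -> deployment, or -> now while unpatched
    overdue: bool          # latency exceeds the SLA, patched or not


def assess(adv: Advisory, hosts: List[Host], now: datetime, sla_days: int) -> List[Status]:
    """One Status per host. A host already on a fixed build before disclosure
    gets zero latency rather than a negative number. Assumes one release branch."""
    fixed = parse_version(adv.fixed_in)
    out = []
    for h in hosts:
        patched = parse_version(h.version) >= fixed
        end = h.deployed_at if patched else now
        latency = max(0.0, (end - adv.disclosed_at).total_seconds() / DAY)
        out.append(Status(h.name, patched, round(latency, 1), latency > sla_days))
    return out


def summarize(statuses: List[Status]) -> Dict[str, float]:
    """Fleet-level numbers a team would watch to drive patch latency down."""
    patched = [s for s in statuses if s.patched]
    return {
        "hosts": len(statuses),
        "unpatched": len(statuses) - len(patched),
        "overdue": sum(1 for s in statuses if s.overdue),
        "max_latency_days": max(s.latency_days for s in statuses),
        "mean_patched_latency_days": round(
            sum(s.latency_days for s in patched) / len(patched), 1) if patched else 0.0,
    }


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed fleet: one host patched early, one patched late, one never,
# and one that was already running a fixed build before disclosure.
ADVISORY = Advisory("PLACEHOLDER-ADV", "8.0.5", utc(2026, 1, 5))
HOSTS = [
    Host("db-01", "8.0.5", utc(2026, 1, 7)),
    Host("db-02", "8.0.4", utc(2025, 12, 1)),
    Host("db-03", "8.0.6", utc(2026, 1, 15)),
    Host("db-04", "8.0.5", utc(2025, 12, 20)),
]
NOW = utc(2026, 1, 20)
SLA_DAYS = 7

if __name__ == "__main__":
    statuses = assess(ADVISORY, HOSTS, NOW, SLA_DAYS)
    for s in statuses:
        print(s)
    print(summarize(statuses))
```

Two details matter in practice. An unpatched host's latency keeps growing every day the report is run, so the "overdue" count cannot be satisfied by a partial rollout. And a host that was patched late still counts as overdue, which is the number that tells you whether the disclosure-to-deployment path is actually practiced rather than merely possible.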
Scaling MongoDB’s security investment in talent and AI
Lately, many companies have made headlines for laying off engineers, citing the introduction of AI tooling as their rationale. At MongoDB, we’ve taken a different approach. Over the last two years, we have grown our security engineering team and made additional security investments. We deliberately made this investment because we anticipated the rise in CVEs and knew our teams would need the space to experiment with and implement the latest AI security tools. We’ve also made a multi-year investment to incorporate security practices throughout our software development lifecycle, a strategy often referred to as “shifting left.”
We have empowered all MongoDB builders to use the latest AI models, not just to create new code, but also to rigorously inspect and improve our legacy systems. As a participant in Anthropic’s Cyber Verification Program, our teams are already using frontier models like Opus 4.7 to conduct deep security analysis across our codebase. This work provides a powerful foundation that will be further enhanced when we gain access to Claude Mythos Preview and entry to Project Glasswing, Anthropic’s invite-only cybersecurity initiative. Our team is ready to integrate these advanced capabilities into our stack as soon as they become available.
MongoDB’s internal work is only part of our strategy. We have also expanded MongoDB’s Bug Bounty Program to incentivize security researchers, ethical hackers, and other “good guys” to use these same AI tools to find and report vulnerabilities to us. By working alongside the community and leveraging the best available technology, we can stay ahead of the curve and position MongoDB’s discovery process to remain faster than the threats we face.
The basics remain paramount
While we continue to lean into the latest frontier models to stay ahead of the curve, it is important to remember that these tools are not a replacement for foundational security. Fundamentals like (but not limited to) defense in depth—the use of multi-layered security controls to protect data—and the principle of least privilege are always critical. In times of rapid change, they’re even more important. My advice to customers here is simple: even as you adopt new AI tools, keep focusing on these basics as the foundation of your security strategy.
Nothing delights me more than when I’m talking to a customer or a peer, and they say, “OK, that new vulnerability is scary, but we’re already protected because of X, Y, and Z security controls we have in place.” That’s the goal. When security is proactively baked into an organization’s standard operating procedures—rather than treated as a reactive task—you build an inherently robust system. With AI now being used to find vulnerabilities at unprecedented scale and speed, maintaining this sort of foundational rigor is only growing in importance.
Earning your trust, every day
AI-accelerated vulnerability discovery is fundamentally changing software security. As AI tools become more powerful, they’ll continue to compress the window between disclosure and potential exploitation. A patching cadence that worked in 2020 no longer works today.
Addressing this reality requires an increased focus on maintenance. Reducing patch latency must become a top priority of every organization. When you combine rapid, proactive patching with rigorous security fundamentals like defense-in-depth and the principle of least privilege, you build a system resilient enough to handle the pace of the AI age. The objective is to move from a reactive state to a practiced, operational environment where security is a seamless part of how you run your organization.
Operating software and services securely at high scale is complex. Our responsibility is to continuously improve our products, act with urgency and transparency, and strengthen how we protect our customers. To stay informed on our latest security updates and releases, I encourage you to visit the MongoDB Alerts page. We appreciate the trust our customers place in MongoDB and remain committed to earning that trust every day.
– Jim Scharf, Chief Technology Officer, MongoDB