A faster release cadence: What's changing at F5, and what you need to do

F5 ADSP | July 06, 2026

I recently shared how F5 is using frontier AI models to find and fix vulnerabilities in our own code. Finding more issues, faster, is only half the work. The other half is getting those fixes into the hands of our customers at the same pace. A quarterly release cadence was built for a different era. In a world where the patch window has effectively inverted, quarterly is no longer enough.

I believe AI will ultimately tip the scales toward defenders. But right now, it runs the other way. Attackers can move from a discovered weakness to a working exploit faster than most organizations can patch. The changes below are how we start shifting that balance back, through faster remediation and faster deployment.

Finding more issues faster is only half the work. The other half is getting those fixes into the hands of our customers at the same pace.

These changes did not happen in isolation. For several months, we have been listening to and learning from customers who run F5 in their most critical paths, organizations with some of the largest-scale, most complex infrastructures in the world. We have taken what they told us seriously, and we are adjusting our approach because of it.

What’s changing with our release cadence

There are two significant changes you and your teams need to know about.

1. We are moving to monthly hardened software releases. Hardened software releases will ship on the third Wednesday of every month, starting July 15.

Each release will contain a broad set of fixes. These will come from our AI scanning, from the issues that surface as we chase those findings down, from internal teams and outside researchers, and from our own security and stability hardening. As frontier models keep improving, discovery will keep accelerating, and these releases will include a growing number of issues.

Our guidance has always been to run the latest release. That is truer now more than ever. I strongly urge you to deploy these releases as quickly as you are able, and not only for the critical severity issues. Across the industry, attackers are increasingly capable of chaining low- and medium-severity vulnerabilities together into novel exploits, so the severity of an individual fix is a less reliable guide to its importance. Treat every release as though it closes a critical gap.

We will limit the detail we disclose about specific fixes in each release. Given what these models can do, we are not going to hand attackers a roadmap to locate vulnerabilities and build exploits against them before customers are able to patch.

2. Quarterly security notifications are becoming monthly security notifications. We intend to issue monthly security notifications for vulnerabilities fixed in the previous month’s hardened release, while retaining flexibility to adjust timing, content, or notification approach where law, contract, coordinated-disclosure obligations, government coordination, active exploitation, materiality assessment, embargo, or customer-protection considerations require a different approach. The first one lands August 19 and covers the July 15 release.

This delay is deliberate. It gives you a window to update before additional information becomes public. We will continue issuing security alerts outside of the monthly cadence whenever urgent vulnerability information needs to reach you immediately.

With this shift to a monthly cadence of hardened releases and security notifications, you will continue to see us deliver:

  • Maintenance releases (F5 BIG-IP, F5 BIG-IQ, F5OS, F5 NGINX) with bug-fixes, including a roll up of recent CVE fixes, small features, and enhancements focused on stability and defect remediation.
  • Major releases (BIG-IP, BIG-IQ, F5OS) tied to product roadmap milestones with new features, modules, capabilities, and core security architecture improvements.
  • Annual long-term stability releases (NGINX) that provide a stable foundation for organizations that prioritize consistency and extended support windows.
  • Engineering hotfixes (EHFs) to address urgent issues requiring immediate remediation, released as needed based on customer impact.

What you can do now

We are not the only vendor moving toward more frequent releases. As patch frequency rises across the industry, your teams will absorb more updates, across more vendors, more often. That is a real operational burden, and we are committed to making it easier, not harder.

A few things you can do now:

  • Deploy F5 Insight for ADSP. We are investing heavily in fleet management, with an update coming very soon. Those capabilities will be delivered through F5 Insight, so deploying it now gives you visibility into your current posture and positions you to use fleet management when it is available.
  • Automate updates across your BIG-IP estate. Use F5 automations and Red Hat Ansible collections so you can absorb more frequent security releases without the manual overhead.
  • Engage F5 Professional Services. Let us help design an automated, low-risk update process tailored to your environment, turning a faster cadence into an advantage rather than a tax.

What you can expect from us

A faster cadence asks more of you. Here is what you can expect of us as we roll out these changes, and adapt to what comes next:

  • Protecting our customers comes first. You put us in your most critical paths, and every change we make starts with that responsibility.
  • We will apply whatever resources it takes to find and fix vulnerabilities quickly. We have built dedicated infrastructure and pulled engineering from across the company so you can run our products with confidence.
  • We remain committed to transparency, responsible disclosure, and engagement with the security community. Delayed disclosure is not less disclosure. We will keep working alongside customers, researchers, and frontier AI labs as we all adapt to this new threat landscape together.
  • We will keep adapting as your needs and the threats evolve. This cadence is right for where we are today. The same discipline that moved us off quarterly will move us again when the landscape demands it.

The reality we are facing is that every advance that helps us find vulnerabilities is an advance available to attackers. We have prepared for this with the infrastructure, the tooling, and the operational muscle to find and fix issues and get patches to you as fast as we can. That work is not slowing down. Thank you for your partnership as we navigate this together.

For more on how we handle vulnerabilities, see our vulnerability disclosure policy. Details on each hardened release will be published as they become available. And if you have questions or need help adjusting to this new cadence, contact F5 Support at any time.

Share

About the Author

Kunal Anand
Kunal AnandChief Product Officer | F5

Kunal Anand leads the F5 product organization as Chief Product Officer. Responsible for product vision, strategy, and execution, he ensures development of breakthrough solutions that solve critical challenges and create exceptional experiences for customers. In his previous role as Chief Technology and AI Officer, Kunal charted the company’s technology and AI strategy and vision. Prior to F5, Kunal held the dual role of Chief Technology Officer and Chief Information Security Officer at Imperva. His journey to Imperva began in 2018 with the acquisition of Prevoty, an application security startup he co-founded in 2013. Before joining Prevoty, he was the Director of Technology at BBC Worldwide. Kunal has a deep history of innovation and technical expertise, and has held roles leading security, data, technology, and engineering teams at Gravity, MySpace, and the NASA Jet Propulsion Lab. Kunal has over 15 years of experience in AI and machine learning, ranging from model training, employing AI-driven algorithms to enhance products, and designing and implementing AI architectures. Kunal holds a Bachelor of Science degree in computer science from Babson College.

More blogs by Kunal Anand

Related Blog Posts

Kubernetes-native WAF for the gateway era: F5 WAF for NGINX now integrates with F5 NGINX Gateway Fabric
F5 ADSP | 06/04/2026

Kubernetes-native WAF for the gateway era: F5 WAF for NGINX now integrates with F5 NGINX Gateway Fabric

F5 extends WAFs to deliver consistent, scalable protection across clusters and environments with F5 NGINX Gateway Fabric and F5 NGINX Ingress Controller.

From dashboard fatigue to operational excellence: Why XOps needs F5 Insight for ADSP
F5 ADSP | 03/26/2026

From dashboard fatigue to operational excellence: Why XOps needs F5 Insight for ADSP

Learn how F5 Insight for ADSP lays the visibility foundation for XOps—turning fragmented signals across applications and infrastructure into actionable intelligence.

The hidden cost of unmanaged AI infrastructure
F5 ADSP | 01/20/2026

The hidden cost of unmanaged AI infrastructure

AI platforms don’t lose value because of models. They lose value because of instability. See how intelligent traffic management improves token throughput while protecting expensive GPU infrastructure.

Govern your AI present and anticipate your AI future
F5 ADSP | 12/18/2025

Govern your AI present and anticipate your AI future

Learn from our field CISO, Chuck Herrin, how to prepare for the new challenge of securing AI models and agents.

F5 recognized as one of the Emerging Visionaries in the Emerging Market Quadrant of the 2025 Gartner® Innovation Guide for Generative AI Engineering
F5 ADSP | 11/25/2025

F5 recognized as one of the Emerging Visionaries in the Emerging Market Quadrant of the 2025 Gartner® Innovation Guide for Generative AI Engineering

We’re excited to share that F5 has been recognized in 2025 Gartner Emerging Market Quadrant(eMQ) for Generative AI Engineering.

Self-Hosting vs. Models-as-a-Service: The Runtime Security Tradeoff
F5 ADSP | 05/01/2025

Self-Hosting vs. Models-as-a-Service: The Runtime Security Tradeoff

As GenAI systems continue to move from experimental pilots to enterprise-wide deployments, one architectural choice carries significant weight: how will your organization deploy runtime-based capabilities?

Deliver and Secure Every App
F5 application delivery and security solutions are built to ensure that every app and API deployed anywhere is fast, available, and secure. Learn how we can partner to deliver exceptional experiences every time.
Connect With Us