Executive Summary

What happened?

• AI, as demonstrated by Anthropic’s Mythos, has significantly increased the likelihood of attackers discovering new vulnerabilities, creating new exploits, and using them in complex automated attacks at scale.
• While AI also increases the speed to develop patches, and reduces defects in new software, the burden on defenders, by comparison, increases due to the inherent limitations of patching. The attackers gain asymmetric benefits.

How is this different from the status quo?

• In the near term, security organizations will likely be overwhelmed by the need to apply patches and respond to AI-discovered vulnerabilities, exploits, and autonomous attacks.

What to do now to deal with the current risk spike?

• Adjust risk calculations and re-orient security program resources for increasing volume of patches, decreasing time to patch, and more-persistent complex attacks.
• Focus on the basics and harden your environment further. Segmentation, egress filtering, multifactor authentication, and defense-in-depth/breadth all increase the difficulty for attackers.

What do we believe will happen next?

• The storm of vulnerability disclosures from Project Glasswing is the first of many large waves of AI-discovered vulnerabilities that may occur in rapid sequence.
• The capabilities seen in Mythos will quickly become more widely available, as demonstrated with the rapid release of ChatGPT 5.5, and the capabilities demonstrated by new open weight models, dramatically increasing the number and frequency of complex, novel attacks organizations will face.

What else should start now to be ready for the next waves?

• Prioritize robust dependency management to reduce vulnerabilities in third-party and open-source components.
• Consistently enforce automated security assessments in your development processes, including using LLM-powered agents to find vulnerabilities before the attackers.
• Introduce AI agents to the cyber workforce across the board enabling defenders to match attackers’ speed and begin closing the gap.
• Re-evaluate your risk tolerance to operational downtime caused by vulnerability remediation to account for shorter adversary timelines.
• Update governance for more efficient vendor onboarding and increase headcount to facilitate a faster cycle deployment of new AI-based defenses.
• As an industry we need to strengthen our coalitions, cooperation, and coordination.

Key Takeaways for the CISO

Use LLM-based vulnerability discovery and remediation capabilities.

Unlike defensive AI technologies, LLM-based vulnerability discovery capabilities are already mature and can be used to our advantage. Start immediately by asking an agent for a security review of any code, and build toward a VulnOps capability.

Update risk metrics.

With the shifting landscape, many of your metrics and risk assessments may be outdated, and could potentially even affect business reporting. Consider how to update these, and communicate the challenge with stakeholders.

Accelerate your team by the use of coding agents.

While defensive AI technologies are lagging behind offensive ones, coding agents can already accelerate human action across the board, and naming aside, they enable far more than code, from GRC to incident response. Triage and test patches, red team your environment, automate audit data collection, and accelerate security operations overall. Encourage and demand for your team to make use of these agents to accelerate their capabilities, alongside deploying security controls to deploy them responsibly.

Prepare to respond to more incidents.

Run tabletop exercises for multiple, simultaneous, high-severity incidents occurring within the same week; have playbooks in place for high level, critical incidents. Examine how to automate remediation capabilities to the degree possible. Verify and enable mitigating controls such as segmentation, egress filtering, Zero Trust architectures, phishing-resistant MFA, and secrets rotation, to limit impact when post-exploitation. The supply chain will be affected.

Increase focus on the basics.

The basics remain valid and can be prioritized for risks that can’t be otherwise mitigated. Segmentation, patching known vulns, Identity and Access Management, and defense-in-depth/breadth all increase the difficulty for attackers. To lower latent risk, expanding these efforts while there is time, is prudent.

We cannot outwork machine-speed threats. Re-prioritize, automate, and prepare for burnout.

The cadence and volume of vulnerability disclosures will exceed anything we have experienced before. Consider how you manage current priorities, and request additional headcount and budget for reserve capacity to avoid exhausting available resources, or potentially burning out existing staff. This, in parallel with adoption of coding agents, re-prioritization, putting more automation in place, and helping your team through career uncertainties and upskilling challenges.

Evolve to a Mythos-ready Security Program.

Mythos is one of what will likely be many changes to cybersecurity risk. If not already underway, incorporating Mythos and its implications into your strategy should be seriously considered.

Build Collective Defense Now.

Attackers already operate as syndicates, crowdsourcing, sharing tools, and moving as a collective. Engage now with sector coordinating groups, ISACs, CERTs, and standards bodies to share threat intelligence, coordinate response, and produce sector-specific guidance for this moment. Defenders must do the same and leverage our coordinating groups, especially when considering organizations that fall below the Cyber Poverty Line, as introduced by Wendy Nather.

Introduction

Many of our prior assumptions about the capabilities of AI in vulnerability research, exploitation, and autonomous attacks are outdated. Throughout 2025 and into 2026 we’ve seen continuous examples of increasing capabilities, in research and in actual in-the-wild attacks. AI-driven vulnerability discovery and exploitation has been accelerating for over a year.
Heather Adkins and Gadi Evron issued an industry warning about AI vulnerabilities, in September 2025, and called for urgent preparation. Then in October, they teamed up with Bruce Schneier, and introduced Vulnerability Operations (VulnOps). Average criminals will soon, if not already, possess capabilities that once required nation-state resources.

We have already seen advancements since the initial draft release of this paper two weeks ago:

• Mozilla reported they discovered 271 vulnerabilities in Firefox using Mythos (but only 3 of which warranted CVEs).
• A stealth startup released MOAK: The Mother of All KEVs, a site that uses existing public frontier models to autonomously create exploits based on a submitted CVE.
• Code is being removed from the linux kernel to reduce the attack surface due to concerns about LLM driven vulnerability research.

See Appendix A for more examples, details, and historical evidence.

Anthropic’s Claude Mythos (Preview) represents a step change in that trajectory, autonomously finding thousands of critical vulnerabilities across every major operating system and browser, generating working exploits without human guidance, and empowering autonomous attack orchestration, all at a speed and scale that outpaces any prior capability.

Diagram from the Zero Day Clock, by Sergej Epp, demonstrating the collapsing time to exploitation,
which is now down to hours.

The asymmetry this creates is structural. AI lowers the cost and skill floor for discovering and exploiting vulnerabilities faster than organizations can patch them. The window between discovery and weaponization has collapsed into hours. Attackers gain disproportionate benefit, and current patch cycles, response processes, and risk metrics were not built for this environment.

While many of these capabilities pre-date this new model, Mythos-class capabilities do represent a step-change, and will proliferate. The organizations that respond well will be those that build the muscle now: the processes, the tooling, and a culture willing to adopt AI as a core part of how security gets done. That adaptability will help determine who meets the next wave on their own terms.

This moment requires reprioritizing resources, reviewing risk levels and controls, and leveraging AI where feasible. At the time of this writing, most AI defensive controls and approaches are not yet mature. That said, AI attacker technology may be used for defensive purposes and coding agents, and can help across the board for anything from GRC to incident response (code is just one of their functions).
The detailed recommendations are included later in this document.

Essential viewing

The [un]prompted talks below are, in our view, the fastest route to a serious working grasp of where capabilities and opportunities currently stand. They are not tutorials, but high-density briefings from practitioners at the frontier. We consider all of these required viewing to grasp where we are, and how successful organizations are responding.
To quickly learn about capabilities and opportunities, we recommend watching the following [un]prompted talks:

• Nicholas Carlini, Research Scientist at Anthropic, on AI vulnerability research in the age of LLMs.
• Heather Adkins, CISO of Google, and John “Four” Flynn, CISO of DeepMind, on Google’s journey to zero vulnerabilities within two years.
• Dan Guido, CEO of Trail of Bits, on becoming an AI native organization.
• Adam Laurie (Major Malfunction), CISO of Alpitronic and legendary hacker, on breaking new ground in hacking with LLMs, by example of hardware “glitching”.
• Sergej Epp, CISO of Sysdig, on 8 Minutes to Admin. We Caught it in the Wild, a lightning-fast autonomous attack.

Mythos & Glasswing: Why They Matter

Mythos

Mythos is distinguished from previous model capabilities at both technological and strategic levels; even if many of its attributes already existed and have evolved over the past year.
Technologically, Mythos exhibits three specific capabilities that make it different:

1. Exploits without scaffolding. Internal lab environment testing at Anthropic showed Mythos generated 181 working exploits on Firefox where Claude Opus 4.6 succeeded only twice under the same conditions, marking a substantial jump in autonomy and reliability.

2. Complex, chained vulnerabilities. Mythos identifies vulnerabilities composed of multiple primitives chained together, such as scenarios requiring multiple memory corruption bugs combined into a single exploit path.

3. “One-shot” (single-prompt) capability. Mythos accomplishes significantly more with a single prompt, without elaborate scaffolding or agent configuration infrastructure.

Strategically, Mythos broke into mainstream media beyond technical security communities and reached into boardrooms, raising awareness and the urgency of AI-driven vulnerability risks. This has forced security teams to respond and opened the door for new resources and funding across the industry.

Glasswing

The scale and speed of Mythos prompted Anthropic to create Project Glasswing, possibly the largest multi-party vulnerability coordination effort in history. Anthropic provided selected critical infrastructure providers, industry partners, and open source maintainers early access to Mythos so they could patch their own products. Other AI model vendors have launched similar vetted-participant programs. Earlier in the year, OpenAI announced the Trusted Access program, now expanded.

The most significant limitation of Project Glasswing is that it can only cover so much. The world’s exploitable attack surface is vastly larger than what any curated partner ecosystem can cover, and most organizations that build or maintain critical software will not have early access to Mythos-class capabilities. Meanwhile, the competitive landscape is narrowing that window. If comparable offensive capabilities emerge in other frontier models within months, and in open-weight models within six months to a year, the defensive advantage conferred by early access becomes time-limited by definition.

While the coordination model Glasswing established is critically important, its impact will depend heavily on how quickly it can expand coverage, and whether the patch and disclosure pipeline can keep pace with both AI progress and adversarial adoption.

The Mythos-ready Security Program

The changing landscape, and the resulting risk and impact, demand an approach that is both operational and strategic, incident-response-driven in the near term, program-building over the long term. This plays out across three time horizons.

It is beyond the scope of this text to be exhaustive or prescribe how a full-fledged AI security program should be built. Rather, we selected high-impact recommendations that you can start with today, based on what the community can clearly discern at this early stage.

Beyond Application Security and Vulnerability Management, Mythos affects the wider security program. For example:

• Operationally, expect a potential deluge of new patches released from the 40 (and growing) vendors and Open Source projects in the early access program, similar to recent experience of needing to respond to multiple supply chain incidents within a two-week timeframe.
• Risk management-wise, business risk is shifting and engagement with stakeholders on risk planning and tolerance is key. The CISO’s ability to manage risk has been reduced to a degree that could potentially have effects on business reporting and projections.
• Strategically, longer-term gap analysis and selective overhaul of various functions will be beneficial, including governance processes to support faster technology onboarding and the implementation of innovative AI-based security controls.

To start, a Mythos-ready security program should achieve minimum viable resilience. It will upgrade and realign measurements to a higher maturity level on key metrics such as cost of exploitation, early detection of compromise, and blast radius containment.

This matters because many of the assumptions underlying our cyber defense programs are challenged. For example, time to exploitation has been reduced to minutes, we can no longer assume a patch will be ready in time for remediation purposes, incident frequency is likely to increase, the CVE system may not scale, shadow IT will fragment central control as coding agents proliferate to Citizen Coders, employees develop their own infrastructure, and threat intelligence is lagging behind vulnerability discovery and exploitation.

The First of Many Waves?

Any program we build must acknowledge that Mythos is only the first wave of future AI technology disruptions. In building a Mythos-ready program, we are not only seeking a return to equilibrium but also preparing to maintain balance for the waves ahead.

A Mythos-ready program should also account for how these shifts affect your team. The pace of change is real, and practitioners across all levels are working through what AI means for their roles and skills. This is a normal response to disruptive capability shifts, not a crisis of relevance. The practitioners who adapt fastest will be the ones who lean into AI tooling rather than viewing it as a threat to their expertise.

The path forward is doubling down on fundamental security controls and hands-on adoption of agents at every level, from the CISO down. Every security role is becoming an “AI builder” role, and the barrier is lower than most people realize. Using a coding agent is now easier than using Excel, and they are effective across multiple functions, from GRC to incident response, far exceeding their original, code-focused purpose.

Are We Outmoded? The Human Cost and the Opportunity Ahead

Leaders must understand the human cost of this transition. This isn’t just about burnout, but rather about reprioritization, automation, and an opportunity for clarity in communications and personal growth. Security teams are caught in a vice: AI is simultaneously accelerating the frequency of vulnerability reports they must respond to, the volume of code their organizations are shipping, and the expanding attack surface.

Beyond a workforce already at capacity that is absorbing exponential increases in workload, staff is also now operating with increased uncertainty.

They often feel they are falling behind from a skills perspective and are concerned about being replaced by AI, all while handling the cognitive intensity of management demands to integrate AI into their own workflows. Often without reprioritization from management or corresponding investment in automation and tooling, or even appropriate headcount or focus on well-being.

• Burnout and attrition in security functions represent a direct operational risk - the expertise needed to navigate this transition is scarce, takes years to develop, and is not replaceable on short timescales. Security team resilience, including sustainable workload, mental health support, and retention, should be treated as a strategic priority with the same urgency as the technical challenges AI presents.
• Security practitioners, ourselves included, are facing a culture challenge. Many are uncertain about how their roles will evolve. It is often unclear to them, and us, how we could keep up with the pace of change. This affects even the most technical, such as vulnerability researchers, many of whom are asking questions about the future and if they will have a place in it.

For now, we are not outmoded. Agents, often in the form of coding agents (although they are useful across the board, such as in GRC and incident response, and far beyond their original use case - code), also represent an opportunity for personal growth, and a feeling of empowerment. Everyone on your team, including you, can become hands on. All roles will likely become “AI builders”, where technical skills and specific domain know-how are augmented by agents. Getting started is now easier than using Excel. All you need to know is English.

The Shrinking Time Horizon

The time available for action is shrinking, and we need to find ways to move faster. Long-term goals should be considered a quarter away at most.

10 Questions to Understand Your Security Program State and Influence

A questions-based approach to triage your understanding of your security program, to reach ground truth, as well as gauge your influence on various business functions.

• What is our actual stance on AI today?
  • Allowed, tolerated, restricted, or unknown.
• Can employees use agentic coding tools in the enterprise today?
  • Making use of agentic capabilities such as looping LLM tool use, and specifically coding agents (regardless of writing code), not just chatbot access. Do you have security guardrails in place for these coding agents?
• Can employees contribute to open source without legal ambiguity?
  • A legal and IP question, not a technology philosophy question.
• Do we have disciplined control repos, artifacts, and software, including for agentic supply chain such as MCP servers, plugins, and skills?
  • Source control, package paths, artifact provenance, and what is actually allowed in, in the CI/CD pipeline and through coding agents.
• Is there a real cooling-off point/security gate between code change and production?
  • Demonstrates enforcement of security in release cycles and control of software supply chain.
• Is security operational, or primarily advisory?
  • The extent to which the security function can directly affect outcomes, or does it serve mostly as a review and escalation function.
• What is the fastest this company has made a security-driven production change in the last year?
  • Use a real example, not a policy statement.
• Are our critical “crown jewels” explicitly tracked and current?
  • Not theoretically important systems. The actual few that matter most, and their main dependencies.
• Do we know how to get urgent work prioritized by our key third parties?
  • Feature requests, bug reports, security escalations, relationship ownership, and leverage
• Does executive leadership have a working definition of urgency?
  • If everything is a crisis, nothing is urgent.

Updating Your Security Program

With those answers in hand, we start with a draft risk register, followed by a list of prioritized actions and controls for a Mythos-ready security program, based on what the writers believe are most likely to be effective and impactful for most organizations.

Then, we provide an action plan for consideration in updating your security program. Each action below is broken down into when it should commence, and a generalized estimate on a potential risk is linked to recognized frameworks. Then, each action has a time horizon under which it could be completed, for most organizations.

A Mythos-ready Security Program Risk Register (DRAFT)

See appendix for a full legend. Grouped by severity. PA = Priority Action from the Mythos-Ready Security Program table. See Appendix B for framework reference legend.

Priority Actions for a Mythos-ready Security Program - Aggressive Time Table (DRAFT)

For the CISO who needs to walk into a room Monday morning with a plan. This is meant as a quick reference to facilitate strategy and action. We assumed an aggressive time table in our recommendations, which may prove unrealistic for all organizations.

As you read through the table below, consider:

• Organization size, complexity, and budget should be taken into consideration. From very complicated environments to entirely SaaS-based ones, some would find it difficult to be agile, while others won’t have an available budget.
• Program updates should be considered in context, as some recommendations could prove contradictory if followed as-is. For example, the requirement to delay patching due to supply chain risks, with a cooldown period, directly competes with the need to patch faster. This calls for nuance in decision making and in policy, broadly, as well as in mitigating controls or specific incidents.

Risk: Critical = immediate exposure if unaddressed High = significant exposure within 45 days Category: Governance = structural prerequisite Risk Control = direct risk reduction Operational Enabler = makes risk controls executable

Executive and Board Briefing: the AI Risk Summary

Mythos is now a boardroom concern, and that creates an opportunity. This section is a working tool for CISOs preparing a leadership and/or board update, organized around two things: justifying the current program and making the case for what comes next. Every organization is different, so make sure you align the talking points and timelines with your actual current situation and programs.

The Shift

AI with the capability level demonstrated by Mythos will transform how organizations operate, compressing development cycles and accelerating time to market. The business is already pursuing that value with current highly-capable models.

That same capability in adversary hands compresses the time between a vulnerability existing and causing business disruption from weeks to hours; a permanent acceleration, not a temporary spike.

This has two implications for the organization. First, several assumptions behind current risk metrics may no longer hold and need re-examination. We have moved into a world of containment and a focus on resilience, so metrics should now focus on the speed to recover to normal operations. Second, the same AI capabilities that create this risk also create a defensive opportunity: organizations can now identify their own weaknesses before attackers do, review code at machine speed, and respond to incidents faster than any human team can. Organizations that invest will be both faster to market and more resilient to attack.

Talking Point: AI Accelerates Both Sides

AI is making us faster and more competitive. But those same capabilities make attackers faster and more dangerous. It has compressed the time to a serious incident from weeks to hours, and that gap will continue to narrow. Turned inward, these tools let us find and fix our own weaknesses before adversaries do. Without attention to buying down risk, we move faster as a business while accumulating risk just as rapidly.

The security program this company has funded is what makes our AI security strategy viable. The investments already in place ensure that no single point of entry becomes a full business disruption. In an environment where entry points and weaknesses are discovered faster, that containment architecture is more valuable, not less.

With continued support, the changes we recommend here will return risk to pre-Mythos levels and demonstrate due diligence in response to a documented shift in the threat environment. This program builds the foundation that lets the business move fast with confidence.

Talking Point: An Aggressive Plan Is Needed

An appropriately funded foundation means our programs can adapt rather than merely react in a crisis. What changes is the speed and volume it must now handle.

This is not an open-ended AI initiative. We are seeking alignment to execute a targeted and aggressive 90-day plan with clear owners and outcomes:

• Increase People and Capacity. Plan for repurposing of existing staff (within the security org, but also, and especially, within engineering teams) and/or onboarding of additional headcount and contractor capacity to handle the anticipated increases in triage, remediation, and incidents, while protecting experienced staff from burnout, especially as the first wave of Glasswing patches hits.
• Deploy AI Tooling. Formalize AI agent usage across all security functions as standard practice: scanning our own code, ensuring AI-driven review before code ships, and augmenting teams with purpose-built agents. This equips our teams to operate at the same speed as adversaries.
• Harden Infrastructure. Prioritize updating asset inventories; reducing unnecessary exposure; and enforcing segmentation, Zero Trust, egress filtering, and phishing-resistant authentication. Validate these elements across internal systems and key third-party providers (MSPs, SOCs).
• Accelerate Procurement and Governance. Align across functional teams (security, legal, engineering) to evaluate threats and fast-track priority defensive technology onboarding. Current approval cycles are too slow for the coming threat environment.
• Update Playbooks. Update technical and communications response plans to execute at the required speed and scale, including pre-authorized containment and coordination for simultaneous incidents.
• Track Progress. Provide regular check-ins throughout the 90-day period to capture results and identify roadblocks.

Conclusions and Recommendations

AI-based attacks represent a structural shift in how offense and defense work, and it will not change. The cost and capability floor to exploit discovery is dropping, the time between disclosure and weaponization is compressing toward zero, and capabilities that previously required nation-state resources are now becoming broadly accessible.

While vulnerability discovery capabilities comparable to Mythos have shown to be present through earlier AI models, the Mythos announcement has grabbed the attention of the boardroom. Defenders can seize this opportunity and make a compelling business case to become “Mythos-ready” and prepare for an oncoming onslaught of patches.

Being “Mythos-ready” means:

• Engineering a resilient architecture that limits the ability of attackers to exploit discovered vulnerabilities and contains the impact if they are exploited.
• Discovering more vulnerabilities yourself in advance of any adversary (or vendor advisories).
• Responding quickly to incidents at scale and containing the impact to minimize business disruption.
• Accelerating your security program and staff capabilities with AI agents.

Empower your teams to use AI for defense, starting today. Every action in this brief can begin this week.
We have done this before. Y2K was a systemic threat with a hard deadline, and the industry met it through coordinated, disciplined effort. This is the same kind of problem, requiring the same kind of response, with more powerful tools available to defenders. Building a “Mythos-ready” security program is not about reacting to one model or announcement. It is about permanently closing the gap between how fast vulnerabilities are found and how fast your organization can respond.

Appendix A: Historical Precedence

Background

This all began with the DARPA Cyber Grand Challenge, a landmark competition organized by DARPA in 2016 that demonstrated the potential of fully automated cybersecurity systems. Teams developed autonomous platforms capable of identifying, exploiting, and patching software vulnerabilities in real time, without human intervention. The challenge highlighted a shift toward machine-speed cyber defense, showing how automation and artificial intelligence could significantly enhance vulnerability management and incident response, while also raising important questions about trust, control, and the future role of human operators in cybersecurity.

By mid-2025, XBOW, an autonomous offensive security company, topped the HackerOne leaderboard. The DARPA AI Cyber Challenge (AIxCC) found 54 vulnerabilities in four hours of compute. Google’s Big Sleep discovered real zero-days in open source.

Anthropic was used to automate full attack chains from reconnaissance through exfiltration. And, open source tools such as raptor proved autonomous vulnerability research is available to anyone able to use an agent.

In September 2025, Heather Adkins (CISO, Google) and Gadi Evron (CEO, Knostic) published a warning that attackers were racing toward a singularity moment, with autonomous vulnerability discovery and exploitation roughly six months away.

In February 2026 Anthropic, using Claude Opus 4.6, reported more than 500 high-severity vulnerabilities in open source software. AISLE found 12 OpenSSL zero-days, including a CVSS 9.8 vulnerability dating to 1998.

Linux kernel maintainers saw vulnerability reports climb from 2 to 10 per week, largely hallucinated at first, but that changed rapidly. The volume has held steady, but the reports are now all verified as real bugs.
The curl project, which originally discontinued its bug bounty program because it was drowning in hallucinated vulnerability reports (“AI slop”), last week echoed the above observation from the Linux team, reporting an increasing number of AI-supported quality security reports.

Sysdig documented an AI-based attack that reached admin-level access in eight minutes. This week, Gambit released a report on the AI-led compromise of Mexican government infrastructure, originally reported in February.

In March, Sergej Epp and others introduced the Zero Day Clock, visually demonstrating the disappearing time to exploit development, demonstrating the drastic fall in time to exploitation to less than a day in 2026. It is worth noting that the historical collapse in time-to-exploit has not yet produced a proportional increase in the impact of exploitation. Many of the most consequential incidents of recent years involved credential abuse, social engineering, or supply chain compromise rather than zero-day exploitation. The ZeroClock trend is a leading indicator of where attacker capability is heading, not a direct measure of current damage.

Diagram from the Zero Day Clock.

Appendix B: Mythos Risk Register Legend

OWASP LLM 2025 · OWASP Agentic 2026 · MITRE ATLAS · NIST CSF 2.0

1. Framework Prefixes

Every code in the Frameworks column belongs to one of these four frameworks.

2. All Framework Codes Used in This Register

3. Severity

4. Risk Type