Mythos Broke the Clock, Now Defenders Are Racing the Storm

A coalition of cybersecurity heavyweights has issued an emergency playbook for surviving the AI-driven “vulnerability storm” — and it makes clear that speed, automation, and collective defense are now existential requirements.

Security teams are staring down a structural break in how cyber risk behaves, and it’s happening faster than most organizations can process.

Download the full report here.

Anthropic’s Mythos preview didn’t just introduce incremental improvement in AI-assisted hacking; it demonstrated something far more destabilizing: autonomous vulnerability discovery and exploitation at scale, compressing the time from discovery to weaponization from weeks or even days into hours. The result is an “AI vulnerability storm” in which attackers gain an asymmetric advantage because they can discover and chain exploits faster than defenders can patch them.

That reality triggered emergency huddles across the cybersecurity ecosystem in recent days. Major financial institutions, government stakeholders, and industry leaders scrambled to understand what Mythos means for systemic risk. At the same time, Anthropic’s Project Glasswing attempted to coordinate early patching across a limited set of partners, highlighting both the potential and limits of coordinated defense at this scale.

Out of that urgency came this paper: a weekend sprint led by Gadi Evron, CEO of Knostic and CISO-in-Residence for AI at the Cloud Security Alliance; Rob T. Lee, Chief AI Officer and Chief of Research at SANS Institute; and Rich Mogull, Chief Analyst at the Cloud Security Alliance, alongside 16 authors, 250 CISOs and practitioners, and former leaders from CISA, NSA, and the White House. The speed of its creation is the signal. As Mogull put it, the collaboration itself is the point: defenders must now operate like attackers, fast, collective, and coordinated.

You Can’t Patch Your Way Out of This

Before getting into what to do, one thing is clear: the old model is already broken.

The report underscores a harsh truth: patching alone cannot keep up. AI lowers the cost and skill required to find vulnerabilities, while increasing their volume and complexity. Even as AI helps generate patches, defenders are still constrained by testing cycles, deployment risk, and operational downtime.

At the same time:

  • Vulnerability volume is set to spike dramatically
  • Exploit timelines are collapsing
  • Attack chains are becoming more complex and automated
  • Security teams are already operating at capacity

What To Do Now: Build a “Mythos-Ready” Security Program

The report is blunt: organizations need to reorient their entire security program around speed, scale, and resilience. Here’s the suggested path forward:

Infographic: 7 Moves to Survive the AI Vulnerability Storm
As AI-driven threats collapse the time to exploit, this infographic distills a rapid-response playbook from leading cybersecurity experts on how defenders must adapt fast.

1. Match Machine Speed with Machine Speed

You cannot defend against AI-driven attacks with human-only workflows. The report recommends immediately deploying:

  • LLM-based vulnerability discovery in development pipelines
  • AI agents for code review, red teaming, and remediation
  • Automated triage and patch validation processes

These capabilities already exist and are usable today. Organizations that delay adoption will fall behind attackers who are already using them.

2. Rebuild Vulnerability Management for Volume

Traditional vulnerability management assumes a manageable flow. That assumption is gone. Security teams must:

  • Prepare for continuous waves of vulnerabilities, not periodic spikes
  • Shift to prioritization models based on exploitability and blast radius
  • Accept shorter patch windows—and more operational disruption

The key shift: stop thinking in terms of backlog reduction and start thinking in terms of real-time vulnerability operations (VulnOps).

3. Double Down on the “Boring” Controls

The report repeatedly emphasizes:

  • Network segmentation
  • Egress filtering
  • Phishing-resistant MFA
  • Identity and access controls
  • Defense-in-depth architectures

These controls don’t stop vulnerability discovery, but they limit attacker movement and reduce impact, which becomes critical when prevention fails.

4. Redefine Risk—and Communicate It Upward

Most organizations are operating with outdated risk models. CISOs must:

  • Recalculate risk based on collapsed exploit timelines
  • Adjust tolerance for downtime driven by urgent patching
  • Update board-level reporting to reflect increased incident frequency

This is as much a business problem as a security problem. If leadership doesn’t understand the shift, response will lag.

5. Prepare for Constant, Parallel Incidents

The report urges teams to assume a new normal: multiple high-severity incidents happening at once. That means:

  • Running tabletop exercises for simultaneous crises
  • Building playbooks for compound attack scenarios
  • Increasing reliance on automation in incident response

The goal isn’t perfect response, but maintaining operational continuity under sustained pressure.

6. Invest in Human Resilience or Lose the Fight

One of the most overlooked risks: burnout. The report is explicit that security teams are facing:

  • Exponential workload increases
  • Cognitive overload from integrating AI
  • Rising attrition risk

Organizations must:

  • Add headcount and reserve capacity
  • Automate aggressively to reduce manual load
  • Treat team resilience as a strategic priority

If the people break, the program fails.

7. Build Collective Defense Now

Perhaps the most important takeaway: no organization can handle this alone. Attackers already operate as collectives. Defenders must do the same.

The report calls for:

  • Deeper engagement with ISACs, CERTs, and industry groups
  • Shared threat intelligence and coordinated response
  • Cross-sector collaboration on vulnerability handling

As the authors put it: “Teams beat stovepipes. Coalitions beat teams.”
