Cybersecurity is entering a new phase. One defined not by a gradual evolution of tools, but by a fundamental acceleration in how risk emerges, escalates, and materialises. The announcement of Anthropic’s Claude Mythos Preview and the launch of Project Glasswing signal artificial intelligence has crossed a threshold in offensive cyber capability.
Mythos does not simply automate known security tasks. It demonstrates the ability to autonomously analyse complex codebases, identify previously unknown vulnerabilities, chain subtle weaknesses into reliable exploits, and do so at a speed and scale which outpaces traditional defensive processes. While access to Mythos remains tightly controlled, its existence provides a clear preview of what is coming. Comparable capabilities will become more widely available. Once they do, the balance between offence and defence will shift again.
For organisations, the question is no longer whether AI‑enabled cyber offence will affect them, but whether their security programs are prepared to operate in an environment where discovery, exploitation, and adaptation happen at machine speed.
It is fair to ask whether Mythos is marketing hype. The reality is the industry has been moving toward AI‑augmented offensive security for some time, and there are already credible public examples. XBOW reached the top of HackerOne’s U.S. leaderboard in 2025, and Google announced its LLM‑based vulnerability researcher Big Sleep found and reported 20 real‑world vulnerabilities in widely used open‑source software. These examples, along with a growing set of agentic security tools, point to a clear direction of travel. Automated discovery and exploit development is becoming more capable, more repeatable, and more accessible.
What Mythos changes is not the existence of the trend, but the undeniability of it. By publishing standout performance metrics (including 181 working Firefox exploits and a 72.4% exploit success rate during evaluation), Mythos makes the threat credible at the executive level. This is a real capability shift, and it will diffuse. Whether through other frontier systems, open‑weight models, or commercial tooling, similar approaches will propagate across the security ecosystem. Ultimately, Mythos is just the messenger in an industry showing clear signs that the offensive tides are turning and defence needs to keep up with it.
Historically, the difficulty of advanced exploitation acted as a natural limiter. Sophisticated attacks required rare expertise, significant manual effort, and time. These attacks took weeks or months between vulnerability discovery and reliable weaponisation.
Mythos compresses that timeline. It demonstrates many of these steps can be automated or heavily accelerated. Vulnerabilities that once required specialised researchers to identify, validate, and exploit can now be surfaced and operationalised far more quickly, sometimes with minimal human steering.
This does not mean every organisation will immediately face catastrophic attacks. It does mean the margin for error is shrinking. Defensive models that depend on slow patch cycles, static risk prioritisation, or reactive response will struggle to keep up. Incremental improvements will no longer be sufficient.
The real implication of Mythos is not volume, it is context and speed and once again, time becomes the true battlefield.
In an AI driven threat environment, not all vulnerabilities matter equally, and not all weaknesses deserve the same urgency.
Traditional vulnerability management programs often focus on severity scores and backlog reduction. These approaches generate awareness but rarely provide clarity on what actually puts the organisation at risk. Exposure management demands a different lens.
Organisations must prioritise:
AI assisted attackers excel at identifying and chaining precisely the kinds of subtle issues such as logic flaws, misconfigurations, and overlooked paths, that traditional risk models downplay. AI accelerates patch-diffing and reverse engineering of fixes, so every disclosed patch becomes an exploit template for unpatched organisation within hours rather than weeks. This dynamic alone argues for prioritisation by exposure rather than Common Vulnerability Scoring System (CVSS) and for a remediation cadence that closes the highly reachable findings in the same windows the patch is published. Security leaders need to adopt an attacker’s perspective and focus resources where exploitation would meaningfully impact the business. What this means for risk reporting Stop equating Common Vulnerabilities and Exposures (CVE) counts and CVSS averages with exposure. Move toward exposure-based metrics: reachable attack paths, mean time to contain, blast-radius caps, and identity-blast-radius reduction. Pre-AI risk models will under-report the controls that matter most. |
As AI accelerates vulnerability discovery and exploit development, the window between “known” and “exploited” continues to narrow. Manual, ticket‑driven patch processes cannot scale to this reality.
Organisations need to modernise patch management with:
The goal is not reckless automation. It is deliberate speed, allowing teams to act quickly without sacrificing accountability. The long-horizon answer is a permanent Vulnerability Operations (VulnOps) function staffed and automated like DevOps but oriented around continuous discovery, triage, and remediation across the full software estate.
AI‑enabled offence makes one truth unavoidable: some vulnerabilities will always escape detection or remediation long enough to be exploited.
Resilience must therefore become a first‑class design principle. Organisations should assume that exploitation will occur and focus on limiting impact when it does.
Key resilience principles include:
In a world where exploitation can happen faster than patching, limiting blast radius matters as much as prevention. Preparing and practicing critical vulnerability response team actions will be critical in building resilience by driving key decisions based on level of risk. Decisions pertaining whether to keep services available or suspend services, while defect fixes are being deployed will become a more frequent occurrence. These decisions need to be rehearsed, with pre-authorised thresholds, before they are needed.
Threat modeling must evolve beyond static diagrams and compliance exercises. It should reflect how modern attacks actually unfold: rapidly, adaptively, and across interconnected systems.
Organisations should expand threat modeling to address:
Living attack‑path models, continuously updated to reflect environmental changes, help security teams understand where defences will have the greatest impact and where assumptions break down under AI‑enabled pressure.
If AI can analyse and exploit code at unprecedented speed, defenders must use the same capabilities earlier in the lifecycle.
Organisations should integrate AI‑assisted security into development workflows to identify flaws in custom code and critical dependencies before deployment. This is particularly important for foundational systems and externally exposed services.
At the same time, organisations must reassess software supply chain exposure. Many critical dependencies are maintained by small teams or communities that may lack access to advanced defensive tooling. Understanding where third‑ and fourth‑party software concentrates risk, and having plans to mitigate or isolate it, is becoming essential.
Security operations centers (SOC’s) are already overwhelmed by alert volume. As AI increases both the pace and sophistication of attacks, detection, analysis, and response will increasingly rely on automation. Defender operating at human speed against attackers’ operation with AI augmentation is a clear mismatch. Teams who do not adopt agentic tooling cannot match the speed of AI-augmented threats regardless of their underlying skill.
Modern SOC and Managed Extended Detection and Response (MXDR) capabilities must evolve to:
As more decisions are delegated to machines, governance and accountability become critical risk controls rather than administrative overhead. Machines can focus on defending against machines at machine speeds, while humans provide the oversight, control, and adaptability needed to continue to drive successes.
Agentic response in the SOC alone is not sufficient. In a machine‑speed threat environment, defence must also become dynamic, continuously measuring posture, recalculating likely attack paths as the environment changes, and taking real‑time actions that alter an attackers’ route before impact. This is where posture management and living attack‑path models move from reporting to control. When the system detects conditions that make lateral movement or privilege escalation feasible (for example, newly exposed services, risky identity permissions, or misconfigurations which open a path to high‑value assets), it should be able to automatically apply bounded mitigations tighten identity access, constrain egress, isolate risky endpoints, quarantine accounts, or enforce segmentation. So, the easiest paths disappear while the attacker is still mid‑operation. The outcome is not just faster alert response it is active disruption, where defenders continuously reshape the environment, so exploitation and chaining become harder in real time, with governance and oversight defining what changes are safe to make automatically.
AI‑enabled cyber incidents will escalate more quickly than many traditional crisis management processes are designed to handle. Executive teams and boards must be prepared to make decisions with incomplete information, under compressed timelines.
Organisations should incorporate AI‑enabled attack scenarios into executive tabletop exercises, focusing on:
Teams that rehearse these moments respond more deliberately when real pressure arrives.
Project Glasswing demonstrated what coordinated defence at the top of the market can look like with a list of top companies receiving access to fortify their defences before further release to other organisations. The harder question is what happens to the rest of the market. Wendy Nather’s concept of the Cyber Poverty Line which is the threshold which organisations lack the resources to maintain even baseline security hygiene is top of mind. For mid-market organisations, public-sector entities and critical infrastructure SMBs practical implications are:
Security teams are caught in a vice: Ai is simultaneously accelerating the volume of vulnerability reports, the volume of code their organisations are shipping, and the size of the attack surface. They are also operating with personal uncertainty around how their roles will evolve. Without re-prioritisation, additional headcount, or technology (automation/tooling) investment the result is predictable. Attrition of the exact senior expertise that organisations need to navigate this transition.
Treat security-team resilience, sustainable workloads, retention, support, and visible career path into AI-augment roles as a strategic priority with the same weight as technical agenda. The talent that knows how to operate machine speed defence is scarce, takes years to develop, and is not replaceable on short timelines.
In the Mythos era, the most resilient organisations will not be those with the longest vulnerability lists closed. They will be those that understand where they are truly exposed, how attacks could realistically unfold, and how quickly they can detect, contain, and recover.
As security decisions increasingly rely on AI, organisations must also grapple with algorithm risk, ensuring automated systems are transparent, governed, and aligned with broader trust principles such as accuracy and fairness, not just technical security.
AI‑enabled cyber offence is no longer theoretical, and this is no longer a strategy paper exercise. The capabilities demonstrated by Mythos show that risk will materialise faster and escalate more sharply than many organisations are prepared for.
This moment calls for informed, deliberate action, not reactive responses. Organisations who treat this as a strategic turning point have an opportunity to strengthen resilience in meaningful ways: by prioritising real exposure, designing for containment, modernising response, and aligning security with business context.
The AI era of cybersecurity is already underway. Those who prepare now will be best positioned to withstand what comes next.