Visiting KubeCon North America? See us at Booth # 752

What If the Mythos Claims Are True?

June 1, 2026

An AI model is quietly forcing cybersecurity leaders to rethink long-held assumptions about software risk, vulnerability discovery, and the speed of exploitation.

A few months ago, Anthropic reportedly chose not to broadly release one of its internal security-focused AI models. Instead, access was limited through Project Glasswing, a controlled programme intended to help critical infrastructure organisations identify and remediate weaknesses before comparable capabilities become more widely available.

The model, referred to as Mythos, has been described as capable of chaining together multiple lower-severity weaknesses into sophisticated attack paths rather than identifying isolated vulnerabilities alone.

Whether or not every public claim surrounding Mythos proves accurate is almost secondary. The larger shift is already visible across the industry: AI is steadily reducing the time, expertise, and cost required to discover exploitable weaknesses at scale.

That changes the economics of cyber risk in ways many organisations are still underestimating.

What is Mythos?

Mythos is Anthropic’s most advanced security-focused AI model, currently restricted to select organisations through Project Glasswing. It doesn’t just find individual vulnerabilities; it chains dozens of smaller issues together into sophisticated attack paths. This is not simply a more capable scanner. It reflects a broader shift toward machine-scale vulnerability analysis.

What changes when vulnerability discovery becomes machine-scale

For years, the practical limits of offensive security were defined by human constraints:

Time

Expertise

Coordination

Cost

Even highly motivated attackers could only evaluate so much software, so quickly.

AI changes that equation.

Modern applications depend on enormous open-source ecosystems spanning authentication libraries, databases, networking frameworks, logging systems, package managers, container components, and thousands of indirect dependencies.

Most of it is publicly accessible. Much of it is reused repeatedly across industries.

An AI engine does not fatigue, deprioritize targets, or move on because analysis becomes repetitive. It can continuously evaluate dependency trees, compare versions, test exploit paths, and identify relationships humans would likely never examine manually.

The important shift is not that AI suddenly creates “super hackers.” The shift is that activities which once required highly specialized expertise are becoming dramatically more scalable and accessible.

The economics of offensive security are changing

AI is changing more than vulnerability discovery. It is changing the economics of offensive security itself.

Activities that once required weeks of specialized manual analysis can increasingly be performed continuously and at scale. Vulnerability discovery, exploit path analysis, and dependency correlation are becoming dramatically faster and more accessible.

That affects both attackers and defenders.

The challenge is no longer whether sophisticated analysis is possible. It is how quickly organizations can adapt once that level of analysis becomes widely available.

In many cases, exploitation now begins within hours or days of public disclosure rather than months. Security teams built around lengthy remediation cycles are increasingly operating against timelines that no longer exist.

The board-level question: If a sophisticated attack previously required months of expert work and significant resources, and that constraint no longer exists, does the current security investment reflect that reality?

Three assumptions that no longer hold

Some of the most dangerous assumptions in cybersecurity are the ones that used to be true.

MYTH 1

There is time to patch after disclosure

For years, many organisations relied on a predictable remediation cycle:

That workflow assumed meaningful time existed between disclosure and exploitation.

Increasingly, it does not.

Public proof-of-concept code now appears rapidly after disclosure. AI-assisted analysis accelerates exploit development further, while internet-facing systems are often scanned almost immediately for exposure.

Reactive patching alone is becoming an increasingly fragile security model.

MYTH 2

Advanced exploit discovery remains difficult to scale

Historically, discovering novel exploit chains required highly specialised researchers with significant time, coordination, and expertise.

AI lowers those constraints.

Even if current claims surrounding systems like Mythos prove partially overstated, the broader direction is becoming increasingly clear: vulnerability discovery capabilities are becoming faster, cheaper, and easier to scale.

That matters because modern software ecosystems were never designed for continuous machine-speed adversarial analysis across millions of interconnected dependencies.

MYTH 3

Compliance visibility equals security

Compliance frameworks remain important. But passing an audit does not necessarily mean software can withstand large-scale automated adversarial analysis.

An AI system does not care whether an organisation passed its last assessment, whether patching metrics appear healthy, or whether documentation is complete. It evaluates whether exploitable conditions exist.

That distinction becomes increasingly important as vulnerability discovery and exploit development accelerate.

Many existing security programmes were designed around periodic reviews, known vulnerabilities, and human-paced attack cycles. Machine-scale analysis changes those assumptions.

Where many organisations are still exposed

Most enterprises already have security teams, vulnerability scanners, compliance programs, patching workflows, and monitoring platforms.

The problem is that many of those systems were designed around known vulnerabilities and human-paced attack models.  

The question organisations should ask themselves:

If every open source dependency in production were examined by a model that never sleeps and costs less than a consultant’s day rate to run, how confident is the organisation in what it would find?

Why software trust becomes central in the AI era

AI changes more than exploit speed. It changes the importance of software provenance itself.

When attackers can analyze dependency ecosystems continuously and at scale, organizations can no longer rely on assumptions about where software originated, how artifacts were built, whether dependencies were modified, or whether remediation pipelines themselves can be trusted.

This is why software supply chain integrity is increasingly becoming a foundational security requirement rather than a specialized engineering concern.

The organizations adapting fastest are moving toward verified source-based builds, reproducible pipelines, isolated build environments, continuously maintained dependencies, cryptographic provenance, and remediation processes designed for both speed and integrity.

The goal is no longer simply reducing known CVEs.

It is building software environments where trust can be continuously validated even under machine-speed adversarial pressure.

Defenders are not powerless

The same AI capabilities accelerating attackers are also improving defensive analysis, remediation, and verification.

AI can help defenders identify risky dependency relationships, prioritize remediation, detect anomalous packages, analyze software behavior, and continuously validate infrastructure integrity.

The long-term advantage will likely belong to organizations that industrialize software trust faster than adversaries industrialize exploit discovery.

That is ultimately the real shift underway.

Not an AI apocalypse.

A transition from human-scale security assumptions to machine-scale security realities.

A final word

The organizations that navigate this transition successfully will not be the ones reacting to each new model announcement individually.

They will be the ones that recognize the deeper structural change already underway: software ecosystems are becoming continuously analyzable at machine speed.

That changes how vulnerabilities are discovered. How attacks scale. How quickly trust can break down. And how software must be built and maintained going forward.

Well-maintained, continuously verified software stacks will become increasingly difficult to compromise over time.

But getting there requires moving beyond security models built for a slower era.


Dhanush VM

Seasoned technology leader with over a decade of expertise spanning DevOps, performance engineering, cloud deployments, and solution architecture.
