
After talking to CEOs, CISOs and founders, I thought it might be helpful to be a bit more of a truth detector and reality seeker rather than join the club of congratulating basic corporate cooperation.
Around 50 companies got a copy of an advanced model in order to scan their environments, identify vulnerabilities, create fix recommendations and then release them to their customers. This is great. Thank you.
Lets say that happens incredibly fast. In this dream scenario I’ll say 30 days. Lets also give them all the access they need to hit all the infrastructure, apps and repositories to find all the vulnerabilities and config issues. This won’t happen, but we can dream.
Now, if you're on the the side of Mythos not being that good at finding exploits you can stop reading now. I hope you're right, but for now I'm going to believe them when they say they are finding things that haven't been found in years.
Let’s say those issues get kicked to the enterprises they protect. Cyber teams now have to scramble to understand how these issues impact them personally and if we’ve learned anything over the years each enterprise is different. So we have to understand the vulnerability, determine the severity, the risk and test the fix. Critical vulnerabilities usually have an SLA of 15 days, Moderates 30-60 days Lows just get fixed on major releases if at all.
Now, if Mythos finds as many issues as they are indicating, very little gets fixed in 90 days. In the normal course of business we fight over who owns the issue, the severity of the issue and the time it will take to fix them for weeks if not months. I’ve been at places where we’ve had hundreds of critical and high vulnerabilities (some exploitable) that we just couldn’t or wouldn’t fix. It’s just reality. You can't manage risk to zero.
So what other levers do we pull. Policy creation and control improvements. Basically detection engineers are going to get killed over the next year as we place more burden on them to work with security vendors to create better policies in your EDR, WAF, Firewalls, CSPMs, etc. This is brutally hard, takes massive testing to avoid production impacts and is usually avoided. Ransomware isn't effective because it's better than the EDR you have. It's effective because you haven't enabled the right policy to protect yourself. Ask your local cyber experts how much they rely on policy/control improvements vs a config change, code change or “just wait for the vendor to release the patch”.
This is the reality that none of the press is capturing. They aren’t capturing it for obvious reasons that I’ll leave out of this because I want this to be productive. The model is going to be amazing. Amazing at writing code and amazing at exploiting it. We have to now deal with the consequences long after the 90 days and 50 companies get a head start and the benefits those 90 days give us will be null and void on the 91st day. That is what scares me. That doesn't mean it's a bad idea. We just need to be more honest about what we're up against.
So now what? What do we do? As a former CISO, I would move every single person I have in operations from the Vulnerability Management Team, Application Security Team, and others and put them on one team that focuses on traditional patching, testing, validation, policy creation, etc, etc. I would use Mythos to identify any/all vulnerabilities in my environment and replace all the Ops people that usually sit in the those organizations. You don't need those teams anymore. You just replaced them with this new model. I would then have one huge team focused on remediation. This would include cyber, infrastructure, application development, cloud ops and more. You no longer have to focus on finding bad things. Claude will do that for you. ALL of your efforts should be on the fix. We’ve been complaining about this for years. Well, now Anthropic lit a match that provides us the fire we need to focus on fixing and remediating more so than scanning and finding.
I've been getting a lot of questions on how to communicate this to your boards. That's a very difficult answer but I encourage everyone to be honest with their boards about the reality of the situation and what these models are going to do to improve the identification of vulnerabilities, but overload us on the fixes. I would not allow them to believe what they are reading in the press that this somehow is a gift over the next 90 days. This is nothing more than the calm before the storm. After 90 days the storm will begin with a level of force that we have not seen. 90 days does not give us enough time to prepare. On day 91, Mythos gets pushed out broadly, and whatever head start defenders got, evaporates. The assumption that critical infrastructure can be meaningfully hardened in that window is naive and you should set expectations properly with your board now.
I also think we are overlooking a critical component of what is about to happen. Mythos is a large, centralized model with access controls. But the same capabilities will trickle down into SLMs that run locally, offline, on edge devices. The Small Models will be just as powerful without any guardrails and be able to do much more damage. It scares me. It's the democratization of exploit generation that creates systemic risk, not the existence of one powerful centralized tool. Good people will do bad things. Bad people do terrible things. That hasn't changed over a thousand years.
I don’t have the answers. Just observations and worries. I always try to assume good intentions and I’m really trying to do that here. Mythos gives defenders faster time-to-identify vulnerabilities and exploit generation. I’m a fan. But that speed is going to kill cyber operators and overwhelm an already overworked industry that works under incredibly high stress. And a PR campaign that hails the effort of giving them a 90-day head start shows a lack of understanding and appreciation of how large enterprises protect their environments.
Thank you in advance to all of you who work tirelessly to protect the public and private sectors. You all deserve our gratitude and I hope I’m wrong.
Let's Secure Tomorrow, Together.
We're always looking for the next generation of cybersecurity innovators. Reach out to our team to start the conversation.
Other Articles
Pi: Building Zero Recurrence Code Security for the AI CodeGen Era
Pi Security is defining a new category, Zero Recurrence Code Security, built on the premise that the industry no longer has a vulnerability discovery problem but a vulnerability recurrence problem. Rather than generating more findings, Pi learns how an organization builds, breaks, fixes, and secures software, then turns that institutional security knowledge into preventative guardrails enforced across the software development lifecycle at design time, IDE time, and pull request time. The platform ingests context from prior incidents, tickets, pull requests, repositories, architecture decisions, and developer workflows to drive root cause analysis, variant discovery, contextual remediation, and ownership mapping, becoming a living security intelligence layer for developers, AI coding agents, and security teams. Founded by Guy Arazi, an offensive security operator and former CISO with roots at Palo Alto Networks and Microsoft, and Yonatan Ramon, who built safety-critical systems at Tesla, Pi raised a $35 million Series A alongside Third Point Ventures and angels including George Kurtz, Yevgeny Dibrov, and Nadir Izrael. Brightmind led Pi's Seed round in early 2025 and is continuing its support through the Series A.
Aryon: Building the Proactive Cloud Security Policy Enforcement Platform
Brightmind invested in Aryon, founded by Ron Arbel, Ariel Litmanovich, and Yair Ladizhensky, with the founders' firsthand experience securing complex cloud control planes on Project Nimbus as members of Matzov, the IDF's elite cybersecurity unit, serving as the driving force behind a proactive approach to policy enforcement. Traditional cloud security has been reactive and fragmented, catching misconfigurations only after they reach production and consistently failing enterprises due to native enforcement tools that are hard to configure, risky to enforce, brittle in production, and easily bypassed. Aryon's proactive, preventative platform enforces policy before misconfigurations ever ship, embedding safe enforcement directly into the cloud control plane to ensure context-aware governance that holds across Azure, AWS, and GCP and extends toward AI, SaaS, M365, identity, and data security. With AI-generated code and offensive AI introducing vulnerabilities at machine speed while patching and remediation still operate at human speed, Brightmind sees Aryon as the foundational layer for proactive cloud policy enforcement while also reducing operational friction for the IT and platform teams responsible for governance at scale.
