April 15, 2026

What everyone seems to be overlooking with Mythos and Project Glasswing

By:
Stephen Ward
Stephen argues that while Mythos (an AI security model) giving 50 companies a 90-day head start to find vulnerabilities sounds promising, it's largely illusory — enterprises are already drowning in unpatched critical vulnerabilities and the remediation pipeline is far too slow and contentious to meaningfully close the gap in time. On day 91, when Mythos is broadly released, whatever defensive advantage was gained evaporates and attackers gain the same powerful exploit-generation capability. He recommends CISOs restructure their security orgs entirely — retiring traditional scanning teams in favor of one massive remediation-focused team, letting AI handle identification while humans focus solely on fixing. His deeper fear is that these capabilities will trickle into small, offline, guardrail-free local models, democratizing exploit generation in a way that creates systemic risk far beyond what any centralized tool with access controls can contain.

After talking to CEOs, CISOs and founders, I thought it might be more helpful to play truth detector and reality seeker than to join the club congratulating basic corporate cooperation.

Around 50 companies received a copy of an advanced model so they can scan their environments, identify vulnerabilities, create fix recommendations and then release fixes to their customers. This is great. Thank you.

Let's say that happens incredibly fast. In this dream scenario I'll say 30 days. Let's also give them all the access they need to hit every piece of infrastructure, every app and every repository to find all the vulnerabilities and config issues. This won't happen, but we can dream.

Now, if you're on the side of Mythos not being that good at finding exploits, you can stop reading now. I hope you're right, but for now I'm going to believe them when they say it is finding things that haven't been found in years.

Let's say those issues get kicked down to the enterprises those companies protect. Cyber teams now have to scramble to understand how each issue affects them specifically, and if we've learned anything over the years it's that every enterprise is different. So we have to understand the vulnerability, determine the severity and the risk, and test the fix. Critical vulnerabilities usually carry an SLA of 15 days, moderates 30-60 days, and lows get fixed in major releases, if at all.

Now, if Mythos finds as many issues as they are indicating, very little gets fixed in 90 days. In the normal course of business we fight over who owns the issue, how severe it is and how long it will take to fix, for weeks if not months. I've been at places where we had hundreds of critical and high vulnerabilities (some exploitable) that we just couldn't or wouldn't fix. It's just reality. You can't manage risk to zero.
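To make the backlog arithmetic in the last two paragraphs concrete, here is a small burn-down model. It is an added example, not code from the post, Anthropic or Project Glasswing, and every number in it is a constructed assumption: findings arriving over the 30-day "dream" delivery window, a single remediation team closing a fixed number of findings per day, and SLAs of 15 days for criticals (from the text), 30 for highs (assumed; the text gives no figure), 60 for moderates (the top of the text's range) and none for lows. It triages highest severity first, oldest first within a severity, and reports what is still open and what has breached SLA when day 91 arrives.

```python
"""Backlog burn-down model for the 90-day head start.

Added example (not from the original post). Every number below is a
constructed assumption: how many findings arrive per day, for how long,
how many a combined remediation team can close per day, and the SLAs.
Replace them with your own environment's figures.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Triage order, and the assumed SLA in days (None = no SLA, fix on a major release).
PRIORITY = ["critical", "high", "moderate", "low"]
SLA_DAYS = {"critical": 15, "high": 30, "moderate": 60, "low": None}


@dataclass
class Finding:
    severity: str
    found_day: int                   # day the model reports it (1-based)
    fixed_day: Optional[int] = None  # None = still open


def generate_findings(arrival_days: int, per_day: Dict[str, int]) -> List[Finding]:
    """Constructed input: the model delivers per_day[severity] new findings
    every day for arrival_days days (the 30-day delivery window)."""
    return [Finding(sev, day)
            for day in range(1, arrival_days + 1)
            for sev in PRIORITY
            for _ in range(per_day.get(sev, 0))]


def simulate(findings: List[Finding], fix_per_day: int, horizon: int = 90) -> List[Finding]:
    """Each day, close up to fix_per_day open findings, highest severity first
    and oldest first within a severity. Mutates and returns findings."""
    for day in range(1, horizon + 1):
        open_now = [f for f in findings if f.fixed_day is None and f.found_day <= day]
        open_now.sort(key=lambda f: (PRIORITY.index(f.severity), f.found_day))
        for f in open_now[:fix_per_day]:
            f.fixed_day = day
    return findings


def report(findings: List[Finding], horizon: int = 90) -> Dict[str, Dict[str, int]]:
    """Per severity: how many findings are still open after day `horizon`
    and how many breached SLA (closed late, or still open past the deadline)."""
    out: Dict[str, Dict[str, int]] = {}
    for sev in PRIORITY:
        sub = [f for f in findings if f.severity == sev]
        sla = SLA_DAYS[sev]
        breached = 0
        if sla is not None:
            for f in sub:
                deadline = f.found_day + sla
                closed_late = f.fixed_day is not None and f.fixed_day > deadline
                open_past_deadline = f.fixed_day is None and deadline <= horizon
                if closed_late or open_past_deadline:
                    breached += 1
        out[sev] = {
            "total": len(sub),
            "open": sum(1 for f in sub if f.fixed_day is None),
            "sla_breached": breached,
        }
    return out


def day91_snapshot(fix_per_day: int = 3) -> Dict[str, Dict[str, int]]:
    """The scenario in the text: a 30-day delivery window, a 90-day head start,
    and one remediation team closing fix_per_day findings a day (assumed rate).
    Arrival rates per day are constructed: 2 critical, 5 high, 10 moderate, 20 low."""
    findings = generate_findings(30, {"critical": 2, "high": 5, "moderate": 10, "low": 20})
    return report(simulate(findings, fix_per_day, horizon=90), horizon=90)


if __name__ == "__main__":
    for sev, row in day91_snapshot().items():
        print(f"{sev:9s} total={row['total']:4d} open={row['open']:4d} "
              f"sla_breached={row['sla_breached']:4d}")
```

With these constructed numbers (1,110 findings, 3 closed per day) the criticals all make SLA, but 71 of the 150 highs are closed late, every one of the 300 moderates breaches, and 840 findings (240 moderates and all 600 lows) are still open when the head start ends. Doubling the team to 6 a day clears the moderates but still leaves 570 lows open on day 91. The point of the model is the shape of the curve, not the exact figures: discovery is front-loaded and remediation is linear, so the open count on day 91 is set by fix capacity, not by how quickly the findings were delivered.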

So what other levers do we pull? Policy creation and control improvements. Basically, detection engineers are going to get killed over the next year as we place more burden on them to work with security vendors to create better policies in your EDR, WAF, firewalls, CSPMs, etc. This is brutally hard, takes massive testing to avoid production impact and is usually avoided. Ransomware isn't effective because it's better than the EDR you have. It's effective because you haven't enabled the right policy to protect yourself. Ask your local cyber experts how often they rely on policy/control improvements versus a config change, a code change or "just wait for the vendor to release the patch".

This is the reality that none of the press is capturing. They aren't capturing it for obvious reasons that I'll leave out because I want this to be productive. The model is going to be amazing: amazing at writing code and amazing at exploiting it. The 50 companies get a 90-day head start, the benefits of those 90 days become null and void on the 91st day, and we have to deal with the consequences long after that. That is what scares me. That doesn't mean it's a bad idea. We just need to be more honest about what we're up against.

So now what? What do we do? As a former CISO, I would move every single person I have in operations from the Vulnerability Management Team, the Application Security Team and the others onto one team that focuses on traditional patching, testing, validation, policy creation and so on. I would use Mythos to identify any and all vulnerabilities in my environment and replace the Ops people who usually sit in those organizations. You don't need those teams anymore; the new model just replaced them. I would then have one huge team focused on remediation: cyber, infrastructure, application development, cloud ops and more. You no longer have to focus on finding bad things. Claude will do that for you. ALL of your effort should go to the fix. We've been complaining about this for years. Well, now Anthropic has lit a match that gives us the fire we need to focus on fixing and remediating rather than scanning and finding.

I've been getting a lot of questions on how to communicate this to your boards. That's a very difficult answer, but I encourage everyone to be honest with their boards about the reality of the situation: these models are going to improve the identification of vulnerabilities and overload us on the fixes. I would not let them believe what they are reading in the press, that this is somehow a gift over the next 90 days. This is nothing more than the calm before the storm. After 90 days the storm begins with a force we have not seen, and 90 days does not give us enough time to prepare. On day 91, Mythos gets pushed out broadly, and whatever head start defenders got evaporates. The assumption that critical infrastructure can be meaningfully hardened in that window is naive, and you should set expectations properly with your board now.

I also think we are overlooking a critical component of what is about to happen. Mythos is a large, centralized model with access controls. But the same capabilities will trickle down into SLMs that run locally, offline, on edge devices. Those small models will be just as powerful, without any guardrails, and able to do much more damage. It scares me. It's the democratization of exploit generation that creates the systemic risk, not the existence of one powerful centralized tool. Good people will do bad things. Bad people do terrible things. That hasn't changed in a thousand years.

I don't have the answers. Just observations and worries. I always try to assume good intentions and I'm really trying to do that here. Mythos gives defenders faster time-to-identify for vulnerabilities and faster exploit generation. I'm a fan. But that speed is going to kill cyber operators and overwhelm an already overworked industry that operates under incredibly high stress. And a PR campaign that hails the effort of giving them a 90-day head start shows a lack of understanding and appreciation of how large enterprises protect their environments.

Thank you in advance to all of you who work tirelessly to protect the public and private sectors. You all deserve our gratitude and I hope I’m wrong.

Let's Secure Tomorrow, Together.
