
Anthropic Mythos Preview: Faster patching isn't enough

Anthropic recently announced Claude Mythos Preview, an AI model which it claims has autonomously discovered and exploited thousands of high-severity vulnerabilities across major operating systems and web browsers. The cybersecurity community is paying attention, and rightly so.

 

AI-driven, machine-speed exploit generation is plainly an emerging threat and has been for some time. From our many conversations with CISOs across our clients, partners and the wider security community — and from our own direct experience — we know that AI is lowering the barrier to sophisticated cyberattacks and expanding the cybercriminal talent pool. Mythos is a concrete demonstration of that trajectory.

 

But the harder problem for most organizations isn't discovering more vulnerabilities; it's deciding which ones matter most and reducing exposure before they can be exploited. That's where leadership attention needs to go.

A product launch, not a turning point

 

The Mythos announcement has prompted a more watchful response in some parts of the security community. There's nothing wrong with heightened awareness provided it translates into action rather than alarm. But let's be clear-eyed about what this actually is.

 

Mythos is a new, more powerful model which seems to have genuinely impressive capabilities. But it is, at its core, a product launch. There will be many more launches like it, not just from Anthropic, but also from OpenAI, Google and the increasingly capable open-weight models emerging from Chinese labs. The capability frontier is moving constantly and Mythos needs to be understood as one data point, rather than a singular event.

 

What the announcement does amplify, however, is an already difficult challenge in vulnerability management. Organizations already struggle to focus remediation on what truly matters; a flood of new discovery and prioritization signals may further strain teams' ability to act on the most critical issues. That strain, rather than the model itself, is the problem leaders should be solving for.

The pace is changing

 

AI has been accelerating the speed of software development for several years now. The same acceleration applies to the people writing malicious code. The tooling that makes a developer more productive makes an attacker more productive too. Mythos demonstrates that at scale. 

 

The speed of cyber is increasing in multiple dimensions: discovery, exploit development, prioritization pressure and response coordination. What matters here isn't just the volume of vulnerabilities a system like Mythos can find. The point is that AI is compressing the time between a vulnerability existing and working exploit code being available for it. That changes the economics of attack across the board. Flaws that might previously have sat unexploited, because writing a reliable exploit was expensive and time-consuming, become viable targets at scale.

 

The implication for technology and security leadership teams is direct. You probably cannot scale your headcount sufficiently to match the increased speed; you have to scale decisions, automation and focus. Modernising and scaling your vulnerability management programme is no longer optional. It's the cost of operating in a landscape where exploit development is cheap and fast.

What this means in practice

 

The instinctive response to a flood of new vulnerabilities is to patch faster. And although accelerated patching matters, if it's your entire strategy, you're playing cat and mouse, reacting to an attacker's discoveries, competing on their timeline. You'll never get ahead because the economics of discovery is now stacked in a completely different way thanks to AI.

 

Prioritization

 

Prioritization is the first focus. More visibility only helps if it drives teams toward the handful of vulnerabilities that materially change risk. The job is not to manage thousands of findings equally; it is to cut that universe down to the first few dozen that matter now. Most organisations are still over-invested in approaches that generate too many false positive results and under-invested in deciding which to solve.

 

Asymmetric defence

 

The second is asymmetric defence. Good architecture gives defenders a structural advantage that doesn't depend on winning the patching race: segmentation contains blast radius, identity controls limit what a compromised component can reach and application-layer controls close off exploit paths. Pair that with monitoring built for real-time decisions rather than compliance reporting, and you can respond at the speed the threat demands.

 

Reducing the attack surface

 

The third is attack surface reduction, which too many organizations still treat as hygiene rather than strategy. The fastest vulnerability to fix is the one that no longer exists. Decommission unused assets, consolidate tooling, cut unnecessary external exposure. Every path you delete is one an attacker cannot take. The principle may not be new, but the urgency is.

Getting ahead of the tempo of today's threats

 

The speed of new cyberthreats is increasing. AI is making attackers faster. It can make defenders faster too, but only if they evolve toward AI-assisted, well-architected systems that continuously triage, correlate and drive responses at machine speed. Mythos Preview doesn't change the fundamentals of how good security works, but it does raise the tempo at which those fundamentals need to be applied, and exposes when organizations are solving the wrong vulnerability management problem.

 

The organizations that will weather this well are the ones that do three things now: sharpen prioritization so remediation effort tracks real risk, reduce attack surface so fewer vulnerabilities are reachable in the first place and scale security decisions through automation and architecture rather than more headcount.

 

If you treat vulnerability management as a first-class investment and have the necessary structural controls in place, when the next Mythos-scale capability arrives, you won't be scrambling.

 

The pace is new, but the right response isn't panic. It needs to be a combination of sharper focus, smaller attack surfaces and more automation in how security decisions are made.

Disclaimer: The statements and opinions expressed in this article are those of the author(s) and do not necessarily reflect the positions of Thoughtworks.
