Before It Gets Better: Mythos and AI Uncover Vulnerabilities and Solutions

Mythos changed something. Not just technically but also rhetorically. When Anthropic announced that its new model had found thousands of high-severity vulnerabilities across every major operating system and browser, including flaws that survived decades of human review and millions of automated tests, it wasn’t a product launch. It was a signal flare.

99% of those vulnerabilities remain unpatched. Let that sit for a moment.

We are at the beginning of a period that is going to get significantly worse before it gets better. I want to be honest about that, because I don’t think enough people in this industry are saying it plainly.

The First Wave

What Mythos represents, and what similar capabilities from OpenAI, Google, and others will represent, is not the creation of new vulnerabilities. The vulnerabilities have always been there. What’s changed is the speed and ease of finding and exploiting them. Work that once took a specialist team weeks can now be done in hours.

That distinction matters. We are not entering an era where software gets more broken. We are entering an era where the brokenness that was always there gets found, fast, at scale, by automated systems that don’t sleep and don’t bill by the hour.

For the next year or two, I expect we will be living through a first wave: the unearthing of vulnerabilities that already exist but have never been found, at a pace the industry has never had to absorb. Some of those will be disclosed responsibly. Some won't. And across that entire landscape, the patching burden falls, as it always has, disproportionately on end users and under-resourced organisations.

That burden is about to become unbearable.

We already know most organisations can’t keep pace with patching. Add an AI-accelerated flood of newly discovered vulnerabilities, and you have a window, potentially a wide one, that threat actors will absolutely exploit.

Who Has Access, and Who Doesn’t

There’s another dimension to this that I think is being underplayed: restricted access to powerful defensive AI tools leaves some companies, central banks, and nations more vulnerable than others.

Anthropic’s Project Glasswing brings together AWS, Apple, Google, Microsoft and others to use Mythos defensively. That’s a meaningful start. But that consortium is not your NHS trust, your mid-market manufacturer, your local authority. Access determined by a single lab’s partner agreements is unlikely to be the final answer.

The organisations least equipped to respond are going to be exposed longest. That’s the uncomfortable reality of where we are.

The Turn

Here’s what I believe comes next, and why I think the worse period will eventually end.

Once the first wave does its work, once AI-driven vulnerability research, on both the defensive and the offensive side, has churned through the accumulated technical debt of decades of software, the nature of the problem shifts. The supply of undiscovered legacy vulnerabilities isn't infinite. It's large, but it's finite.

When that first wave recedes, the incentive structure for software vendors changes fundamentally. Right now, finding bugs before release is a cost. In a world where an AI will find those same bugs within months of shipping, and where the reputational and regulatory consequences of that are escalating, fixing before release becomes the cheaper option. AI-assisted vulnerability discovery in the development lifecycle will stop being a differentiator and start being a baseline expectation.

Somewhere in the middle of all this, we’ll start to see the other half of the equation mature: AI systems capable not just of finding vulnerabilities, but of fixing them. The fixer agents are coming. They are not here yet in any reliable, production-ready form, but the trajectory is clear. Once find-and-fix becomes part of the build pipeline rather than a post-incident scramble, vulnerability management starts to look like a different discipline entirely. Quieter. More upstream. Less reactive crisis, more engineering hygiene.

What To Do In the Meantime

The transition period is real, and it will hurt. A few things I think matter right now:

Don’t wait for parity. You are not going to have access to Mythos-equivalent defensive tooling before threat actors have access to equivalent offensive capability. Plan accordingly. Your security posture needs to survive that gap.

Treat patching as the crisis it is. Organisations that treat patch management as a slow, low-priority process are already behind. The velocity of discovered vulnerabilities is about to increase sharply. Automate what you can, triage aggressively, and escalate the resource conversation internally. Triage here means ranking by whether a flaw is actually being exploited and whether the affected system is reachable, not working down a CVSS-sorted list from the top; a flood of findings makes that distinction the difference between a queue you can work and one you cannot.

Push the accountability upstream. The patch burden sitting entirely on end users is not a law of nature; it's a product of how we've structured software liability. That is going to change. Regulators are watching, and the argument for vendor accountability gets stronger every time an unpatched, known vulnerability leads to a major breach. Be part of that conversation.
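To make the "triage aggressively" point above concrete, here is an added example, not code from the article or from any vendor's tool, that ranks a constructed vulnerability inventory by exploitation evidence and exposure rather than by CVSS alone. The finding identifiers (F-001 and so on), the scoring weights and the SLA tiers are all assumptions chosen for illustration; the structure is what matters: a known-exploited flaw on an internet-facing host outranks a higher-scored flaw on an internal system.

```python
"""Patch triage: rank findings by exploitation evidence and exposure, not CVSS alone.

Illustrative example added by the editor; not the article's or any vendor's code.
Finding IDs, weights and SLA buckets are assumptions for demonstration only.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    finding_id: str          # constructed placeholder, not a real CVE identifier
    asset: str
    cvss: float              # 0.0 - 10.0 base score
    known_exploited: bool    # listed in a known-exploited-vulnerabilities feed
    exploit_public: bool     # working exploit code is publicly available
    internet_exposed: bool   # asset reachable from the internet
    asset_criticality: int   # 1 (low) .. 3 (crown jewels)
    patch_available: bool


def triage_score(f: Finding) -> int:
    """Higher score means patch (or mitigate) sooner.

    Exploitation evidence and reachability dominate; CVSS is only a tie-breaker,
    so a 9.8 on an isolated box can legitimately sit below a 6.5 being exploited
    on a public host.
    """
    score = 0
    if f.known_exploited:
        score += 100
    elif f.exploit_public:
        score += 50
    if f.internet_exposed:
        score += 30
    score += 10 * f.asset_criticality
    score += int(f.cvss)  # 0-10, tie-breaker only
    return score


def sla_bucket(f: Finding) -> str:
    """Map a finding to a remediation deadline tier (assumed policy)."""
    if f.known_exploited and f.internet_exposed:
        return "P0: 48h"
    if f.known_exploited or (f.exploit_public and f.internet_exposed):
        return "P1: 7d"
    if f.cvss >= 7.0 or f.internet_exposed:
        return "P2: 30d"
    return "P3: next cycle"


def triage(findings: List[Finding]) -> List[Finding]:
    """Return findings sorted by descending urgency.

    Findings without a vendor patch stay in the queue: no patch means
    mitigation work (isolation, compensating control), not deprioritisation.
    """
    return sorted(findings, key=triage_score, reverse=True)


# Constructed sample inventory (not real systems or real vulnerabilities)
SAMPLE = [
    Finding("F-001", "public-web-01", 6.5, True, True, True, 2, True),
    Finding("F-002", "hr-db-01", 9.8, False, False, False, 3, True),
    Finding("F-003", "build-runner-02", 7.5, False, True, False, 3, False),
    Finding("F-004", "kiosk-07", 5.3, False, False, False, 1, True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.finding_id:6} {f.asset:16} score={triage_score(f):3d} "
              f"cvss={f.cvss:4} patch={'yes' if f.patch_available else 'no '} {sla_bucket(f)}")
```

Run against the constructed inventory, F-001 (CVSS 6.5, exploited in the wild, internet-facing) comes out first and F-002 (CVSS 9.8, internal, no public exploit) third. A CVSS-sorted queue would invert that order, which is the failure mode an AI-accelerated flood of findings will punish.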

The next two years will be hard. But this is a transition, not a terminus. The same capability that’s creating the problem will, eventually, be the thing that resolves it. Getting through the middle is the challenge.

Author

Didar was recognised as the DevSecOps Trailblazer at the Unsung Heroes Awards 2020 and has twice been named one of IT Security Guru’s Most Inspiring Women in Cyber.
Her story is one of growth — from building self-confidence to leading with authenticity, empathy, and purpose. That journey is ongoing. Fuelled by a genuine love of people and a commitment to continuous self-improvement, she brings those learnings into everything she does: whether that’s sharing technical knowledge, speaking openly about women’s health, or exploring what real leadership looks like in practice.
With a career in Information Security Governance, Risk, and Audit stretching back to 2007, Didar has developed a particular focus on making risk and compliance work meaningfully within agile environments — and on creating more space for women in tech.
As AI continues to reshape the security landscape, Didar has been deepening her engagement with it — exploring the intersection of AI, security, and governance through active involvement in AI learning and practice communities. She is also part of an early-stage AI governance startup, contributing her security and risk expertise to help organisations think more carefully about deploying AI responsibly and ethically.
Community sits at the heart of how she operates. Active participation across multiple communities gives her both purpose and perspective, keeping her connected to the challenges shaping the industry while driving it forward.