There's been a lot of noise this week about Anthropic's Claude Mythos. Some of it is justified. A system that can discover vulnerabilities and generate working, chained exploits – autonomously, overnight, for under $20,000 a run – is a real inflection point. When Treasury Secretary Bessent and Fed Chair Powell called an unscheduled meeting with the CEOs of America's largest banks days after its release, they weren't overreacting. They were doing the math.
But the reaction I'm seeing across the industry is familiar. We're treating this like a brand-new threat. It's not.
A few years ago, I testified before Congress about a different version of this same problem: mounting tech debt, unpatchable legacy systems embedded in critical infrastructure, and a security model that assumes organizations can keep up with the volume of risk they're already carrying. Most can't. Nothing about Mythos changes that underlying reality. It just removes the time buffer people assumed was there.
The Constraint Has Moved
For a long time, the industry operated as though finding vulnerabilities was the hard part. That was true a decade ago. It isn't true now, and it's definitely not true in a world where systems like Mythos exist.
The constraint has moved. The hard part is no longer finding vulnerabilities; it is deciding what to do about them once you have more than your team can realistically process. That's where most organizations were already stuck. Mythos doesn't move that constraint, it piles more onto it.
What changes in the near term is volume. More vulnerabilities discovered, more disclosures moving through the pipeline, more findings landing on teams that are already behind. Most organizations had more to fix than they could handle before this week. That backlog just got longer.
There's also a tendency to frame this as handing attackers a significant new advantage. That's overstated. Attackers are already effective using known vulnerabilities. They don't need thousands of new zero-days to cause real damage – they need one that works in your environment. Expanding the pool of available vulnerabilities gives them more options. It doesn't suddenly make them more capable than they already were.
Defenders Have the Structural Advantage. Most Don't Use It.
Here's what gets missed in most of the Mythos coverage: defenders actually have the structural advantage here. They just don't operate like it.
Attackers work with what they can find, test, and exploit right now, against this target. Defenders have access to something very different: everything the industry has ever seen exploited. Which vulnerabilities actually got weaponized (the signal that known-exploited-vulnerability catalogs now track). How attacks unfold across systems. Which combinations of weaknesses lead to real impact, and which findings sit in trackers for years without ever mattering. That's a real edge, and most organizations leave it unused.
Instead they're reacting to whatever surfaced this week, treating every finding as though it carries the same weight. That's a symptom of a bigger problem. We built an ecosystem optimized around discovery – scan more, find more, report more – without building the part that tells you what any of it actually means. Mythos finds more. It doesn't help you decide what matters. Those are different problems, and only one of them is getting solved.
Attacks Are Sequences. Most Teams Still Treat Them as Single Events.
The other shift worth naming: attacks aren't single vulnerabilities. They're sequences. Initial access, privilege escalation, lateral movement, persistence. If you're triaging a vulnerability list by severity score and working top to bottom, you're solving the wrong problem — because that's not how the attack actually unfolds.
Patching everything is no longer a realistic goal, and chasing that target burns cycles that could be spent on something more useful. The actual goal is breaking the chain before it completes. That means understanding which vulnerabilities, in combination, are the ones attackers use to move, and building controls around those sequences specifically: network segmentation, least-privilege enforcement, credential hygiene, identity fabric hardening. Not exciting work. But these are the things that stop a sequence from becoming a breach, and a finding that sits on no complete chain can wait behind a lower-scored one that is the chokepoint of several. They matter more now than they did a week ago.
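To make the triage argument of the last two sections concrete, here is a small Python model, added for this edit and not taken from the article or from any vendor tool. It scores a constructed set of findings by the complete attack chains they sit on (initial access, privilege escalation, lateral movement, persistence), weights chains built from pieces already known to be exploited more heavily, and greedily picks the fixes that break every chain, then compares that order with plain CVSS ordering. The finding IDs, hosts, scores, the "kev" flags and the four-stage chain rule are all invented for illustration.

```python
"""Chain-aware triage, an added illustration (not from the article or any
product). Findings are ranked by the complete attack chains they enable
(initial access -> privilege escalation -> lateral movement -> persistence),
weighted by whether each piece is already known to be exploited, and fixes
are chosen greedily to break every chain. Compared with CVSS-only ordering.
All data below is constructed for the example."""
from collections import Counter
from itertools import product

STAGES = ["initial_access", "privilege_escalation", "lateral_movement", "persistence"]

# Constructed findings. IDs are placeholders, not CVEs; "kev" marks a finding as
# known to be exploited in the wild; "to" is the host a lateral-movement finding reaches.
FINDINGS = [
    {"id": "F1", "host": "web01", "stage": "initial_access",       "cvss": 7.5, "kev": True},
    {"id": "F2", "host": "web01", "stage": "privilege_escalation", "cvss": 6.8, "kev": True},
    {"id": "F3", "host": "web01", "stage": "lateral_movement",     "cvss": 5.5, "kev": False, "to": "dc01"},
    {"id": "F7", "host": "web01", "stage": "lateral_movement",     "cvss": 5.0, "kev": False, "to": "db01"},
    {"id": "F4", "host": "dc01",  "stage": "persistence",          "cvss": 6.1, "kev": False},
    {"id": "F8", "host": "db01",  "stage": "persistence",          "cvss": 6.1, "kev": False},
    # High CVSS, but nothing on dc01 or db01 lets these chain to the next stage.
    {"id": "F5", "host": "dc01",  "stage": "initial_access",       "cvss": 9.8, "kev": False},
    {"id": "F6", "host": "db01",  "stage": "privilege_escalation", "cvss": 9.1, "kev": False},
]


def enumerate_chains(findings):
    """Every complete four-stage chain under a deliberately simple model: the
    first three stages must be on one host, and persistence must land on the
    host the lateral-movement finding reaches."""
    by_stage = {s: [f for f in findings if f["stage"] == s] for s in STAGES}
    chains = []
    for ia, pe, lm, pr in product(*(by_stage[s] for s in STAGES)):
        if ia["host"] == pe["host"] == lm["host"] and lm.get("to") == pr["host"]:
            chains.append((ia, pe, lm, pr))
    return chains


def chain_weight(chain):
    """Chains assembled from pieces that have already been exploited are the
    ones history says get used; count each such piece extra."""
    return 1 + sum(1 for f in chain if f["kev"])


def chain_scores(findings):
    """Total chain weight each finding carries; 0 means it sits on no chain."""
    scores = Counter({f["id"]: 0 for f in findings})
    for chain in enumerate_chains(findings):
        w = chain_weight(chain)
        for f in chain:
            scores[f["id"]] += w
    return scores


def severity_order(findings=FINDINGS):
    """The conventional worklist: highest CVSS first."""
    return [f["id"] for f in sorted(findings, key=lambda f: (-f["cvss"], f["id"]))]


def chain_break_order(findings=FINDINGS):
    """Greedy cut: fix the finding carrying the most chain weight, recompute,
    repeat until no complete chain remains. Ties go to the higher CVSS."""
    remaining = list(findings)
    order = []
    while True:
        scores = chain_scores(remaining)
        if not scores:
            break
        by_id = {f["id"]: f for f in remaining}
        best = max(scores, key=lambda i: (scores[i], by_id[i]["cvss"], i))
        if scores[best] == 0:
            break
        order.append(best)
        remaining = [f for f in remaining if f["id"] != best]
    return order


def off_chain(findings=FINDINGS):
    """Findings that appear in no chain at all, whatever their score."""
    scores = chain_scores(findings)
    return sorted(i for i, s in scores.items() if s == 0)


if __name__ == "__main__":
    print("chains:", [[f["id"] for f in c] for c in enumerate_chains(FINDINGS)])
    print("severity order:", severity_order())
    print("chain-break order:", chain_break_order())
    print("never on a chain:", off_chain())
```

On this constructed data the CVSS worklist starts with F5 and F6, neither of which leads anywhere, while the chain-aware pass fixes F1 alone and every complete chain is broken. A real deployment would replace the hard-coded chain rule with reachability derived from the network and identity graph, and the "kev" flag with an actual exploited-in-the-wild feed; the ranking logic stays the same.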
The Structural Problem No Coalition Resolves
Project Glasswing - Anthropic's gated access program for roughly 50 organizations including AWS, Google, Microsoft, CrowdStrike, and JPMorgan Chase - is the right instinct. Coordinated disclosure at this scale, with serious defenders, is meaningful.
But the Glasswing partner list tells you something important about its limits. None of the organizations operating water utilities, hospital networks, municipal transit systems, or the OT environments inside energy infrastructure are on it. The organizations most exposed to what Mythos enables are not the ones with access to it. Wiz estimates roughly 12 to 18 months before equivalent capabilities reach open-source models with no access restrictions. Elite access for elite defenders buys time - it doesn't change who's vulnerable when that window closes.
The underlying problem goes back further than this week. Three decades of building software without any real accountability for what ships broken is what created the attack surface Mythos is now mapping. Aviation holds manufacturers responsible for faulty components. Pharmaceuticals doesn't let drug makers disclaim their way out of harmful effects. Software has been the exception, and that exception has compounded into millions of lines of legacy code sitting inside critical infrastructure that was never designed to be defended against anything like this.
"Secure by Design" is still a voluntary pledge with no teeth. Until software procurement contracts hold vendors to exploitability standards, the way aviation maintenance contracts include airworthiness requirements, the incentives don't move. That's a conversation CISOs can start pushing internally now, and it belongs in front of boards as a liability question, not a technical one.
Mythos is a real moment, but it doesn't introduce a new failure mode; it makes an existing one harder to ignore. Discovery is becoming effectively unlimited. The organizations that fall behind won't be the ones that couldn't find risk. They'll be the ones that couldn't figure out what to do with it.
Attackers work with what they can find right now. Defenders have the full history of what's actually been exploited – every pattern, every sequence, every vulnerability that ever led somewhere. Most still don't operate that way. That's the real exposure, and it was there before Mythos shipped.