
Claude Mythos & The Coming AI Vulnerability Storm

Is Your Security Program Ready?


Key Takeaways

  • Claude Mythos changed the threat landscape. Anthropic's new model autonomously found thousands of critical vulnerabilities and produced nearly 200 working exploits — so they withheld public release and launched Project Glasswing with ~40 major companies.
  • Open-source AI is 3–6 months behind. Once that gap closes, the cost of finding a critical vulnerability drops from hundreds of thousands of dollars to around $50.
  • The fundamentals still work — but faster. Weekly (not quarterly) patching, continuous vulnerability scanning and pen testing, aggressive hardening, and updated board-level risk reporting are now table stakes.
  • You need AI on defense too. AI-assisted detection, code review, and incident response are no longer optional, and formal AI governance policies are overdue for most organizations.
  • The 90-day window matters. Organizations that act now to strengthen fundamentals and update their strategy will come out of this in the strongest position.

In April 2026, Anthropic announced Claude Mythos, its most advanced AI model to date.

Shortly after, the company reversed course, announcing they weren’t releasing Claude Mythos after all.

Not yet anyway.

And certainly not to the general public.

Turns out Mythos has made unprecedented leaps in its ability to autonomously discover thousands of previously unknown critical vulnerabilities across every major operating system and browser, some of them decades old.

But it doesn’t just find them. Where previous models produced only a handful of working exploits under the same test conditions, Mythos produced nearly 200.

These results were so alarming that Anthropic made a choice: instead of releasing the model, they went to the White House, the Department of Defense and the Federal Reserve.

Within 72 hours of the announcement, the Treasury Secretary had convened emergency sessions with the CEOs of America’s eight largest banks.

From there, Anthropic launched Project Glasswing — giving early access to roughly 40 of the largest technology and infrastructure companies in the country. The idea is straightforward: use Mythos to find vulnerabilities in your own products and patch them before this capability reaches adversaries.

Because it will reach adversaries.

“Open-source AI models, including those developed in China, only trail Mythos-level capabilities by three to six months,” said Inversion6 CISO Jack Nichelson. “Once that gap closes, the barrier to scanning and exploiting these vulnerabilities will drop to near zero.”

Bottom line, Mythos isn’t just a product launch.

It’s a potential superweapon.

And the arms race is on.

A Whole New Ballgame

While Mythos itself is fascinating, it’s only part of the story.

The real issue is that we’ve entered an entirely new era in cybersecurity and we’re never going back.

“It used to take years to discover critical vulnerabilities,” said Nichelson. “Then it was months. Then it was weeks. Now we’re down to minutes, and organizations who aren’t ready to move at this pace are about to be very vulnerable.”

The economics have also shifted dramatically. Discovering a critical vulnerability in a major system once required tens of thousands — if not hundreds of thousands — of dollars in time and skilled effort.

“Before long, a threat actor is going to be able to find a vulnerability for 50 bucks,” said Nichelson. “It just completely changes the value proposition for who and what to target.”

We’re already seeing the ripple effects in real time. The SANS Institute and Cloud Security Alliance published an urgent strategy briefing signed by many of the most respected researchers and CISOs in the industry.

When that many leaders co-sign a single document, it sets off alarm bells.

“Right now, we’re hearing it in almost every client conversation,” said Nichelson. “CEOs are asking what’s happening because they’re seeing it on the nightly news. CIOs and CISOs are being asked to revise their 2026 strategies and spending estimates mid-year.”

“It’s all moving very quickly,” he added. “Which can be intimidating when you don’t live in this space. I just keep reminding my clients that the organizations who always come out strongest are the ones who plan when others panic.”

The Fundamentals Matter More Than Ever

Nichelson and his fellow Inversion6 CISOs are doing their best to strike a firm but realistic tone when talking to current and potential clients about this new era.

“We want to be careful not to fall into the hype and fear cycle,” he said. “The sky is not falling. But the ground has shifted, and it’s not shifting back. We need to be clear-eyed about that and so do our clients.”

“The SANS/CSA strategy briefing lays out clear recommendations for building a Mythos-ready security program,” he added. “And the good news for our clients is many of these recommendations map directly to the kind of work Inversion6 already does every day.”

Here’s how to think about what comes next.

Accelerate Your Patching Cadence

A 30- or 60-day patch cycle is about to become a major liability. With Glasswing partners beginning to disclose and patch the vulnerabilities Mythos uncovered, May and June patch releases are expected to be massive — and that’s just the first wave.

Organizations need to be ready to push patches weekly, if not faster. That includes third-party applications — not just operating systems.

This is exactly the kind of challenge our patch management and patching-as-a-service capabilities are designed for. We help organizations build the triage and deployment capacity to handle a high volume of critical patches without burning out their internal teams.

Shift to Continuous Vulnerability Scanning and Pen Testing

Quarterly penetration tests and periodic vulnerability scans were built for a slower threat landscape. When vulnerabilities are being discovered and weaponized in hours, you need continuous visibility into your environment.

That means ongoing vulnerability management and regular pen testing — not as an annual checkbox, but as a living function of your security program.

Our vulnerability management as a service and continuous penetration testing offerings through partners like Horizon 3, Pentera and Fortra are purpose-built for this kind of tempo. They give organizations the ability to find and address exposures before an attacker does.

Harden Your Environment

The SANS briefing is emphatic about the basics: segmentation, egress filtering, multifactor authentication on every account, least privilege access and defense-in-depth. Every boundary you put in place increases the cost for an attacker.

Our system hardening services can help organizations lock down their environments methodically — from secure configuration baselines to deploying web application firewalls in front of customer-facing portals and applications.

Update Your Risk Metrics and Strategy

Many of the assumptions behind current security reporting — about how long it takes for a vulnerability to be exploited, how frequently critical incidents occur and how much residual risk is acceptable — may no longer hold.

Leadership teams and boards are going to want answers, and you need a strategy that reflects this new reality.

Our CISO advisory services exist for exactly this kind of moment. We help organizations build and present updated risk strategies to their boards, align their security programs with the latest guidance and ensure their reporting metrics reflect the actual threat environment — not last year’s assumptions.

Get AI Into Your Own Defenses

One of the clearest takeaways from the SANS briefing and our own conversations with security leaders is this: the only way to defend against AI-powered attacks at this speed is to use AI in your own security program.

That means AI-assisted tools for code review, threat detection, log analysis and incident response. It also means making sure your IT and security teams are actively leveraging these capabilities — not just talking about them.

“Like it or not, increasingly, you’re going to need your own good AI to find and defend against the attacks that are coming from adversarial AI,” Nichelson said.

This also extends to governance. Nearly a third of organizations still lack any formal AI governance policy, and many others equate governance with simply blocking ChatGPT.

Our team helps organizations develop comprehensive AI policies and train their employees for a world where AI is embedded in both the threat landscape and the tools used to defend against it.

Review and Test Your Incident Response Plan

The SANS briefing recommends tabletop exercises that simulate multiple simultaneous high-severity incidents occurring within the same week. That scenario would have seemed extreme a month ago. Now it’s a realistic planning assumption.

Our incident response team helps organizations review, update and pressure-test their response plans against AI-accelerated attack timelines — so that when the moment comes, you’re executing a plan, not improvising one on the spot.

Inversion6 Was Built for This

As Nichelson pointed out, the recommendations coming out of SANS, the CSA and the broader security community line up closely with the services Inversion6 delivers every day. Several partners in our own technology stack are also part of the Glasswing coalition working on the front lines of this effort.

The companies that come out of this in the strongest position will be the ones that act in the next 90 days to strengthen their fundamentals, accelerate their vulnerability management and build a strategy they can confidently present to leadership.

We’re already having these conversations with our clients.

If you haven’t started yours yet, there’s still time to jump on the train before it leaves the station.

Need help building a Mythos-ready security program?

Our team of CISOs and security experts can help.