Every CISO I’ve spoken with since April is asking which AI security tool to buy in response to Mythos. Wrong question. The right one is whether the foundation underneath any of those tools can carry the weight of what’s coming. Anthropic’s Project Glasswing, which gave partners early access to Mythos, surfaced more than 10,000 high or critical severity vulnerabilities in roughly a month.
Anthropic has warned that competing labs could release models with comparable capabilities within six to twelve months, potentially without the same safety controls.
You cannot patch your way out of this. The organisations that survive will be the ones who finally build what should have been in place years ago: a smaller attack surface, real-time visibility, automated remediation, and one source of truth for security and IT.
Shrink the attack surface
Mythos finds bugs in code untouched for decades. Every application, port, and service running on your endpoints that the business doesn’t need is a free target. The fastest way to reduce risk is not to fix more vulnerabilities. It is to have fewer things to exploit.
Most environments carry a staggering amount of unused surface: software installed for projects that ended, ports left open because no one’s sure what depends on them, browser plugins and admin tools sprawled across endpoints with no owner. Mythos will find the flaw in whatever is actually running, not what your asset inventory says should be.
Get a real-time inventory of what is installed and running on every endpoint. For every application, demand a current business owner. For every open port, demand a current dependency. Remove what isn’t needed. Lock down what is. Where you can’t remove, segment. Not new advice. Just no longer optional.
Patching is part of the answer, not the answer
Long before Mythos, Edgescan’s 2025 Vulnerability Statistics Report found that 45% of vulnerabilities in large enterprises globally remain unpatched after 12 months. Not a bottleneck. A choice. Project Glasswing’s own findings reinforce the point: of 1,094 confirmed high-severity flaws identified in open-source projects, only 97 have been patched. Patching gets deprioritised in favour of more visible work.
Most programs were designed around long sequential steps: package the patch, deploy to a test group, wait for results, review with stakeholders, schedule the next ring, deploy, validate, repeat. Every step is manual. Every step waits on a human. Every step runs on inventory data that’s days or weeks stale.
AI is about to make this worse. Project Glasswing partners are already using Mythos to write patches. That accelerates authoring but amplifies the deployment problem. More patches generated faster means a longer queue waiting on the same broken pipeline. The bottleneck moves onto the platform that has to push patches out, confirm they landed, and prove it across every endpoint.
And many things won’t be patchable at all: end-of-life systems, OT, embedded firmware, third-party software waiting on vendor fixes. For those, the answer is the same as for attack surface: visibility, segmentation, compensating controls.
Rewrite your patch SLAs from 30 days to hours. The technology to do that already exists. Reserve human approval for changes with real blast radius. Automate the rest.
Stop drowning in findings
AI-powered defenders will flood your queue too. The question is whether you can tell which things actually matter this week. CVSS won’t get you there. A critical-rated flaw in an isolated test environment is not the same as a medium-rated flaw in your payment system. Treating them as equivalent is how teams burn out chasing noise while real risks rot.
Prioritise on asset criticality, business context, exploit availability, and exposure path. Pull that data from one authoritative source, not reconciled across a dozen consoles. Every integration is a place where data goes stale, gets out of sync, or quietly disagrees with itself.
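To make the argument concrete, here is an added example (not code from the original piece): a toy scoring function with assumed, illustrative weights that ranks a constructed queue of four findings by asset criticality, exposure path, exploit availability and compensating controls, and shows a medium-rated flaw on an exposed payment system outranking a critical-rated one on an isolated test VM.

```python
from dataclasses import dataclass
from typing import List

# Exposure-path multipliers (assumed values): how reachable the flaw is from an attacker's position.
EXPOSURE_WEIGHT = {"internet": 1.5, "internal": 1.0, "isolated": 0.5}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    cvss: float                 # vendor-assigned base score, 0.0-10.0
    asset_criticality: int      # 1 = disposable lab box .. 5 = revenue/safety critical
    exposure: str               # "internet" | "internal" | "isolated"
    exploit_public: bool        # working exploit code is publicly available
    compensating_control: bool  # e.g. segmented, WAF in front, vulnerable feature disabled


def priority_score(f: Finding) -> float:
    """Contextual score: CVSS is one input, scaled by business impact and reachability.
    The weights below are illustrative assumptions, not a published standard."""
    score = f.cvss * (f.asset_criticality / 5)   # business context
    score *= EXPOSURE_WEIGHT[f.exposure]         # exposure path
    if f.exploit_public:
        score *= 1.5                             # exploit availability raises urgency
    if f.compensating_control:
        score *= 0.6                             # existing mitigation lowers it
    return score


def rank_by_context(findings: List[Finding]) -> List[str]:
    """Finding ids ordered by contextual priority, highest first."""
    return [f.finding_id for f in sorted(findings, key=priority_score, reverse=True)]


def rank_by_cvss(findings: List[Finding]) -> List[str]:
    """Finding ids ordered by raw CVSS alone, for comparison."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed sample queue (hypothetical findings, not real vulnerabilities).
SAMPLE = [
    Finding("VULN-A", 9.8, 1, "isolated", False, False),  # critical CVSS, isolated test VM
    Finding("VULN-B", 6.5, 5, "internet", True, False),   # medium CVSS, exposed payment system
    Finding("VULN-C", 7.5, 4, "internal", True, True),    # HR portal, exploit public, but segmented
    Finding("VULN-D", 9.1, 3, "internal", False, False),  # build server, no public exploit
]

if __name__ == "__main__":
    print("CVSS order:   ", rank_by_cvss(SAMPLE))
    print("Context order:", rank_by_context(SAMPLE))
    for f in sorted(SAMPLE, key=priority_score, reverse=True):
        print(f"{f.finding_id}: cvss={f.cvss} context_score={priority_score(f):.2f}")
```

Swap the constants for whatever your asset register and threat intelligence actually say; the point is that every input comes from one authoritative inventory rather than being reconciled by hand across consoles.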
Vendor pitches argue the answer to Mythos is more AI on top. Sometimes true. More often it’s another layer on a foundation that was never built to carry it.
Mythos didn’t invent a new problem. It made the existing ones impossible to defer. The organisations that come through this intact will be the ones who used the next twelve months to finish what they started: a smaller attack surface, real-time visibility into every endpoint, automated remediation at scale, and one source of truth for security and IT to act on together.