Anthropic recently announced Claude Mythos, an AI model that can autonomously find and exploit software vulnerabilities at a scale and speed no human team can match.
In two weeks of testing, it found 271 vulnerabilities in Firefox alone. It uncovered a flaw in OpenBSD that had gone undetected for 27 years, and a bug in FFmpeg that survived five million automated test runs over 16 years.
Mythos was built for defenders. But the rules of security do not change based on intent.
What This Actually Means for the Future of Cybersecurity
Every security control built before 2025 assumed a human was between the AI and the action. That assumption is gone. AI can now discover vulnerabilities, build working exploits, and chain attack paths without a skilled human driving it.
What makes this different from previous advances is the combination of three things happening at once: speed, autonomy, and scale. Faster scanners existed before. SIEM platforms existed before. What did not exist was a system that could move from reconnaissance to working exploit, across an entire codebase, without a human directing each step. The attack surface has not changed. The resource required to exploit it has collapsed.
Mythos itself is currently invitation-only, accessible to a small group of vetted partners including CrowdStrike, Microsoft, Cisco, and Palo Alto Networks. But comparable capabilities already exist in publicly available models. The threat is real and it is not waiting for broader access.
Vulnerability Numbers Worth Knowing

- CrowdStrike states that more vulnerabilities will be discovered in the next six months than in the last 30 years combined *
- Time-to-exploit has collapsed from months to hours *
- Zero-day volume is up 42% year on year *
- 42% of zero-days are being exploited before public disclosure
- 81% of employees already use unapproved AI tools at work
AI Security Readiness: What to Expect
Now
Patch queues are already under pressure. CVE volume is growing faster than teams can remediate. Stop prioritising by Common Vulnerability Scoring System (CVSS) scores and start measuring actual exploitability. What can be used against you today is the signal that matters most.
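As an added example (not code from the page, CrowdStrike or Sekuro), the Python below orders a constructed set of findings by exploitability evidence first and uses CVSS only as a tie-breaker. The field names and tier rules are assumptions made for illustration.

```python
# Added illustration: triage by exploitability evidence, CVSS as tie-breaker.
# Findings are constructed; field names and tier rules are assumptions.
FINDINGS = [
    {"id": "FINDING-A", "cvss": 9.8, "exploited_in_wild": False,
     "public_exploit": False, "internet_facing": False},
    {"id": "FINDING-B", "cvss": 6.5, "exploited_in_wild": True,
     "public_exploit": True, "internet_facing": True},
    {"id": "FINDING-C", "cvss": 8.1, "exploited_in_wild": False,
     "public_exploit": True, "internet_facing": True},
    {"id": "FINDING-D", "cvss": 7.5, "exploited_in_wild": True,
     "public_exploit": True, "internet_facing": False},
]


def tier(finding):
    """Return (tier, reason); a lower tier is patched first."""
    wild = finding["exploited_in_wild"]
    exploit = finding["public_exploit"]
    exposed = finding["internet_facing"]
    if wild and exposed:
        return 0, "exploited in the wild and reachable from the internet"
    if wild or (exploit and exposed):
        return 1, "exploited in the wild, or public exploit on an exposed asset"
    if exploit:
        return 2, "public exploit, asset not exposed"
    return 3, "no exploit evidence; schedule by CVSS"


def cvss_queue(findings):
    """The ordering the page says to move away from: highest CVSS first."""
    return [f["id"] for f in sorted(findings, key=lambda f: -f["cvss"])]


def exploitability_queue(findings):
    """Order by tier, then by CVSS within a tier; keep the reason for each."""
    ranked = sorted(findings, key=lambda f: (tier(f)[0], -f["cvss"]))
    return [(f["id"], tier(f)[0], tier(f)[1]) for f in ranked]


if __name__ == "__main__":
    print("CVSS order:", cvss_queue(FINDINGS))
    for fid, level, reason in exploitability_queue(FINDINGS):
        print(f"tier {level}  {fid}  {reason}")
```

On this sample the 9.8 finding with no exploit evidence drops to last place, while the 6.5 finding that is exploited and exposed moves to the front.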
Next
Attackers will have access to the same tools defenders do. Time-to-exploit will collapse further. AI-native detection, zero standing privileges, and agentic red teaming are no longer future investments. They are the response to a present reality.
Later
Periodic scans and patch backlogs will be obsolete. The threat environment will operate entirely at machine speed. Continuous exposure management (measuring attack paths, identity risk, and blast radius) and automation from detection through to remediation will be the baseline.
What to Do to Protect Your Organisation Today
Know what AI is in your environment.
Most organisations are governing a fraction of the AI actually in use. Employees are running unapproved tools, connecting them to corporate data, and making decisions based on outputs nobody has reviewed. Shadow AI does not appear in your SIEM, it does not trigger your Data Loss Prevention (DLP) controls, and it does not respect your data classification policy. Visibility starts with your network. Cloud Access Security Broker (CASB), Security Service Edge (SSE), and endpoint telemetry will surface what your approval process missed. Know which tools are running, what data they can access, and who is accountable when something goes wrong.
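The visibility check described above, as an added example that is not Sekuro's or any vendor's code: it reads proxy-style log lines and reports AI destinations that are missing from the governance inventory, unapproved, or without an owner. The log format, domains, users and inventory structure are constructed assumptions.

```python
from collections import defaultdict

# Constructed data: placeholder domains, users and owners.
# Known AI destinations, e.g. from a CASB/SSE category feed (assumption).
KNOWN_AI_DOMAINS = {"chat.approved-ai.example", "api.notes-ai.example",
                    "upload.summarise-ai.example"}
AI_INVENTORY = {  # governance inventory: approval state and accountable owner
    "chat.approved-ai.example": {"approved": True, "owner": "platform-team"},
    "api.notes-ai.example": {"approved": False, "owner": None},
}
# Constructed proxy log: timestamp user method host bytes_sent
SAMPLE_LOG = """\
2026-01-12T09:01:04Z alice POST chat.approved-ai.example 2048
2026-01-12T09:02:17Z bob POST api.notes-ai.example 734003
2026-01-12T09:03:40Z bob GET intranet.corp.example 512
2026-01-12T09:05:02Z carol POST upload.summarise-ai.example 5242880
2026-01-12T09:06:11Z bob POST api.notes-ai.example 1200
malformed line
"""

def find_shadow_ai(log_text, known_ai=KNOWN_AI_DOMAINS, inventory=AI_INVENTORY):
    """Return ungoverned AI destinations, largest outbound volume first."""
    usage = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue                      # skip malformed records
        _, user, _, host, sent = parts
        host = host.lower().rstrip(".")
        if host not in known_ai:
            continue                      # not an AI service
        entry = inventory.get(host)
        if entry and entry["approved"] and entry["owner"]:
            continue                      # governed: approved with an owner
        usage[host]["users"].add(user)
        usage[host]["bytes_out"] += int(sent)
    findings = []
    for host, seen in usage.items():
        entry = inventory.get(host)
        status = ("not in inventory" if entry is None
                  else "unapproved" if not entry["approved"] else "no owner")
        findings.append({"host": host, "status": status,
                         "users": sorted(seen["users"]), "bytes_out": seen["bytes_out"]})
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)

if __name__ == "__main__":
    for finding in find_shadow_ai(SAMPLE_LOG):
        print(finding)
```

Each finding names the tool, who is using it and how much data left for it, which are the three questions the inventory has to answer before an owner can be assigned.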
Prepare your architecture to respond at machine speed.
Zero trust is the foundation: no standing privileges, just-in-time access, identity as the control plane for everything. When an attacker can move from initial access to data exfiltration in under 30 minutes, a human-reviewed approval queue is not a control. AI-assisted triage, automated remediation playbooks, and continuous exposure management replace the patch backlog model. Empower your teams to use AI to respond faster, shorten incident response cycles, and close vulnerabilities before they become incidents.
Fix the fundamentals, then adapt them to AI.
The organisations that navigate this well will not be the ones with the most tools. They will be the ones that took their existing security foundations (identity controls, access governance, incident response, patch management) and adapted them to an AI-native threat environment. Clear AI governance means a live inventory of what is in use, defined ownership for each tool, a use policy that reflects actual risk, and a review cadence that keeps pace with the environment.
How Sekuro Helps Secure AI for Organisations
We’ll help you work through steps to prepare and secure your organisation today for, and with, AI.
Depending on where you are in your journey, we’ll support you across our key Practices:
Strategy & Architecture
The AI Security Readiness Assessment gives you a clear view of how well your organisation is prepared to adopt AI securely, manage AI-driven threats, and respond at speed.
Technology & Platforms & Engineering
We deploy and configure leading platforms including CrowdStrike, Wiz, Netskope, Zscaler, and CyberArk.
Managed Security Services
We run your Security Operations and Vulnerability Management to detect and respond at machine speed.
Governance, Risk and Compliance
We help you meet ISO 42001, NIST AI RMF, and EU AI Act requirements with GRC frameworks that work in practice, not just on paper.
Offensive Security Testing
We test your AI deployments the way an attacker would. Our Offensive Security services cover LLM penetration testing, AI agent assessments, and red and purple teaming.
Your AI Security Readiness: Next Steps
Mythos is a signal, not an isolated event. The question is not whether your organisation will face AI-assisted threats. It is whether your architecture will be ready when it happens.
Unpack how prepared your organisation is for the use of, and security with, AI. Our AI Security Readiness Assessment gives you an honest, evidence-based view of your posture and a prioritised roadmap to take to the board and take action.
Contact us today to discuss how our AI Services help secure organisations and foster innovation.
———
*Source: More vulnerabilities will be found in the next six months than in the last 30 years, CrowdStrike, 2026.

