If you work in cybersecurity and you haven't read Anthropic's Mythos Preview disclosure from this week, stop reading this and go do that first. I'll wait.
Done? Good. Let's talk about what it actually means — not the headline version, but the part that should be keeping you up at night and, more importantly, what you can do about it starting tomorrow morning.
What Mythos tells us that we should have already known
The headline capabilities are genuinely striking: autonomous discovery of zero-day vulnerabilities across every major operating system and browser, a 27-year-old OpenBSD bug surfaced without human guidance, Linux kernel exploit chains assembled end-to-end. During testing, the model broke out of its sandbox and built a multi-step exploit to reach the broader internet. A researcher found out because the model sent him an email while he was eating a sandwich in a park. That detail alone should reframe how you think about the next two years.
But here's the thing I keep coming back to: none of this should be fundamentally surprising. Mythos didn't acquire some alien capability. It got dramatically better at things that existing models — models you can use right now — already do at a lower level. Opus 4.6 found roughly 500 zero-days in open-source software. That number barely made the news. Mythos found tens of thousands. The capability curve didn't turn a corner. It steepened.
And that's the part that matters for practitioners. Anthropic is withholding Mythos from public release and channeling it into defensive work through Project Glasswing. That's responsible, and I respect the decision. But Anthropic's own researchers estimate that comparable capabilities will be available from other labs within six to eighteen months. Some of those labs will not exercise the same restraint. Some of those capabilities will end up in the hands of people who are not interested in patching vulnerabilities.
"The window between 'the good guys have this' and 'everyone has this' is not measured in years. It's measured in months. And the defensive playbook needs to be built now."
The asymmetry problem — and why AI might actually help defense
Security has always had a structural asymmetry problem: attackers need to find one way in, defenders need to protect everything. Attackers can take their time; defenders are under constant pressure. Attackers can specialize; defenders need to be generalists. And most critically, attackers have always been able to scale their time more efficiently — a single exploit can be reused across thousands of targets, while every defensive assessment is bespoke.
AI doesn't eliminate that asymmetry, but it's the first technology I've seen in twenty-plus years that compresses it from the defensive side. The reason is simple: the bottleneck in defense has never been tools or frameworks. It's been analyst hours. There are not enough experienced security practitioners to review every line of code, investigate every alert, triage every vulnerability, and maintain continuous awareness of every attack surface. That's been true for decades, and it's gotten worse as systems have grown more complex.
What current-generation AI models do well — reading code at scale, correlating patterns across large datasets, reasoning about system behavior, generating and executing test cases — maps directly onto the work that defenders don't have enough hours to do. The models aren't replacing the judgment calls. They're doing the work that creates the conditions for better judgment calls to happen.
Let me get specific about what that looks like in practice.
1. Continuous code audit as a baseline, not a luxury
Here's a number that should bother you: Mythos found a 27-year-old vulnerability in OpenBSD. OpenBSD — a project whose entire identity is built around security rigor. That bug survived decades of expert human review.
The implication is not that OpenBSD's reviewers were careless. It's that human review, no matter how skilled, has a coverage ceiling. We get tired. We develop blind spots. We focus on the patterns we've seen before. And the sheer volume of code in any modern system exceeds what any team can review thoroughly on a continuous basis.
Current models — not Mythos, just the models available to you today through the API — can read your codebase on every commit and flag issues that static analysis tools miss. Not because they're smarter than SAST tools at pattern matching, but because they can reason about intent, context, and interaction between components. A static analyzer finds a SQL injection by matching a pattern. A language model can identify that a particular input flows through three layers of abstraction, is partially sanitized in one path but not another, and reaches a query in a way that the developer almost certainly didn't intend.
The practical move here is to integrate model-assisted code review into your CI/CD pipeline. Not as a replacement for your existing SAST and DAST tooling, but as a complementary layer that reasons about the things pattern-matching can't reach. The cost per commit is marginal. The coverage improvement is not.
If you're already doing this, good — you're ahead. If you're not, the Mythos disclosure just gave you the business case to start. Every unreviewed commit is a potential zero-day waiting for a model that's better at finding it than your current process is.
2. Vulnerability triage that actually reflects your environment
Every organization running vulnerability scanners is drowning in findings. The typical enterprise scan produces thousands of results, the majority of which are either false positives, technically valid but unexploitable in context, or low-severity in the specific environment. The triage burden is enormous, and the result is predictable: teams either burn out trying to review everything, or they develop informal severity thresholds that inevitably let real issues through.
This is a problem that AI agents are well-suited to solve right now. Given a vulnerability finding, the context of your environment — network topology, compensating controls, exposure surface, application architecture — and access to actually test exploitability, a model can make a first-pass triage decision that dramatically reduces the volume your human analysts need to review.
I don't mean a severity score from a formula. I mean an agent that reads the CVE, looks at your specific deployment, attempts to determine whether the vulnerability is reachable and exploitable in your configuration, and produces a recommendation with its reasoning. The analyst still makes the final call. But the analyst is now reviewing twenty prioritized findings instead of two thousand undifferentiated ones, and each finding comes with context about why it was prioritized.
The key here is the "in your environment" part. Generic CVSS scores are a starting point, not an answer. An AI agent that can reason about your specific architecture turns vulnerability management from a compliance checkbox into an actual risk reduction activity.
3. Log analysis as investigation, not dashboard staring
I have a strong opinion on this one, and it's informed by building monitoring systems for the better part of a decade: the traditional model of security monitoring — write detection rules, watch dashboards, investigate alerts — is reaching its limits. The problem isn't that SIEM platforms are bad. The problem is that the detection logic is brittle (it catches what you wrote rules for and misses everything else) and the investigation workflow is manual (an analyst reads logs, forms hypotheses, pivots, and either confirms or discards).
The alternative that's becoming practical right now is AI-assisted investigation. Instead of watching dashboards, you have a system that understands your baseline, ingests your logs, detects anomalies that don't match predefined rules, and lets you investigate by asking questions in plain English.
"Show me all authentication events for this user over the past 48 hours." "Is this pattern of API calls consistent with normal behavior for this service account?" "What changed in the network topology in the hour before this alert fired?" These aren't hypothetical queries. This is what AI-first monitoring looks like when the AI actually understands your data — your schema, your baselines, your detection rules — rather than sitting on top of a search index.
"Rules catch known patterns. Reasoning catches patterns that are anomalous relative to your environment's actual behavior, even if no one has written a rule for them yet."
The shift from rule-based detection to reasoning-based detection is significant. In a world where attackers are using AI to generate novel exploit chains, detection systems that only find what they've been explicitly told to look for are increasingly insufficient.
4. Threat modeling as a living process
Most organizations treat threat modeling as a point-in-time exercise — something you do during design review, document in a wiki, and rarely revisit. The result is a threat model that was accurate on the day it was written and progressively less useful as the system evolves.
The practical barrier has always been time. Updating a threat model every time the architecture changes requires someone who understands both the system and the threat landscape to sit down and think through the implications. That person is usually busy doing something else.
AI models can maintain a living threat model. Feed them your architecture documentation, your deployment configurations, your API surface, your dependency graph. When something changes — a new service, a new integration, a modified trust boundary — the model can identify what the security implications are, what new attack surfaces have been introduced, and what controls should be evaluated. It won't replace the senior engineer who decides whether a given risk is acceptable. But it will make sure that engineer is looking at an up-to-date picture rather than a six-month-old diagram.
This is particularly valuable for organizations running microservices architectures or complex cloud deployments where the attack surface changes frequently and the blast radius of any individual change is hard to reason about manually.
5. Adversarial simulation on your own schedule
Penetration testing has always been episodic — an annual engagement, maybe quarterly if you're well-resourced. Between engagements, new code ships, configurations change, and the attack surface evolves. The pen test report from six months ago is a historical document, not a current assessment.
AI-assisted security testing changes the economics of this. Models available today can run structured security assessments against your own systems on a continuous basis — not as a replacement for a skilled human pen tester on a scoped engagement, but as a way to maintain coverage between engagements. Automated reconnaissance, service enumeration, common vulnerability checks, authentication testing, API fuzzing — the repeatable portions of a pen test can run on a schedule rather than waiting for the next annual engagement.
The important caveat: this requires the same authorization and scoping discipline as any other security test. "We have an AI running continuous pen tests" is not a sentence you want to say to your legal team without having the proper framework in place. But the technical capability is there, and for organizations that have the governance maturity to deploy it, it meaningfully reduces the window between "a vulnerability is introduced" and "someone finds it."
6. Threat intelligence triage at machine scale
The volume of threat intelligence available to security teams — vulnerability disclosures, dark web chatter, indicator feeds, OSINT data, vendor advisories — has long exceeded human capacity to process. Most organizations either subscribe to curated feeds (which introduce lag) or run large SOC teams (which most can't afford).
AI models are exceptionally good at the triage function here: reading a high volume of unstructured threat intelligence, determining what's relevant to your specific technology stack and threat profile, and surfacing the items that warrant human attention. This isn't a new idea — there are commercial platforms doing this — but the reasoning capabilities of current models make the filtering dramatically more useful than keyword matching.
When a new vulnerability disclosure drops, an AI agent can read the advisory, determine whether any of your systems are affected, check whether you have compensating controls in place, estimate the likely exploitation timeline based on the vulnerability characteristics, and present a human analyst with a prioritized assessment and a recommended response. That's the kind of workflow that turns threat intelligence from a firehose into a decision-support system.
The meta-point: defense has to adopt the same tools
Here's what I think the Mythos disclosure really means for the industry, stripped down to its core: the tools that make offense dramatically more capable are the same tools that can make defense dramatically more capable. The question is which side adopts them faster.
Historically, attackers have been faster to adopt new tools and techniques. They're less constrained by process, compliance, change management, and organizational inertia. But the defensive applications of AI don't require throwing out your existing security program. They layer on top of it. Every technique I've described above works with the tools and processes you already have — it extends them, makes them faster, gives them broader coverage.
The organizations that start building these capabilities now — not when Mythos-class models are publicly available, but now, with the models and tools that exist today — will have a meaningful head start. They'll have learned what works in their environment, tuned their workflows, built the institutional muscle for human-AI collaboration in security operations. The organizations that wait will be playing catch-up against adversaries who didn't.
Anthropic's researchers gave us a timeline: six to eighteen months before comparable offensive capabilities proliferate. That's not a prediction to argue about — it's a planning horizon. Use it.
Where to start
If you're reading this and thinking about what to do on Monday morning, here's where I'd focus:
If you do one thing: integrate AI-assisted code review into your CI/CD pipeline. The incremental cost is low, the coverage improvement is measurable, and it addresses the same class of long-lived vulnerabilities that Mythos surfaced at scale.
If you do two things: add AI-assisted vulnerability triage to your scanning workflow. Stop asking humans to review two thousand findings when a model can reduce that to the twenty that actually matter in your environment.
If you do three things: start the conversation about AI-assisted monitoring and investigation. The shift from rule-based detection to reasoning-based detection is coming whether you drive it or not. Better to be the one shaping it.
And if you're building a security program from scratch, build it AI-first. The tooling is ready. The threat landscape demands it. The window is open, and it won't stay open forever.
Matt is a technologist and engineering leader with 20+ years of experience across space systems, IoT, big data, and cybersecurity. He founded Twin Tech Labs to build Arca — an AI-first infrastructure monitoring platform — and to deliver senior-level security services to organizations that don't have enterprise-scale security budgets. Previously CTO of LifeRaft, acquired by Securitas in 2026.