
Mythos - Why Leaders Must Rethink Cybersecurity for the AI Era

By Dan Desko, Echelon Risk + Cyber

Artificial intelligence has once again entered the boardroom discourse, but this time cybersecurity is at the center of the conversation. 

What began as excitement around copilots, productivity gains, and workflow automation has rapidly evolved into a far more consequential executive discussion: how does AI fundamentally change enterprise risk? 

That conversation accelerated dramatically following the release of Anthropic’s “Mythos Preview,” an advanced research model reportedly capable of autonomously identifying software vulnerabilities and developing exploit paths at a scale and speed that many security leaders had not previously seen demonstrated publicly. Alongside the announcement, Anthropic launched “Project Glasswing,” a coordinated initiative designed to work with major software vendors, cloud providers, and infrastructure organizations to identify and remediate vulnerabilities before they could be broadly weaponized.  

According to Anthropic, Mythos was able to uncover vulnerabilities across major operating systems, browsers, and widely used software projects, including flaws that had reportedly persisted unnoticed for years. The company framed the initiative as a defensive effort intended to strengthen global cyber resilience before similar capabilities inevitably become more widely available.  

The announcements immediately triggered intense debate throughout the cybersecurity industry. 

Some researchers and executives viewed Mythos as a watershed moment, arguing that AI-assisted vulnerability discovery could fundamentally reshape offensive cyber operations by dramatically reducing the cost, time, and expertise traditionally required to discover exploitable weaknesses.  

Others pushed back on the more sensational narratives, noting that many of the vulnerabilities discussed were likely not “impossible” for humans to find, but rather economically unattractive for researchers to spend time auditing in the first place. 

The industry response quickly expanded beyond Anthropic itself. CrowdStrike launched “Project QuiltWorks,” an industry-wide coalition bringing together organizations and other ecosystem partners to help enterprises assess, prioritize, and remediate what CrowdStrike describes as a growing wave of “frontier AI-discovered vulnerabilities.” The initiative reflects a broader realization across the industry that the challenge is no longer theoretical.  

The conversation has shifted from whether frontier AI will impact cybersecurity operations to how quickly enterprises can adapt to the new pace of discovery and remediation.  

CrowdStrike’s messaging around QuiltWorks is particularly notable because it reframes the issue from isolated vulnerability discovery to enterprise-scale operational readiness. The coalition acknowledges that frontier AI is collapsing the traditional window between vulnerability discovery and exploitation, forcing organizations to rethink patch management, prioritization, and resilience at machine speed.  

Both sides of the broader Mythos debate contain important truths. 

The significance of Mythos is not necessarily that AI has suddenly become a superhuman hacker. The more important shift is that AI is beginning to compress the economics of vulnerability research itself.  

Tasks that once required highly specialized expertise, extensive manual effort, and significant time investment may increasingly become scalable through automation and AI-assisted workflows. 

Even if that transformation unfolds gradually, it represents a meaningful change in the operating environment for defenders, software vendors, regulators, and boards of directors alike. 

Recent guidance from the Cloud Security Alliance and a coalition of experts from SANS, OWASP, Google, Cloudflare, former CISA leadership, and others offers perhaps the clearest framing yet. Their conclusion is not that organizations should panic, but that they should begin building what they describe as a “Mythos-ready” security program.  

That distinction matters because it moves the conversation away from hype and toward operational resilience. 

AI Is Accelerating Existing Risk, Not Inventing New Risk 

One of the most persistent misconceptions surrounding AI security is the belief that organizations are suddenly facing an entirely new category of cyber risk. In reality, AI amplifies risks security leaders have been managing for years: 

  • Cybersecurity risk  

  • Operational risk  

  • Supply chain risk  

  • Third-party risk  

  • Privacy risk  

  • Compliance risk  

  • Reputational risk  

What AI changes is the tempo. 

Many assumptions underlying traditional cybersecurity programs are rapidly becoming outdated. Patch cycles, vulnerability prioritization models, incident response timelines, and even threat intelligence workflows were designed for a world where human limitations constrained the pace of offensive operations. AI changes that equation by reducing friction. 

Attackers can move faster. Researchers can analyze larger attack surfaces. Exploit development becomes increasingly automated. Meanwhile, defenders remain constrained by operational realities: testing requirements, maintenance windows, staffing shortages, change management processes, and the simple fact that patching production systems still carries business risk.  

This asymmetry is what leaders should focus on. 

The Most Important Debate Is About Economics 

The Mythos discussion has often been framed as a debate over capability. Did AI discover vulnerabilities humans could not? Did it uncover flaws that had somehow escaped decades of scrutiny? That framing oversimplifies the issue. 

Security researchers have recently challenged some of the more sensational interpretations by pointing out that a vulnerability surviving for years does not necessarily mean nobody was capable of finding it. In many cases, the software simply lacked sufficient economic incentive for sustained expert review. Smaller open-source projects, niche systems, and low-commercial-interest platforms often receive little dedicated vulnerability research because the market never supported it.

This observation is critically important.  

The cybersecurity industry has always been shaped by economic imbalance. There are far more systems requiring review than there are highly skilled vulnerability researchers capable of auditing them. AI does not magically eliminate that problem overnight, but it may significantly alter the economics around it. 

The Real Shift Leaders Should Be Paying Attention To 

The significance of AI is not that it instantly performs superhuman cybersecurity research. It is that it may gradually make highly specialized security analysis more scalable, more accessible, and eventually far less expensive. 

The broader and more immediate concern is that the cost and capability floor for exploit discovery is dropping, while the time between disclosure and weaponization continues to compress toward zero.

Whether that acceleration happens over years or quarters, the strategic implication remains the same: organizations should expect more vulnerabilities to be discovered, more quickly, by a broader range of actors. 

The Real Threat May Be Operational Overload 

One of the strongest aspects of this shift is that it avoids turning AI security into science fiction. Instead, it should turn the focus toward the operational consequences organizations are likely to face first.

Some may view the coming challenge as an “AI vulnerability storm,” a scenario where security teams become overwhelmed by simultaneous disclosures, remediation demands, supply chain weaknesses, and machine-speed attack timelines.  

For most enterprises, that is a legitimate and realistic concern, especially because organizations are already struggling with:

  • Asset visibility  

  • Patch management  

  • Technical debt  

  • Vulnerability prioritization  

  • Third-party dependencies  

  • Security staffing shortages  

  • Detection engineering maturity  

  • Analyst burnout  

AI does not create those problems. It amplifies them. 

Organizations cannot simply “outwork” machine-speed threats. Cybersecurity teams are already operating near capacity. Asking exhausted staff to manually absorb exponentially increasing workloads is not a strategy. It is a path toward operational failure. 

The future of cyber defense will not be defined by who buys the most AI tools. It will be defined by which organizations build the operational resilience necessary to function under significantly higher velocity and pressure. 

What a Mythos-Ready Security Program Actually Looks Like 

Forward-looking plans for readiness should prioritize operational reality rather than abstract AI philosophy. The central thesis is straightforward: organizations must modernize how cybersecurity functions operate before AI-driven acceleration overwhelms existing processes.

That modernization begins with speed. 

Build Vulnerability Operations, Not Just Vulnerability Management 

Traditional vulnerability management programs were designed around periodic assessments, scheduled remediation cycles, and human-paced prioritization. That model is increasingly insufficient. 

Organizations should begin evolving toward “VulnOps,” or continuous vulnerability operations. This approach treats vulnerability discovery, triage, validation, remediation, and verification as continuous operational workflows rather than periodic compliance exercises. 

For most organizations, this represents an important mindset shift. The future is less about achieving perfect prevention and more about reducing exposure windows as quickly as possible. 

Treat AI Agents as a New Privileged Identity Layer 

Another truth we must recognize is that AI agents themselves are becoming a new attack surface. Across enterprises, AI systems are rapidly gaining access to source code repositories, APIs, cloud environments, CI/CD pipelines, internal documentation, and sensitive data. Many of these systems are being deployed faster than governance and security controls can mature around them. 

This creates a dangerous dynamic. Organizations are effectively introducing highly privileged automated entities into their environments while relying on security frameworks that were never designed to govern them. 

IT leaders should understand this clearly: AI agents are rapidly becoming a new privileged identity class inside the enterprise. They require the same rigor applied to human administrators, service accounts, and critical infrastructure systems. 

Double Down on Cybersecurity Fundamentals 

Ironically, the rise of AI makes foundational cybersecurity controls more important, not less. Segmentation, phishing-resistant MFA, egress filtering, Zero Trust architectures, and defense-in-depth become even more valuable as exploit discovery accelerates.  

In a machine-speed threat environment, resilience matters more than perfection. Organizations that can quickly contain blast radius, isolate systems, revoke access, and maintain operational continuity will outperform organizations chasing theoretical silver bullets. 

Modernize Governance and Risk Metrics 

Leaders must also challenge themselves to rethink how cyber risk is measured. Many organizations still evaluate exposure using assumptions that no longer align with current threat realities.  

That has significant implications for governance. 

Leaders should ask management teams to revisit: 

  • Patch SLAs  

  • Incident response assumptions  

  • Vendor risk models  

  • Recovery expectations  

  • Materiality thresholds  

  • Staffing models  

  • Operational resilience metrics  

The future of cybersecurity governance will depend less on static compliance reporting and more on continuous operational readiness. 

The Human Side of the AI Transition 

Perhaps the most overlooked part of this discussion is the human element. These shifts present major strains around workforce pressure, burnout, and the cultural effects of AI acceleration.  

Cybersecurity teams are being asked to absorb extraordinary levels of change simultaneously. They must defend against increasingly automated threats while also integrating AI into their own workflows, learning new technologies, modernizing operations, and adapting to shifting expectations around speed and scale. 

This transition is not purely technical. It is organizational and human. 

The firms that navigate this successfully will not simply deploy AI-enabled security tooling. They will build cultures capable of adapting alongside the technology itself. That means investing in operational clarity, training, resilience, and sustainable workflows, not just automation platforms. 

What Leaders and Boards Should Be Asking Now

The most effective leaders and boards are no longer asking whether AI is “real” or “overhyped.” Those debates are irrelevant. 

Instead, leaders and boards should focus on operational questions: 

  • Where are AI agents operating in our environment today?  

  • Which systems create the highest concentration of AI-related risk?  

  • How quickly can we detect and contain AI-enabled attacks?  

  • Which third parties introduce the greatest AI exposure?  

  • Are our current cyber metrics still aligned to reality?  

  • What operational bottlenecks would fail first during a large-scale vulnerability surge?  

Those are governance questions. And increasingly, they are business continuity questions as well. 

Final Thought 

The cybersecurity industry has a habit of oscillating between denial and panic whenever transformative technologies emerge. Neither response is particularly useful. 

AI is not magic. It will not instantly replace human expertise or render traditional cybersecurity obsolete. But dismissing its long-term impact would be equally shortsighted. 

The more important reality is that AI is steadily changing the economics and velocity of cybersecurity operations. Vulnerability discovery is accelerating. Exploit development is becoming more scalable. Attack timelines are compressing. Defensive organizations are being forced to adapt to a pace of change that legacy operating models were never designed to handle. 

The organizations that succeed in this environment will not necessarily be the ones with the most advanced AI capabilities. They will be the ones that build resilient architectures, modernize governance, operationalize speed, and create security programs capable of functioning effectively under continuous pressure. 

That is what becoming “Mythos-ready” actually means. 

And for leaders and boards, the time to start preparing for that future is now.  

To learn more about how Echelon Risk + Cyber can help with your AI governance initiatives, visit echelonriskcyber.com

About the Author: Dan Desko is the Founder, CEO, and Managing Partner of Echelon Risk + Cyber, a cybersecurity professional services firm built on the belief that security and privacy are basic human rights. Dan also hosts the Human Side of Cybersecurity podcast, featuring candid conversations with today’s top CISOs, cybersecurity leaders, and entrepreneurs.