Contributing Authors: Jen Easterly, Bruce Schneier, Chris Inglis, Phil Venables, Heather Adkins, Rob Joyce, Sounil Yu, Jim Reavis, Katie Moussouris, John N. Stewart, Maxim Kovalsky, Dave Lewis, Joshua Saxe, John Yeoh, Ramy Houssaini
Published: 2026-04-12
Status: Draft — Expedited Strategy Briefing
License: CC BY-NC 4.0
Organizations: CSA CISO Community, SANS, [un]prompted, OWASP Gen AI Security Project
Executive Summary
AI, as demonstrated by Anthropic’s Mythos, has significantly increased the likelihood that attackers will discover new vulnerabilities, build new exploits, and chain them into complex automated attacks at scale. AI also speeds up patch development and reduces defects in new software, but the burden on defenders still grows by comparison because of the inherent limitations of patching: a fix has to be tested, scheduled, and deployed to every affected system, while an attacker needs only one target that has not yet been patched. The result is an asymmetric benefit for attackers.
The storm of vulnerability disclosures from Project Glasswing is the first of many large waves of AI-discovered vulnerabilities that may occur in rapid sequence. The capabilities seen in Mythos will quickly become more widely available, dramatically increasing the number and frequency of complex, novel attacks organizations will face.
What to do now to deal with the current risk spike
- Adjust risk calculations and re-orient security program resources for a higher volume of patches, a shorter acceptable time to patch, and more persistent, complex attacks.
- Focus on the basics and harden your environment further. Segmentation, egress filtering, multifactor authentication, and defense-in-depth/breadth all increase the difficulty for attackers.
What else should start now to be ready for the next waves
- Prioritize robust dependency management to reduce vulnerabilities in third-party and open-source components.
- Consistently enforce automated security assessments in your development processes, including using LLM-powered agents to find vulnerabilities before attackers do.
- Introduce AI agents to the cyber workforce across the board, enabling defenders to match attackers’ speed and begin closing the gap.
- Re-evaluate your risk tolerance to operational downtime caused by vulnerability remediation to account for shorter adversary timelines.
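One concrete check behind the dependency-management item above, added here as an illustration and not part of the briefing or any of the named organizations' tooling: a small audit that a team can run in CI against a pip requirements file to flag packages that are not pinned to an exact version, or that are pinned but carry no `--hash` entry (pip's hash-checking mode, `--require-hashes`, refuses to install a package whose archive digest does not match). The sample requirements content and the digest value in it are constructed for the example.

```python
"""Audit a pip requirements file for weak dependency pinning.

Added example, not from the briefing. Flags two classes of weakness that
AI-accelerated supply-chain attacks exploit: floating version ranges (a
malicious or vulnerable newer release gets picked up silently) and exact
pins without hashes (a tampered artifact with the right version string
still installs).
"""
import re
from dataclasses import dataclass

# Constructed sample input mixing good and weak pinning styles. The sha256
# value is a placeholder digest, not the real one for any release.
SAMPLE_REQUIREMENTS = """\
# application deps
requests==2.32.3 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
cryptography>=42.0
flask
pyyaml==6.0.1
"""

# name, optional extras, optional operator, optional version
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)(\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)")


@dataclass
class Finding:
    package: str
    issue: str
    line: str


def _logical_lines(text: str):
    """Join pip's backslash continuations; drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf.strip()


def audit_requirements(text: str) -> list[Finding]:
    """Return one Finding per requirement that is not exactly pinned with a hash."""
    findings: list[Finding] = []
    for line in _logical_lines(text):
        if line.startswith("-"):  # -r, -e, --index-url and similar options
            continue
        m = PIN_RE.match(line)
        if not m:
            findings.append(Finding(line, "unparseable requirement", line))
            continue
        name, op, version = m.group(1), m.group(3), m.group(4)
        if op != "==" or not version:
            spec = f"{op or 'none'}{version}"
            findings.append(Finding(name, f"not exactly pinned (spec: {spec})", line))
            continue
        if "--hash=" not in line:
            findings.append(
                Finding(name, "exact pin but no --hash (artifact integrity not verified)", line)
            )
    return findings


if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{f.package}: {f.issue}")
    # Expected: cryptography and flask are not exactly pinned; pyyaml lacks a hash.
```

In a pipeline the check runs against the committed lockfile and fails the build on any finding; pairing it with `pip install --require-hashes` at deploy time closes the gap between what was reviewed and what actually gets installed.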
Document Sections
- Executive Summary
- Key Takeaways for the CISO
- Introduction
- The Mythos/AI-Ready Security Program
- Executive and Board Briefing: the AI Risk Summary
- Conclusions and Recommendations
Download the full PDF above for the complete 27-page strategy briefing.