The success of Anthropic’s Mythos Preview model at finding and exploiting security vulnerabilities has driven a lot of wild speculation about the future of cybersecurity in the past couple of weeks. I’ve read a prediction that the CVE numbering system is going to fail and there was a stock selloff based on the notion that cybersecurity companies aren’t needed anymore. I think the consequences of AI enabled vulnerability research will be both less dramatic and more positive than some of these reactions suggest.

The impacts of AI on cybersecurity are complex. I like former Google Cloud CISO Phil Venable’s take here where he lays out four key facets - a tidal wave of vulnerabilities, attackers rapidly industrializing, everything can be faked, and trillions of agents exhibiting emergent properties.

Of these facets, I am least worried about the tidal wave of software vulnerabilities. In the long run, AI tools that can identify vulnerabilities will make software safer. But a world with fewer software vulnerabilities will drive more threat actors to target other kinds of weakness, including humans who are susceptible to social engineering.AI will empower those attacks in new and surprising ways, in spaces that many enterprises currently have little-to-no visibility.

Why the Alarm Bells are Ringing

There are three key trends in vulnerability discovery that are important to understand in the short term.

The first is that the time between disclosure and exploitation of vulnerabilities has dropped to almost nothing, aided in part by AI tools.
The second is that vulnerability remediation and patching remains an incredibly slow, bureaucratic process.
The third is that AI tools are increasingly good at finding bugs, leading to fears about a surge of new vulnerability disclosures that will take time to work their way through the mitigation process.

I think Katie Moussouris laid the facts out clearly with supporting charts in this blog post.

While these factors are certainly creating pressure on software development organizations as the volume of bug reports increases, both for commercial and open source projects, but I think the wave of new vulnerability disclosures from Anthropic Mythos are a problem well protected enterprises are ready for.

Unpatched Vulnerabilities are a Reality Enterprises Already Face

The time to patch vulnerabilities in production has always been slow and in many cases lagged behind exploitation. Zero day attacks are not a new problem. Over the past 25 years, organizations have adopted a set of secondary controls that work to detect and block attacks against computers running vulnerable software, including firewalls, network IPS systems, WAFs and endpoint EDR. Basically, we already have a complex system of mitigations in place to manage the problem of exploits targeting unpatched vulnerabilities.

The greatest risks to enterprises involve externally exposed services like VPNs, remote access systems, external file upload services and other software systems that are often placed at the organization’s edge. These kinds of services have been subjected to a lot of attacks in the past few years, often involving zero day vulnerabilities, and should be subject to secondary controls. But ultimately, we need the code quality of these services to be extremely high, and AI is how we will get there.

AI tools that can find vulnerabilities that humans have missed will result in safer software. For example, Mythos found a denial of service vulnerability in OpenBSD that had evaded auditors for 27 years. This is impressive, of course, but the other side of the coin is that Anthropic spent $20,000 auditing OpenBSD, and this is the most critical vulnerability they discovered.

There aren’t an unlimited number of vulnerabilities in relatively static codebases. AI tools that can search them more quickly and comprehensively than we’ve been able to before will move us to a place where we have much higher confidence in the software we’re using. Imagine if you could have the same level of confidence in nearly all of the code bases running on your network that you have today in OpenBSD. This is a brighter future that will soon be within our grasp.

AI-Amplified & Under-Defended: The Human Layer Attack Surface

Software Vulnerabilities are only a part of the overall threat to enterprise networks. According to Microsoft’s 2025 Digital Defense Report, Credential-based attacks are nearly 5 times more common than vulnerability exploitation as an initial access vector.

A couple of weeks ago I gave a talk at Cyphercon in Milwaukee on the problem of attacks against the credential lifecycle. Some of the most significant cybersecurity incidents that have occurred in the past 5 years have involved attacks on access control, such as session hijacking, social engineering credential resets, and attackers getting onboarded as fake IT workers. None of these attacks involves exploiting software bugs - they target architectural vulnerabilities in the way that we control and manage access to our infrastructure, and they target humans who are susceptible to being deceived.

If there are fewer software vulnerabilities to exploit in the future, attackers will focus more of their efforts on these kinds of tactics that will still work effectively. This takes me back to Phil Venable’s four facets. The proliferation of AI agents on corporate networks is creating all kinds of new architectural vulnerabilities that we are only beginning to appreciate. Attackers are able to use AI tools to develop attack automation, and that automation won’t just involve exploiting vulnerabilities in software, but also vulnerabilities that exist at the human layer, because people can no longer believe the things that we see and hear through the screen.

When it comes to AI and cybersecurity, these are the things that keep me up at night. Attackers already target the digital interactions between employees, customers, and partners. AI makes these attacks faster, cheaper, and more difficult for humans to detect, and most enterprises lack controls with visibility into this vector.