Since the idea of agentic-powered “sustained attrition” attacks hit me, it has literally kept me up at night. Not in a vague, ambient anxiety kind of way. In the specific, wide-awake-at-3-AM kind of way where you keep turning a problem over because you can’t find the answer and you’re not sure anyone else has found it either.

Understanding a problem can feel like progress, even when the solution isn’t obvious yet. I’ve spent weeks deep in research about cybersecurity in a post-Mythos world, specifically on backup, recovery, and business continuity, when this potential scenario surfaced in my mind. All the playing pieces are on the board. The game is being written as we speak.

I wish my investigation of this possibility resulted in finding a viable solution. I came up mostly empty. I think the security community needs eyes on this problem, before the scenario I’m about to describe starts to hit the news cycle at scale. I believe there are smart people working on problems just like this. I hope practitioners, researchers, insurers, regulators, and vendors will start building toward a response.

The Scenario That Woke Me Up

Let me describe what sustained attrition looks like in practice. I hope to be useful to defenders without being a how-to for attackers. The goal is to paint the picture clearly enough that security teams can start designing against it.

It is 2:47 AM on a Tuesday. An AI agent deployed by an external adversary identifies an entry point. The credential was a valid API key sitting in a public MCP configuration file on GitHub, active for over a year, never rotated. The agent gains a foothold and immediately does what agentic systems do. It enumerates what systems are reachable, what agents are running with what permissions, and where the backup infrastructure lives. It discovers paths that lead to your crown jewels. The reconnaissance happens continuously and automatically, not in a defined pre-attack phase.

Your monitoring detects anomalous behavior at 3:15 AM. The alert fires. An on-call engineer wakes up. Incident response begins. Containment. Isolation. The start of a recovery process that, even with best-in-class tooling, will take hours. For large environments with significant data volumes, days.

Here is what the agent is doing during your recovery.

It already mapped three alternative entry points during the initial enumeration. Two of those paths are still open because the isolation was incomplete in the chaos of 3 AM response. The agent isn’t waiting for a human decision to try the next one. It adapted, and it persisted.

Attack 2 lands at 6:30 AM. Your team hasn’t finished recovering from Attack 1. Now they are managing two simultaneous incidents. The first is in mid-restoration, and now another one is just beginning. A senior engineer is making prioritization decisions. Was the clean recovery point for the systems affected in Attack 1 verified, or did someone assume it was clean because the verification step got skipped in the pressure of a second active incident?

The agent doesn’t have this problem. It doesn’t get tired. It doesn’t skip verification steps. It doesn’t make the mistakes that humans make at hour six of a sustained response. The asymmetry is total, and it compounds with every cycle.

Shall I state the obvious here? This is bad. Like how Egon from Ghostbusters explains that crossing the streams of their proton packs would be “bad.” Like, total protonic reversal and every molecule in your body exploding at the speed of light kind of bad. I’m being a touch dramatic. But you get my point.

The Building Blocks Are Already Here

This isn’t just the fever dream of a cybersecurity-educated marketer. The components exist and are documented in the wild.

On November 13, 2025, Anthropic published a disclosure that should have stopped the security industry cold: “Disrupting the First Reported AI-Orchestrated Cyber Espionage Campaign” [1]. In mid-September 2025, Anthropic detected a Chinese state-sponsored group that had jailbroken Claude Code and used it to autonomously infiltrate roughly thirty global targets including large tech companies, financial institutions, chemical manufacturers, and government agencies. The attack was not AI-assisted. It was AI-executed.

The specifics matter for what I am about to argue.

The attackers broke their campaign into small, seemingly innocent tasks that Claude executed without being given the full context of their malicious purpose. At peak activity, the AI made thousands of requests, often multiple per second. The threat actor performed 80 to 90 percent of the campaign using AI, with human intervention required only sporadically, for approximately four to six critical decision points per hacking campaign. That is a nearly fully autonomous attack, with humans providing strategic direction and little else.

Later, in the final phase, the attackers had Claude produce comprehensive documentation of the attack to include files of stolen credentials, analyzed systems, and identified high-privilege accounts, specifically to assist in planning the next stage of operations. The agent was not just executing the current attack. It was actively preparing the next one while the current campaign was still running.

That is the “attrition model,” documented in a primary Anthropic disclosure, in September 2025.

Malwarebytes’ 2026 State of Malware report documents the broader shift in attack economics: AI agents can now run multiple simultaneous intrusions autonomously, create exploits from patches in minutes, and outperform elite human researchers. Small crews or single operators can now execute reconnaissance, lateral movement, and extortion at a scale and speed previously reserved for large, experienced intrusion teams [2].

The persistence property is the key differentiator. Barracuda’s 2026 threat analysis found that agentic AI can plan, adapt, and persist autonomously, turning multi-stage attacks into continuous operations. It doesn’t stop after a failed attempt. It continues trying until it finishes the operation or is shut down. The agent must be purged completely to be contained [3].

Read that last sentence again. The agent must be purged completely to be contained. Not just the encrypted files restored. Not just the compromised account reset. The agent and every foothold it had established must be identified and eliminated. That is a fundamentally different containment requirement than anything current incident response playbooks are built around.

The government and critical infrastructure attack data further substantiates this threat. Since March 2026, an Iranian-affiliated APT group has disrupted programmable logic controllers deployed across multiple US critical infrastructure sectors including government services, water and wastewater systems, and energy, causing operational disruption and financial loss [4]. CISA and allied agencies confirmed these efforts were designed to “cause disruptive effects within the United States.”

My point is that persistent, AI-augmented operational disruption against critical infrastructure is happening now.

The Leverage This Creates for Attackers

The attacker in this scenario doesn’t need to encrypt anything. They don’t need to exfiltrate anything. They only need to demonstrate that they can keep you offline indefinitely. One successful attrition cycle, where Attack 2 lands before full recovery from Attack 1, is proof of concept. Then the demand arrives.

The demand isn’t “pay us to decrypt your data.” It’s “pay us and we stop.”

That demand is backed by demonstrated capability, not just a threat. And the amount they can credibly demand is not “what is your data worth to you?” It’s “what is every hour of operational unavailability costing you, with no natural endpoint?” For a large enterprise at $14,056 per minute of downtime, the math is catastrophic. For a healthcare system that cannot process patient records, a financial institution that cannot execute transactions, or a logistics company that cannot move product, it’s game over.

Intel 471 found extortion breaches surged 63% in 2025, with Qilin RaaS introducing “structured data analysis audits designed to increase leverage over targets.” The extortion ecosystem is innovating on leverage mechanisms. The attrition model is the logical next innovation in that progression [5].

The victim’s negotiating position in this scenario is weaker than any ransomware situation, because there is no recovery path that resolves the underlying threat. You can restore from backups after ransomware and be done with it. You cannot restore your way out of an adversary who can reliably trigger the next incident before you finish recovering from the last one. The leverage is not in the data. It is in the cadence.

Resilience Insurance predicted that the extortion-only model with no encryption, only pure operational disruption as leverage, may represent the majority of extortion incidents by the end of 2026. We are already watching this transition happen. The attrition model is where it leads when AI removes the cost constraint on repeated attacks [6].

The Reference Point Everyone Is Working From

Ransomware has been the defining threat model of the last decade. It has a known playbook. Security teams have practiced it. Cyber insurance was built around it. Regulators have guidance for it. Negotiators specialize in it.

The ransomware model is the attacker gets in, identifies and encrypts your data, disables backup agents, erases recovery points, and presents a demand. You can pay the ransom or restore from backups. Either way, there is a defined endpoint. The attack is over. The damage is quantifiable. The clock starts on recovery.

That model, as damaging as it has been, assumes that the attacker wants a transaction. They want payment. Once they have it, or once you’ve restored and they’ve moved on, the incident concludes.

Palo Alto’s Unit 42 2026 Global Incident Response Report, analyzing over 750 major cyber incidents across 50 countries, documents that encryption-based extortion declined 15% as more attackers skip encryption entirely and move to operational disruption as their primary leverage mechanism. The industry is already shifting away from the model we’ve practiced for [7].

VikingCloud describes where it’s heading: “Ransomware gangs have figured out that encrypting files is only one way to hold a business hostage. They prioritize availability, not just data. If 800 stores go down for six hours, the financial impact far exceeds the ransom amount” [8].

And Resilience Insurance’s Tom Egglestone tells us that “Cyber extortion is entering its next phase. By 2026, attacks will no longer rely solely on encryption or data theft but will combine multiple tactics in sequence. Adversaries are discovering that the most effective leverage comes from sustained, multi-layered disruption that touches every part of an organisation’s operations” [6].

This is the direction of travel. The threat model everyone has been preparing for is already being replaced by something worse.

Why Current Backup, Recovery, and Business Continuity Plans Would Be Useless

This is the rabbit hole I found as I was thinking about the business continuity problem when agentic adversaries enter the picture.

Current backup and recovery architectures are designed to survive one bad event with immutable backups, clean recovery points, cleanroom restoration environments, and rapid identification of uncompromised data. These are all valuable, necessary, and partially effective for a single catastrophic event. They are not designed for sustained attrition attacks.

Commvault’s cleanroom recovery creates an on-demand, secure, isolated environment where organizations can test recovery plans, conduct forensic investigations, and execute production recoveries without risking further disruption [9]. That is a good approach for single-event resilience. But a cleanroom gives you clean data to restore to. It doesn’t solve the problem that the environment you are restoring into is being actively probed for the next attack while you are still in the cleanroom. What if the restoration and the next attack are running in parallel?

Keiser University’s BCDR analysis notes that disaster recovery and business continuity “skyrocketed from not even in the top 10 in 2024 to number three in 2025” among CISO priorities, and that the average cost of downtime is $14,056 per minute. Organizations are paying attention to this. But paying attention to single-event recovery speed is a different problem from designing for repeated attack cycles [10].

Current Recovery Point Objective and Recovery Time Objective frameworks were designed for one bad day. They tell you how much data you can afford to lose and how quickly you need to restore. They do not tell you what to do when the next attack arrives before the current restoration is complete. They do not account for a scenario where the question is “what is our RTO relative to the attacker’s next strike cadence?”

When it comes to business continuity plans, what does your organization do while primary systems are in recovery? Most organizations have given this insufficient thought for a single event, let alone what it should look like when a campaign of continuous attacks renders backup and recovery methods useless.

Like I said, I don’t have the full answer to this. I don’t think anyone does yet. The vendors building recovery tooling are doing important work. Veeam’s Intelligent ResOps, Cohesity’s clean room, Commvault’s synthetic recovery, and Rubrik’s threat hunting are real innovations addressing real problems. But they are all solving for single-event resilience. The sustained attrition scenario is a different engineering problem, and I don’t see evidence that anyone has fully designed for it yet.

The Government and Critical Infrastructure Dimension

I cannot help imagining another terrible use case for this type of attack.

A private company facing operational attrition loses revenue, reputation, and customer trust. That is serious. It is potentially existential for smaller organizations. It is recoverable over time for larger ones.

A government agency facing operational attrition loses the ability to deliver services that citizens depend on. The downstream human cost of extended operational unavailability is not measured in dollars. It is measured in people who don’t receive medical care, emergency response that doesn’t arrive, critical infrastructure that stops functioning.

The ODNI’s Annual Threat Assessment 2026 makes the geopolitical context explicit. China, Russia, Iran, and North Korea are all actively targeting US critical infrastructure. Ransomware groups are shifting to faster, high-volume attacks. AI’s influence is deepening across offensive operations [11].

On April 23, 2026, the Executive Office of the President issued a memorandum to heads of all executive departments warning of threats from foreign entities engaged in “deliberate, industrial-scale campaigns” to attack US systems [12].

The Atlantic Council adds an institutional vulnerability that compounds the threat: CISA is operating without a confirmed director, has seen significant workforce reductions, CIRCIA’s final rule has been delayed to May 2026, and the Cybersecurity Information Sharing Act lapsed in September 2025 with only a temporary extension. The threat is escalating at precisely the moment institutional capacity to respond has been weakened [13].

The scenario of a coordinated, AI-orchestrated attrition campaign against multiple government agencies simultaneously, making critical services unavailable on demand, is not science fiction. It is a logical application of capabilities that are documented in the wild today, directed at a target set that is publicly acknowledged to be under sustained attack, at a moment when the defensive institutional infrastructure is under-resourced.

I find that genuinely frightening. I think you should too.

The Insurance Gap Nobody Has Closed

Cyber insurance was built for the ransomware model involving a defined incident, quantifiable loss, and a recoverable situation. TechTarget’s analysis of the next generation of attacks is that cyber insurance won’t cover them. Full stop. The GAO has identified a gap in the Terrorism Risk Insurance Program. Cyberattacks must be violent or coercive to qualify, which is a threshold most state-sponsored operations don’t meet. 23% of private-sector organizations already rate their cyber resilience as insufficient [14].

Insurers are now defining “widespread events” in ways that limit aggregate exposure, adding exclusions that may restrict coverage when multiple policyholders are affected simultaneously [15]. A coordinated attrition campaign that affects multiple organizations through shared infrastructure fits exactly this exclusion.

The attrition scenario breaks every assumption insurance was built around. When does the incident start? When does it end? What is the quantifiable loss when the attacker never encrypts anything, only keeps triggering recovery cycles? How do you file a claim for “we were intermittently unavailable for three weeks due to repeated AI-orchestrated attacks with no defined endpoint”?

The answer is you probably can’t. Not under any policy that currently exists. And there is no federal backstop for it.

Starting Points, Not Solutions

I have not found a viable solution to the attrition problem. I did find starting points. These are ways to begin thinking and building that are better than what most organizations are doing right now. The full solution requires innovation that hasn’t happened yet.

Ask the question nobody is asking about your RTO. Your Recovery Time Objective was designed for one event. Ask instead: what is our RTO relative to likely attack cadence? A four-hour RTO is excellent if attacks arrive every three days. It is operationally useless if attacks arrive every two hours. You cannot answer this question until you ask it.

Map your Minimum Viable Operations before an incident. What does your organization need to function at the bare minimum while primary systems are in recovery? What can you do manually, in degraded mode, or through alternate channels? What are the three to five systems or processes that, if you could only keep those running, you could survive? In a sustained attrition scenario, this answer is the difference between functioning and collapse.

Treat backup infrastructure as outside the blast radius of your entire agentic environment. Policy-isolated isn’t going to cut it. We need architecturally isolated with separate credentials and separate network paths. No agent in your production environment should be able to reach your backup infrastructure. If any agent can reach it, assume it eventually will. Immutability is necessary but not sufficient. An immutable backup system that is reachable for enumeration is still giving an attacker a map.

Use short-lived credentials everywhere that touches recovery. This means every backup service account, recovery tool, and administrative credential that touches backup infrastructure. A credential that expires in fifteen minutes has a fraction of the usefulness of one valid for four years when the scenario involves repeated exploitation cycles. GitGuardian found that 64% of valid secrets from 2022 are still active and exploitable in 2026. That is the population of credentials sitting in your environment that an agentic attacker can use to reset after each recovery cycle [16].

Test recovery under realistic degraded conditions. Organizations that regularly test disaster recovery plans recover 50% faster from cyber incidents. But the relevant test for attrition isn’t a scheduled, fully-staffed DR drill under calm conditions. It’s a simulated second incident arriving before the first one is resolved. It’s a deliberately understaffed response team making decisions under pressure at hour six. It’s a verification step that gets skipped. Test the conditions you will actually face, not the conditions under which your plan works perfectly.

Pre-authorize containment actions and build playbooks for sustained incidents. The Five Eyes guidance is that human approval loops are too slow for machine-speed attack cadence. Decisions that can be pre-authorized should be. Playbooks for sustained multi-incident scenarios should exist before they are needed [17].

Have the board conversation about the cost model. The financial model for attrition is categorically different from ransomware. There is no ransom payment to budget for. There is no defined recovery point after which normal operations resume. The cost is pure operational loss with no natural endpoint. Boards that have modeled one catastrophic event have not modeled thirty-six hours of intermittent unavailability with no endpoint. Those are different numbers. They need to be in front of the people making investment decisions.

A Call to the Community

The thought of an agentic-powered adversary running repeated attack sequences against an organization or a government agency, while current backup, recovery, and business continuity plans prove completely inadequate to the cadence of the attack is, to me, one of the most urgent unsolved problems in security today.

And it is unsolved. Some vendors are working on pieces of it. The researchers are circling adjacent problems. The regulators are writing frameworks for single-event resilience that don’t contemplate this scenario. The insurance industry is acknowledging coverage gaps without designing products for what comes next.

If you are thinking about this, I want to hear from you. If your organization is working on it, I want to know. If you have TTPs that defenders can use today, even partial ones, share them. The community needs them.

The operational attrition threat model needs dedicated attention from people with the expertise and resources to build defenses against it. I’ve described it as clearly as I can. Now I’m asking the people who can actually build the response to take it seriously.

Because the alternative, waiting until this scenario plays out at scale against a major enterprise or a critical government agency, is not a risk I’m comfortable accepting.

-- Laura Kenner

Share

References

[1] Anthropic, “Disrupting the First Reported AI-Orchestrated Cyber Espionage Campaign,” Anthropic News, Nov. 13, 2025. https://www.anthropic.com/news/disrupting-AI-espionage

[2] Malwarebytes, “2026 State of Malware Report,” Malwarebytes, 2026. https://www.malwarebytes.com/resources/files/2026/02/malwarebytes-2026-state-of-malware-report.pdf

[3] Barracuda, “Agentic AI: The Next Frontier in Cybersecurity,” Barracuda Blog, Feb. 2026. https://blog.barracuda.com/2026/02/27/agentic-ai-the-next-frontier-in-cybersecurity/

[4] Industrial Cyber, “Ongoing cyberattacks targeting internet-connected PLCs disrupt US critical infrastructure,” Industrial Cyber, Apr. 8, 2026. https://industrialcyber.co/cisa/ongoing-cyberattacks-targeting-internet-connected-plcs-disrupt-us-critical-infrastructure-agencies-warn/

[5] Intel 471, “2026 Cyber Threat Trends & Outlook,” Intel 471, Feb. 2026. https://industrialcyber.co/reports/intel-471-reports-extortion-breaches-surged-63-in-2025-with-sustained-activity-expected-in-2026/

[6] T. Egglestone, “Cybersecurity and Insurance Predictions for 2026,” Resilience, Feb. 24, 2026. https://cyberresilience.com/blog/cybersecurity-and-insurance-predictions-2026/

[7] Palo Alto Networks Unit 42, “2026 Global Incident Response Report,” Feb. 2026. https://www.paloaltonetworks.com/blog/2026/02/unit-42-global-ir-report/

[8] VikingCloud, “7 Cybersecurity Trends That Will Define 2026,” VikingCloud Blog, Jan. 12, 2026. https://www.vikingcloud.com/blog/7-cybersecurity-trends-that-will-define-2026

[9] Commvault, “Cleanroom Recovery Innovations Enable a New Era in Cyber Resilience,” Commvault Blog, Nov. 19, 2025. https://www.commvault.com/blogs/cleanroom-recovery-innovations-enable-a-new-era-in-cyber-resilience

[10] Keiser University, “Business Continuity vs Disaster Recovery,” Keiser University Blog, Feb. 25, 2026. https://www.keiseruniversity.edu/business-continuity-vs-disaster-recovery/

[11] ODNI, “Annual Threat Assessment 2026,” Office of the Director of National Intelligence, Mar. 2026. https://industrialcyber.co/reports/odni-report-us-critical-infrastructure-faces-escalating-cyber-risks-from-china-russia-iran-and-north-korea/

[12] Epstein Becker Green, “Critical Infrastructure at Risk: Project Glasswing Urges Attention to AI-Driven Cyber-Risks,” Workforce Bulletin, May 2026. https://www.workforcebulletin.com/critical-infrastructure-at-risk-project-glasswing-urges-attention-to-ai-driven-cyber-risks

[13] Atlantic Council, “Securing Cloud Infrastructure for AI,” Issue Brief, Mar. 31, 2026. https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/securing-cloud-infrastructure-ai/

[14] TechTarget, “Why Cyber Insurance Won’t Cover the Next Generation of Attacks,” TechTarget, Mar. 26, 2026. https://www.techtarget.com/searchcio/feature/Why-cyber-insurance-wont-cover-the-next-generation-of-attacks

[15] Insurance Thought Leadership, “Cyber Insurance Exclusions to Expect in 2026,” Dec. 4, 2025. https://www.insurancethoughtleadership.com/cyber/cyber-insurance-exclusions-expect-2026

[16] GitGuardian, “State of Secrets Sprawl 2026,” GitGuardian, Mar. 17, 2026. https://www.gitguardian.com/state-of-secrets-sprawl-report-2026

[17] CISA, NSA, ASD ACSC, Canadian Centre for Cyber Security, NCSC-NZ, NCSC-UK, “Careful Adoption of Agentic AI Services,” Joint Guidance, Apr. 30, 2026. https://media.defense.gov/2026/Apr/30/2003922823/-1/-1/0/CAREFUL%20ADOPTION%20OF%20AGENTIC%20AI%20SERVICES_FINAL.PDF

[18] Resilience, “Cyber Risk Shifts From Disruption to Long-Tail Losses,” Insurance Journal, Feb. 25, 2026. https://www.insurancejournal.com/news/national/2026/02/25/859511.htm

[19] Defense One, “Pro-Iran hackers appear to increase critical infrastructure cyberattacks,” Defense One, Apr. 17, 2026. https://www.defenseone.com/threats/2026/04/iran-hackers-infrastructure-cyberattacks/412941/

[20] Object First, “Object First Survey: 89% of IT Leaders Fear AI-Powered Cyberattacks Will Cost Them Their Data,” Press Release, Mar. 31, 2026. https://www.businesswire.com/news/home/20260331825488/en

[21] Veeam, cited in TechRadar, “Ransomware attackers are going after backup storage to force you to pay up,” TechRadar, 2025. https://www.techradar.com/news/ransomware-attackers-are-going-after-backup-storage-to-force-you-to-pay-up

[22] Vantagepoint, “Cyber Resilience: Building Business Continuity in an Era of Inevitable Breaches,” Mar. 18, 2026. https://vantagepoint.io/blog/sf/cyber-resilience-building-business-continuity-in-an-era-of-inevitable-breaches

[23] CSA CISO Community et al., “The ‘AI Vulnerability Storm’: Building a ‘Mythos-ready’ Security Program,” v1.0, May 1, 2026. https://labs.cloudsecurityalliance.org/wp-content/uploads/2026/05/mythosreadyv1.0.pdf

I’ve spent the last several weeks deep in the research on Claude Mythos, Project Glasswing, and what the security community is saying about what comes next. The most honest, well-sourced voices in cybersecurity are all circling the same uncomfortable question. What now?

This piece is my attempt to synthesize what I found. My goal is to give you enough grounding in the evidence that you can think through the implications yourself, and enough links that you can go further on your own. Practical recommendations will follow in separate articles. This one is about understanding the problem clearly first.

This is a long one because there’s a lot to cover, so hang in there. Turn on that screen reader and let’s do this.

Subscribe now

About Mythos

On April 7, 2026, Anthropic announced Claude Mythos (Preview) alongside Project Glasswing, described as possibly the largest multi-party vulnerability coordination effort in history [1]. The reaction was immediate and unusually broad, reaching boardrooms, legislative offices, and national security agencies within days.

By May 1, six national cybersecurity agencies had issued the first-ever joint guidance specifically on agentic AI security: CISA, the NSA, Australia’s ASD ACSC, the Canadian Centre for Cyber Security, New Zealand’s NCSC, and the UK’s NCSC all signed on to “Careful Adoption of Agentic AI Services” [2]. When six governments move that fast on something, it’s worth paying attention to why.

So what did Mythos actually demonstrate? Three things, specifically.

1. Discovery velocity changed. Mythos generated 181 working Firefox exploits under conditions where Claude Opus 4.6 succeeded only twice [3]. It autonomously identified a 27-year-old vulnerability in OpenBSD, a 16-year-old flaw in FFmpeg that had survived five million automated test runs, and a remote code execution vulnerability in FreeBSD. These weren’t edge cases found under ideal conditions. The Anthropic red team technical disclosure is worth reading in full.

2. The skill floor collapsed. A 3.6 billion parameter model costing $0.11 per million tokens can now detect complex bug classes [4]. Mythos-class capability isn’t confined to Anthropic or well-resourced state actors. AISLE’s “jagged frontier” analysis shows that many of the vulnerability classes Mythos identifies can be reproduced by small, inexpensive open-weight models [5]. The controlled access Glasswing established is time-limited.

3. Chained exploitation became accessible. Mythos identifies vulnerabilities composed of multiple primitives chained together -- scenarios requiring multiple memory corruption bugs combined into a single exploit path -- in a single prompt, without scaffolding [3]. Prior to this, chained exploitation required patient, skilled adversaries with time to burn. That constraint no longer applies.

The autonomous exploitation rate trajectory tells the story clearly: GPT-5 achieved 18% in September 2025, Claude Sonnet 4.5 achieved 22% the same month, GPT-5.4 hit 90% by March 2026, and Claude Opus 4.6 hit 98% by February 2026 [4]. That is not a gradual progression. That is a cliff.

The Problem Mythos Exposed, Not Created

The CSA CISO Community briefing, co-authored by Gadi Evron, Robert T. Lee of SANS, and contributions from Jen Easterly, Bruce Schneier, Heather Adkins, Phil Venables, and roughly seventy CISO reviewers, frames the situation this way: Current patch cycles, response processes, and risk metrics are not ready for AI-driven discovery and exploitation of vulnerabilities [1]. Mythos exposed a structural failure that was already present.

The evidence for that pre-existing failure is substantial.

The National Vulnerability Database enriched a record 42,000 CVEs in 2025. CVE submissions increased by 263% in the same period [4]. FIRST forecasts up to 100,000 new CVEs in 2026. On April 15, 2026, NIST formally acknowledged the math wasn’t working by shifting to a risk-based enrichment model, immediately moving 29,000 backlogged CVEs to “Not Scheduled” status. The system built to track vulnerabilities at scale has thrown in the towel.

Chris Hughes of Resilient Cyber presented a structural equation at the CSA Agentic AI Security Summit [4]: 14 billion GitHub commits projected for 2026, multiplied by a 2.74x AI bug rate, divided by a 4-hour exploit window. He calls the result “the Vulnpocalypse.” It’s a pointed way of describing something that is, unfortunately, just math.

The Zero Day Clock, launched in March 2026 by Sergej Epp and others, tracks median time from vulnerability disclosure to confirmed exploitation using 3,529 CVE-exploit pairs [6]. The trend line is unambiguous: 771 days in 2018, 10.8 months in 2021, 4 hours in 2024. IBM’s analysis of the Mythos moment concludes that, for the first time, response is now the binding constraint, not discovery [7].

The entire market category of risk-based vulnerability management (EPSS, CISA KEV, CTEM) exists because the security industry implicitly acknowledged decades ago that complete patching was unachievable. Mythos makes that acknowledgment explicit and urgent.

What Glasswing Doesn’t Solve

Project Glasswing is, as described, likely the largest coordinated vulnerability disclosure effort in history. But, let’s be clear about what it is and what it isn’t.

Glasswing is a discovery and hardening initiative applied to code. It patches software in the systems of participating vendors. As of late April 2026, VulnCheck found only one CVE directly credited to Glasswing in the public record: CVE-2026-4747 [8]. Chris Hughes’ conclusion: fewer than 1% of vulnerabilities found by Mythos have been patched [8]. Picus Security arrives at the same place independently. Glasswing solved the finding problem, but nobody solved the fixing problem [9].

Beyond the remediation gap, there are three layers Glasswing simply doesn’t touch.

The human layer. Social engineering attacks require no CVE, no exploit, and no vulnerability scanner. In 2023, MGM Resorts lost approximately $100 million when attackers who did not exploit a single technical vulnerability called the help desk, impersonated an employee, and convinced an agent to reset credentials [10]. That same year, a 3CX employee installed a trojanized software package on a personal computer, initiating the first confirmed cascading supply chain compromise [11]. No amount of code hardening addresses this. As code from participating vendors gets cleaner, the path of least resistance shifts toward the humans and trust chains underneath.

The coverage gap. The CSA briefing warns that the world’s exploitable attack surface is vastly larger than what any curated partner ecosystem can cover [1]. The 40 vendors in the Glasswing early access program represent a fraction of the software dependencies running in any medium or large organization. Everyone outside that consortium remains fully exposed.

The agentic ecosystem itself. This is the one I think is getting the least attention. Disesdi Shoshana Cox, AI Policy Lead at the OWASP AI Exchange and a practitioner I’ve been following closely, explains that most organizations deploying AI agents lack proper access controls, experimentation logging, data and inference monitoring, and AI-specific threat models [12]. The result is two sets of systems effectively unguarded. Classical infrastructure and AI infrastructure are both now exploitable, and connected.

Where the Research Points

I want to be careful here not to turn a research synthesis into a vendor recommendations list. The practical “where to focus” articles are coming separately. But the research does point clearly in certain directions, and it would be intellectually dishonest not to say so.

Gartner named agentic AI oversight the number-one cybersecurity trend for 2026 [13]. Their January 2026 report “How to Secure Enterprise Agentic AI Ambition” by Jeremy D’Hoinne and Dionisio Zumerle identifies Non-Human Identity security as the foundational control layer for machine actors [14]. The Five Eyes guidance makes the same call, identifying privilege risk as the first and most consequential risk category for agentic deployments [2].

I’d encourage you to read the Five Eyes guidance yourself. Six national cybersecurity agencies collectively saying “prioritize resilience, reversibility and risk containment over efficiency gains“ is a meaningful signal. That is a government-level statement that prevention-first thinking is no longer the primary frame.

OWASP’s Agentic Top 10 for 2026 [15], particularly ASI02 (Tool Misuse and Exploitation) and ASI03 (Identity and Privilege Abuse), maps the specific threat categories that matter most in this environment.

Ken Huang’s secure harness architecture and Shoshana Cox’s least capability principle, developed independently from different analytical traditions, converge on the same insight. Least privilege (giving an identity only the permissions it needs) is necessary but not sufficient when the identity in question is an AI agent operating autonomously [12][16]. The additional requirement is least capability, which is an architectural constraint on what an agent can structurally do, not merely what it is permitted to do. Permissions can be misconfigured, inherited, escalated, or exploited. Architecture is harder to bypass.

I found a lack of new strategy around backup and recovery in a post-Mythos world, and that bothers me. The established attacker playbook against backup infrastructure is equally executable by a compromised AI agent using valid credentials, indistinguishable from legitimate administrative activity [17][18][19]. Immutability needs to be architectural, not a configuration setting. And there’s a threat scenario the literature hasn’t fully addressed yet, but I think it should be. How would a backup/restoration cycle be possible if it’s not a single catastrophic event, but repeated disruption cycles triggered faster than restoration can complete? Current RPO and RTO frameworks were designed for one bad day. They don’t account for ten consecutive ones. I’m treating this as its own research project. Stay tuned.

Voices I’m Following and Recommend

The research on this topic is genuinely good. These are the people and organizations whose work I found most substantive:

Chris Hughes / Resilient Cyber - The most consistently rigorous independent analyst voice on this topic. His newsletter issues 92-96 are the best ongoing coverage of Mythos implications I’ve found.

Disesdi Shoshana Cox / Angles of Attack - Technically credible, openly skeptical of vendor hype, regulatory-forward. The only voice I found explicitly connecting Mythos to the standards and policy conversations happening in Washington right now, including the formation of MOSAIC (Multi-Organization Secure AI Coordination).

Bruce Schneier - The essential skeptic. Called Glasswing “very much a PR play by Anthropic -- and it worked.” Worth reading for the counterargument, especially because Schneier is also a contributing author on the CSA briefing. He can hold both views at once.

CETaS / Alan Turing Institute - Chris Hicks, Connor Attridge, Ardi Janjeva, and Carolyn Ashurst produced the most rigorous academic treatment of Mythos I found [20].

WEF “AI and Cyber: Empowering Defenders” - Published May 4, 2026, in collaboration with KPMG. 94% of cyber leaders identify AI as the defining force in their field. Draws on 20 real-world case studies across 84 organizations [21].

The CSA CISO Community v1.0 briefing remains the anchor document for this topic. If you read nothing else, read that.

Not the End

I started this research expecting to write about Mythos as a new threat. What I found instead is that Mythos is more like a floodlight pointed at an old one.

The security industry was built around an organizing premise. You find vulnerabilities, patch them before attackers exploit them, and that was always partially unachievable at scale. The tools that proliferated around that premise (CVSS, NVD, periodic pen tests, reactive patch management) were responses to an impossible problem, not solutions to it. Mythos didn’t make that premise impossible. It made the impossibility undeniable.

What comes after this reckoning? The research points toward a security posture organized around limiting damage rather than preventing entry. Some examples include limiting blast radius by design, identity governance for machine actors, and behavioral detection calibrated for non-human speed. I’d also like to see plans for recovery architectures that don’t assume a single bad event on a human timeline.

Those are topics I will dig into next. If you’ve found sources or research I should have included, I want to hear about it. That’s what the community is for.

-- Laura Kenner

References

[1] CSA CISO Community, SANS, [un]prompted, and OWASP Gen AI Security Project, “The ‘AI Vulnerability Storm’: Building a ‘Mythos-ready’ Security Program,” Cloud Security Alliance, v1.0, May 1, 2026. https://labs.cloudsecurityalliance.org/wp-content/uploads/2026/05/mythosreadyv1.0.pdf

[2] CISA, NSA, ASD ACSC, Canadian Centre for Cyber Security, NCSC-NZ, NCSC-UK, “Careful Adoption of Agentic AI Services,” Joint Guidance, Apr. 30, 2026. https://media.defense.gov/2026/Apr/30/2003922823/-1/-1/0/CAREFUL%20ADOPTION%20OF%20AGENTIC%20AI%20SERVICES_FINAL.PDF

[3] Anthropic Red Team, “Mythos Preview: Technical Disclosure,” Anthropic, Apr. 2026. https://red.anthropic.com/2026/mythos-preview/

[4] C. Hughes, “The Vulnpocalypse Is Here. Now What?” Presentation, CSA Agentic AI Security Summit, May 2026. [Slide deck, on file]

[5] AISLE, “AI Cybersecurity After Mythos: The Jagged Frontier,” AISLE, Apr. 2026. https://aisle.com/blog/ai-cybersecurity-after-mythos-the-jagged-frontier

[6] S. Epp et al., Zero Day Clock, Mar. 2026. https://zerodayclock.com

[7] IBM, “The Mythos Moment When Discovery Outpaces Defense,” IBM Think Insights, Apr. 2026. https://www.ibm.com/think/insights/the-mythos-moment-when-discovery-outpaces-defense

[8] C. Hughes, Resilient Cyber Newsletter, Issues #92-#96, Apr.-May 2026. https://www.resilientcyber.io

[9] Picus Security, “The Glasswing Paradox: The Thing That Can Break Everything Is Also The Thing That Fixes Everything,” Picus Security Blog, Apr. 2026. https://www.picussecurity.com/resource/blog/anthropics-project-glasswing-paradox

[10] Trusona, “Prevent the Next $100M MGM-Style Breach,” Trusona Blog, Oct. 9, 2025. https://www.trusona.com/blog/prevent-mgm-style-breach

[11] 3CX, “Security Update Thursday 20 April 2023 -- Initial Intrusion Vector Found,” 3CX Blog, Apr. 20, 2023. https://www.3cx.com/blog/news/mandiant-security-update2/

[12] D. S. Cox, “Mythos, Legends, and Outright Lies,” Angles of Attack: The AI Security Intelligence Brief, Edition 49, May 6, 2026. https://disesdi.substack.com/p/mythos-legends-and-outright-lies

[13] Gartner, Inc., “Gartner Identifies the Top Cybersecurity Trends for 2026,” Press Release, Feb. 5, 2026. https://www.gartner.com/en/newsroom/press-releases/2026-02-05-gartner-identifies-the-top-cybersecurity-trends-for-2026

[14] J. D’Hoinne and D. Zumerle, “How to Secure Enterprise Agentic AI Ambition,” Gartner Research, Jan. 5, 2026. [Gartner client access]

[15] OWASP GenAI Security Project, “OWASP Top 10 for Agentic Applications 2026,” Agentic Security Initiative, Dec. 2025. https://genai.owasp.org/initiatives/agentic-security-initiative/

[16] K. Huang, “What a Secure Harness for Agentic AI Actually Is,” Agentic AI (Substack), May 6, 2026. https://kenhuangus.substack.com/p/what-a-secure-harness-for-agentic

[17] S. Rao, “Why Ransomware Attacks Succeed Even When Backups Exist,” BleepingComputer, sponsored by Acronis, May 2026. https://www.bleepingcomputer.com/news/security/why-ransomware-attacks-succeed-even-when-backups-exist/

[18] Object First, “Object First Survey: 89% of IT Leaders Fear AI-Powered Cyberattacks Will Cost Them Their Data,” Press Release, Mar. 31, 2026. https://www.businesswire.com/news/home/20260331825488/en

[19] Veeam, cited in TechRadar, “Ransomware attackers are going after backup storage to force you to pay up,” TechRadar, 2025. https://www.techradar.com/news/ransomware-attackers-are-going-after-backup-storage-to-force-you-to-pay-up

[20] C. Hicks, C. Attridge, A. Janjeva and C. Ashurst, “Claude Mythos: What Does Anthropic’s New Model Mean for the Future of Cybersecurity?” CETaS Expert Analysis, Apr. 2026. https://cetas.turing.ac.uk/publications/claude-mythos-future-cybersecurity

[21] World Economic Forum and KPMG, “AI and Cyber: Empowering Defenders,” WEF White Paper, May 4, 2026. https://www.weforum.org/press/2026/05/new-report-shows-how-ai-gives-cybersecurity-competitive-advantage/

Share

Welcome. I’m genuinely glad you’re here. Let me tell you what this is and why it exists.

Why Out of Band exists

There’s no shortage of cybersecurity news. There’s a real shortage of people willing to say what they actually think about it without a vendor contract, a conference sponsorship, or a marketing budget shaping the narrative.

Out of Band is my attempt to fix that.

I spend a lot of time researching, producing video, and talking with practitioners. This is where I write down what I’m thinking after all of that. It’s my perspective on what it means for the people in the trenches.

What to expect

Out of Band is built around deep research. Each research piece kicks off a series of follow-on articles that dig into the subtopics, the implications, and the questions raised.

You’ll get two types of pieces here:

Straight research: This is where I like to start. I may start with a thesis or be inspired by the “talk on the street” (usually LinkedIn) and I dig in. I gather as much data as I can from as many sources as I can, and then piece together my original analysis. These take time and they show it. Properly cited, linked, unsponsored.

Colorful POV: After doing the research and ruminating on it a bit, I generally have more thoughts to share. A lot of times I have more questions than answers. Sometimes I want to test my ideas against community feedback. I share my thought process so we can have these important conversations.

Who I am

I’m Laura Kenner, founder of Bootstrap Cyber. I came to cybersecurity from an unrelated field (medical office admin). I had a mid-life crisis and went for a total career change. I achieved a BS in Computer Networking and Cybersecurity, as well as CCNA, CompTIA Network+, and Security+ certifications. I “broke into” the field via my first job in a technical marketing role for a cybersecurity vendor. I now run content, social, and video strategy for cybersecurity startups.

The combination of a cybersecurity education and content marketing experience has given me a very unique perspective. I can read the research, understand what practitioners are dealing with, and translate it into something useful, maybe even entertaining.

I also started Bootstrap Cyber Media LLC as a channel for the practitioners, the boots on the ground, doing the work every day. It’s my side hustle, my passion project, and I love it. Try to stop me.

My written content mostly lives here on Substack. My video content lives on YouTube. And the community page is on LinkedIn. Please connect, follow, subscribe!

One ask

I’m just getting started here. Comments are most welcome, even when you disagree. I appreciate feedback and I read everything. I look forward to the conversations more than the subscribes.

Welcome to Out of Band.

— Laura Kenner

Bootstrap Cyber Media LLC at https://www.bootstrapcyber.com

YouTube at http://www.youtube.com/@BootstrapCyber

LinkedIn at https://www.linkedin.com/company/bootstrap-cyber