Follow the Research: Cybersecurity in a Post-Mythos World
I’ve spent the last several weeks deep in the research on Claude Mythos, Project Glasswing, and what the security community is saying about what comes next. The most honest, well-sourced voices in cybersecurity are all circling the same uncomfortable question. What now?
This piece is my attempt to synthesize what I found. My goal is to give you enough grounding in the evidence that you can think through the implications yourself, and enough links that you can go further on your own. Practical recommendations will follow in separate articles. This one is about understanding the problem clearly first.
This is a long one because there’s a lot to cover, so hang in there. Turn on that screen reader and let’s do this.
About Mythos
On April 7, 2026, Anthropic announced Claude Mythos (Preview) alongside Project Glasswing, described as possibly the largest multi-party vulnerability coordination effort in history [1]. The reaction was immediate and unusually broad, reaching boardrooms, legislative offices, and national security agencies within days.
By May 1, six national cybersecurity agencies had issued the first-ever joint guidance specifically on agentic AI security: CISA, the NSA, Australia’s ASD ACSC, the Canadian Centre for Cyber Security, New Zealand’s NCSC, and the UK’s NCSC all signed on to “Careful Adoption of Agentic AI Services” [2]. When six governments move that fast on something, it’s worth paying attention to why.
So what did Mythos actually demonstrate? Three things, specifically.
Discovery velocity changed. Mythos generated 181 working Firefox exploits under conditions where Claude Opus 4.6 succeeded only twice [3]. It autonomously identified a 27-year-old vulnerability in OpenBSD, a 16-year-old flaw in FFmpeg that had survived five million automated test runs, and a remote code execution vulnerability in FreeBSD. These weren’t edge cases found under ideal conditions. The Anthropic red team technical disclosure is worth reading in full.
The skill floor collapsed. A 3.6 billion parameter model costing $0.11 per million tokens can now detect complex bug classes [4]. Mythos-class capability isn’t confined to Anthropic or well-resourced state actors. AISLE’s “jagged frontier” analysis shows that many of the vulnerability classes Mythos identifies can be reproduced by small, inexpensive open-weight models [5]. The controlled access Glasswing established is time-limited.
Chained exploitation became accessible. Mythos identifies vulnerabilities composed of multiple primitives chained together -- scenarios requiring multiple memory corruption bugs combined into a single exploit path -- in a single prompt, without scaffolding [3]. Prior to this, chained exploitation required patient, skilled adversaries with time to burn. That constraint no longer applies.
The autonomous exploitation rate trajectory tells the story clearly: GPT-5 achieved 18% in September 2025, Claude Sonnet 4.5 achieved 22% the same month, GPT-5.4 hit 90% by March 2026, and Claude Opus 4.6 hit 98% by February 2026 [4]. That is not a gradual progression. That is a cliff.
The Problem Mythos Exposed, Not Created
The CSA CISO Community briefing, co-authored by Gadi Evron and by Robert T. Lee of SANS, with contributions from Jen Easterly, Bruce Schneier, Heather Adkins, Phil Venables, and roughly seventy CISO reviewers, frames the situation this way: Current patch cycles, response processes, and risk metrics are not ready for AI-driven discovery and exploitation of vulnerabilities [1]. Mythos exposed a structural failure that was already present.
The evidence for that pre-existing failure is substantial.
The National Vulnerability Database enriched a record 42,000 CVEs in 2025. CVE submissions increased by 263% in the same period [4]. FIRST forecasts up to 100,000 new CVEs in 2026. On April 15, 2026, NIST formally acknowledged the math wasn’t working by shifting to a risk-based enrichment model, immediately moving 29,000 backlogged CVEs to “Not Scheduled” status. The system built to track vulnerabilities at scale has thrown in the towel.
Chris Hughes of Resilient Cyber presented a structural equation at the CSA Agentic AI Security Summit [4]: 14 billion GitHub commits projected for 2026, multiplied by a 2.74x AI bug rate, divided by a 4-hour exploit window. He calls the result “the Vulnpocalypse.” It’s a pointed way of describing something that is, unfortunately, just math.
The Zero Day Clock, launched in March 2026 by Sergej Epp and others, tracks median time from vulnerability disclosure to confirmed exploitation using 3,529 CVE-exploit pairs [6]. The trend line is unambiguous: 771 days in 2018, 10.8 months in 2021, 4 hours in 2024. IBM’s analysis of the Mythos moment concludes that, for the first time, response is now the binding constraint, not discovery [7].
The entire market category of risk-based vulnerability management (EPSS, CISA KEV, CTEM) exists because the security industry implicitly acknowledged decades ago that complete patching was unachievable. Mythos makes that acknowledgment explicit and urgent.
What Glasswing Doesn’t Solve
Project Glasswing is, as described, likely the largest coordinated vulnerability disclosure effort in history. But let’s be clear about what it is and what it isn’t.
Glasswing is a discovery and hardening initiative applied to code. It patches software in the systems of participating vendors. As of late April 2026, VulnCheck found only one CVE directly credited to Glasswing in the public record: CVE-2026-4747 [8]. Chris Hughes’ conclusion: fewer than 1% of vulnerabilities found by Mythos have been patched [8]. Picus Security arrives at the same place independently. Glasswing solved the finding problem, but nobody solved the fixing problem [9].
Beyond the remediation gap, there are three layers Glasswing simply doesn’t touch.
The human layer. Social engineering attacks require no CVE, no exploit, and no vulnerability scanner. In 2023, MGM Resorts lost approximately $100 million when attackers who did not exploit a single technical vulnerability called the help desk, impersonated an employee, and convinced an agent to reset credentials [10]. That same year, a 3CX employee installed a trojanized software package on a personal computer, initiating the first confirmed cascading supply chain compromise [11]. No amount of code hardening addresses this. As code from participating vendors gets cleaner, the path of least resistance shifts toward the humans and trust chains underneath.
The coverage gap. The CSA briefing warns that the world’s exploitable attack surface is vastly larger than what any curated partner ecosystem can cover [1]. The 40 vendors in the Glasswing early access program represent a fraction of the software dependencies running in any medium or large organization. Everyone outside that consortium remains fully exposed.
The agentic ecosystem itself. This is the one I think is getting the least attention. Disesdi Shoshana Cox, AI Policy Lead at the OWASP AI Exchange and a practitioner I’ve been following closely, explains that most organizations deploying AI agents lack proper access controls, experimentation logging, data and inference monitoring, and AI-specific threat models [12]. The result is two sets of systems effectively unguarded. Classical infrastructure and AI infrastructure are both now exploitable, and connected.
Where the Research Points
I want to be careful here not to turn a research synthesis into a vendor recommendations list. The practical “where to focus” articles are coming separately. But the research does point clearly in certain directions, and it would be intellectually dishonest not to say so.
Gartner named agentic AI oversight the number-one cybersecurity trend for 2026 [13]. Their January 2026 report “How to Secure Enterprise Agentic AI Ambition” by Jeremy D’Hoinne and Dionisio Zumerle identifies Non-Human Identity security as the foundational control layer for machine actors [14]. The Five Eyes guidance makes the same call, identifying privilege risk as the first and most consequential risk category for agentic deployments [2].
I’d encourage you to read the Five Eyes guidance yourself. Six national cybersecurity agencies collectively saying “prioritize resilience, reversibility and risk containment over efficiency gains” is a meaningful signal. That is a government-level statement that prevention-first thinking is no longer the primary frame.
OWASP’s Agentic Top 10 for 2026 [15], particularly ASI02 (Tool Misuse and Exploitation) and ASI03 (Identity and Privilege Abuse), maps the specific threat categories that matter most in this environment.
Ken Huang’s secure harness architecture and Shoshana Cox’s least capability principle, developed independently from different analytical traditions, converge on the same insight. Least privilege (giving an identity only the permissions it needs) is necessary but not sufficient when the identity in question is an AI agent operating autonomously [12][16]. The additional requirement is least capability, which is an architectural constraint on what an agent can structurally do, not merely what it is permitted to do. Permissions can be misconfigured, inherited, escalated, or exploited. Architecture is harder to bypass.
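An added illustration of the privilege/capability distinction above, not code from Huang, Cox, or any project cited here. It assumes a hypothetical agent harness (the names Harness, Policy, triage-agent and both tools are invented for the example) and shows that a misconfigured wildcard grant still cannot reach a tool that was never wired in.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

# Hypothetical harness for illustration; no name here comes from a real framework.
class CapabilityError(Exception): pass   # tool is not wired into the harness at all
class PermissionDenied(Exception): pass  # tool exists, policy refuses this identity

@dataclass
class Policy:
    # Least privilege: mutable configuration mapping identity -> allowed tool names.
    grants: Dict[str, Set[str]] = field(default_factory=dict)

    def allows(self, identity: str, tool: str) -> bool:
        allowed = self.grants.get(identity, set())
        return "*" in allowed or tool in allowed

class Harness:
    """Least capability: the tool set is fixed at construction; there is no register()."""
    def __init__(self, tools: Dict[str, Callable[[str], str]], policy: Policy):
        self._tools = dict(tools)  # private copy; later edits to the caller's dict do nothing
        self._policy = policy

    def call(self, identity: str, tool: str, arg: str) -> str:
        if tool not in self._tools:
            raise CapabilityError(tool)   # structural: nothing exists to invoke
        if not self._policy.allows(identity, tool):
            raise PermissionDenied(tool)  # configurable: this check can be wrong
        return self._tools[tool](arg)

def read_ticket(ticket_id: str) -> str:
    return f"ticket {ticket_id}: constructed sample body"

def delete_backup(name: str) -> str:
    return f"deleted {name}"  # stand-in for a destructive action; touches nothing

def outcome(harness: Harness, identity: str, tool: str, arg: str) -> str:
    try:
        harness.call(identity, tool, arg)
        return "executed"
    except CapabilityError:
        return "no-capability"
    except PermissionDenied:
        return "denied"

def demo() -> Dict[str, str]:
    # Constructed misconfiguration: the agent identity inherited a wildcard grant.
    policy = Policy(grants={"triage-agent": {"*"}})
    wide = Harness({"read_ticket": read_ticket, "delete_backup": delete_backup}, policy)
    narrow = Harness({"read_ticket": read_ticket}, policy)
    run = lambda h: outcome(h, "triage-agent", "delete_backup", "nightly-01")
    return {"wide": run(wide), "narrow": run(narrow)}
```

With the same broken policy, the wide harness executes the destructive call while the narrow one fails structurally, which is the case a permission review alone would not catch.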
I found a lack of new strategy around backup and recovery in a post-Mythos world, and that bothers me. The established attacker playbook against backup infrastructure is equally executable by a compromised AI agent using valid credentials, indistinguishable from legitimate administrative activity [17][18][19]. Immutability needs to be architectural, not a configuration setting. And there’s a threat scenario the literature hasn’t fully addressed yet, but I think it should be. How would a backup/restoration cycle be possible if the threat is not a single catastrophic event but repeated disruption cycles triggered faster than restoration can complete? Current RPO and RTO frameworks were designed for one bad day. They don’t account for ten consecutive ones. I’m treating this as its own research project. Stay tuned.
Voices I’m Following and Recommend
The research on this topic is genuinely good. These are the people and organizations whose work I found most substantive:
Chris Hughes / Resilient Cyber - The most consistently rigorous independent analyst voice on this topic. His newsletter issues 92-96 are the best ongoing coverage of Mythos implications I’ve found.
Disesdi Shoshana Cox / Angles of Attack - Technically credible, openly skeptical of vendor hype, regulatory-forward. The only voice I found explicitly connecting Mythos to the standards and policy conversations happening in Washington right now, including the formation of MOSAIC (Multi-Organization Secure AI Coordination).
Bruce Schneier - The essential skeptic. Called Glasswing “very much a PR play by Anthropic -- and it worked.” Worth reading for the counterargument, especially because Schneier is also a contributing author on the CSA briefing. He can hold both views at once.
CETaS / Alan Turing Institute - Chris Hicks, Connor Attridge, Ardi Janjeva, and Carolyn Ashurst produced the most rigorous academic treatment of Mythos I found [20].
WEF “AI and Cyber: Empowering Defenders” - Published May 4, 2026, in collaboration with KPMG. 94% of cyber leaders identify AI as the defining force in their field. Draws on 20 real-world case studies across 84 organizations [21].
The CSA CISO Community v1.0 briefing remains the anchor document for this topic. If you read nothing else, read that.
Not the End
I started this research expecting to write about Mythos as a new threat. What I found instead is that Mythos is more like a floodlight pointed at an old one.
The security industry was built around an organizing premise: you find vulnerabilities and patch them before attackers exploit them. That was always partially unachievable at scale. The tools that proliferated around that premise (CVSS, NVD, periodic pen tests, reactive patch management) were responses to an impossible problem, not solutions to it. Mythos didn’t make that premise impossible. It made the impossibility undeniable.
What comes after this reckoning? The research points toward a security posture organized around limiting damage rather than preventing entry. Some examples include limiting blast radius by design, identity governance for machine actors, and behavioral detection calibrated for non-human speed. I’d also like to see plans for recovery architectures that don’t assume a single bad event on a human timeline.
Those are topics I will dig into next. If you’ve found sources or research I should have included, I want to hear about it. That’s what the community is for.
-- Laura Kenner
References
[1] CSA CISO Community, SANS, [un]prompted, and OWASP Gen AI Security Project, “The ‘AI Vulnerability Storm’: Building a ‘Mythos-ready’ Security Program,” Cloud Security Alliance, v1.0, May 1, 2026. https://labs.cloudsecurityalliance.org/wp-content/uploads/2026/05/mythosreadyv1.0.pdf
[2] CISA, NSA, ASD ACSC, Canadian Centre for Cyber Security, NCSC-NZ, NCSC-UK, “Careful Adoption of Agentic AI Services,” Joint Guidance, Apr. 30, 2026. https://media.defense.gov/2026/Apr/30/2003922823/-1/-1/0/CAREFUL%20ADOPTION%20OF%20AGENTIC%20AI%20SERVICES_FINAL.PDF
[3] Anthropic Red Team, “Mythos Preview: Technical Disclosure,” Anthropic, Apr. 2026. https://red.anthropic.com/2026/mythos-preview/
[4] C. Hughes, “The Vulnpocalypse Is Here. Now What?” Presentation, CSA Agentic AI Security Summit, May 2026. [Slide deck, on file]
[5] AISLE, “AI Cybersecurity After Mythos: The Jagged Frontier,” AISLE, Apr. 2026. https://aisle.com/blog/ai-cybersecurity-after-mythos-the-jagged-frontier
[6] S. Epp et al., Zero Day Clock, Mar. 2026. https://zerodayclock.com
[7] IBM, “The Mythos Moment When Discovery Outpaces Defense,” IBM Think Insights, Apr. 2026. https://www.ibm.com/think/insights/the-mythos-moment-when-discovery-outpaces-defense
[8] C. Hughes, Resilient Cyber Newsletter, Issues #92-#96, Apr.-May 2026. https://www.resilientcyber.io
[9] Picus Security, “The Glasswing Paradox: The Thing That Can Break Everything Is Also The Thing That Fixes Everything,” Picus Security Blog, Apr. 2026. https://www.picussecurity.com/resource/blog/anthropics-project-glasswing-paradox
[10] Trusona, “Prevent the Next $100M MGM-Style Breach,” Trusona Blog, Oct. 9, 2025. https://www.trusona.com/blog/prevent-mgm-style-breach
[11] 3CX, “Security Update Thursday 20 April 2023 -- Initial Intrusion Vector Found,” 3CX Blog, Apr. 20, 2023. https://www.3cx.com/blog/news/mandiant-security-update2/
[12] D. S. Cox, “Mythos, Legends, and Outright Lies,” Angles of Attack: The AI Security Intelligence Brief, Edition 49, May 6, 2026. https://disesdi.substack.com/p/mythos-legends-and-outright-lies
[13] Gartner, Inc., “Gartner Identifies the Top Cybersecurity Trends for 2026,” Press Release, Feb. 5, 2026. https://www.gartner.com/en/newsroom/press-releases/2026-02-05-gartner-identifies-the-top-cybersecurity-trends-for-2026
[14] J. D’Hoinne and D. Zumerle, “How to Secure Enterprise Agentic AI Ambition,” Gartner Research, Jan. 5, 2026. [Gartner client access]
[15] OWASP GenAI Security Project, “OWASP Top 10 for Agentic Applications 2026,” Agentic Security Initiative, Dec. 2025. https://genai.owasp.org/initiatives/agentic-security-initiative/
[16] K. Huang, “What a Secure Harness for Agentic AI Actually Is,” Agentic AI (Substack), May 6, 2026. https://kenhuangus.substack.com/p/what-a-secure-harness-for-agentic
[17] S. Rao, “Why Ransomware Attacks Succeed Even When Backups Exist,” BleepingComputer, sponsored by Acronis, May 2026. https://www.bleepingcomputer.com/news/security/why-ransomware-attacks-succeed-even-when-backups-exist/
[18] Object First, “Object First Survey: 89% of IT Leaders Fear AI-Powered Cyberattacks Will Cost Them Their Data,” Press Release, Mar. 31, 2026. https://www.businesswire.com/news/home/20260331825488/en
[19] Veeam, cited in TechRadar, “Ransomware attackers are going after backup storage to force you to pay up,” TechRadar, 2025. https://www.techradar.com/news/ransomware-attackers-are-going-after-backup-storage-to-force-you-to-pay-up
[20] C. Hicks, C. Attridge, A. Janjeva and C. Ashurst, “Claude Mythos: What Does Anthropic’s New Model Mean for the Future of Cybersecurity?” CETaS Expert Analysis, Apr. 2026. https://cetas.turing.ac.uk/publications/claude-mythos-future-cybersecurity
[21] World Economic Forum and KPMG, “AI and Cyber: Empowering Defenders,” WEF White Paper, May 4, 2026. https://www.weforum.org/press/2026/05/new-report-shows-how-ai-gives-cybersecurity-competitive-advantage/



