The Vulnerability Reckoning. What Mythos tells us about the security landscape we have built.
We have always known the bugs were there.
Not the ones we found and patched, the ones nobody had found yet. The ones sitting quietly in code that was written before some of your security team were born, running in systems that have never been seriously tested, doing their job reliably enough that nobody thought to question what else they might be doing.
This week Anthropic confirmed what some of us in security have quietly understood for some time. Their Claude Mythos model, currently available only to a small group of partner organisations through Project Glasswing, found a 27-year-old vulnerability in OpenBSD and a 16-year-old flaw in FFmpeg, along with zero-day vulnerabilities in every major operating system and every major browser. These are bugs that survived decades of human review and millions of automated security tests, found autonomously and exploited in hours.
Anthropic deserves credit for saying publicly that this could cause serious damage in the wrong hands. Most organisations in their position would not have said it. The fact that they did says something important about how seriously they are taking the implications.
But this is not really a story about an AI model. It is a story about the security landscape we have collectively built, and the assumptions we have been making about it.
We have always been running on borrowed time.
The security industry has a complicated relationship with the truth about vulnerabilities. We talk about risk management, acceptable risk and residual risk, and those are legitimate concepts, but underneath all of that framing is a simpler reality. We have always known that software contains bugs we have not yet found. We have always known that some of those bugs are serious. We have always assumed that finding them required a level of expertise and effort that provided a practical barrier to exploitation.
Mythos does not create a new category of problem. It removes a barrier that we have all been quietly relying on, for a very long time.
The window between a vulnerability being discovered and being exploited has been collapsing for years. AI accelerates that collapse dramatically. Where a skilled penetration tester might take weeks to develop a working exploit, Mythos has been doing it in hours. That is not an incremental improvement. That is a structural change in the threat landscape.
This is the second wake up call. The first has not been answered.
Quantum decryption of recorded TLS sessions is coming. The timeline is moving faster than most organisations are comfortable admitting, and there is a specific reason to be concerned right now rather than in some abstract future. TLS traffic is being captured today, at scale, by state actors who cannot decrypt it now but intend to when the capability arrives, a pattern usually called harvest now, decrypt later. What is exposed is every session whose keys were negotiated with RSA or elliptic-curve key exchange, which until very recently meant almost all of them. If that traffic contains something important, credentials, personal data, sensitive communications, the fact that it was encrypted when it was captured will not protect it once it can be decrypted, whether that is in two or three years or somewhat later.
Most organisations are not thinking about this. Most have not started the work of identifying which of their systems are most exposed or planning the migration to post-quantum cryptography, a migration that has to begin with key exchange, because the key exchange is what a harvested session depends on. It is too abstract, too distant, too technical to make it onto a board agenda when there are budget pressures and operational priorities competing for attention.
Now add Mythos-class capabilities into that picture. Two industry-defining threats to enterprise security, both known about, both being addressed too slowly, both converging on a landscape where most organisations do not have complete visibility of their own IT estate.
The organisations that will weather this are the ones that know what they have.
We have been here before. Heartbleed. Log4Shell. Spectre and Meltdown. Each one was going to be the end of enterprise security as we knew it. We patched, we adapted, we got on with it. We are all still here.
That track record is not a reason for complacency. It is a reason for perspective. The response to each of those events worked, where it worked, because organisations knew what they were running. They could identify affected systems, prioritise by risk, and patch in a sequence that made sense. The ones that struggled were the ones that did not know their estate well enough to respond with confidence.
When Mythos-class tools reach the wrong hands, and they will, the same dynamic will play out at a scale and speed we have not experienced before. The organisations that are able to respond effectively will be the ones that already know every device, every application, every version running in their environment. Not approximately. Not based on a six-month-old audit. Actually knowing what is running now.
The ones that do not will be firefighting in the dark.
Clarity comes before confidence. Confidence enables capability.
There is a principle that underpins every effective security function I have seen in over twenty years of doing this work. You cannot be confident about your security posture if you are not clear about what you are protecting. And you cannot respond with capability if you do not have the confidence that comes from genuine clarity.
These are not abstract concepts. They are the practical foundation of everything else.
Clarity means knowing your IT estate. Every endpoint, every application, every version, every configuration. Not as a point in time snapshot but as a continuously updated picture of what is actually there.
Confidence means being able to make decisions based on that picture. When a critical vulnerability is disclosed, knowing within minutes which systems are affected, what the exposure looks like, and what needs to happen first.
Capability means having the processes, the tools, and the people to act on that confidence at speed. Isolation, patching, recovery, communication, all of it dependent on the first two being in place.
Most organisations have some version of capability. Many have partial confidence. Too few have genuine clarity. And in a world where the time between vulnerability discovery and exploitation is measured in hours rather than weeks, that gap is no longer acceptable.
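To make the confidence step concrete, here is a small added example, written for this article and not taken from any product or vendor code, that matches a disclosed advisory against an asset inventory and ranks the affected hosts for action. The inventory rows, the advisory, the package name acme-logging and the hostnames are all constructed sample data, and the assumption that the inventory records internet exposure and the time of each agent's last check-in is mine. It also flags stale records, because a host that has not reported in a day cannot honestly be counted as unaffected.

```python
"""Match a disclosed vulnerability against a live asset inventory.

Illustrative example written for this article (not vendor or product code).
The inventory, the advisory, the package names and the hostnames below are
constructed sample data. The inventory is assumed to record, per installed
package, whether the host is internet-facing and how long ago its agent
last reported.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Asset:
    host: str
    package: str
    version: str
    internet_facing: bool   # assumption: inventory records exposure
    last_seen_hours: int    # hours since the agent last reported in


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)


_PRE = {"alpha": 0, "beta": 1, "rc": 2}


def version_key(v):
    """Turn '2.14.1' or '2.0-beta9' into a sortable tuple.

    A pre-release sorts below the release it precedes, and '2.14'
    compares equal to '2.14.0'.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(alpha|beta|rc)(\d*))?", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    if m.group(2):
        pre = (_PRE[m.group(2)], int(m.group(3) or 0))
    else:
        pre = (9, 0)  # a release sorts after any pre-release tag
    return nums + pre


def is_affected(asset, adv):
    """True when the asset runs the advisory's package in [introduced, fixed)."""
    if asset.package != adv.package:
        return False
    k = version_key(asset.version)
    return version_key(adv.introduced) <= k < version_key(adv.fixed)


def triage(inventory, adv, stale_after_hours=24):
    """Return (affected, stale).

    affected: assets matching the advisory, most urgent first
              (internet-facing hosts before internal ones, then by name).
    stale:    hostnames whose last report is older than stale_after_hours;
              a 'not affected' verdict on these is only as good as the
              age of the record, so they need re-verification.
    """
    affected = sorted(
        (a for a in inventory if is_affected(a, adv)),
        key=lambda a: (not a.internet_facing, a.host),
    )
    stale = sorted({a.host for a in inventory if a.last_seen_hours > stale_after_hours})
    return affected, stale


# Constructed sample inventory and advisory (hypothetical names and versions).
INVENTORY = [
    Asset("web-01", "acme-logging", "2.14.1", True, 1),
    Asset("web-02", "acme-logging", "2.16.0", True, 2),
    Asset("batch-07", "acme-logging", "2.0-beta9", False, 3),
    Asset("batch-08", "acme-logging", "2.15.0", False, 30),
    Asset("db-03", "acme-db", "12.4", False, 1),
]
ADVISORY = Advisory("acme-logging", introduced="2.0-beta9", fixed="2.16.0")


if __name__ == "__main__":
    affected, stale = triage(INVENTORY, ADVISORY)
    for a in affected:
        where = "internet-facing" if a.internet_facing else "internal"
        print(f"PATCH {a.host:10} {a.package} {a.version} ({where})")
    for h in stale:
        print(f"VERIFY {h}: inventory record is stale")
```

The ordering is the whole point: with an up-to-date inventory the answer to "what do we patch first" is a query, not a meeting, and the stale list is the honest admission of where the picture has gaps.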
What comes next.
Anthropic has been honest about the implications of Mythos. The rest of the industry needs to be equally honest about the state of preparedness in the organisations they serve.
This is not a problem that resolves itself. It is not a problem that a new tool or a new policy or a new awareness campaign will fix on its own. It requires organisations to do the unglamorous foundational work of actually knowing what they have, before the next Mythos lands in the wrong hands and the clock starts ticking.
If this resonates with you, follow Auravere on LinkedIn and keep an eye on what we are building. The timing has never felt more relevant.

