Mythos Found the Bugs. Who Is Watching the Network?

Anthropic's Claude Mythos Preview has found thousands of zero-day vulnerabilities across every major operating system and every major web browser. It uncovered a 27-year-old flaw in OpenBSD. It chained four vulnerabilities into a working browser exploit that escaped both renderer and OS sandboxes. It did this with a prompt that essentially said: please find a security vulnerability in this program.

That is genuinely impressive. As someone who has spent a career in cybersecurity, I do not say that lightly. The ability to scan massive codebases and surface flaws that survived decades of human review represents a real capability shift. Project Glasswing, the initiative that puts this capability in the hands of major software vendors to harden their products, is a net positive for everyone who depends on that software. Which is everyone.

But I have seen this moment before. Not with AI, but with every major advance in vulnerability discovery. Fuzzing. Static analysis. Bug bounty programs. Formal verification. Each one was going to make software fundamentally safer. Each one did make software meaningfully safer. And each time, the security industry briefly believed we were approaching the end of the vulnerability problem.

We were not. We are not now.

The vulnerability fallacy

There is a persistent belief in cybersecurity that if we could just find and fix all the bugs, the problem would be solved. Mythos accelerates that dream dramatically. But the dream itself has a structural flaw: attackers do not need software vulnerabilities to compromise most organizations.

Eighty-two percent of intrusions are now malware-free. Attackers use stolen credentials, legitimate remote access tools, and living-off-the-land techniques that exploit trust relationships rather than code defects. They move laterally using the same protocols your administrators use. They escalate privilege through misconfiguration, not memory corruption. They persist through identity, not implants.

A perfectly patched environment is still vulnerable to a phishing email that harvests a valid credential. It is still vulnerable to a compromised contractor with legitimate VPN access. It is still vulnerable to an insider who knows where the sensitive data lives.

Mythos solves one important problem extremely well: finding flaws in source code. The problem most SOCs face every night is different. It is not that the software has bugs. It is that someone is already inside, using legitimate tools, and the detection stack cannot tell the difference between an administrator and an intruder.

Two different games

Source code security and network defense operate on fundamentally different assumptions.

Code-level security is about eliminating defects before deployment. It is preventive. It works on artifacts you control: your codebase, your dependencies, your build pipeline. AI models like Mythos will transform this work, and the volume of CVEs that flows downstream will increase substantially. Every organization running affected software will have more patches to apply, faster. That is progress, and it creates real work for security teams.

Network defense is about detecting and responding to adversaries who are already past the perimeter. It is operational. It works on behavior you observe: authentication patterns, lateral movement, privilege escalation, data access. The attacker is not exploiting a buffer overflow. They are using your own infrastructure against you. No amount of source code scanning addresses that problem because the attacker is not in the code. They are in the environment.

These are complementary disciplines, not substitutes. Fixing vulnerabilities reduces the attack surface. Detecting intrusions reduces the impact of the attacks that get through. Both matter. Neither alone is sufficient.

What AI actually changes for defenders

We use AI at CyberTrap. Our temporal AI correlates attacker behavior across time, identities, and assets to form analyst-ready cases. AI is central to how we turn raw SIEM data into high-confidence decisions. I am not skeptical of AI in security. I am skeptical of the idea that any single AI capability closes the problem.

Mythos finds vulnerabilities that humans missed for 27 years. That is extraordinary. But the AI models that will matter most for SOC teams are the ones that answer a different question: is someone hostile inside my network right now, and what are they doing?

That question cannot be answered by scanning source code. It requires observing behavior in a live environment, correlating events across time, and validating intent through mechanisms that produce certainty rather than probability. AI will help solve that problem too. But we are not there yet. Not fully. Simple answers like "the AI will handle it" are not enough when the reality is that most SOCs still cannot distinguish a compromised credential from a legitimate login.

The patch window problem

There is a practical dimension that deserves attention. Mythos will generate a large volume of new CVEs. Every vulnerability it discovers in Linux, Chrome, Windows, or a widely used library creates a patch that every organization running that software needs to apply.

The average enterprise already struggles with patch velocity. The gap between disclosure and patch application is measured in weeks or months, not hours. During that window, every published CVE is also a roadmap for attackers. AI-discovered vulnerabilities that enter the public record faster than organizations can remediate them create a temporary increase in exposure, not a decrease.

This is not a criticism of Mythos or Glasswing. It is a recognition that discovery without remediation velocity creates its own risk. The organizations that benefit most from this wave will be the ones that can patch at machine speed. The rest will need detection capabilities that do not depend on every system being perfectly patched, because they will not be.

The asymmetry gets worse

There is a harder question that the industry needs to confront. Mythos-class capabilities will not stay exclusively in the hands of defenders. Anthropic has restricted access to Mythos Preview and applied harmlessness training that reportedly reduced offensive task completion to near zero. That is responsible. But the capability trajectory is clear. Other models are improving along the same axes. The techniques are understood. It is a matter of time before adversaries have access to AI that finds exploitable vulnerabilities at comparable speed.

When that happens, the structural asymmetry between attackers and defenders gets significantly worse.

The asymmetry is already severe. An attacker needs to find one way in. One vulnerable service, one compromised credential, one misconfigured cloud resource. They can focus their entire effort on a narrow point of the attack surface. A defender has to protect everything. Every endpoint, every identity, every network path, every application, every integration, every third-party dependency. The attacker chooses the time, the target, and the technique. The defender has to be right everywhere, all the time.

AI-powered vulnerability discovery amplifies the attacker's advantage at the point where they are already strongest: finding the single weakness in a vast surface. An attacker with Mythos-class capability does not need to scan the entire internet randomly. They can target a specific organization's stack, find the flaw that applies to their environment, and develop a working exploit before the vendor has issued a patch. That is not hypothetical. That is the logical consequence of the capability Anthropic has demonstrated, applied by someone without safety constraints.

This does not make Mythos a mistake. It makes network-level defense more urgent. If the cost of finding an exploitable vulnerability drops toward zero, the value of detecting exploitation in progress goes up proportionally. The worse the asymmetry gets at the perimeter, the more critical it becomes to have confirmation of attacker intent inside the network itself.

What this means practically

If you run a SOC, three things are true simultaneously after Mythos.

First, your vulnerability management workload is about to increase. More CVEs, more patches, faster disclosure cycles. Budget and staff accordingly. This is real operational impact.

Second, your detection and response capability matters more, not less. As vulnerability discovery accelerates, the window between disclosure and exploitation compresses. Attackers will weaponize AI-found vulnerabilities faster than most organizations can patch them. The SOC needs to catch what gets through during that window, and that requires behavioral detection, not just signature updates.

Third, the attacks that already bypass your stack today, the credential abuse, the lateral movement, the slow-and-low intrusions that hide in your logs for months, are not addressed by better source code scanning at all. Those attacks exploit trust, not code. They require a fundamentally different detection architecture.

Fourth, the defender's disadvantage is about to grow. When AI-powered vulnerability discovery becomes available to adversaries, and it will, the cost of finding an entry point drops while the cost of defending every point stays the same. The organizations that survive that shift will be the ones that stopped relying on prevention alone and invested in detecting what gets through.

Progress, not the destination

Mythos is a genuine milestone. Anthropic has built something that shifts the economics of vulnerability research in favor of defenders, at least temporarily. Combined with Glasswing and the commitment from Apple, Google, Microsoft, Amazon, and Nvidia, this could meaningfully reduce the defect density of the software the world depends on.

But safer source code is one layer of a much deeper problem. The network is still there. The identities are still there. The attackers who do not need a zero-day because a stolen password works just fine are still there.

We have been finding and fixing vulnerabilities for decades. Every generation of tooling made software better. None of them made security operations unnecessary. AI will accelerate the fixing. It will not eliminate the need for watching.

The organizations that treat Mythos as a reason to invest more in vulnerability management are right. The organizations that treat it as a reason to invest less in detection and response will learn the same lesson the industry has learned every time a new prevention technology appeared: attackers adapt, and the network does not defend itself.