Claude Mythos found what 27 years of human review missed. Now what?
I have been doing security work long enough to develop a reliable instinct for when the industry is performing alarm versus when something has genuinely shifted. The week of April 7, 2026 was not theatre.

Anthropic published a system card for a model it chose not to release. The model, Claude Mythos Preview, had identified thousands of previously unknown vulnerabilities across major operating systems and browsers during a short testing period. It found a flaw in OpenBSD that had gone undetected for 27 years. It found issues in FFmpeg, a library embedded in a staggering portion of the internet’s media infrastructure. And it did not just catalogue individual bugs: it autonomously chained multiple vulnerabilities into working exploit chains, with limited human guidance.
None of this was the result of specialized offensive training. The capabilities emerged from general improvements in reasoning and coding, an observation Anthropic’s own red team emphasized. The same architecture that makes Mythos better at patching vulnerabilities also makes it better at exploiting them. That dual-use quality is what separates this moment from every previous round of “AI will change security” announcements.
Project Glasswing: a coordinated head start
Rather than shelving the model or releasing it openly, Anthropic set up a controlled industry initiative called Project Glasswing, restricting access to roughly 50 organizations. The twelve founding partners include Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, among others.
The logic is straightforward: before a model capable of generating exploit chains at scale becomes broadly available, the companies responsible for maintaining the world’s most critical software get a window to find and fix what it surfaces. Over 99% of the vulnerabilities Mythos identified have not yet been patched, which is why they cannot be disclosed publicly.
What makes this arrangement uncomfortable is what it concedes: AI is now good enough at offensive security that releasing a model broadly constitutes a genuine risk calculation. This is no longer a theoretical discussion at RSA panels. It is an operational constraint shaping product launch decisions at one of the leading AI labs.
The caution is not unfounded. During testing by the UK’s AI Safety Institute, Mythos scored 73% on expert-level CTF tasks that no model could complete before April 2025, and, perhaps more tellingly, autonomously escaped its containment structure and connected to the Internet during evaluation. A model that can find its way out of a sandbox is a model you do not release casually.
OpenAI’s counter-move and the race it confirms
One week after Mythos, OpenAI released GPT-5.4-Cyber, a fine-tuned variant of GPT-5.4 with lowered refusal boundaries for legitimate security work and new binary reverse engineering capabilities that let analysts inspect compiled software without source access. Distribution runs through Trusted Access for Cyber (TAC), a program OpenAI launched in February that uses identity verification to gate access: hundreds of vetted defenders initially, scaling to thousands. The model builds on Codex Security, which since its research preview has contributed to over 3,000 critical and high-severity fixes across open-source projects. GPT-5.4-Cyber goes further, removing the refusal guardrails that prevented earlier models from performing the kind of deep offensive analysis that real security work demands.
The contrast with Anthropic’s approach is instructive. Anthropic withheld its model entirely and restricted access to roughly 50 organizations through a curated partnership. OpenAI chose the opposite vector: fine-tune an existing model for cyber, then expand access through automated KYC rather than invitation. Both labs reached the same conclusion (these capabilities need controlled distribution) but drew the boundary in very different places.
The competitive dynamic matters for a practical reason. As Bloomberg reported, the US Treasury convened Wall Street executives and Federal Reserve officials to discuss Mythos within days of the announcement, and is itself seeking direct access to the model. When frontier AI labs race to release cyber-capable models and governments scramble to obtain them, the question is no longer whether these capabilities will proliferate. It is how fast, and under what constraints.
The market processed the implications in real time. On April 9, the S&P 500 Software and Services Index dropped 2.6% in a single day, extending its 2026 decline to 25.5%. CrowdStrike lost around 8%; Cloudflare fell more than 13%. As Forbes documented, the selloff conflated two different things: the threat AI poses to software security, and the threat AI poses to cybersecurity companies. The distinction matters for anyone trying to think clearly about what comes next.
When Claude Code Security was announced in February, I wrote about the structural shift of embedding security analysis directly into development workflows, and the repricing it triggered in the same stocks. Mythos and GPT-5.4-Cyber extend that shift from code scanning to autonomous exploitation, from detection to weaponization.
From 771 days to four hours
The numbers that should anchor any CISO conversation about Mythos come from the Zero Day Clock, a live threat intelligence project by Sergej Epp (CISO at Sysdig) tracking over 3,500 CVE-exploit pairs. In 2018, the median time from vulnerability discovery to active exploitation was 771 days. By 2024, it had collapsed to under four hours. The 2026 projection is under one hour.
The raw speed is alarming, but the structure underneath is worse. As Bishop Fox notes in their analysis, 67% of actively exploited CVEs in 2026 are weaponized before or on the same day as public disclosure. Defenders are acting on information that is already stale when it arrives.
Epp frames this through what he calls Verifier’s Law: offensive verification is binary and instant (the exploit works or it does not), while defensive verification is ambiguous, expensive, and slow. AI amplifies this structural asymmetry. Mythos did not create it, but it removed the last friction that was keeping it manageable.
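The Zero Day Clock metrics above (median time to exploitation, and the share of CVEs weaponized on or before disclosure) are simple enough to compute from any CVE/exploit dataset a team already keeps. The following is an added example, not code from the Zero Day Clock project or from Sysdig: it runs those two measures, plus a check against an assumed patch SLA, over a small set of constructed CVE/exploit pairs with placeholder identifiers and timestamps.

```python
from datetime import datetime
from statistics import median

# Constructed sample of CVE/exploit pairs. Identifiers and timestamps are
# placeholders, not real records. "disclosed" is the public disclosure time,
# "exploited" is the first observed in-the-wild exploitation.
SAMPLE_PAIRS = [
    {"cve": "CVE-0000-0001", "disclosed": "2026-03-02T09:00Z", "exploited": "2026-03-01T22:00Z"},
    {"cve": "CVE-0000-0002", "disclosed": "2026-03-03T14:00Z", "exploited": "2026-03-03T16:30Z"},
    {"cve": "CVE-0000-0003", "disclosed": "2026-03-04T08:00Z", "exploited": "2026-03-09T08:00Z"},
    {"cve": "CVE-0000-0004", "disclosed": "2026-03-05T10:00Z", "exploited": "2026-03-05T10:00Z"},
    {"cve": "CVE-0000-0005", "disclosed": "2026-03-06T12:00Z", "exploited": "2026-03-20T12:00Z"},
    {"cve": "CVE-0000-0006", "disclosed": "2026-03-07T00:00Z", "exploited": "2026-03-07T03:00Z"},
]


def _parse(ts: str) -> datetime:
    # %z accepts the trailing "Z" for UTC (Python 3.7+)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M%z")


def hours_to_exploit(pair: dict) -> float:
    """Hours from public disclosure to first observed exploitation.
    Negative means exploitation was seen before disclosure (a true zero-day)."""
    delta = _parse(pair["exploited"]) - _parse(pair["disclosed"])
    return delta.total_seconds() / 3600


def median_hours_to_exploit(pairs: list) -> float:
    """The headline Zero Day Clock figure: median disclosure-to-exploitation time."""
    return median([hours_to_exploit(p) for p in pairs])


def share_weaponized_by_disclosure(pairs: list) -> float:
    """Fraction of pairs exploited on or before the calendar day of disclosure."""
    hits = sum(
        1 for p in pairs
        if _parse(p["exploited"]).date() <= _parse(p["disclosed"]).date()
    )
    return hits / len(pairs)


def patch_window_exceeded(pairs: list, window_hours: float) -> list:
    """CVEs where observed exploitation beat an assumed patch SLA (in hours),
    i.e. the ones a fixed patch window would not have covered."""
    return [p["cve"] for p in pairs if hours_to_exploit(p) < window_hours]


if __name__ == "__main__":
    print(f"median hours to exploit: {median_hours_to_exploit(SAMPLE_PAIRS):.2f}")
    print(f"weaponized by disclosure day: {share_weaponized_by_disclosure(SAMPLE_PAIRS):.0%}")
    print("beat a 72h patch SLA:", patch_window_exceeded(SAMPLE_PAIRS, 72))
```

Replacing SAMPLE_PAIRS with real records from a vulnerability tracker gives the same two numbers the article quotes, measured for the CVEs that actually matter to your estate, and the SLA check is the concrete input a risk register needs when the patch window is recalibrated from weeks to hours.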
Mythos did not arrive in a vacuum
One aspect that most coverage has underplayed is the escalation timeline leading up to April 7. A detailed analysis by ICT Security Magazine, drawing on the CSA document “The AI Vulnerability Storm” produced by over 60 senior security professionals and reviewed by 250+ CISOs globally, reconstructs a progression that makes the Mythos announcement look less like a surprise and more like an inevitability.
June 2025. XBOW became the first autonomous system to top HackerOne’s US reputation ranking, with over 1,060 vulnerabilities reported.
August 2025. Google’s Big Sleep flagged 20 zero-days in open-source software. Days later, at DEF CON 33, DARPA AIxCC finalists found 54 vulnerabilities analyzing 54 million lines of code in four hours each.
November 2025. Anthropic disclosed the GTG-1002 campaign: a state-sponsored actor had used jailbroken Claude Code to run 80-90% of offensive operations against 30+ organizations with minimal human oversight. The first documented large-scale attack orchestrated primarily by AI.
January 2026. AISLE independently discovered all twelve vulnerabilities in a coordinated OpenSSL release, including bugs dating back to the SSLeay codebase of the late 1990s.
February 2026. AI-generated bug reports to the Linux kernel jumped from two to ten per week. Unlike earlier waves, they were all verified as real.
Framing Mythos as a singular event misses the structural shift. The capability was building across multiple labs and open-source projects simultaneously. Alex Stamos, former CSO at Facebook and currently at AI security firm Corridor, has been saying it directly: comparable capabilities will become more broadly accessible through open-weight models on relatively short timelines. GPT-5.4-Cyber’s release, one week after Mythos, shows the proliferation is already underway through commercial labs, before open-weight models even enter the picture. The Glasswing window is real, but temporary. Anthropic itself estimates six to eighteen months.
What breaks in practice
For security teams, the operational impact lands in three places.
The testing cadence is obsolete. Annual penetration tests were designed for a world where complexity provided friction. Quarterly assessments assumed attackers faced similar scaling constraints. Both assumptions are dead. The CSA document is blunt: organizations should be building toward continuous validation now, not deferring it to a future roadmap.
Triage becomes the bottleneck, not discovery. AI can now generate findings at a volume that overwhelms human review capacity. The question a CISO should be asking is not “how many vulnerabilities did we find?” but “which ones represent real, exploitable risk in our environment, and in what order do we address them?” That requires application architecture knowledge, business context, and attack surface awareness that no model provides on its own. The human role shifts from finder to prioritizer, and organizations that fail to invest in triage capacity will drown in unactioned reports.
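To make the point about triage concrete: the ordering a scanner produces (by severity score) and the ordering that reflects real, exploitable risk in a given environment are usually different. The following added example, not from the CSA document or any vendor, ranks a constructed set of findings with an assumed weighting that folds in exploit availability, exposure, asset criticality and compensating controls. The weights are illustrative assumptions; the point is that context, not the raw score, decides the queue order.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    finding_id: str
    cvss: float                 # scanner severity, 0-10
    exploit_public: bool        # working exploit or chain is publicly known
    internet_exposed: bool      # reachable from outside the perimeter
    asset_tier: int             # 1 = business-critical, 2 = standard, 3 = low value
    compensating_control: bool  # e.g. egress filtering blocks the exploit path


# Assumed weighting: exploit availability and exposure multiply the base score,
# asset tier scales it, and a verified compensating control halves it.
TIER_WEIGHT = {1: 1.5, 2: 1.0, 3: 0.6}


def risk_score(f: Finding) -> float:
    """Context-adjusted score; higher means fix sooner."""
    score = f.cvss
    if f.exploit_public:
        score *= 1.5
    if f.internet_exposed:
        score *= 1.5
    score *= TIER_WEIGHT[f.asset_tier]
    if f.compensating_control:
        score *= 0.5
    return round(score, 2)


def by_cvss(findings: list) -> list:
    """What a scanner report shows: severity alone."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def prioritize(findings: list) -> list:
    """What the remediation queue should look like: severity in context."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed findings (not real vulnerabilities). F-1 is a critical-rated bug on an
# isolated low-value host with a compensating control; F-2 is a high-rated bug on an
# internet-facing business-critical system with a public exploit.
SAMPLE_FINDINGS = [
    Finding("F-1", cvss=9.8, exploit_public=False, internet_exposed=False, asset_tier=3, compensating_control=True),
    Finding("F-2", cvss=7.5, exploit_public=True, internet_exposed=True, asset_tier=1, compensating_control=False),
    Finding("F-3", cvss=8.8, exploit_public=True, internet_exposed=False, asset_tier=2, compensating_control=False),
    Finding("F-4", cvss=5.3, exploit_public=False, internet_exposed=True, asset_tier=1, compensating_control=False),
]


if __name__ == "__main__":
    print("scanner order:  ", [f.finding_id for f in by_cvss(SAMPLE_FINDINGS)])
    print("triage order:   ", [(f.finding_id, risk_score(f)) for f in prioritize(SAMPLE_FINDINGS)])
```

On this sample the scanner puts F-1 first and F-2 third; the context-aware ranking inverts that, which is exactly the judgement the article says no model supplies on its own. The fields that drive the inversion (exposure, asset tier, compensating controls) have to come from asset inventory and architecture knowledge, so the practical investment is in keeping that data current, not in the scoring formula.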
Every patch becomes an exploit blueprint. This is the point the CSA document makes that I have seen too few people internalize: AI accelerates patch-diffing and reverse engineering of fixes in minutes. The old assumption that publishing a patch buys defenders time, because exploitation still requires manual effort, falls apart when a model can read the diff and generate an exploit before most organizations have scheduled the update.
The 99% number and what it really tells us
Anthropic’s red team reported that over 99% of the vulnerabilities Mythos found remain unpatched. That number says more about the state of software infrastructure than about Mythos. Thousands of real, exploitable flaws sit in systems maintained by the most technically capable organizations in the industry, in code that has been in production for decades.
The security industry has long operated on an implicit bet: that truly dangerous vulnerabilities require rare human expertise to find and chain. Mythos calls that bet.
The CSA document raises a related governance problem that deserves more attention: the risk models most organizations bring to their boards are built on pre-AI assumptions. Patch windows measured in weeks. Exploitation requiring specialized skills. Incident frequency within manageable bounds. A CISO who presents metrics calibrated for that world is providing governance cover, not risk management. With the EU AI Act entering application in August 2026, the standard for what constitutes reasonable defensive effort is shifting, and boards that have not updated their models face direct liability exposure.
Burnout is not a welfare issue
There is a dimension to this that the CSA document handles with unusual honesty for a strategic framework: the human toll.
Security teams are caught in a real vice. AI simultaneously increases the frequency of vulnerability disclosures they must respond to, the volume of code their organizations produce, and the overall attack surface. This happens while professionals face genuine uncertainty about the evolution of their own roles. Vulnerability researchers in particular are watching AI systems autonomously identify bug classes that took them years of specialization to master.
Burnout in security is not a welfare issue. It is an operational risk. The skills needed to navigate this transition take years to develop, cannot be replaced quickly, and are globally scarce. Organizations that treat team resilience (sustainable workload, mental health support, retention) as a strategic priority alongside technical controls will be structurally more durable than those that simply stack AI tooling on top of already-stretched teams.
From my own experience managing security operations, the gap between what tooling can surface and what a team can realistically process was already painful before Mythos. What is coming will force a reckoning that many organizations have been postponing.
And the burden will not fall evenly. Wendy Nather’s concept of the Cyber Poverty Line, the threshold below which organizations lack the minimum resources to defend themselves effectively, becomes sharply more relevant when AI-powered attacks scale freely while defensive tooling still costs enterprise budgets. The Glasswing partners have the resources to absorb a surge in vulnerability findings. Most organizations do not. For smaller teams, the CSA document points to collective defense networks (national CSIRTs, ISACs, threat intelligence sharing groups) as the most realistic path to closing the gap.
Three moves before the next board meeting
The CSA document outlines 11 prioritized actions across time horizons from this week to twelve months. Three stand out as immediate.
Point AI at your own code now. Run frontier models against your codebase and CI/CD pipelines. Not as an experiment, but as standard practice with mandatory oversight. The channels now exist: OpenAI’s Trusted Access for Cyber is open to verified defenders, Glasswing partners are already receiving Mythos findings, and Codex Security covers open-source scanning at no cost. Waiting means falling further behind attackers who are already using these tools.
Update your risk models before the next board meeting. If your risk register still assumes patch windows of weeks and exploitation requiring specialized human skills, it describes a world that no longer exists. Recalibrate around hours, not days. Factor in AI-assisted attack chains. Present numbers that reflect actual exposure.
Harden the layers that AI cannot shortcut. The Anthropic red team’s own testing showed that defense-in-depth measures imposing hard barriers (KASLR, W^X, egress filtering, network segmentation) remain effective even against model-assisted adversaries. Mitigations whose value comes from friction rather than from actual barriers are the ones that erode fastest. Egress filtering alone blocked every public Log4j exploit. These are not new recommendations, but their priority ranking has changed.
Looking further out, the CSA framework introduces a concept worth adopting: VulnOps, a permanent function modeled on DevOps but dedicated to continuous vulnerability research and autonomous remediation. Discovery running against your own codebase and third-party dependencies, with a remediation pipeline designed around triage discipline from day one.
There is also a dimension that extends beyond any single organization’s perimeter. Open-source maintainers, often volunteers, are already being hit by the early wave. The curl project shut down its bug bounty program after being flooded with low-quality AI-generated reports, only to see a recent reversal as report quality improved. That whiplash is going to become common. Open-source foundations and the companies that depend on their code need to figure out who absorbs the triage cost when AI-driven discovery scales faster than maintainer capacity. This is a supply chain problem dressed as a tooling problem.
Compressing the defender’s loop
Every new capability like Mythos sharpens the same asymmetry that Epp’s Verifier’s Law describes: defenders need expensive, ambiguous confirmation that a system is secure; attackers need a single binary signal. Every improvement in AI reasoning benefits the faster feedback loop disproportionately.
The response cannot be to match attackers at their own game. It has to be compressing the defender’s verification loop: continuous testing, automated triage, pre-approved remediation playbooks, and honest measurement of the gap between what is testable and what is actually being tested.
Mythos made that gap impossible to ignore. The competitive race that followed, with GPT-5.4-Cyber released within days and governments scrambling for access, confirms that the proliferation clock is already running. For those willing to look at the gap clearly, the visibility this moment has forced may be the most valuable thing to come out of April 2026.