“The ‘AI Vulnerability Storm’: Building a Mythos-ready Security Program” was just issued by the Cloud Security Alliance (CSA) CISO Community, co-authored with SANS, [un]prompted, the OWASP Gen AI Security Project and several CISOs. (See direct links at bottom.)
The Strategy Brief recognizes the increased likelihood of attackers discovering new vulnerabilities, creating new exploits, and using them in complex automated attacks at scale; it offers advice for dealing with the spike in risk and lays out some immediate steps to ready organizations for the next waves of threats.
Some industry experts have provided commentary below.
George McGregor, VP, Approov (mobile app security expert):
“While it’s good to raise visibility and encourage CISOs to have a “Mythos ready plan”, the CSA briefing is far from complete in terms of what that plan must contain, and doesn’t give a sense of the priorities of different steps which should be taken.
“For example, the focus on accelerating finding and patching vulnerabilities (by using AI!) may take too much time to be effective, and improved incident management is laudable but doesn’t address the immediate problem either.
“The briefing does mention reviewing identity and access management – that should be strengthened AND should include an enhanced focus on urgently putting in place additional methods to STOP vulnerabilities being exploited in the short term.
“There are appropriate and effective Zero Trust approaches which should be put in place immediately, and this should be the first priority – specifically, run-time app and device attestation can block AI agents and permit the validation of every request at APIs and defend against API vulnerability exploitation.”
Sunil Gottumukkala, CEO of Averlon:
“It’s awesome to see so many industry leaders coming together to produce this guide under time pressure. The operational framing, risk register, and board-level talking points are genuinely useful.
“However, some diagnostic questions address the wrong near-term problem. The report focuses in part on whether the organization is using AI, whether employees have coding agent access, and whether they can contribute to open source. These are legitimate AI governance questions, but they’re largely irrelevant to the impending crisis. The threat from Mythos is external. Vulnerabilities are about to land in software every organization depends on, regardless of whether that organization has embraced AI internally or banned it. The diagnostic should ask: Can you patch critical systems in near real time? Do you have the ability to assess exploitability of a given vulnerability within your organization? Do you have a complete software inventory including dependencies? Can your team sustain a surge in patching and malicious activity simultaneously? Do you have pre-authorized containment actions? Those questions determine whether an organization survives the next wave. The AI adoption questions belong later, as enabling steps for longer-term resilience, not as the opening diagnostic.
“In terms of priorities, the strategy report leads with “Point Agents at Your Code and Pipelines” and “Require AI Agent Adoption” – two steps that are premature for most organizations. The first vulnerabilities to hit won’t be in proprietary code at the onset. They’ll be in vendor software and open source components that organizations consume.
“The fifth, seventh and eighth priorities (Continuous Patching and Inventory, Reducing Attack Surface and Hardening Your Environment), and the 11th (VulnOps) directly address the incoming threat and should be considered first. AI tooling accelerates all of these, but it doesn’t replace any of them.
“The report correctly identifies AI adoption as how defenders close the gap long-term, but sequencing should reflect what CISOs need first: know what you have, patch it fast, harden what you can’t patch, and build the operational muscle to sustain that pace.”
Doc McConnell, Head of Policy, Finite State (former CISA Branch Chief, former Senior Advisor for Cybersecurity Policy, Office of Management and Budget [OMB], Executive Office of the President):
“The scenarios that Mythos enables aren’t routine. AI is a ratchet wrench for cybersecurity—it only goes in one direction: faster. It enables security teams to respond to incidents more quickly, but as the CSA report lays out, it also increases the volume and severity of those incidents.
“Sure, the basics still apply – building security into the product lifecycle, accelerating the patch cycle, making sure that cybersecurity is central to your company’s risk management and long-term strategy. What’s changed is that the traditional advice to “do the basics, but faster” is no longer sufficient. The report is right – regardless of how skilled your technical team, humans simply can’t go fast enough to keep up with AI.
“We work primarily with connected device manufacturers – companies that are building the technology that underpins critical infrastructure, manufacturing, medical devices. Mythos is particularly important for those types of devices, because malfunctions or malicious behavior can cost lives.
“Here are three things I believe companies must do.
“First, security has to move to the very beginning of the product lifecycle. If you’re waiting until a CVE drops to find out whether your product is affected, you’re already behind. Binary analysis and software composition analysis need to happen continuously from the very first stages of design and development – not as a “final check” when the features are final and the release is scheduled.
“Second, security needs to keep pace with product development, even as companies accelerate development with AI. That means a real-time SBOM, with automated reachability analysis for new vulnerabilities so that they can confidently prioritize the fixes that matter most.
“Finally, companies need to understand that even in a capable security environment, incidents will still happen. When they do, defenders need to match attacker speed. That means an automated vulnerability and incident response capability that can triage, communicate, and coordinate remediation across a product portfolio without relying on manual investigation at each step. The EU Cyber Resilience Act assumes that companies will have this kind of capability in place when its vulnerability and incident reporting requirements come into force in September of this year.
“Companies need to act on this immediately: make it the top topic at your next Board meeting. If you don’t have this capability today, partner with a company that does. I applaud Anthropic and its partners in Project Glasswing for their approach to finding and fixing vulnerabilities. But we have to assume that if Anthropic is doing this loudly and responsibly, someone else is doing it quietly – and they may not have any interest in disclosing what they find.”
Uzair Gadit, CEO, Secure.com (developer of AI-native Digital Security Teammates):
“Mythos isn’t introducing new classes of risk, it’s compressing the time it takes to exploit them. That is a different problem entirely. The industry keeps responding with better checklists, but the issue isn’t coverage, it’s decision speed.”
“Mythos is the first credible signal that vulnerability discovery is shifting from human-paced to machine-paced. Most organizations’ defenses aren’t built for or ready for that.
“The CSA guidance is appropriate but reads like an incremental response to what is absolutely a non-incremental shift. The issue is applying steady-state security thinking to a system that is accelerating. That mismatch is where the risk sits. If your response to Mythos looks like your response to last year’s threats, you’re already behind.
“Mythos hype vs. reality: there’s likely some hype in the claims, but not in the direction in which cybersecurity’s traveling, and that distinction matters. Remember that the evidence isn’t fully public yet, so while some skepticism is justified, dismissing the threat certainly isn’t. True, some of the fear may be amplified, but it’s anchored in a real shift. This isn’t synthetic panic. FUD fills the gap when validation lags capability. That’s exactly where we are right now.”
“The constraint for defenders used to be finding issues, but now, it’s deciding what to fix, in what order, and deciding and doing it fast enough. Security teams are about to be measured on response velocity, not just coverage. Automated response with humans in the loop is about to become the minimum table stakes.”
“Security teams must stop optimizing for visibility and start optimizing for decision speed. The strongest security posture’s architecture will connect detection, prioritization, and action into a single loop.”
Noelle Murata, Chief Operating Officer, Xcape, Inc.:
“The emergence of Claude Mythos is not a routine product launch; it is a phase change that renders our current human-centric defense models mathematically obsolete. While the industry is used to the steady drip of vulnerabilities, we have never faced a scenario in which an autonomous model can chain exploits and identify thousands of zero-day flaws across every major OS in minutes, including a 27-year-old OpenBSD bug that survived decades of elite manual audits. The Y2K comparison is flawed because Y2K had a fixed deadline; Mythos represents a permanent, exponential acceleration. This is not a sales ploy or hype; it is a documented leap where a model outperformed human experts on the Firefox attack surface by a factor of 90.
“For security teams, responding with routine patching is a recipe for catastrophic failure. We must get creative and move beyond symmetrical AI defense. This means adopting deceptive infrastructure – deploying AI-generated honey-tokens and dynamic network paths that shift faster than a model can map them – and shifting from periodic scanning to continuous, agent-led remediation. We are entering an era where the only way to survive the speed asymmetry of a sub-24-hour exploit cycle is to automate the defense so thoroughly that the attacker is forced to hack a moving target. This is an issue of asymmetric cyber warfare. The adversary has to be successful once, whereas the defenders must be successful every time.
“My takeaway: If your current vulnerability management strategy still involves a human clicking “Approve” on a Tuesday morning, you aren’t defending a network; you are managing a museum.”
If you want a look at this, you can sign up to download the paper here.
Certinia Launches Veda
Posted in Commentary with tags Certinia on April 15, 2026 by itnerd
Certinia today announced the launch of Veda: an enterprise-grade intelligent operations engine built to transform services organizations from reactive, manual workflows to autonomous professional services.
As Certinia’s suite of AI specialist agents and intelligent actions, Veda delivers rules-bound, trusted and ROI-focused autonomous workflows, combining Certinia’s decades of institutional memory with advanced AI reasoning. Built alongside Certinia’s leading Professional Services (PS), Customer Success (CS), and Financial Management (FM) Cloud solutions, Veda’s flexibility allows it to be accessed through, and seamlessly integrated into, existing business workflows to drive immediate and measurable value.
A Modern AI Engine for a Transforming Industry
Professional services firms are struggling to achieve AI adoption and ROI with generic AI tools, models, and point solutions just as the industry hits a structural inflection point, driven by a mandate to move beyond AI curiosity toward strictly defined, tangible use cases. Services organizations also face mounting pressure to shrink the quote-to-revenue cycle and shift from billable-hour models toward outcome-based pricing, creating demand for a new class of infrastructure that fragmented, legacy systems were never built to support.
Veda answers this need with production-ready AI solutions grounded in Certinia’s deep domain expertise, eliminating the manual tax on teams to deliver measurable, evidence-based growth. As the AI engine powering Certinia’s portfolio, Veda orchestrates a hybrid operational model where specialist AI agents bring reasoning, judgment, and execution to services operations, working alongside human experts so they can focus on the strategic work and decisions that move the business forward — together redefining the unit economics of profitable service management.
Where generic AI platforms rely on a single generalist model, Veda is purpose-built and domain-specific. At its core is the industry’s only suite of specialist AI agents, each grounded and permissioned for a distinct functional domain, making it the only intelligent services operations engine in the PSA category built specifically for the complexity of services delivery and management. These agents operate across two integrated layers: generative intelligence that surfaces insights and synthesizes complex data into clear narratives, and specialist AI agents that execute tasks, orchestrate workflows, and drive outcomes end-to-end.
Veda in Action
The Veda suite of AI specialist agents and intelligent actions delivers proven and demonstrable ROI for each core team across the complete services lifecycle. Where Certinia’s core solutions already set a high bar for operational performance, Veda acts as the force multiplier that maximizes tangible value across the entire business.
With intelligence embedded across the services journey, Veda ensures insights are never siloed within a single department. Users interact with Veda through natural language, and the system routes each request to the appropriate specialist agent to execute the task, meeting users where they work, whether inside Certinia or in collaboration tools such as Slack and Microsoft Teams.
Veda’s agent suite covers the full breadth of services operations, from estimation and resourcing to delivery, financials, customer success, health monitoring, and customer lifecycle orchestration. Together, they give firms the context and execution capability to move faster, operate with greater precision, and scale with confidence.
Built for Enterprise Scale and Value
AI adoption moves at the pace of trust. Veda combines the power of advanced AI reasoning with domain-specific context and intelligence, grounded in Certinia’s decades of institutional memory and services-specific ontology, to deliver autonomous operations and outcomes that are deterministic, rules-bound, and auditable — trusted AI built for the complexity of real services organizations.
Beyond its generative and agentic capabilities, Veda is engineered to solve traditional barriers to AI adoption through an architecture that prioritizes flexibility and long-term value. A single Veda subscription ensures universal access to Certinia’s entire evolving AI suite, giving teams access to Certinia’s latest AI capabilities through a transparent consumption model that pairs per-user fees with usage-based scaling, ensuring a predictable path to ROI that aligns directly with actual business output.
Veda is available today to organizations ready to transition from reactive delivery to autonomous operations. To see Veda in action inside real services workflows, join Certinia for a live webinar on Wednesday, April 22 at 10:45 AM EDT. Register here or visit Certinia.com for more information.