“The ‘AI Vulnerability Storm’: Building a Mythos-ready Security Program” was just issued by the Cloud Security Alliance (CSA) CISO Community, co-authored with SANS, [un]prompted, the OWASP Gen AI Security Project and several CISOs. (See direct links at bottom.)
The Strategy Brief recognizes the increased likelihood of attackers discovering new vulnerabilities, creating new exploits, and using them in complex automated attacks at scale, offers advice for dealing with the spike in risk, and offers some immediate steps to ready organizations for the next waves of threats.
Some industry experts have provided commentary below.
George McGregor, VP, Approov (mobile app security expert):
“While it’s good to raise visibility and encourage CISOs to have a “Mythos ready plan”, the CSA briefing is far from complete in terms of what that plan must contain, and doesn’t give a sense of the priorities of different steps which should be taken.
“For example, the focus on accelerating finding and patching vulnerabilities (by using AI!) may take too much time to be effective, and improved incident management is laudable but doesn’t address the immediate problem either.
“The briefing does mention reviewing identity and access management – that should be strengthened AND should include an enhanced focus on urgently putting in place additional methods to STOP vulnerabilities being exploited in the short term.
“There are appropriate and effective Zero Trust approaches which should be put in place immediately, and this should be the first priority – specifically, run-time app and device attestation can block AI agents and permit the validation of every request at APIs and defend against API vulnerability exploitation.”
Sunil Gottumukkala, CEO of Averlon:
“It’s awesome to see so many industry leaders coming together to produce this guide under time pressure. The operational framing, risk register, and board-level talking points are genuinely useful.
“However, some diagnostic questions address the wrong near-term problem. The report focuses in part on whether the organization is using AI, whether employees have coding agent access, and whether they can contribute to open source. These are legitimate AI governance questions, but they’re largely irrelevant to the impending crisis. The threat from Mythos is external. Vulnerabilities are about to land in software every organization depends on, regardless of whether that organization has embraced AI internally or banned it. The diagnostic should ask: Can you patch critical systems in near real time? Do you have the ability to assess exploitability of a given vulnerability within your organization? Do you have a complete software inventory including dependencies? Can your team sustain a surge in patching and malicious activity simultaneously? Do you have pre-authorized containment actions? Those questions determine whether an organization survives the next wave. The AI adoption questions belong later, as enabling steps for longer-term resilience, not as the opening diagnostic.
“In terms of priorities, the strategy report leads with “Point Agents at Your Code and Pipelines” and “Require AI Agent Adoption”- two steps that are premature for most organizations. The first vulnerabilities to hit won’t be in proprietary code at the onset. They’ll be in vendor software and open source components that organizations consume.
“The fifth, seventh and eighth priorities (Continuous Patching and Inventory, Reducing Attack Surface and Hardening Your Environment), and the 11th (VulnOps) directly address the incoming threat and should be considered first. AI tooling accelerates all of these, but it doesn’t replace any of them.
“The report correctly identifies AI adoption as how defenders close the gap long-term, but sequencing should reflect what CISOs need first: know what you have, patch it fast, harden what you can’t patch, and build the operational muscle to sustain that pace.”
Doc McConnell, Head of Policy, Finite State (former CISA Branch Chief, former Senior Advisor for Cybersecurity Policy, Office of Management and Budget [OMB], Executive Office of the President):
“The scenarios that Mythos enables aren’t routine. AI is a ratchet wrench for cybersecurity—it only goes in one direction: faster. It enables security teams to respond to incidents more quickly, but as the CSA report lays out, it also increases the volume and severity of those incidents.
“Sure, the basics still apply – building security into the product lifecycle, accelerating the patch cycle, making sure that cybersecurity is central to your company’s risk management and long-term strategy. What’s changed is that the traditional advice to “do the basics, but faster” is no longer sufficient. The report is right – regardless of how skilled your technical team, humans simply can’t go fast enough to keep up with AI.
“We work primarily with connected device manufacturers – companies that are building the technology that underpins critical infrastructure, manufacturing, medical devices. Mythos is particularly important for those types of devices, because malfunctions or malicious behavior can cost lives.
“Here are three things I believe companies must do.
“First, security has to move to the very beginning of the product lifecycle. If you’re waiting until a CVE drops to find out whether your product is affected, you’re already behind. Binary analysis and software composition analysis need to happen continuously from the very first stages of design and development – not as a “final check” when the features are final and the release is scheduled.
“Second, security needs to keep pace with product development, even as companies accelerate development with AI. That means a real-time SBOM, with automated reachability analysis for new vulnerabilities so that they can confidently prioritize the fixes that matter most.
“Finally, companies need to understand that even in a capable security environment, incidents will still happen. When they do, defenders need to match attacker speed. That means an automated vulnerability and incident response capability that can triage, communicate, and coordinate remediation across a product portfolio without relying on manual investigation at each step. The EU Cyber Resilience Act assumes that companies will have this kind of capability in place when its vulnerability and incident reporting requirements come into force in September of this year.
“Companies need to act on this immediately: make it the top topic at your next Board meeting. If you don’t have this capability today, partner with a company that does. I applaud Anthropic and its partners in Project Glasswing for their approach to finding and fixing vulnerabilities. But we have to assume that if Anthropic is doing this loudly and responsibly, someone else is doing it quietly – and they may not have any interest in disclosing what they find.”
Uzair Gadit, CEO, Secure.com (developer of AI-native Digital Security Teammates) :
“Mythos isn’t introducing new classes of risk, it’s compressing the time it takes to exploit them. That is a different problem entirely. The industry keeps responding with better checklists, but the issue isn’t coverage, it’s decision speed.”
“Mythos is the first credible signal that vulnerability discovery is shifting from human-paced to machine-paced. Most organizations’ defenses aren’t built for or ready for that.
“The CSA guidance is appropriate but reads like an incremental response to what is absolutely a non-incremental shift. The issues is applying steady-state security thinking to a system that is accelerating. That mismatch is where the risk sits. If your response to Mythos looks like your response to last year’s threats, you’re already behind.
“Mythos hype vs. reality: there’s likely some hype in the claims, but not in the direction in which cybersecurity’s traveling, and that distinction matters. Remember that the evidence isn’t fully public yet, so while some skepticism is justified, dismissing the threat certainly isn’t. True, some of the fear may be amplified, but it’s anchored in a real shift. This isn’t synthetic panic. FUD fills the gap when validation lags capability. That’s exactly where we are right now.”
““The constraint for defenders used to be finding issues, but now, it’s deciding what to fix, in what order, and deciding and doing it fast enough. Security teams are about to be measured on response velocity, not just coverage. Automated response with humans in the loop is about to become the minimum table stakes.”
“Security teams must stop optimizing for visibility and start optimizing for decision speed. The strongest security posture’s architecture will connect detection, prioritization, and action into a single loop.”
Noelle Murata, Chief Operating Officer, Xcape, Inc.
“The emergence of Claude Mythos is not a routine product launch; it is a phase change that renders our current human-centric defense models mathematically obsolete. While the industry is used to the steady drip of vulnerabilities, we have never faced a scenario in which an autonomous model can chain exploits and identify thousands of zero-day flaws across every major OS in minutes, including a 27-year-old OpenBSD bug that survived decades of elite manual audits. The Y2K comparison is flawed because Y2K had a fixed deadline; Mythos represents a permanent, exponential acceleration. This is not a sales ploy or hype; it is a documented leap where a model outperformed human experts on the Firefox attack surface by a factor of 90.
“For security teams, responding with routine patching is a recipe for catastrophic failure. We must get creative and move beyond symmetrical AI defense. This means adopting deceptive infrastructure – deploying AI-generated honey-tokens and dynamic network paths that shift faster than a model can map them – and shifting from periodic scanning to continuous, agent-led remediation. We are entering an era where the only way to survive the speed asymmetry of a sub-24-hour exploit cycle is to automate the defense so thoroughly that the attacker is forced to hack a moving target. This is an issue of asymmetric cyber warfare. The adversary has to be successful once, whereas the defenders must be successful every time.
“My takeaway: If your current vulnerability management strategy still involves a human clicking “Approve” on a Tuesday morning, you aren’t defending a network; you are managing a museum.”
If you want a look at this, you can sign up to download the paper here.
CSA issues “Building a Mythos-ready Security Program”
Posted in Commentary with tags CSA on April 15, 2026 by itnerd“The ‘AI Vulnerability Storm’: Building a Mythos-ready Security Program” was just issued by the Cloud Security Alliance (CSA) CISO Community, co-authored with SANS, [un]prompted, the OWASP Gen AI Security Project and several CISOs. (See direct links at bottom.)
The Strategy Brief recognizes the increased likelihood of attackers discovering new vulnerabilities, creating new exploits, and using them in complex automated attacks at scale, offers advice for dealing with the spike in risk, and offers some immediate steps to ready organizations for the next waves of threats.
Some industry experts have provided commentary below.
George McGregor, VP, Approov (mobile app security expert):
“While it’s good to raise visibility and encourage CISOs to have a “Mythos ready plan”, the CSA briefing is far from complete in terms of what that plan must contain, and doesn’t give a sense of the priorities of different steps which should be taken.
“For example, the focus on accelerating finding and patching vulnerabilities (by using AI!) may take too much time to be effective, and improved incident management is laudable but doesn’t address the immediate problem either.
“The briefing does mention reviewing identity and access management – that should be strengthened AND should include an enhanced focus on urgently putting in place additional methods to STOP vulnerabilities being exploited in the short term.
“There are appropriate and effective Zero Trust approaches which should be put in place immediately, and this should be the first priority – specifically, run-time app and device attestation can block AI agents and permit the validation of every request at APIs and defend against API vulnerability exploitation.”
Sunil Gottumukkala, CEO of Averlon:
“It’s awesome to see so many industry leaders coming together to produce this guide under time pressure. The operational framing, risk register, and board-level talking points are genuinely useful.
“However, some diagnostic questions address the wrong near-term problem. The report focuses in part on whether the organization is using AI, whether employees have coding agent access, and whether they can contribute to open source. These are legitimate AI governance questions, but they’re largely irrelevant to the impending crisis. The threat from Mythos is external. Vulnerabilities are about to land in software every organization depends on, regardless of whether that organization has embraced AI internally or banned it. The diagnostic should ask: Can you patch critical systems in near real time? Do you have the ability to assess exploitability of a given vulnerability within your organization? Do you have a complete software inventory including dependencies? Can your team sustain a surge in patching and malicious activity simultaneously? Do you have pre-authorized containment actions? Those questions determine whether an organization survives the next wave. The AI adoption questions belong later, as enabling steps for longer-term resilience, not as the opening diagnostic.
“In terms of priorities, the strategy report leads with “Point Agents at Your Code and Pipelines” and “Require AI Agent Adoption”- two steps that are premature for most organizations. The first vulnerabilities to hit won’t be in proprietary code at the onset. They’ll be in vendor software and open source components that organizations consume.
“The fifth, seventh and eighth priorities (Continuous Patching and Inventory, Reducing Attack Surface and Hardening Your Environment), and the 11th (VulnOps) directly address the incoming threat and should be considered first. AI tooling accelerates all of these, but it doesn’t replace any of them.
“The report correctly identifies AI adoption as how defenders close the gap long-term, but sequencing should reflect what CISOs need first: know what you have, patch it fast, harden what you can’t patch, and build the operational muscle to sustain that pace.”
Doc McConnell, Head of Policy, Finite State (former CISA Branch Chief, former Senior Advisor for Cybersecurity Policy, Office of Management and Budget [OMB], Executive Office of the President):
“The scenarios that Mythos enables aren’t routine. AI is a ratchet wrench for cybersecurity—it only goes in one direction: faster. It enables security teams to respond to incidents more quickly, but as the CSA report lays out, it also increases the volume and severity of those incidents.
“Sure, the basics still apply – building security into the product lifecycle, accelerating the patch cycle, making sure that cybersecurity is central to your company’s risk management and long-term strategy. What’s changed is that the traditional advice to “do the basics, but faster” is no longer sufficient. The report is right – regardless of how skilled your technical team, humans simply can’t go fast enough to keep up with AI.
“We work primarily with connected device manufacturers – companies that are building the technology that underpins critical infrastructure, manufacturing, medical devices. Mythos is particularly important for those types of devices, because malfunctions or malicious behavior can cost lives.
“Here are three things I believe companies must do.
“First, security has to move to the very beginning of the product lifecycle. If you’re waiting until a CVE drops to find out whether your product is affected, you’re already behind. Binary analysis and software composition analysis need to happen continuously from the very first stages of design and development – not as a “final check” when the features are final and the release is scheduled.
“Second, security needs to keep pace with product development, even as companies accelerate development with AI. That means a real-time SBOM, with automated reachability analysis for new vulnerabilities so that they can confidently prioritize the fixes that matter most.
“Finally, companies need to understand that even in a capable security environment, incidents will still happen. When they do, defenders need to match attacker speed. That means an automated vulnerability and incident response capability that can triage, communicate, and coordinate remediation across a product portfolio without relying on manual investigation at each step. The EU Cyber Resilience Act assumes that companies will have this kind of capability in place when its vulnerability and incident reporting requirements come into force in September of this year.
“Companies need to act on this immediately: make it the top topic at your next Board meeting. If you don’t have this capability today, partner with a company that does. I applaud Anthropic and its partners in Project Glasswing for their approach to finding and fixing vulnerabilities. But we have to assume that if Anthropic is doing this loudly and responsibly, someone else is doing it quietly – and they may not have any interest in disclosing what they find.”
Uzair Gadit, CEO, Secure.com (developer of AI-native Digital Security Teammates) :
“Mythos isn’t introducing new classes of risk, it’s compressing the time it takes to exploit them. That is a different problem entirely. The industry keeps responding with better checklists, but the issue isn’t coverage, it’s decision speed.”
“Mythos is the first credible signal that vulnerability discovery is shifting from human-paced to machine-paced. Most organizations’ defenses aren’t built for or ready for that.
“The CSA guidance is appropriate but reads like an incremental response to what is absolutely a non-incremental shift. The issues is applying steady-state security thinking to a system that is accelerating. That mismatch is where the risk sits. If your response to Mythos looks like your response to last year’s threats, you’re already behind.
“Mythos hype vs. reality: there’s likely some hype in the claims, but not in the direction in which cybersecurity’s traveling, and that distinction matters. Remember that the evidence isn’t fully public yet, so while some skepticism is justified, dismissing the threat certainly isn’t. True, some of the fear may be amplified, but it’s anchored in a real shift. This isn’t synthetic panic. FUD fills the gap when validation lags capability. That’s exactly where we are right now.”
““The constraint for defenders used to be finding issues, but now, it’s deciding what to fix, in what order, and deciding and doing it fast enough. Security teams are about to be measured on response velocity, not just coverage. Automated response with humans in the loop is about to become the minimum table stakes.”
“Security teams must stop optimizing for visibility and start optimizing for decision speed. The strongest security posture’s architecture will connect detection, prioritization, and action into a single loop.”
Noelle Murata, Chief Operating Officer, Xcape, Inc.
“The emergence of Claude Mythos is not a routine product launch; it is a phase change that renders our current human-centric defense models mathematically obsolete. While the industry is used to the steady drip of vulnerabilities, we have never faced a scenario in which an autonomous model can chain exploits and identify thousands of zero-day flaws across every major OS in minutes, including a 27-year-old OpenBSD bug that survived decades of elite manual audits. The Y2K comparison is flawed because Y2K had a fixed deadline; Mythos represents a permanent, exponential acceleration. This is not a sales ploy or hype; it is a documented leap where a model outperformed human experts on the Firefox attack surface by a factor of 90.
“For security teams, responding with routine patching is a recipe for catastrophic failure. We must get creative and move beyond symmetrical AI defense. This means adopting deceptive infrastructure – deploying AI-generated honey-tokens and dynamic network paths that shift faster than a model can map them – and shifting from periodic scanning to continuous, agent-led remediation. We are entering an era where the only way to survive the speed asymmetry of a sub-24-hour exploit cycle is to automate the defense so thoroughly that the attacker is forced to hack a moving target. This is an issue of asymmetric cyber warfare. The adversary has to be successful once, whereas the defenders must be successful every time.
“My takeaway: If your current vulnerability management strategy still involves a human clicking “Approve” on a Tuesday morning, you aren’t defending a network; you are managing a museum.”
If you want a look at this, you can sign up to download the paper here.
Leave a comment »