
If your social media feeds are similar to mine, you’ve likely been inundated with sky-is-falling posts reacting to the “game changing” Mythos and Glasswing projects.
Despite all the hot takes, it does appear that there is a broad consensus, and it is downright strange: “Everybody look here, pay attention, absolutely nothing just happened.”

Mythos discovers software vulnerabilities.
As many have pointed out, it is highly unlikely that anyone claiming it “changes the game forever” has actually seen it, and yet it is no secret that cybersecurity researchers are already using modern computing power to aid in the discovery of software flaws and to replicate the actions of human hackers.
We explored this dynamic in greater depth on a Hackers On The Rocks episode with Wooson Song of TeamAtlanta, whose team earned a multimillion-dollar prize for deploying AI that proved more effective operationally than competing systems.
Glasswing, an emerging business line built around Mythos, will coordinate vulnerability disclosures with affected manufacturers, enabling them to issue patches in a structured and timely manner.
Casey Ellis - The attacker has always held the advantage. Mythos suggests that the gap may widen, which is unsettling, but it does not fundamentally change the position defenders operate within.
RSnake - 340,000+ CVEs have not been sufficient; the argument is that AI will simply accelerate the discovery of more.
Jake Williams - Compute remains expensive, and the cost structure prevents this technology from being accessible at a level most organizations can realistically adopt.
Marc Andreessen - Accessibility is constrained not only by price, but by the limited availability of compute itself, which restricts the ability to deploy these systems at meaningful scale.
Jeroen Van Hautte - Even if scalability improves, it may not matter; the rate at which AI is being used to generate new, and often vulnerable, code is expanding the attack surface faster than it can be secured.
Thomas Ballin - The real signal is not that Mythos found a bug, but what it took to do so: a successful $50 run built on top of $19,950 in failed attempts, without a clear understanding of what to search for.
Marcus Hutchins - Even with that clarity, economic misalignment remains; there is little incentive to invest in vulnerability discovery without a reliable path to financial return.
So where does that leave us? Sight unseen, there is little debate that the technology works. And yet, if you accept the perspectives above, it does not meaningfully alter the position defenders find themselves in. The implications are real, but the posture remains unchanged.
The more useful question, then, is what to do about it.
On April 14, nearly two dozen contributors issued a call to the corporate community to begin moving toward a “Mythos-ready” security posture.
A lot of soul searching.
Really? The sky is falling, there’s a new paradigm, software “nation state hackers in a box” is here, and they proposed nothing!?!?!
Yep. That’s the plan. To be clear, the actual call to action is quite strong. You can read it here: https://labs.cloudsecurityalliance.org/mythos-ciso/
The authors bring credible experience in building security programs, securing Board alignment, and ensuring execution. They provide concrete artifacts for getting started, and the document is thoughtful, practical, and thorough in its approach.
That said, and to their credit, they avoid leading with Fear, Uncertainty, and Doubt. Their position is straightforward: if the necessary internal conversations to establish a strong security plan have not yet taken place, the Mythos and Glasswing narrative can serve as a forcing function to initiate them. If a program already exists, this moment provides a natural opportunity to reassess and refine it.
Because everything is moving faster.
“AI lowers the cost and skill floor for discovering and exploiting vulnerabilities faster than organizations can patch them. Current patch cycles, response processes, and risk metrics were not built for this environment.”
#True.
Probably
Nothing, and that is the frustrating part.
Security programs can no longer rely on vendor patches. Offensive AI is identifying vulnerabilities faster than manufacturers can remediate them, and this gap is even more pronounced in open-source ecosystems.
They can no longer be anchored to CVE identifiers. The system does not scale, attackers are increasingly leveraging zero-day exploits, and the expansion of low-code and no-code platforms is growing the attack surface faster than it can be cataloged.
They can no longer be driven by static asset maps. As employees are encouraged to adopt AI and operate as “civilian builders,” environments fragment into shadow IT, cloud-hosted infrastructure, and third-party data dependencies, adding layers of complexity to what was already an outdated concept of a network perimeter.
Ouch.
And it is worth acknowledging one more shift. If conventional wisdom has long held that people are the weakest link, then the effective headcount is about to increase dramatically with the introduction of agentic AI.
Not with Glasswing. The immediate question is who the customer actually is. The likely path is a partnership with organizations like Google, Apple, Facebook, and Microsoft. These are not environments lacking in talent, nor are they without AI already embedded in their CI/CD pipelines. Adoption at that level will be straightforward, because these organizations already invest heavily in security and have the infrastructure to absorb it.
That is not where the challenge lies.
The real beneficiaries are the organizations that have historically underinvested in security, the step-down manufacturers and operators that lack both maturity and discipline. But those are also the organizations least equipped to adopt something like Mythos, and least likely to invest in it in the first place, let alone operationalize its output.
When I set out to build Desired Effect, the goal was to give defenders the ability to fight a fair fight.
Attackers win because they operate with a monopoly on emerging vulnerability data. They compensate researchers who uncover flaws, and now, in a Mythos-driven environment, they can also invest in tools that scale that discovery.
As the experts above have noted, it is this paradigm, not the magnitude of the asymmetry, that sustains their advantage.
AI may widen the gap. It may make that gap more visible. But the gap itself is not new, and it is not going away. Until the community delivers a true paradigm shift, defenders remain on a fundamentally unstable footing.
The real concern is that attackers are doubling down on their existing advantage in vulnerability research. If the response is to continue ignoring the vulnerability research community, the outcome does not change. The disadvantage persists.
The value of the Mythos and Glasswing narrative is not in what it introduces, but in what it enables. It creates space for a new generation of firms focused on reducing the operational utility of vulnerability data, imposing real costs on attackers, and bringing an offensive mindset into a conversation that has historically been reactive. That is how the industry moves beyond the familiar cycle of heightened attention followed by little meaningful change.