AI is accelerating vulnerability discovery, but the real challenge is how organizations prioritize and act on risk at scale.
Anthropic’s Claude Mythos Preview is getting a lot of attention, and it should.
Early results suggest it can surface high-severity vulnerabilities across widely used systems and open source software at machine speed and scale, including issues in widely deployed open source libraries and core infrastructure components.
While that is meaningful, it reflects an evolution of something that security teams already deal with, and it does not capture the more important issue at hand.
Security teams are not struggling because they cannot find issues. They are already dealing with more findings than they can realistically address, and backlogs are the norm. What they need is a better way to manage and prioritize them at scale.
Those conditions become harder to manage as AI accelerates vulnerability discovery. The pressure builds faster, and it accumulates.
Speed Introduces Urgency
As the volume and velocity of findings increase, teams are pushed into real-time decisions about what to fix first, what to isolate, and what risk the business is willing to accept for a period of time. Legacy operating models were not built to handle this volume and pace.
As the focus shifts from identifying vulnerabilities to managing and prioritizing them, the challenge becomes less about finding issues and more about what to do with them in real time. This is where cyber resilience becomes real in practice. It is about maintaining critical business operations, and making real-time decisions about what to prioritize given that not everything can be fixed at once.
Which systems matter most for revenue generation and/or business operations?
Which services must stay online for customer services and employee productivity?
Which vulnerabilities create meaningful business risk?
This ties in to how we see the role of security operations and the CISO evolve. Reducing risk and improving security posture remain core expectations, but corporate boards and executives increasingly want CISOs to focus on uptime, financial exposure, customer experience, and regulatory compliance.
What Mythos Signals
Finding issues faster creates more work downstream. It increases both the volume of decisions and the speed at which they need to be made. Technologies like virtual patching and other compensating controls help reduce exposure and buy time, but still depend on prioritization, coordination, and execution across teams.
This “see, prioritize, act” motion trips up many teams. Most organizations already struggle to move from insight to deciding what matters most and coordinating action across teams. Vulnerability backlogs, fragmented ownership, and unclear dependencies slow things down.
Mythos stands to exacerbate this problem, providing more visibility into risk without the ability to act on it at the same pace. As the speed of discovery increases, that gap becomes more visible.
What Needs to Change
Closing this gap requires more than better visibility.
As the focus shifts from identifying vulnerabilities to acting on them, organizations need a clearer way to prioritize risk in a business context. That means understanding which systems matter most, who owns them, and what the downstream impact of failure looks like.
And this is not ultimately a security decision. CISOs need input from LOB managers, risk managers, and executives who are accountable for these outcomes.
Tighter coordination across teams is also required. Security, IT, application, and business stakeholders all play a role in how issues are addressed, and delays often come from handoffs rather than lack of insight. Coordination between security and IT tools and workflows is especially key, as security finds vulnerabilities but IT operations fixes them.
Finally, execution has to keep pace. Whether that is through automation, predefined response paths, or compensating controls, teams need a way to act quickly without starting from scratch each time. In particular, organizations need to explore whether and where they need intelligent, automated workflows and remediation to address new AI vulnerability discovery capabilities like Mythos.
These challenges are not new. What is changing is how often and how quickly these decisions have to be made.
