Last week, Anthropic published something that should change how every security leader thinks about their stack.
Their research model, Mythos Preview, was pointed at major open-source codebases — OpenBSD, FreeBSD, FFmpeg, the Linux kernel — and told to find vulnerabilities. Not theoretical ones. Real, exploitable ones.
It found a 27-year-old bug in OpenBSD's TCP stack. A 16-year-old flaw in FFmpeg's H.264 codec. A remote code execution vulnerability in FreeBSD's NFS server that gives unauthenticated root access — and it had been sitting there for 17 years.
Then it built working exploits. ROP chains split across multiple packets. JIT heap sprays chaining four vulnerabilities with sandbox escapes. KASLR bypasses. Full privilege escalation.
Not in weeks. Not with a team. Autonomously.
Over 99% of what it found remains unpatched. Professional human reviewers agreed with its severity assessments 89% of the time exactly, 98% within one level. And Anthropic estimates thousands of additional high-severity vulnerabilities are pending responsible disclosure.
This isn't a research curiosity. It's a signal.
This Was Always Coming — but the Speed Is the Story
AI-assisted vulnerability discovery isn't new as a concept. Google's Project Zero has used ML techniques for years. Academic papers on neural fuzzing go back to 2018. What's different about Mythos is the autonomy and sophistication of the output.
The model doesn't just find crashes. It reads code, forms hypotheses about which files are most likely to contain vulnerabilities, rates them by severity, confirms its suspicions by running the actual software, and constructs multi-step exploits that chain vulnerabilities across security boundaries.
A non-security engineer with access to this model reportedly built a complete working exploit overnight.
That last detail matters more than the zero-days themselves. It means the barrier to entry for sophisticated attacks just collapsed. Offensive capability that used to require years of reverse engineering expertise is now something a model can approximate in hours.
What This Changes
Most enterprise security architectures were designed around a set of assumptions:
Assumption 1: Vulnerability discovery is slow and expensive.
It was. Professional bug bounty researchers spend weeks on a single target. Nation-state programs invest heavily in finding zero-days. That scarcity created a natural throttle on the attack surface. AI removes the throttle.
Assumption 2: Exploits require deep specialization.
Building a working exploit for a kernel vulnerability — bypassing ASLR, constructing ROP chains, escaping sandboxes — was a craft. AI compresses the expertise gap. Not to zero, but enough to change the math on who can attack what.
Assumption 3: Defense can rely on friction.
Much of enterprise security is friction-based. Patching creates a time window. Complexity makes exploitation harder. None of these disappear, but their value diminishes when the attacker is a model that can iterate through thousands of exploitation strategies without fatigue, boredom, or salary requirements.
The Static Security Problem
Most organizations have invested heavily in two categories of security tooling:
Posture management — tools that scan your environment and tell you what's misconfigured, unpatched, or exposed. Cloud security posture. Application security scanning. Vulnerability management platforms.
Response automation — tools that detect incidents and orchestrate responses. SIEM, SOAR, XDR. They watch for known patterns and execute playbooks when something trips a rule.
Both are valuable. Neither is built for what's coming.
Posture management is a snapshot. It tells you what your environment looked like when the scan ran. It doesn't know what your AI agents are doing right now — which models they're calling, what data they're accessing, whether a new tool was granted permissions that nobody approved.
Response automation is reactive. It waits for something bad to happen and then responds. In a world where an AI can discover and exploit a vulnerability in the time between two scan intervals, reactive isn't enough.
The gap is real-time. What are your systems doing right now? Who authorized it? Is the behavior within bounds?
The AI Agent Wrinkle
Organizations aren't just defending against AI-powered attacks. They're simultaneously deploying AI agents inside their own environments — agents that browse the web, call APIs, execute code, access databases, and make decisions with varying degrees of human oversight.
These agents create a new attack surface that didn't exist two years ago:
- An AI agent with database access can be manipulated through prompt injection to exfiltrate data — and the agent's access was legitimately provisioned.
- Agents calling external APIs create supply chain dependencies that most security teams don't inventory, let alone monitor.
- Multi-agent systems introduce lateral movement vectors — if Agent A can delegate to Agent B, and Agent B has elevated permissions, the chain of trust becomes an attack path.
This isn't hypothetical. It's happening in production environments today. And the tooling hasn't caught up.
Neither answers the question that matters now: what are your AI agents doing right now, in production, and who authorized them to do it?
Five Questions for Monday Morning
If you're a security leader reading this, here's a practical starting point:
1. Do you have an inventory of every AI model and agent running in your environment?
Not the ones IT provisioned. All of them. The ones engineering spun up on a Friday afternoon. The ones the marketing team signed up for with a corporate card. If you don't have a count, you don't have visibility.
2. Can you answer, in real time, what data your AI agents are accessing?
Not what they're authorized to access. What they're actually accessing, right now. Most IAM systems can tell you what permissions were granted. Very few can tell you what an autonomous agent is doing with those permissions at runtime.
3. What's your patch SLA — and does it account for AI-speed discovery?
If an AI can find and weaponize a vulnerability in hours, a 30-day patch window isn't a risk-managed timeline — it's an open door.
4. Are your AI agents governed by policy, or by trust?
Most organizations deploy AI agents with broad permissions and rely on the agent behaving as intended. That's trust, not governance. Policy means: defined boundaries, enforced at runtime, logged, auditable.
5. Who in your organization owns the AI attack surface?
Not "who owns AI strategy." Who owns the security of AI systems? In many organizations, the answer is nobody — or everybody, which amounts to the same thing.
What Comes Next
Anthropic's Mythos research is one data point in a larger shift. Google's Big Sleep project found a real vulnerability in SQLite using a similar approach. The trajectory is clear: AI will get better at finding and exploiting vulnerabilities, not worse.
The organizations that navigate this transition well won't be the ones that panic. They'll be the ones that honestly assess which of their security assumptions still hold, which ones don't, and what new capabilities they need to close the gap.
The offense just got AI. The defense is still catching up.
This post is based on publicly available research, including Anthropic's Mythos Preview cybersecurity capabilities report (April 2026), Google's Project Big Sleep, and industry analysis from NIST, CISA, and the broader security research community.