Claude Mythos forces the conversation on defensive AI
While we’ve seen a lot of hype about AI in cyber security, Anthropic’s Claude Mythos has suddenly and significantly changed the foundations of offensive security. The arrival of Anthropic’s Claude Mythos on 7 April 2026 created a paradigm shift in the economics of a cyber attack. AI has rapidly changed the cyber security landscape – and faster than most risk models assume. The window between discovery and weaponisation has collapsed, with time to exploitation dropping from 2.3 years in 2018 to twenty hours today.
AI is making vulnerability discovery, exploit generation, and attack orchestration faster and cheaper. Tools like Mythos show that AI can identify critical zero-days, generate working exploits, and orchestrate attacks at a speed and scale that traditional security processes were never designed and built to handle.
However, some things have been exaggerated and not everything has changed overnight. The fundamentals remain essential. Mythos is a structural acceleration, not a magic new class of risk. The basics such as identity, segmentation, MFA, patch discipline, zero-trust, secrets rotation, and egress filtering have become even more important, not less.
AI has lowered the cost and skill barrier for finding and exploiting vulnerabilities faster than organisations can patch them. While defenders must manage every exposure across code, infrastructure, identity, suppliers, and agents around the clock, the attacker only needs to find one route into the organisation. So, today at least, attackers have the advantage. It’s now time for defenders to turn the same tools inward to find and fortify any weaknesses first.
So, how can CISOs adapt quickly enough?
The first port of call is code review and vulnerability discovery. Organisations should immediately point AI agents at their most critical codebases, then move towards large language model (LLM)-driven review within continuous integration and development (CI/CD) pipelines. Every piece of code, whether written by humans or generated by AI, should go through automated security review before it’s merged.
Many organisations still treat AI as a productivity tool rather than a change in the threat model. The mistake that many are making is assuming old patch windows, old incident timelines, and old risk assumptions still hold. Organisations are also underestimating AI agents as a new attack surface. Prompts, tools, retrieval pipelines, escalation logic, and agent permissions all need controls before agents should be allowed to enter production.
The biggest change CIOs and CISOs need to make in how they approach cyber security is to update their operating model from human-speed security to AI-speed resilience. This will involve mandating responsible AI adoption across security functions, embedding AI review into software delivery, protecting agents as first-class assets, rehearsing simultaneous high-severity incidents, updating board reporting and risk models, and hardening the fundamentals immediately.
AI is increasing the speed and volume of software development, so security must move earlier and faster. Security review can no longer be a manual gate at the end of development. It needs to be embedded into the pipeline, with AI agents reviewing code continuously and all code – whether human- or AI-generated – assessed before merge.
These days, AI is making it both easier and harder to find and fix vulnerabilities. But the truth is that the risk is rising faster than most organisations’ ability to respond. AI makes it easier for defenders to discover their own weaknesses, but it also makes it easier for adversaries to find and weaponise them. AI must be used defensively now, preparing for a flood of patches, and building response capabilities that can operate at scale.
Being Mythos-ready means limiting blast radius, finding vulnerabilities before adversaries do, building scalable responses, and empowering teams with AI agents now.
John Bruce is CISO at Quorum Cyber, an Edinburgh-based managed security services provider (MSSP).

