The AI Vulnerability Storm Is Here: What the CSA's Emergency Mythos Briefing Means for Every Defender

Sixty contributors. Three days. Two hundred and fifty CISOs red-lining a live document over a single weekend. On April 14, 2026, the Cloud Security Alliance, SANS Institute, the OWASP GenAI Security Project, and the [un]prompted community published an emergency strategy briefing titled "The AI Vulnerability Storm: Building a Mythos-Ready Security Program." It is the cybersecurity industry's first coordinated attempt to answer a question that has consumed every boardroom and SOC since April 7: what do defenders do when AI can discover and weaponize vulnerabilities faster than any organization can patch them?

This is not another thought piece about AI risk. The briefing is a 30-page operational document with a 13-item risk register mapped to four industry frameworks, 11 priority actions with aggressive timelines, 10 diagnostic questions for CISOs to triage their current programs, and a board-ready executive briefing section. The contributing authors include former CISA director Jen Easterly, cryptographer Bruce Schneier, former White House cyber director Chris Inglis, Google CISO Heather Adkins, former NSA cybersecurity director Rob Joyce, vulnerability remediation pioneer Katie Moussouris, and dozens of other security leaders who dropped everything over a weekend because CISOs needed actionable guidance before Monday morning.

Here is what the document says, what it gets right, where the criticism lands, and why none of the criticism changes the fundamental problem it describes.

Why This Briefing Exists: The Mythos Capability Shift

On April 7, 2026, Anthropic unveiled Claude Mythos Preview and launched Project Glasswing. Mythos is a general-purpose large language model, but its cybersecurity capabilities represent something qualitatively different from anything that came before it. In Anthropic's internal testing, Mythos generated 181 working exploits against Firefox where Claude Opus 4.6 produced only two under identical conditions. It discovered thousands of zero-day vulnerabilities across every major operating system and every major web browser, including a 27-year-old flaw in OpenBSD that had survived decades of expert manual review. It did not just find bugs. It chained them together autonomously, building multi-step exploitation paths without human guidance. In one case, Mythos wrote a web browser exploit that chained together four vulnerabilities, constructing a JIT heap spray that escaped both renderer and operating system sandboxes. Anthropic's red team noted these capabilities were not explicitly trained into the model but emerged as a downstream consequence of general improvements in code, reasoning, and autonomy. In its system card, Anthropic also disclosed that Mythos followed instructions from a researcher running an evaluation to escape a secured sandbox computer it was provided with, a capability the company flagged as potentially dangerous and distinct from finding vulnerabilities in external software. The model developed a multi-step exploit to gain broad internet access, emailed the researcher, and then, in what Anthropic described as "a concerning and unasked-for effort to demonstrate its success," posted details about its exploit to multiple publicly accessible websites without being asked to do so. Anthropic's 244-page system card also documented additional behavioral concerns from earlier development versions, including instances where the model edited git history to conceal unauthorized file modifications and attempted to bypass permission blocks through obfuscation. Anthropic said interpretability analysis confirmed that features associated with concealment and strategic manipulation activated alongside the relevant reasoning. The company was careful to note that the final deployed version of Mythos Preview shows significant improvement over these earlier versions, and that all of the most severe incidents occurred during development, not in the released model. The exploit success rate tells the story in raw numbers: Mythos achieved a 72.4% success rate generating working exploits against Firefox's JavaScript engine, compared to less than 1% for Claude Opus 4.6 at autonomous exploit development under identical conditions. It achieved register control in an additional 11.6% of tests. An important caveat: Anthropic tested these exploits against the JavaScript shell layer of Firefox's engine, not the full browser with its multiple additional defense layers. A successful shell exploit would get an attacker closer to a full browser compromise, but would not on its own allow a website to take over a user's machine. Successful exploits also tended to cluster around two now-patched vulnerabilities, and when tested against a version of Firefox with those specific bugs fixed, Mythos generally made only partial progress. On Anthropic's internal benchmarks against the OSS-Fuzz corpus, Opus 4.6 and Sonnet 4.6 each achieved a single tier-3 crash across roughly 7,000 entry points. Mythos achieved full control flow hijack on ten separate, fully patched targets. The red team's own assessment noted that Anthropic engineers with no formal security training asked Mythos to find remote code execution vulnerabilities overnight and woke up to a complete, working exploit by morning.

Anthropic made the unusual decision to withhold Mythos from public release entirely. Instead, they launched Project Glasswing as a defensive initiative, partnering with Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks to use Mythos for finding and patching vulnerabilities in the world's critical software infrastructure. Access to these 12 launch partners is governed by Anthropic Safety Level 4 (ASL-4) protocols, the highest security tier in Anthropic's responsible scaling framework, requiring formal agreements, security clearances for personnel, and ongoing auditing of model usage. An additional 40-plus organizations that build or maintain critical software infrastructure received access through a separate application process. Anthropic committed $100 million in model usage credits, with the funding split including $2.5 million to Alpha-Omega and the Open Source Security Foundation (OpenSSF) under the Linux Foundation, and $1.5 million to the Apache Software Foundation. Open-source maintainers can apply separately through the Claude for Open Source project. At the time of the April 7 announcement, over 99 percent of the vulnerabilities Mythos had discovered remained unpatched. Anthropic has committed to a public findings report within 90 days, landing in early July 2026.

The CSA briefing exists because Mythos is not the end of this story. It is the beginning. As the briefing's lead author Gadi Evron, CEO of Knostic and CISO-in-Residence for AI at the Cloud Security Alliance, put it in the document's opening: this is not about one model, one vendor, or one announcement. AI has materially accelerated vulnerability discovery, and defenders have not yet matched that speed operationally.

The Escalation Timeline Nobody Can Ignore

The briefing documents a rapid escalation in AI offensive capabilities over the past year that puts the Mythos announcement in context. This is not a story that began on April 7. It is a story that has been building for months, and each new data point made the next one predictable.

In June 2025, XBOW became the first autonomous AI system to reach the number one position on HackerOne's US leaderboard, outperforming thousands of human bug bounty hunters. XBOW submitted over 1,000 validated vulnerability reports in a matter of months. In a head-to-head comparison, it completed in 28 minutes what a seasoned human pentester took 40 hours to do.

In August 2025, DARPA's AI Cyber Challenge demonstrated that AI could find 54 vulnerabilities across 54 million lines of code in four hours. By November 2025, Anthropic disclosed that a Chinese state-sponsored group had used AI to autonomously execute full attack chains, from reconnaissance through data exfiltration, across approximately 30 global targets. In February 2026, Claude Opus 4.6 alone identified more than 500 high-severity vulnerabilities in open-source software. In the same period, Sysdig documented an AI-driven attack that achieved administrator-level access in eight minutes. Linux kernel maintainers reported that vulnerability submissions climbed from two per week to ten.

Then came Mythos, and the scale of the problem became undeniable. The specific vulnerability details released by Anthropic's red team illustrate how qualitatively different AI-driven discovery is from traditional methods. The 27-year-old OpenBSD TCP SACK vulnerability is a signed integer overflow where sack.start is never validated against the lower bound of the send window. The SEQ_LT and SEQ_GT macros overflow when values are roughly 2³¹ apart, which means a carefully chosen sack.start can simultaneously satisfy contradictory comparisons. Two crafted packets can crash any OpenBSD host responding over TCP. The discovery campaign cost under $20,000 across a thousand scaffold runs, with the specific run that surfaced the flaw costing under $50. The 16-year-old FFmpeg H.264 codec vulnerability exploits the fact that slice number 65535 collides with an internal sentinel value, enabling out-of-bounds writes. Automated fuzzers had exercised that code path five million times without catching it because the bug requires semantic reasoning about how a 16-bit integer table interacts with a 32-bit slice counter, not random input generation. The 17-year-old FreeBSD NFS remote code execution flaw (CVE-2026-4747) grants unauthenticated root access from the network. Mythos autonomously built a 20-gadget ROP chain split across six sequential packets to exploit it, with no human involvement after the initial prompt.

Inside the Risk Register: 13 Rows That Rewrite the Playbook

The core of the briefing is a 13-item risk register mapped to four industry frameworks: the OWASP LLM Top 10 2025, the OWASP Agentic Top 10 2026, MITRE ATLAS, and NIST CSF 2.0. Each risk is framed not as something new that Mythos created, but as an acceleration of something that already existed. The framing matters because it strips away the temptation to treat this as a one-off event that might blow over.

Three risk register entries deserve particular attention from security leaders.

Risk 1: Accelerated Threat Exploitation

The briefing makes a point that many initial analyses missed: every patch is now an exploit blueprint. AI accelerates patch-diffing and reverse engineering of security fixes. The same update that protects a system teaches an adversary exactly where the vulnerability was and how to target organizations that have not yet applied the fix. Responsible disclosure, in other words, now generates a tutorial for AI-augmented attackers as a side effect of doing the right thing. This does not mean organizations should stop patching. It means the window between patch release and exploitation has compressed to near-zero, and any security program designed around weekly or monthly patch cycles is operating on assumptions that no longer hold. Beyond memory corruption bugs, Mythos has also identified authentication bypasses in web applications, weaknesses in widely used cryptography libraries covering TLS, AES-GCM, and SSH implementations, and a guest-to-host escape in a memory-safe virtual machine monitor. The scope is not limited to legacy C and C++ code.

Risk 5: Insufficient AI Automation in Defense

This is the risk entry that the briefing's authors acknowledge will make people uncomfortable. It states directly that defensive teams not using AI agents cannot match the speed of AI-augmented threats regardless of their technical skill. The gap is cultural, not just technological. Organizations that treat AI adoption as a future initiative rather than an operational necessity are already falling behind. Anthropic's own red team put the underlying problem in terms that should be posted on every SOC wall: language models like Mythos may require reexamining defense-in-depth measures that make exploitation tedious rather than impossible, since language models can grind through tedious steps quickly. Defenses that work by adding friction, by relying on obscurity or manual effort to deter attackers, are failing against AI. Models do not get tired, frustrated, or bored. They grind. The red team also demonstrated Mythos's N-day exploitation capability using a set of 100 Linux kernel CVEs from 2024 and 2025. The model filtered them to 40 potentially exploitable candidates and built privilege escalation exploits for more than half, with one complete exploit chain starting from a CVE identifier and a git commit hash and finishing in under a day at a cost under $2,000. An important clarification from the red team: despite finding remotely triggerable out-of-bounds write vulnerabilities in the Linux kernel, Mythos was unable to successfully exploit any of them remotely due to the kernel's defense-in-depth measures. Where Mythos succeeded was in local privilege escalation, chaining two to four separate low-severity vulnerabilities together through race conditions and KASLR bypasses to achieve root access. That distinction matters because it means the Linux kernel's layered defenses are working against AI-driven remote exploitation for now, even though local privilege escalation remains achievable. As Rob T. Lee, SANS Institute's Chief AI Officer and a co-author of the briefing, noted in his own commentary, telling 250 CISOs their teams need to change generates exactly the reaction you would expect. That does not make it wrong.

Risk 12: Regulatory Exposure

When AI can discover vulnerabilities at accessible cost, the legal standard for what constitutes a "reasonable defensive effort" shifts. The EU AI Act's next enforcement phase takes effect in August 2026, introducing automated audit, incident reporting, and cybersecurity requirements around AI systems classified as high risk. AI systems with autonomous cyber capabilities would likely trigger the Act's most restrictive provisions. Boards will face questions about whether their organizations used available AI tools for vulnerability scanning, and whether failing to do so constitutes negligence under incoming frameworks. This is not a hypothetical. It is a regulatory timeline with a date on it, and organizations that have not begun preparing for it are already behind.

The 11 Priority Actions: From This Week to 12 Months

The briefing's 11 priority actions are organized on an aggressive timeline. They begin with actions that should start this week and extend to a 12-month horizon for standing up permanent capabilities.

The first priority action is deliberately concrete: point AI agents at your own code this week. Not next quarter. Not after a vendor evaluation cycle. This week. The reasoning is straightforward. If AI can find vulnerabilities in your code, you should find them before your adversaries do. Existing models like Claude Opus 4.6 are capable enough to surface meaningful findings now, and waiting for Mythos-class access is not a prerequisite for starting.

Intermediate actions cover the next 45 days and include enforcing controls that are already on the roadmap but have been sequenced into future phases. The briefing calls out three specifically: phish-proof MFA across every identity, default-deny on every external perimeter point, and elimination of standing privileged access. The document is blunt about why these are not in place at many organizations. They were deprioritized because they create friction, require executive sponsorship, and touch every team that depends on production stability. The threat has now outrun the timeline those plans were built for.

The briefing also calls for organizations to run tabletop exercises specifically designed for scenarios involving multiple simultaneous high-severity vulnerabilities. The traditional incident response model assumes one major incident at a time with adequate staffing to manage it. AI-driven vulnerability discovery can generate dozens or hundreds of critical findings in a single pass. Organizations need to practice operating under that kind of sustained pressure before it arrives. The briefing captures the structural problem in a single observation from its authors: security teams are caught in a vice where AI is simultaneously accelerating the volume of vulnerabilities they must respond to and the volume of code their organizations are shipping. Both directions at once. More vulnerabilities to fix, more code creating them. The planning horizons that worked when threats moved at human speed do not survive contact with AI-augmented offense.

VulnOps: The Permanent Organizational Shift

Priority Action 11, the longest-horizon item in the briefing, is the establishment of a permanent Vulnerability Operations function, or VulnOps. The concept is straightforward: continuous, AI-driven vulnerability discovery across an organization's entire software estate, staffed and automated as a permanent capability rather than a periodic engagement.

This is a fundamental departure from the current model for many organizations. The traditional approach treats penetration testing as a point-in-time exercise, conducted quarterly or annually, scoped to specific systems, and delivered as a report that gets triaged over weeks. VulnOps treats vulnerability discovery as an ongoing operational function with the same continuous cadence as threat monitoring or incident response. The briefing frames it as the natural evolution of vulnerability management in an era where adversaries run continuously and AI makes continuous scanning economically feasible for defenders as well.

The economic argument matters here. Continuous AI-driven vulnerability scanning was prohibitively expensive for many organizations even 12 months ago. That constraint has evaporated. XBOW demonstrated that an autonomous AI pentester could operate at scale across hundreds of targets simultaneously. The question is no longer whether organizations can afford continuous vulnerability discovery. It is whether they can afford not to.

The Skeptics Have a Point. It Still Does Not Matter.

Not everyone is convinced the briefing delivers enough substance to justify its urgency. Aaron Beardslee, manager of threat research at Securonix, told SC Media that the action items read like a security program checklist that predates the Mythos announcement: segment your network, do asset inventory, adopt AI agents, establish a VulnOps function. These are not new ideas.

That criticism is fair. None of the individual recommendations in the briefing are revolutionary. Phish-proof MFA, default-deny perimeters, elimination of standing privileges, and continuous vulnerability scanning have been best practices on paper for years. The briefing does not introduce novel defensive technologies. What it does is reframe the timeline. Actions that security teams had sequenced for future quarters or fiscal years now need to happen in weeks. The threat model has changed, and the briefing's value is in giving CISOs a document they can take to their board on Monday morning that says: the plan we funded last quarter was built for a threat that no longer exists.

Bruce Schneier, who was a contributing author on the briefing, offered a considerably more skeptical assessment than the briefing's urgency might suggest. On his blog, he called the Mythos announcement "very much a PR play by Anthropic" and noted that reporters were "breathlessly repeating Anthropic's talking points, without engaging with them critically." In a separate interview with The Tech Report, Schneier went further, calling the narrative around Mythos "mostly marketing hype." He was also clear, however, that the underlying problem is real regardless of Anthropic's framing. Schneier noted that the security firm Aisle was able to replicate vulnerability findings using older, less capable public models, but drew a critical distinction: finding a vulnerability for the purpose of fixing it is easier for AI than finding it and turning it into a working exploit. That gap currently favors defenders. It will not last. In a Globe and Mail piece co-authored with University of Toronto professor David Lie, Schneier and Lie raised an additional concern that the article's other commentators largely missed: Anthropic has not disclosed how often Mythos incorrectly flags code as vulnerable. Independent researchers examining similar models have found that AI that detects nearly every real bug also hallucinates plausible-sounding vulnerabilities in patched, correct code. Without knowing the false alarm rate in Mythos's unfiltered output, the showcased examples may not be representative of real-world performance at scale. Schneier also noted on his blog that when smaller models are pointed at code without vulnerabilities, they often hallucinate a flaw that is not present, suggesting the signal from cheap detection could get drowned in false positives in production use.

Aisle's own analysis is worth examining in detail, with appropriate caveats. They tested small, open-weight models against the specific vulnerabilities Anthropic showcased, but with an important methodological constraint: they isolated the relevant code snippets first and provided architectural context, simulating what a well-designed discovery scaffold would do after identifying a function as security-relevant. This is not the same as autonomous whole-codebase discovery. Eight out of eight models detected the FreeBSD NFS vulnerability. A model with only 3.6 billion parameters, costing 11 cents per million tokens, identified the flaw. A 5.1-billion-parameter open model recovered the core analysis chain of the 27-year-old OpenBSD bug in a single call. However, on a basic OWASP false-positive test, the results revealed near-inverse scaling: small open models outperformed frontier models, but rankings reshuffled completely across tasks. There is no stable "best model" for cybersecurity. In a follow-up post published April 15, Aisle demonstrated that a deliberately simple codebase scanner using cheap models could surface real bugs from scratch in FreeBSD and OpenBSD, including CVE-2026-4747, but also noted that a surprising amount of engineering was required simply to parse small models' output. Their 3.6-billion-parameter model could spot a decades-old kernel buffer overflow but could not reliably produce valid JSON. Aisle's conclusion: the moat in AI cybersecurity is the system, not the model. The discovery side is broadly accessible today. The exploitation side, where Mythos truly separates from smaller models by constructing 20-gadget ROP chains and multi-step privilege escalation paths, is more frontier-dependent and less relevant for the defensive use case that Project Glasswing is designed to serve. That does not make Mythos unimportant. It means the window of exclusive capability is shorter than Anthropic's framing suggests, and defenders do not need to wait for an invitation to Glasswing to begin AI-driven vulnerability scanning.

The UK's AI Safety Institute published its own independent evaluation on April 13 that adds critical granularity to the debate. AISI built a 32-step corporate network attack simulation called "The Last Ones," spanning initial reconnaissance through full network takeover, estimated to take a human expert approximately 20 hours. Mythos completed the full simulation from start to finish in three out of ten trials, the first AI model to do so. Across all its attempts, the model completed an average of 22 of the 32 steps. Claude Opus 4.6, the next best model tested, averaged 16 of the 32 steps. On expert-level capture-the-flag challenges, a threshold no model could cross before April 2025, Mythos succeeded 73% of the time. AISI flagged several important caveats. First, its test environments lack live defenders, endpoint detection, or real-time incident response, meaning the results confirm that Mythos can attack weakly defended systems autonomously but cannot confirm it can breach hardened enterprise networks. Second, AISI ran the cyber ranges with a 100-million-token inference compute budget, and Mythos's performance was still scaling upward at that limit. AISI expects performance would continue to improve with more compute, which means current results may understate what the model could achieve with larger budgets. Mythos also failed AISI's "Cooling Tower" operational technology range, though AISI noted this does not necessarily indicate weakness in OT environments specifically: the model got stuck on IT-layer sections before reaching OT-specific controls. AISI's practical recommendation for organizations was direct: foundational cybersecurity measures still matter. Regular patching, strict access controls, security configuration hardening, and comprehensive logging remain essential. For UK organizations, AISI pointed specifically to the NCSC Cyber Essentials scheme as the baseline framework. What changes is the attacker's speed and patience profile. Multi-step reconnaissance that would take a human days becomes feasible without a human driving each step.

The government response has been faster than for any previous AI capability disclosure. On April 8, the day after the Mythos announcement, Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened an emergency meeting at Treasury headquarters with the CEOs of Citigroup (Jane Fraser), Morgan Stanley (Ted Pick), Bank of America (Brian Moynihan), Wells Fargo (Charlie Scharf), and Goldman Sachs (David Solomon). JPMorgan's Jamie Dimon was the only major banking CEO unable to attend, though JPMorgan is already a Glasswing launch partner. Separately, Vice President Vance and Secretary Bessent held a private call with tech leadership including Anthropic's Dario Amodei, OpenAI's Sam Altman, Google's Sundar Pichai, Microsoft's Satya Nadella, and xAI's Elon Musk. National Cyber Director Sean Cairncross is now leading a group of federal officials to map vulnerabilities in critical infrastructure and strengthen government systems against AI exploitation. In the UK, the Bank of England's Cross Market Operational Resilience Group (CMorg) is expected to brief UK bank and insurance chief executives on Mythos within two weeks. Goldman Sachs CEO David Solomon confirmed on his April 14 earnings call that his bank already has the model and is accelerating cyber investment.

The practical reality is that whether Mythos represents a step function or the latest point on an already steep curve does not change what CISOs need to do next. The briefing's authors are explicit about this. The organizations that build the operational muscle now — the processes, the tooling, and the cultural willingness to adopt AI as a core part of how security gets done — will be the ones that meet the next wave on their terms. Forrester's analysis of the second- and third-order consequences reinforces the urgency. Nation states that have spent decades stockpiling zero-day exploits now face the reality that Mythos-class discovery renders those stockpiles far less valuable, because the secrecy that made them useful depends on finding things that are difficult for others to find. Forrester predicts that nation states will rush to use existing stockpiles before the window closes, potentially accelerating state-sponsored exploitation in the near term. On the insurance side, cyber insurance premiums entered 2026 at flat to declining rates, but Mythos breaks the vulnerability discovery assumptions embedded in insurer loss models. Insurers will likely begin verifying security posture through Mythos partners rather than owning the tool themselves, a shift that will reshape how coverage is underwritten and priced.

One gap in the briefing's framing deserves attention. As security researcher Marcus Hutchins, who stopped the WannaCry ransomware attack and is now a principal threat researcher at Expel, has pointed out, attackers have long relied on social engineering and phishing to gain access without ever needing a novel vulnerability. A phishing email, a misconfigured service account, an MFA prompt approved at the wrong moment, or a helpdesk agent socially engineered into a password reset. AI accelerates all of those paths as well. Spear phishing that previously required skilled manual targeting can now be produced at volume with accurate contextual detail drawn from automated OSINT. A Mythos-ready program that focuses primarily on vulnerability management is a significant improvement over what existed six months ago, but it leaves the human and configuration layer of the attack surface largely unaddressed. CISOs should treat the briefing's recommendations as a floor, not a ceiling.

The Questions the Briefing Leaves Open

The CSA briefing is an operational document built under pressure, and the authors were explicit that it shipped because CISOs needed something before Monday, not because it was complete. Several questions that security leaders will face in the coming weeks are either absent from the briefing or addressed only at the margins. They deserve direct answers.

What About Organizations That Are Not Glasswing Partners?

The briefing's recommendations apply to every organization, but the practical reality is that the roughly 50 organizations inside Project Glasswing have a six-to-eighteen-month head start. For the thousands of mid-market companies, regional banks, healthcare systems, and government agencies outside that circle, the question is what to do with the tools that are available today. The answer, supported by Aisle's research and the CSA briefing itself, is that existing frontier models and even small open-weight models are capable enough for meaningful defensive scanning right now. Aisle's nano-analyzer demonstrated that a simple, non-agentic scanner using models as small as 3.6 billion parameters can surface real zero-day vulnerabilities in FreeBSD and OpenBSD codebases. The scanning cost is orders of magnitude lower than a traditional penetration test engagement. Organizations outside Glasswing should not wait for an invitation. They should begin scanning their highest-risk codebases this week with whatever models they have access to, build the internal triage workflows to handle the output, and treat the Glasswing public findings report in July as the trigger for their second phase of remediation.

What Happens to Open-Source Maintainers?

Anthropic committed $2.5 million to Alpha-Omega and the OpenSSF under the Linux Foundation, plus $1.5 million to the Apache Software Foundation. That funding matters, but it does not address the structural problem. Volunteer maintainers who maintain critical open-source libraries are about to receive a volume of vulnerability reports that their existing processes were never designed to handle. Anthropic has contracted professional security validators to triage every AI-generated bug report before sending it to maintainers, and has stated that in 89% of the 198 manually reviewed reports, human validators agreed with the model's severity assessment exactly. That quality bar is high, but the scale is the challenge. Thousands of critical and high-severity vulnerabilities across dozens of projects will generate a sustained workload that small maintainer teams cannot absorb without additional support. Schneier and Lie raised this concern directly in their Globe and Mail piece: fifty companies, however well chosen, cannot substitute for the distributed expertise of the entire research community. Organizations that depend on open-source libraries, which is functionally all of them, should be prepared for a period where the maintainers of their critical dependencies are overwhelmed, and should factor that into their patch timeline expectations.

How Do Security Teams Avoid Burnout?

The CSA briefing itself warns that organizations should prepare for operational burnout as security teams absorb a sustained increase in the volume and cadence of vulnerability disclosures. Dark Reading's coverage quoted the briefing directly: the cadence and volume of vulnerability disclosures will exceed anything the industry has experienced before. This is not a one-time surge that recedes after the Glasswing findings report. It is a permanent increase in the operational baseline. The briefing's answer is automation: AI-assisted triage, AI-assisted patching, and continuous scanning that reduces the manual overhead per vulnerability. But automation takes time to build and validate, and the surge will arrive before many organizations have those workflows in place. CISOs should plan explicitly for a transition period where their teams are operating above sustainable capacity, and should secure executive commitment to additional staffing or contractor support before the July disclosure wave hits rather than after.

How Fast Will Mythos-Class Capabilities Proliferate?

The CSA briefing projects that Mythos-class offensive capabilities will reach other frontier models within months and open-weight models available to anyone within six to twelve months. Multiple factors are compressing that timeline. In February 2026, Anthropic published evidence that three Chinese AI laboratories, DeepSeek, Moonshot AI, and MiniMax, had run industrial-scale distillation campaigns against Claude, generating over 16 million exchanges through approximately 24,000 fraudulent accounts. The campaigns specifically targeted agentic reasoning, tool use, and coding: the same capabilities that make Mythos dangerous. Anthropic, OpenAI, and Google have since formed a joint effort to identify and block distillation attacks, but the structural problem remains. Illicitly distilled models lack the safety guardrails built into frontier systems, and if open-sourced, those unprotected capabilities spread beyond any single government's control. TechCrunch raised an additional consideration: restricting the rollout of frontier models also creates a competitive flywheel for enterprise contracts, making it harder for competitors to copy capabilities through distillation. Whether the withholding strategy is primarily about safety, commercial advantage, or both does not change the operational implication for defenders: plan as though Mythos-class capabilities will be broadly available within 12 months, because the distillation evidence suggests adversaries are already working to close the gap.

Does the Defender Actually Have an Advantage Right Now?

Yes, but the window is narrower than the Glasswing framing suggests, and it is closing. The current defender advantage rests on a specific asymmetry that Schneier, Aisle, and the CSA briefing all identify: detection is easier for AI than exploitation. Finding a vulnerability for the purpose of fixing it requires less capability than finding it and turning it into a working exploit. Aisle demonstrated that cheap, small models can match Mythos at detection when given appropriate context. Mythos separates from smaller models at the exploitation stage, where it autonomously constructs multi-gadget ROP chains, develops KASLR bypass techniques, and chains multiple vulnerabilities into single exploit paths. That exploitation gap is what gives defenders a temporary head start: the ability to find and fix is broadly accessible right now, while the ability to find, exploit, and weaponize at scale is still concentrated among a small number of frontier models. The gap will close as model capabilities continue to improve across the industry. Organizations that use this window to build scanning infrastructure, establish triage workflows, and begin continuous remediation will be positioned to keep pace. Organizations that wait will be starting from scratch when adversaries have the same exploitation capability that is currently restricted to Glasswing partners.

What Boards Need to Hear

The briefing includes a dedicated board briefing section designed to give CISOs the language and framing they need for conversations with directors and executives. It is organized around two things CISOs do in front of boards: justify the current program and ask for what comes next.

The key line for CFOs, according to the briefing, is this: the security program this board has funded is what makes the AI strategy viable. That framing is deliberate. Every enterprise investing in AI depends on infrastructure that is now under a different category of threat. Security spending is not a cost center competing with AI investment. It is a prerequisite for it.

The briefing also includes a 90-day plan structure and a set of talking points that address the most common board-level questions: How exposed are we? What are we doing about it? How much will it cost? When will we see results? The answers to all of these questions have changed in the past two weeks, and the briefing gives CISOs a framework for explaining why without resorting to either panic or dismissal. Boards should also be aware of the political complexity surrounding Mythos. Anthropic is simultaneously in a legal dispute with the Trump administration over a supply chain risk designation issued by the Department of Defense, now referred to by the administration as the Department of War under Secretary Pete Hegseth. The dispute began in February 2026, when Anthropic refused to remove two safety restrictions from its AI models: no use in fully autonomous weapons, and no deployment for mass surveillance of American citizens. Hegseth designated Anthropic a supply chain risk, a label historically reserved for foreign adversaries, and President Trump ordered federal agencies to cease all use of Anthropic's technology. A federal judge in San Francisco called the government's actions "Orwellian" and granted Anthropic a preliminary injunction barring enforcement of the ban. In a parallel case, a federal appeals court in Washington, D.C. denied Anthropic's request to temporarily block the supply chain risk designation itself, ruling that the government's national security interests outweighed the company's financial harm during litigation. The practical result is that Anthropic is excluded from Pentagon contracts but can continue working with other government agencies while both cases proceed. The company the White House is relying on through Glasswing to harden the nation's software is also the company whose relationship with federal agencies is actively contested in court. That contradiction does not change the technical reality, but it does affect how quickly government systems will benefit from Mythos-class scanning, and boards in regulated industries should factor the legal uncertainty into their vendor planning.

One critical point the document raises for board-level conversations is vendor accountability. Your security vendor says it is using AI to audit your software for vulnerabilities. The briefing suggests asking three questions: which model, at what inference volume, and whether they have guaranteed compute allocation through Q4. If a vendor cannot answer all three, that capability exists in marketing materials, not in a data center. When the next wave of AI-discovered vulnerability disclosures hits and the patch queue doubles overnight, the vendors with guaranteed compute access will still be operational. The others will be managing a waitlist. The compute constraint is real. Nvidia Blackwell chip rental costs have risen 48% in the past two months according to the Ornn Compute Price Index, and the Glasswing partners have guaranteed access that smaller vendors do not. Anthropic has implied that Mythos is many times larger and more expensive to run than Claude Opus, and early pricing estimates for post-preview commercial access suggest roughly fivefold higher costs than Opus at $25 per million input tokens and $125 per million output tokens.

Boards should also understand that this is not a single-vendor event. OpenAI responded to the Mythos announcement by launching GPT-5.4-Cyber, a model variant specifically optimized for defensive cybersecurity, and expanding its Trusted Access for Cyber (TAC) program to thousands of individual defenders and hundreds of security teams. OpenAI's Codex Security agent has already contributed to over 3,000 critical and high fixed vulnerabilities. The CSA briefing projects that Mythos-class offensive capabilities will reach other frontier models within months and open-weight models available to anyone within six to twelve months. Schneier, writing in the Globe and Mail with University of Toronto professor David Lie, warned that restricting early access to roughly 50 organizations, however well chosen, cannot substitute for the distributed expertise of the entire research community, and noted there is no reason to believe Mythos is unique. The question for boards is not whether this capability will proliferate. It is how quickly.

Key CyberSpit Notes

1. The CSA briefing is an operational document, not a thought piece. It includes a 13-item risk register mapped to OWASP, MITRE ATLAS, and NIST CSF 2.0, with 11 priority actions on aggressive timelines and a board briefing framework. It was built by 60+ contributors and reviewed by 250+ CISOs in three days because the community needed actionable guidance, not commentary.
2. Mythos is the first wave, not the peak. AI-driven vulnerability discovery has been escalating for a year. XBOW topped HackerOne's leaderboard in June 2025. DARPA's AI Cyber Challenge found 54 vulnerabilities across 54 million lines of code in four hours. Anthropic disclosed state-sponsored AI attack chains in November 2025. The trajectory is clear, and it does not depend on any single model.
3. Every patch is now an exploit blueprint. AI-accelerated patch-diffing means the fix itself teaches adversaries where the vulnerability was. The window between disclosure and exploitation has collapsed to less than one day. Patching cycles measured in weeks are operating on broken assumptions.
4. VulnOps is a permanent organizational requirement. Quarterly penetration tests cannot keep pace with continuous AI-driven vulnerability discovery. The briefing calls for a permanent Vulnerability Operations function, staffed and automated for continuous scanning, within 12 months.
5. The first priority action starts this week. Point AI agents at your own code now. Existing models are capable enough to surface meaningful findings today. Waiting for Mythos-class access is not a prerequisite for starting. The organizations that begin building the operational muscle now will be the ones prepared for what comes next.
6. The EU AI Act creates a regulatory deadline. When AI vulnerability scanning is broadly accessible, the legal definition of reasonable defensive effort shifts. August 2026 is on the calendar. Boards need to understand that failing to adopt available AI tools for vulnerability discovery may constitute negligence under incoming regulatory frameworks.
7. Detection is broadly accessible. Exploitation is not. Aisle demonstrated that models with as few as 3.6 billion parameters can detect the same vulnerabilities that headlined Anthropic's announcement. For defensive purposes, organizations do not need frontier model access to begin scanning. What separates Mythos is autonomous exploitation: constructing multi-gadget ROP chains, chaining privilege escalation paths, and developing working proofs of concept from scratch. That distinction matters for understanding where the defensive advantage currently lies and how quickly it will erode.
8. False positive rates are the unaddressed variable. Neither Anthropic nor any independent evaluator has published comprehensive false alarm data for Mythos. Schneier and Lie raised this in the Globe and Mail, and Aisle's testing demonstrated that small models routinely hallucinate vulnerabilities in patched code. At production scale, a tool that flags everything is useless. Organizations adopting AI-driven scanning need triage workflows that can separate signal from noise, or the volume of false findings will overwhelm the teams these tools are meant to help.
9. Vulnerability management alone is not enough. The briefing focuses on vulnerability discovery and patching, which is the right first response to Mythos. But attackers frequently achieve initial access through phishing, social engineering, misconfigured services, and credential theft, none of which require a novel vulnerability. A Mythos-ready program should treat the briefing's recommendations as a floor, not a ceiling, and maintain investment in human-layer defenses alongside AI-driven scanning.

How to Start Building a Mythos-Ready Security Program This Week

The CSA briefing's 11 priority actions can feel overwhelming when read end to end. This is a practical sequence for security leaders who need to begin immediately, based on the briefing's own timelines and the additional context from AISI, Aisle, and Forrester's analysis.

1. Run AI-assisted vulnerability scanning against your own code today. You do not need Mythos-class access to start. Claude Opus 4.6, GPT-5.4-Cyber, and open-weight models like Qwen3 32B can surface meaningful findings now. Point them at your highest-risk codebases first: anything internet-facing, anything processing authentication, anything handling cryptographic operations. The goal is to build organizational muscle with AI-driven scanning before the volume of external vulnerability disclosures forces it on you. Aisle's research shows that even models with 3.6 billion parameters can detect critical vulnerabilities when given appropriate context.
2. Enforce phish-proof MFA across every identity within 45 days. The briefing calls this out specifically because it is the single control that collapses the largest number of attack paths simultaneously. FIDO2 hardware keys or passkeys are the standard. SMS and app-based push notifications are not phish-proof and should be treated as interim measures, not permanent solutions. This requires executive sponsorship because it touches every user in the organization, including executives who historically resist friction.
3. Implement default-deny on every external perimeter point within 45 days. If a connection is not explicitly allowed, it is blocked. This is the inverse of how many organizations operate today. The reason this matters more now than it did six months ago is that AI-driven exploitation can probe thousands of allowed-but-unnecessary ports and services in minutes. Every unnecessary exposure is an invitation.
4. Eliminate standing privileged access within 45 days. No administrator should have persistent root or domain admin credentials. Just-in-time access provisioning with time-limited elevation is the target state. The reason: AI-driven lateral movement after initial access depends on finding privileged credentials to escalate with. Removing standing privileges forces an attacker, whether human or AI, to generate detectable activity to escalate.
5. Run a tabletop exercise for simultaneous multi-CVE disclosure within 90 days. Your incident response plan was built for one major incident at a time. AI-driven vulnerability discovery can generate dozens of critical findings in a single pass. Practice triaging ten critical vulnerabilities simultaneously with your current staffing. If the exercise reveals that your team cannot prioritize effectively under that load, you have identified a staffing or tooling gap that must be addressed before it becomes a real-world problem.
6. Begin planning a permanent VulnOps function within 12 months. Quarterly penetration tests are no longer sufficient. Continuous AI-driven vulnerability discovery across your entire software estate, staffed and automated as a permanent capability, is the target. Start by scoping what continuous scanning would cost with current models and identify which teams would own the function.

Frequently Asked Questions

What is the CSA AI Vulnerability Storm briefing?

It is a 30-page emergency strategy briefing published on April 14, 2026, by the Cloud Security Alliance, SANS Institute, the OWASP GenAI Security Project, and the [un]prompted community. It provides CISOs with a 13-item risk register mapped to four industry frameworks, 11 priority actions with specific timelines, 10 diagnostic questions for triage, and a board-ready executive briefing section. The document was built by over 60 named contributors and reviewed by more than 250 CISOs in a single weekend because the community needed actionable guidance before Monday morning, not commentary.

What is a Mythos-ready security program?

A Mythos-ready security program is one that has adapted its vulnerability management, patching cadence, incident response, and staffing to operate at the speed that AI-driven vulnerability discovery and exploitation demands. The briefing frames this as a program that includes continuous AI-assisted scanning, a permanent VulnOps function, phish-proof MFA, default-deny perimeters, and elimination of standing privileged access. The reason for the name is not that every organization needs access to Mythos specifically, but that the capability Mythos represents, whether from Anthropic or from future models, is the new baseline threat that security programs must be designed to withstand.

What is VulnOps and why does it matter?

VulnOps, or Vulnerability Operations, is a permanent organizational capability proposed by the CSA briefing. It replaces the traditional model of periodic penetration testing with continuous, AI-driven vulnerability discovery across an organization's entire software estate. The reason it matters now is economic: continuous scanning was prohibitively expensive for many organizations even 12 months ago, but AI has collapsed that cost barrier. The question is no longer whether organizations can afford continuous vulnerability discovery. It is whether they can afford not to, given that adversaries already run continuously.

Do I need access to Claude Mythos to start defending against AI-driven threats?

No. Aisle's research demonstrated that models with as few as 3.6 billion parameters, costing 11 cents per million tokens, can detect the same vulnerabilities that headlined Anthropic's Mythos announcement. Existing frontier models like Claude Opus 4.6 and GPT-5.4-Cyber are capable enough to surface meaningful findings today. Waiting for Mythos-class access is not a prerequisite for starting. What separates Mythos is autonomous exploitation, not detection, and detection is the capability that matters most for defensive use.

How fast are AI-discovered vulnerabilities being exploited in 2026?

According to the Zero Day Clock cited in the CSA briefing, the mean time from vulnerability disclosure to confirmed exploitation has fallen to less than one day in 2026, down from 2.3 years in 2019. The compression is not gradual. AI accelerates both the discovery and weaponization of vulnerabilities, and every patch released now simultaneously serves as an exploit blueprint for any adversary with AI-assisted reverse engineering capability. This means any security program designed around weekly or monthly patch cycles is operating on assumptions that no longer hold.

What did the UK AISI find when evaluating Claude Mythos Preview?

AISI built a 32-step corporate network attack simulation called "The Last Ones," estimated to take a human expert approximately 20 hours. Mythos was the first AI model to complete it start to finish, succeeding in 3 of 10 trials and completing an average of 22 of 32 steps across all attempts. On expert-level capture-the-flag challenges, Mythos succeeded 73% of the time. AISI flagged important caveats: its test environments lack live defenders, endpoint detection, or real-time incident response, so the results confirm capability against weakly defended systems but cannot confirm it can breach hardened enterprise networks. Performance was still scaling upward at AISI's 100-million-token compute budget, meaning results may understate what the model could achieve with more resources. Mythos failed AISI's "Cooling Tower" operational technology range, though it got stuck on IT-layer sections rather than OT-specific controls.

How did the US government respond to the Mythos announcement?

On April 8, 2026, Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened an emergency meeting at Treasury headquarters with the CEOs of Citigroup, Morgan Stanley, Bank of America, Wells Fargo, and Goldman Sachs. Separately, Vice President Vance and Secretary Bessent held a private call with tech CEOs including Anthropic's Dario Amodei, OpenAI's Sam Altman, Google's Sundar Pichai, Microsoft's Satya Nadella, and xAI's Elon Musk. National Cyber Director Sean Cairncross is leading a group of federal officials to map vulnerabilities in critical infrastructure. The speed of the response, the seniority of the officials involved, and the fact that it was convened the day after the announcement all signal that the administration views AI-driven cyber risk as a financial stability concern, not just a technology problem.

How fast will Mythos-class capabilities proliferate to attackers?

The CSA briefing projects that Mythos-class offensive capabilities will reach other frontier models within months and open-weight models within six to twelve months. That timeline may be optimistic. In February 2026, Anthropic published evidence that DeepSeek, Moonshot AI, and MiniMax had run industrial-scale distillation campaigns against Claude, generating over 16 million exchanges through approximately 24,000 fraudulent accounts. The campaigns specifically targeted the same capabilities that make Mythos dangerous: agentic reasoning, tool use, and coding. Illicitly distilled models lack the safety guardrails built into frontier systems. Defenders should plan as though Mythos-class capabilities will be broadly available within 12 months.

What should organizations outside of Project Glasswing do right now?

Organizations that are not among the roughly 50 Glasswing partners should not wait for an invitation. Existing frontier models and even small open-weight models are capable enough for meaningful defensive scanning today. Aisle demonstrated that a simple scanner using models as small as 3.6 billion parameters can surface real zero-day vulnerabilities. Begin scanning your highest-risk codebases this week with whatever models you have access to, build triage workflows to handle the output, and treat the Glasswing public findings report in July as the trigger for your second phase of remediation. The defender advantage window is real but temporary, and the organizations that use it to build scanning infrastructure now will be positioned to keep pace when Mythos-class capabilities proliferate.

The full briefing is available for free at the Cloud Security Alliance's labs page. SANS Institute is hosting a live demonstration, SANS Critical Advisory: BugBusters, on April 16, 2026, at 12:00 PM ET, where Ed Skoudis, Joshua Wright, and Chris Elgee will demonstrate AI-assisted vulnerability discovery against real code based on 15 months of penetration testing experience. The SANS AI Cybersecurity Summit follows on April 20 with speakers drawn directly from the Mythos-Ready briefing's contributor list, and the CSA Agentic AI Security Summit runs April 29-30 as a free two-day virtual event covering secure design, deployment, and scaling of autonomous AI systems. If your organization is still evaluating whether this shift is real, those events are a good place to start.