To handle the elephant within the room, this weblog treats Anthropic’s latest Claude Mythos Preview and Undertaking Glasswing bulletins as legitimate, reliable, and regarding. Whereas many of us are dismissing a lot of what Anthropic introduced as advertising and marketing hype, Anthropic did again up its assertions with proof, as did its companions.
If that is advertising and marketing, Anthropic’s accomplished a masterful job of it. However we’ll go away that evaluation to our colleagues in B2B advertising and marketing.
The response to the bulletins included a few of the standard recommendation that’s been allotted 12 months after 12 months:
Benchmarks. Vulnerability counts. SBOMs. Associate logos. Patch quicker. Automate extra.
These are all correct and extra vital than ever. We agree, and we mentioned so. However the capabilities of Anthropic’s newest mannequin additionally signify a shift that goes past the near-term changes that groups must undertake.
Automated testing instruments scanned a 16-year-old line of code 5 million occasions and did not catch one thing Mythos recognized and exploited. The issues launched by Mythos can’t be solved the previous manner. If they may, then 12 corporations — many opponents of each other — wouldn’t have banded collectively to attempt to mitigate a few of the potential harm it might trigger if unleashed on the world.
Anthropic said that it doesn’t intend to launch Mythos Preview as usually obtainable, however it’s going to launch Mythos succesful fashions sooner or later. And its opponents — home and worldwide — will not be so prepared to pump the brakes on releasing a mannequin that prices billions of {dollars} to develop and practice.
The second- and third-order results of Mythos are fascinating and, up to now, undiscussed. Throughout domains as disparate as safety tooling, vulnerability administration, insurance coverage, and regulation, Undertaking Glasswing and Mythos will convey adjustments. Most of those gained’t present up in headlines as a result of they are going to floor as worth corrections, lacking information, and uncomfortable questions, over months and years.
This submit lays out a few of these penalties, grouped by after they’ll hit: instantly, over the following 6–18 months, and over the following 2–5 years. These observe instantly from what Glasswing and Mythos demonstrated.
First-Order Results: What Adjustments Now
These are the direct penalties of Mythos present, not adoption curves or hypothetical futures.
1. Open-source maintainers turn out to be the bottleneck
Glasswing surfaced vulnerabilities that have been 16 and 27 years previous in tasks maintained by small volunteer groups. Anthropic’s $4 million donation to open-source safety teams will get the intuition proper. Mythos turns discovery into an exponential downside. Remediation capability in open supply doesn’t scale with it. It stays human, finite, underpaid, and largely voluntary.
After Mythos, vulnerability administration stops being about discovering bugs. It turns into about figuring out, funding, and retaining the folks certified to repair them safely. With out that shift, many crucial open-source tasks danger replaying the COBOL downside: indispensable code with no sustainable upkeep mannequin.
2. Discovery now not units the value for penetration testing
Conventional penetration checks for functions, net functions, and infrastructure routinely run between $20–120K, with pricing anchored to the perceived shortage of discovery experience. Mythos Preview surfaced 1000’s of comparable vulnerabilities autonomously in weeks, with out billable hours. Discovering bugs is now not the differentiator; interpretation, prioritization, remediation steering, and authorized defensibility are.
Companies that proceed pricing pentests as if vulnerability discovery is the worth will see income erosion earlier than they substitute it with one thing defensible. The worth shifts to understanding the code base, the methods that run it, and tips on how to deploy remediations that really cut back danger.
3. Anthropic is now a very powerful associate for each safety firm
Mythos elevates Anthropic to a core dependency for a lot of cybersecurity distributors past the preliminary Undertaking Glasswing group — till the following succesful frontier mannequin comes out, at the least. The inclusion of Anthropic and its instruments will form how future capabilities are delivered, ruled, and trusted. Distributors that formalize partnerships with Anthropic, with express expectations round reliability, governance, escalation, insurability, and regulatory alignment, will acquire leverage over deployment fashions and buyer outcomes. This may translate into clearer accountability, stronger differentiation, and fewer downstream surprises. Distributors that go away the connection implicit settle for dependency with out affect, rising publicity when governance gaps floor beneath buyer or regulatory strain.
Second-Order Results: 6–18 Months Out
These emerge because the market reacts to the first-order shift. Count on repricing, consolidation, and a few quiet failures.
4. Remediation companies turn out to be the prize class
Discovery is now low cost. Remediation is the place the worth lives. Discovering issues is straightforward; fixing them is difficult. The primary companies agency to construct a Mythos native observe that interprets AI-generated findings, prioritizes them in opposition to enterprise context, and coordinates large-scale patching captures the margin penetration testing simply misplaced. This isn’t an extension of present pentesting practices; it’s a brand new working mannequin constructed round scale, sequencing, and alter management throughout actual manufacturing environments. That companies class doesn’t exist but. The window to outline it, worth it, and lock in purchaser expectations earlier than it commoditizes is roughly 18 months. Anthropic’s launch of Managed Brokers foreshadows this. Count on one thing akin to MDR — with an emphasis on the “response” a part of MDR — to return to different safety domains.
5. The CVE system begins visibly failing
Mythos Preview discovered 1000’s of zero-days in weeks inside a single setting. Scale that throughout consortium members and broader availability, and CVE quantity will overwhelm triage infrastructure utterly. The failure gained’t look dramatic. It would present up as months-long enrichment backlogs whereas vulnerability instruments proceed prioritizing danger on more and more incomplete information. As this compounds, the marginal worth of discovering the following vulnerability collapses. Every extra zero-day doesn’t enhance danger posture if it can’t be validated, contextualized, and acted on contained in the window the place exploitation issues.
6. Nation-state cyber technique shifts from hoarding to racing
Nation states have spent many years compiling their very own shops of zero-days to burn when it issues most. These stockpiles and the many years of sources and work used to gather them are about to be ineffective. Stockpiling zero-days depends on discovering issues which can be tough for others to seek out, and with Mythos, that’s now over. Mythos forces their palms. Count on nation states which have stockpiled zero-days to make use of them to exfiltrate information and/or set up footholds into the setting for use at a later date.
7. Cyber insurance coverage will reprice shortly
Cyber insurance coverage premiums entered 2026 at flat to declining charges, pushed by refined underwriting, extra capability, and aggressive strain. Mythos breaks the invention assumptions embedded in insurer loss fashions. Within the brief time period, insurers will possible confirm safety posture by way of Mythos companions relatively than proudly owning the software themselves, which comes later by way of provider, dealer, and insurtech M&A.
Count on exclusions that explicitly goal AI-discovered vulnerabilities that aren’t remediated inside outlined timeframes, triggered by the primary high-profile post-Mythos loss. Insurers haven’t stress-tested portfolios in opposition to Mythos-driven vulnerability discovery. After they do incorporate Mythos verification into insureds’ management profiles, repricing might be abrupt, not gradual.
8. Regulators lock Glasswing in because the reference case
The EU AI Act, NIST AI RMF, and SEC cyber guidelines have been written earlier than autonomous zero-day discovery at this scale existed publicly. Mythos successfully resets requirements for “cheap care” and provides regulators a brand new anchor for “excessive functionality” AI. For CISOs, this creates a compliance hole as conventional patching turns into more and more inadequate. Moreover, Mythos Preview nearly definitely qualifies as “excessive danger” beneath the EU AI Act as a result of its potential use circumstances in crucial infrastructure and its function as a security element.
CISOs working within the EU might want to bridge the hole between conventional and AI-speed vulnerability discovery earlier than compliance groups ask questions they’re not ready to reply. CISOs within the US ought to anticipate an acceleration of AI regulation because of this and replace their cyber disclosures to deal with autonomous zero-day discovery as a foreseeable risk.
Third-Order Results: Structural Adjustments In 2–5 Years
These reshape markets and careers. You gained’t see them but, however they’re already baked in.
9. AI-assisted safety governance turns into its personal compliance subject
Regulators and insurers would require documented human oversight (“human within the loop” audit trails) between AI discovery and motion. The artifact appears like: AI discovering, human evaluate and validation, authorization, execution. This creates a brand new audit and evaluation market round AI-assisted safety governance that extends past most organizations’ governance applications. Distributors within the GRC and AI governance classes are offering restricted functionality, however true AI-assisted safety governance requires built-in tooling throughout safety tech stacks that largely doesn’t exist right this moment.
The distributors that construct documentation, workflow, and oversight tooling earlier than mandates formalize it’s going to personal the class, and people mandates usually tend to arrive first by way of insurance coverage underwriting necessities.
10. Safety careers pivot away from discovery
Unearthing vulnerabilities and reverse-engineering malware cease being in-demand abilities as AI autonomously surfaces 1000’s of credible, high-severity exposures throughout each main system. The brand new crucial abilities are judgment-based and embrace validating AI findings, red-teaming AI-generated patches earlier than they’re rolled out, and making accountable selections about when to behave beneath extreme time strain. Universities, certification issuers, and lots of cybersecurity abilities and coaching platforms are nonetheless constructing finders, not deciders.
Organizations that retrain quickest and retrain for this new profile — one that’s targeted on area experience utilized as structured reasoning beneath strain — will workers the following technology of safety operations appropriately.
What CISOs And Distributors Ought to Do Now
For CISOs, the rapid work nonetheless issues, greater than it did earlier than: patch cadence, legacy code evaluate, vendor benchmarking.
The tougher work begins subsequent: 1) Reread cyber insurance coverage exclusions by way of an AI-accelerated disclosure lens; 2) establish which instruments rely on Nationwide Vulnerability Database enrichment and construct various information paths; 3) stress-test detection in opposition to attackers able to in a single day exploit improvement; and 4) upskill your practitioners and groups on AI output validation and judgment calls beneath strain.
For distributors, the query is easy. Does your worth proposition survive when frontier mannequin entry turns into odd? In case your worth is derived from discovering and never fixing, your corporation mannequin has an expiration date.
Join With Us
Forrester purchasers with questions associated to this may join with us by way of an inquiry or steering session.
