AI isn’t the threat. It’s the acceleration layer for cyber risk

The real danger with frontier AI models like Mythos being unleashed – with all its potential to find latent weaknesses – isn’t that it creates new and unforeseen threats. It’s that it accelerates the speed of the old threats to the point where most companies aren’t going to keep up.
The game of Cat and Mouse (that age-old security metaphor) works because cats and mice are generally equally matched. The cat runs fast, and the mouse runs just a bit faster. Usually. But what about when the cat straps on rocket boosters?
That’s essentially what’s happening with Mythos. The same old plays are being run: some variation of find the vulnerability, exploit the vulnerability, steal the data, get away. But now, they’re happening at machine speed, and pretty unilaterally so; the only thing stopping all adversaries from using the technology is availability, and that problem will likely be remedied by dark web distribution.
Now, defenders are left to defend at – the speed of automation? It’s no match for AI. And yet the pace of AI adoption doesn’t depend on a download for most companies (like it does for attackers). It’s tied up in red tape, regulations, legal frameworks, executive buy-in, budgets, integrations, and (security-first) training. As well it should be; legal use of AI should be both ethical and safe.
But it does present a problem. The speed gap – that is, attackers being considerably quicker on the draw than defenders are right now – is what needs to be addressed. The challenge for organizations will be removing the roadblocks to safe and fast AI adoption so they can begin to catch up to attackers, or outrun them.
Put simply, the real story isn't what Mythos can do; it's what Mythos reveals about how unprepared most organizations are to defend at machine speed.
AI accelerates, it doesn’t invent
While AI can invent, no one’s about to do things the hard way. If attackers are able to find success doing the same old tricks faster – and they are – they're going to do it.
What we see with Mythos is a force-multiplied ability to find exposed security holes. This was the stuff of expertise just five years ago: the ability to scan the public IPv4 space looking for open ports (Nmap, Shodan), grabbing ports and correlating them to vulnerable versions, and mapping those versions to CVE databases and GitHub PoCs.
At that point, the resident hacking expert would do what only they could do: create the exploit. This meant reverse-engineering the findings – does the bug actually work? Is it a logical flaw? An issue with authentication or API behavior? And then, once the flaw mechanics were understood, crafting a custom trigger that would reproduce the event: malformed packets, oversized requests, crafted API calls, etc.
The work was hard, prone to human error, and frankly, something to be proud of. Moral qualms aside.
But now engineers with zero security training are using Mythos to produce working exploits overnight. The process used to take teams weeks. Before, SOCs working with equal skillsets and equal tooling stood a chance of defending against these attacks, if only because they took so long to build. RaaS sped up the process; SOC automation countered it. Now AI has strapped the process to a rocket ship, and defenders have yet to counter, at least en masse.
Mythos finds what millions of scans can’t, and fast
Going back to the first-released data on Mythos’ capabilities, we see that within its first series of tests, Mythos was able to find things that had been lying dormant – and unfound – for decades.
It discovered a 27-year-old OpenBSD flaw and a 16-year-old FFmpeg vulnerability, both of which had been missed for all that time – and by 5 million previous fuzzing tests, according to Project Glasswing’s Technical Report. Within just a few weeks, it “was able to spot thousands of previously undiscovered zero-day vulnerabilities,” and did so autonomously, “proving how invaluable it could be for the future of cybersecurity.” Provided it doesn’t fall into the wrong hands. Which, shortly after its public release, it did.
AI lowers the attacker skill floor dramatically. It also lowers the rate of attacks, combining the two factors to mean that faster exploits can now be churned out by anybody. Consequently, AI-enabled attacks were up by 89% in 2025, and that was before Mythos. It will be interesting to see comparative rates next year.
The key malicious capability of AI right now is speed. As Tenable CPO Eric Doerr states in Security Boulevard, “[AI] supercharges traditional attack methods...it might even find a new zero day or two, but it’s not finding novel attack techniques.” Which is why Doerr advocates that the best way forward for defenders is doubling down on foundational cybersecurity practices, albeit at machine speed.
Orgs aren’t ready for machine-speed defense
Most security teams are still operating reactive detect-and-respond processes that assume response time still exists. The mean-time-to-exploit dropped from 32 days down to 5 back in 2023. Mythos reasonably drives that time down to minutes.
Now that the window between a vulnerability existing and that same vulnerability being weaponized has effectively collapsed, a cybersecurity ‘hysteria’ has been setting in. But the point isn’t to throw around FUD: as experts agree, the threat has always existed—it’s just now out in the open.
What AI exposes is the problem of fast-moving AI agents. These non-human identities (think service accounts, agentic AI) now represent 52% of identity-based cloud risk, per Tenable’s Cloud and AI Security Risk Report. The majority are over-permissioned and unmonitored, and most likely under-governed, as it’s an open secret that AI adoption has far outpaced AI security frameworks and GRC.
When those vulnerability-seeking agents meet most environments, the problem comes to light. A full 86% of organizations now host third-party code with critical-severity vulnerabilities, according to the same report, and most still don’t know it. Between overworked SOCs and AI-powered Mythos, any guesses as to who will find them first?
Hybrid cloud sprawl and shadow IT leave large portions of the attack surface untracked, and legacy code survives in production long after its risks are fully vetted or understood. The old method of “find and patch” is not going to work, because Mythos and other AI tools aren’t just finding CVEs. Exposures are everywhere, so the new solution is to ask, “do we know everything that’s exposed?” And then use AI to fix things from there.
Eliminating exposures at machine speed
AI didn’t fundamentally change the game; it only upped the stakes of not knowing what’s exposed and not being able to fix it fast enough.
Those are problems alleviated (or eliminated) by exposure management. AI-wielding attackers are using Mythos to find all threats, or all exposures, across all surfaces at machine speed.
Exposure management plays the same game, using AI to likewise find and expose (to the SOC) all exposures across all areas of the attack surface (EDR, SIEM, cloud, identity, email). Also at machine speed.
Now the Cat and Mouse game is back on. Not only that, but exposure management platforms prioritize remediations based on exploitability, likelihood of being exploited, and business impact, so threats are tamped down in the order of importance. External threat intelligence is drawn in, so remediations are also ordered by what’s happening in the landscape and where attackers are likely to strike first.
Threat intelligence and internal security context are integrated into security workflows, so remediations happen autonomously, and at the pace of human-directed AI agents. AI vulnerability management becomes AI exposure management.
Exposure management levels the playing field. It provides analysts with a comprehensive attack surface view, just like attackers have. And it uses AI to do for defenders what it is already doing for attackers—and just as fast.
Mythos-ready security will come down to not only who knows where the critical weaknesses are, but who can get there first. And that will be decided by which side best knows how to use their AI.