To handle the elephant within the room, this weblog treats Anthropic’s latest Claude Mythos Preview and Undertaking Glasswing bulletins as legitimate, reputable, and regarding. Whereas many people are dismissing a lot of what Anthropic introduced as advertising hype, Anthropic did again up its assertions with proof, as did its companions.
If that is advertising, Anthropic’s achieved a masterful job of it. However we’ll go away that evaluation to our colleagues in B2B advertising.
The response to the bulletins included among the usual recommendation that’s been disbursed yr after yr:
Benchmarks. Vulnerability counts. SBOMs. Accomplice logos. Patch quicker. Automate extra.
These are all correct and extra essential than ever. We agree, and we mentioned so. However the capabilities of Anthropic’s newest mannequin additionally signify a shift that goes past the near-term changes that groups must undertake.
Automated testing instruments scanned a 16-year-old line of code 5 million instances and did not catch one thing Mythos recognized and exploited. The issues launched by Mythos can’t be solved the outdated method. If they might, then 12 firms — many opponents of each other — wouldn’t have banded collectively to attempt to mitigate among the potential harm it could trigger if unleashed on the world.
Anthropic said that it doesn’t intend to launch Mythos Preview as usually out there, however it’s going to launch Mythos succesful fashions sooner or later. And its opponents — home and worldwide — might not be so prepared to pump the brakes on releasing a mannequin that prices billions of {dollars} to develop and prepare.
The second- and third-order results of Mythos are fascinating and, to date, undiscussed. Throughout domains as disparate as safety tooling, vulnerability administration, insurance coverage, and regulation, Undertaking Glasswing and Mythos will carry adjustments. Most of those received’t present up in headlines as a result of they are going to floor as value corrections, lacking knowledge, and uncomfortable questions, over months and years.
This put up lays out a few of these penalties, grouped by after they’ll hit: instantly, over the subsequent 6–18 months, and over the subsequent 2–5 years. These observe straight from what Glasswing and Mythos demonstrated.
First-Order Results: What Adjustments Now
These are the direct penalties of Mythos current, not adoption curves or hypothetical futures.
1. Open-source maintainers turn into the bottleneck
Glasswing surfaced vulnerabilities that have been 16 and 27 years outdated in initiatives maintained by small volunteer groups. Anthropic’s $4 million donation to open-source safety teams will get the intuition proper. Mythos turns discovery into an exponential downside. Remediation capability in open supply doesn’t scale with it. It stays human, finite, underpaid, and largely voluntary.
After Mythos, vulnerability administration stops being about discovering bugs. It turns into about figuring out, funding, and retaining the individuals certified to repair them safely. With out that shift, many important open-source initiatives danger replaying the COBOL downside: indispensable code with no sustainable upkeep mannequin.
2. Discovery now not units the value for penetration testing
Conventional penetration exams for functions, net functions, and infrastructure routinely run between $20–120K, with pricing anchored to the perceived shortage of discovery experience. Mythos Preview surfaced 1000’s of comparable vulnerabilities autonomously in weeks, with out billable hours. Discovering bugs is now not the differentiator; interpretation, prioritization, remediation steering, and authorized defensibility are.
Corporations that proceed pricing pentests as if vulnerability discovery is the worth will see income erosion earlier than they exchange it with one thing defensible. The worth shifts to understanding the code base, the programs that run it, and find out how to deploy remediations that really cut back danger.
3. Anthropic is now a very powerful associate for each safety firm
Mythos elevates Anthropic to a core dependency for a lot of cybersecurity distributors past the preliminary Undertaking Glasswing group — till the subsequent succesful frontier mannequin comes out, a minimum of. The inclusion of Anthropic and its instruments will form how future capabilities are delivered, ruled, and trusted. Distributors that formalize partnerships with Anthropic, with specific expectations round reliability, governance, escalation, insurability, and regulatory alignment, will achieve leverage over deployment fashions and buyer outcomes. It will translate into clearer accountability, stronger differentiation, and fewer downstream surprises. Distributors that go away the connection implicit settle for dependency with out affect, growing publicity when governance gaps floor underneath buyer or regulatory strain.
Second-Order Results: 6–18 Months Out
These emerge because the market reacts to the first-order shift. Anticipate repricing, consolidation, and a few quiet failures.
4. Remediation companies turn into the prize class
Discovery is now low-cost. Remediation is the place the worth lives. Discovering issues is straightforward; fixing them is tough. The primary companies agency to construct a Mythos native apply that interprets AI-generated findings, prioritizes them towards enterprise context, and coordinates large-scale patching captures the margin penetration testing simply misplaced. This isn’t an extension of current pentesting practices; it’s a brand new working mannequin constructed round scale, sequencing, and alter management throughout actual manufacturing environments. That companies class doesn’t exist but. The window to outline it, value it, and lock in purchaser expectations earlier than it commoditizes is roughly 18 months. Anthropic’s launch of Managed Brokers foreshadows this. Anticipate one thing akin to MDR — with an emphasis on the “response” a part of MDR — to return to different safety domains.
5. The CVE system begins visibly failing
Mythos Preview discovered 1000’s of zero-days in weeks inside a single atmosphere. Scale that throughout consortium members and broader availability, and CVE quantity will overwhelm triage infrastructure fully. The failure received’t look dramatic. It should present up as months-long enrichment backlogs whereas vulnerability instruments proceed prioritizing danger on more and more incomplete knowledge. As this compounds, the marginal worth of discovering the subsequent vulnerability collapses. Every further zero-day doesn’t enhance danger posture if it can’t be validated, contextualized, and acted on contained in the window the place exploitation issues.
6. Nation-state cyber technique shifts from hoarding to racing
Nation states have spent many years compiling their very own shops of zero-days to burn when it issues most. These stockpiles and the many years of assets and work used to gather them are about to be ineffective. Stockpiling zero-days depends on discovering issues which might be troublesome for others to search out, and with Mythos, that’s now over. Mythos forces their arms. Anticipate nation states which have stockpiled zero-days to make use of them to exfiltrate knowledge and/or set up footholds into the atmosphere for use at a later date.
7. Cyber insurance coverage will reprice shortly
Cyber insurance coverage premiums entered 2026 at flat to declining charges, pushed by refined underwriting, extra capability, and aggressive strain. Mythos breaks the invention assumptions embedded in insurer loss fashions. Within the quick time period, insurers will possible confirm safety posture through Mythos companions slightly than proudly owning the software themselves, which comes later by way of provider, dealer, and insurtech M&A.
Anticipate exclusions that explicitly goal AI-discovered vulnerabilities that aren’t remediated inside outlined timeframes, triggered by the primary high-profile post-Mythos loss. Insurers haven’t stress-tested portfolios towards Mythos-driven vulnerability discovery. After they do incorporate Mythos verification into insureds’ management profiles, repricing can be abrupt, not gradual.
8. Regulators lock Glasswing in because the reference case
The EU AI Act, NIST AI RMF, and SEC cyber guidelines have been written earlier than autonomous zero-day discovery at this scale existed publicly. Mythos successfully resets requirements for “cheap care” and offers regulators a brand new anchor for “excessive functionality” AI. For CISOs, this creates a compliance hole as conventional patching turns into more and more inadequate. Moreover, Mythos Preview nearly definitely qualifies as “excessive danger” underneath the EU AI Act resulting from its potential use instances in important infrastructure and its function as a security part.
CISOs working within the EU might want to bridge the hole between conventional and AI-speed vulnerability discovery earlier than compliance groups ask questions they’re not ready to reply. CISOs within the US ought to anticipate an acceleration of AI regulation in consequence and replace their cyber disclosures to deal with autonomous zero-day discovery as a foreseeable risk.
Third-Order Results: Structural Adjustments In 2–5 Years
These reshape markets and careers. You received’t see them but, however they’re already baked in.
9. AI-assisted safety governance turns into its personal compliance subject
Regulators and insurers would require documented human oversight (“human within the loop” audit trails) between AI discovery and motion. The artifact appears to be like like: AI discovering, human evaluation and validation, authorization, execution. This creates a brand new audit and evaluation market round AI-assisted safety governance that extends past most organizations’ governance applications. Distributors within the GRC and AI governance classes are offering restricted functionality, however true AI-assisted safety governance requires built-in tooling throughout safety tech stacks that largely doesn’t exist at the moment.
The distributors that construct documentation, workflow, and oversight tooling earlier than mandates formalize it’s going to personal the class, and people mandates usually tend to arrive first by way of insurance coverage underwriting necessities.
10. Safety careers pivot away from discovery
Unearthing vulnerabilities and reverse-engineering malware cease being in-demand abilities as AI autonomously surfaces 1000’s of credible, high-severity exposures throughout each main system. The brand new important abilities are judgment-based and embody validating AI findings, red-teaming AI-generated patches earlier than they’re rolled out, and making accountable selections about when to behave underneath extreme time strain. Universities, certification issuers, and plenty of cybersecurity abilities and coaching platforms are nonetheless constructing finders, not deciders.
Organizations that retrain quickest and retrain for this new profile — one that’s centered on area experience utilized as structured reasoning underneath strain — will workers the subsequent era of safety operations appropriately.
What CISOs And Distributors Ought to Do Now
For CISOs, the quick work nonetheless issues, greater than it did earlier than: patch cadence, legacy code evaluation, vendor benchmarking.
The more durable work begins subsequent: 1) Reread cyber insurance coverage exclusions by way of an AI-accelerated disclosure lens; 2) determine which instruments depend upon Nationwide Vulnerability Database enrichment and construct different knowledge paths; 3) stress-test detection towards attackers able to in a single day exploit growth; and 4) upskill your practitioners and groups on AI output validation and judgment calls underneath strain.
For distributors, the query is easy. Does your worth proposition survive when frontier mannequin entry turns into unusual? In case your worth is derived from discovering and never fixing, what you are promoting mannequin has an expiration date.
Join With Us
Forrester shoppers with questions associated to this could join with us by way of an inquiry or steering session.
