From Claude Mythos to meaningful response

How to prepare for the surge in vulnerabilities, patches, and cyber operational pressure

With the release of Claude Mythos, the ‘Mythos moment’ has generated much attention, concern and discourse because it is seen as an inflection point in cybersecurity that will:

  • Lower the barrier to entry for adversaries with historically lower maturity, and increase the overall advantage that threat actors can achieve in the near future with AI-enabled offensive capabilities
  • Highlight structural weaknesses in reactive security models, in particular vulnerability management, which has traditionally been slow to adjust to accelerating technical developments
  • Force a rethink of what areas to prioritise when looking at current and future Cybersecurity investment

In practice the widespread availability of Mythos (and similar technology) will:

  1. Substantially increase the volume of vulnerabilities discovered
  2. Reduce the time between a vulnerability being disclosed and weaponised from days to hours
  3. Within 3–6 months, result in broadly accessible, Mythos-level offensive reasoning capabilities, based on orchestration of existing tools rather than access to frontier models

Our perspectives on AI-enabled cybersecurity

We are taking a measured view of events and how organizations will be required to respond. While benchmarks of Claude Mythos and comparable frontier models do indicate a step forward in offensive reasoning, we are yet to see whether they will be as effective in environments where fundamental security controls and defense-in-depth are in place.

It is already clear that where gaps in defense-in-depth exist, and where organizations persist with traditional information security management methods, they will undoubtedly expose themselves to the major and perhaps catastrophic offensive advantage that Mythos’ vulnerability discovery and exploitation capabilities can provide.

While the efficacy of vulnerabilities Mythos can discover is yet to be confirmed, the acceleration in time-to-exploit is undeniable. Where it was previously possible to minimise the gap between attackers’ time-to-exploit and defenders’ time to remediation at human-speed, this guarantee melts away at AI-speed.

In the immediate term, defenders need to focus on testing the operational readiness of the core security controls, strengthening the vulnerability management program, and readying themselves for a potential surge in incidents to manage (while not taking their eye off existing challenges).

Francesca Kempster, Senior Manager, Wavestone

Naturally, as this situation evolves, so will our analysis and recommendations; keep this page bookmarked to stay up-to-date with our latest advice and experience.

As a starting point, we summarize the critical next steps and three practical actions based on live engagements and discussions with our clients.

The immediate focus  

The critical next steps in the next 6 months are focused on readiness and prioritization. The first wave is the immediate operational playbook to activate if vulnerability volume and patching pressure increase as quickly as expected.


First steps to take for the Mythos-driven patch wave:

  1. Clarify critical threat exposure across key business systems and critical security tools. Reinforce foundational hardening measures
  2. Establish patching ownership, councils, and SLAs
  3. Stand up an emergency playbook, pressure-tested via exec tabletop
  4. Ready the SOC and IR function for compressed exploit timelines
  5. Use the current executive attention to fix what has been known but unresolved for years, before the window closes

Action to take right now  

To help organisations prepare in the short term, we recommend the following practical actions:

A 2-3-hour tabletop with the CTO, CISO, and heads of production simulating 20 concurrent zero-days on a critical, internet-facing application. The exercise tests whether patching workflows handle volume, and whether governance in production is fast and clear enough under pressure.

This provides: an immediate prioritised list of where operations break, and how to fix them.

The new normal: Changes for Cybersecurity long term

Long term (6 months+) there are 5 challenge statements to guide discussions on response measures:

  1. Patch management becomes continuous. Faster testing, sharper prioritization, tighter deployment coordination. The quarterly patch cycle is dead.
  2. AI plays both sides. Expect it to accelerate attacker reconnaissance and strengthen defensive capability.
  3. Vendor patch velocity becomes a procurement criterion. Your exposure is now a function of your vendors’ SDLC maturity, not just yours.
  4. The attack surface expands beyond code. Configuration, identity, and supply-chain weaknesses are equally exploitable at AI speed.
  5. AI-enabled defence becomes part of the baseline. As the AI landscape evolves, organisations will need to build defensive capabilities that can keep pace with attacker speed and scale.

We’re here to help  

We are working with many of our clients, who are in various stages of the above actions. If you’d like to discuss tactical actions to take for your context or explore the longer-term implications for your security program, do get in touch with one of our experts. We’re here to help.