What AI Vulnerability Discovery Means for Your Business
In April 2026, Anthropic released Mythos, an AI model purpose-built for cybersecurity research. Within its first week, it discovered 181 previously unknown vulnerabilities in Firefox alone. That is not a typo. The previous state-of-the-art model found 2. This guide explains what happened, why it matters for every business with an internet presence, and what practical steps you can take right now.
- What Anthropic's Mythos model demonstrated and why it changes the threat landscape
- How Project Glasswing aims to use AI defensively
- Why AI attackers do not discriminate by company size
- Why continuous monitoring is now essential, not optional
- Practical steps to prepare your organization today
What Mythos Demonstrated
Anthropic's Mythos model was the first large-scale AI system purpose-built for offensive cybersecurity research. The results were staggering. In controlled testing, Mythos discovered 181 previously unknown vulnerabilities in Firefox, compared to just 2 found by the previous best AI model. But Firefox was only the beginning.
Mythos found exploitable vulnerabilities in every major operating system and browser tested. Windows, macOS, Linux, Chrome, Safari, Edge: none were immune. Perhaps most alarming: 99% of the vulnerabilities Mythos discovered had no patch available at the time of disclosure. These were not known bugs being rediscovered. They were novel zero-days that no human researcher had identified.
The jump from 2 vulnerabilities to 181 in a single software product is a roughly 90x improvement in AI vulnerability discovery capability. This is not incremental progress. It is a phase change in offensive security capability, and it happened in a single model release.
What makes Mythos fundamentally different from previous AI security tools is its ability to reason about code at a deep architectural level. It does not just scan for known patterns or match against CVE databases. It understands how software components interact, identifies logical flaws in authentication flows, and discovers race conditions that would take human researchers weeks to find. Mythos can do this in hours.
Project Glasswing: $100M to Use AI Defensively
Recognizing the dual-use nature of this capability, Anthropic announced Project Glasswing — a $100 million initiative to apply AI vulnerability discovery defensively. The goal is to find and responsibly disclose vulnerabilities before attackers can exploit them, working with major software vendors to patch critical issues at AI speed.
Project Glasswing represents a fundamental bet: that AI-powered defense can outpace AI-powered offense if defenders have access to the same caliber of tools. The initiative includes partnerships with major browser vendors, operating system developers, and cloud providers to create a coordinated disclosure pipeline that operates at the speed AI demands.
Project Glasswing's core insight is that traditional responsible disclosure timelines — 90 days is standard — are no longer viable when AI can discover and weaponize vulnerabilities in hours. Glasswing aims to compress the discover-to-patch cycle from months to days by providing vendors with AI-generated proof-of-concept exploits alongside detailed remediation guidance.
But Project Glasswing only protects software vendors who participate. It does not directly protect the millions of businesses running that software. The gap between a patch being available and a business actually applying it — the patch window — is where real-world breaches happen. And as we will see, that window is collapsing.
What This Means for SMBs
Small and mid-sized businesses have historically operated under a comforting assumption: "We are too small to be targeted." AI-powered attacks demolish this assumption entirely.
AI does not choose targets based on revenue or name recognition. It scans entire IP ranges and exploits every vulnerable system it finds. A 10-person accounting firm running an unpatched WordPress site is just as discoverable — and just as exploitable — as a Fortune 500 company. The economics of AI-powered scanning mean attackers can target everyone simultaneously.
Consider what changes when vulnerability discovery becomes automated:
- Volume of attacks increases by orders of magnitude. Scanning the whole internet for open ports and services was already cheap and automated; what changes is that exploit development against whatever the scan finds becomes automated too. Every internet-facing asset is now within reach of an attacker who no longer needs a skilled researcher per target.
- Sophistication increases at no additional cost. AI-discovered exploits are not simple script-kiddie attacks. They are the same caliber of vulnerabilities that previously only nation-state actors could find.
- Speed of exploitation collapses. The time between a vulnerability existing and someone exploiting it is shrinking from months to hours. Annual pentests and quarterly patching cycles cannot keep pace.
- Automation chains entire attack sequences. AI does not just find the vulnerability — it can chain multiple findings together to build complete attack paths from initial access to data exfiltration.
For SMBs, this means the security model that worked for the last decade — annual pentests, reactive patching, and hoping to fly under the radar — is no longer viable. You need to know your attack surface continuously, not periodically.
Know Your Attack Surface Before AI Does
DriftAlarm continuously monitors your external attack surface — discovering new subdomains, open ports, expiring certificates, and configuration drift before AI-powered tools can exploit them.
Why Continuous Monitoring Is Now Essential
Before AI-powered vulnerability discovery, the calculus was straightforward: scan quarterly, patch critical vulnerabilities within 30 days, and run an annual pentest. This cadence worked because attackers operated on similar timelines. Finding and weaponizing a zero-day took weeks or months of skilled human effort.
That timeline has collapsed. When AI can discover novel zero-days in hours, and comparable tooling cannot be kept out of attackers' hands for long, the defender's scanning cadence must match the attacker's capability. Quarterly scanning against hourly AI discovery is not a security program; it is security theater.
| Factor | Pre-AI (2024) | Post-AI (2026) |
|---|---|---|
| Time to discover a zero-day | Weeks to months (human researchers) | Hours (AI models) |
| Cost of vulnerability research | $50K-$500K per zero-day | Near-zero marginal cost |
| Number of simultaneous targets | Dozens (resource-constrained) | Thousands (automated) |
| Attack sophistication floor | Script kiddie (nation-state caliber only for well-resourced actors) | Nation-state caliber for everyone |
| Required defender scanning cadence | Quarterly to monthly | Daily to continuous |
Continuous monitoring does not mean you need to watch a dashboard 24/7. It means automated systems scan your attack surface daily, compare results against a known-good baseline, and alert you when something changes. The key shift is from point-in-time assessment to continuous awareness.
Practical Steps You Can Take Today
You cannot control when AI-powered attacks reach your organization. But you can control how prepared you are when they do. Here are five concrete steps that meaningfully reduce your risk — regardless of your budget or team size.
1. Inventory your external attack surface. You cannot defend what you do not know exists. Enumerate every domain, subdomain, IP address, and cloud resource your organization exposes to the internet, including shadow IT, forgotten staging servers, and legacy systems. Cross-check DNS zone exports, certificate transparency logs, and cloud provider asset inventories against each other; each source finds hosts the others miss. AI-powered scanners will find them, so you need to find them first.
2. Move from periodic to daily automated monitoring. Replace quarterly or annual scanning with daily automated checks diffed against a known-good baseline. Your attack surface changes every day: new subdomains, updated services, expiring certificates. Attackers scan continuously, and your monitoring must match their cadence.
3. Shorten the patch window for internet-facing systems. When AI can discover and weaponize vulnerabilities in hours, 30-day patching SLAs are insufficient for critical systems. Prioritize internet-facing assets for emergency patching and automate updates wherever possible, with a staged rollout and a tested rollback so that the automation does not become its own outage. The patch window is no longer measured in weeks.
4. Reduce your external footprint. Every internet-facing service is an entry point that AI can probe. Remove unnecessary services, close unused ports, decommission end-of-life software, and clean up dangling DNS records (a CNAME or A record still pointing at a deprovisioned cloud resource invites subdomain takeover). The smaller your external footprint, the fewer targets a scanner can find.
5. Prioritize remediation by exposure, not by CVSS alone. With AI generating more vulnerability data than ever, human-only triage becomes a bottleneck. Use AI-powered risk scoring and prioritization to focus remediation on the vulnerabilities that matter most: weight internet exposure, evidence of active exploitation, and the asset's blast radius above the raw CVSS score.
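The baseline comparison this section and the "Why Continuous Monitoring Is Now Essential" section describe (a daily snapshot diffed against a known-good baseline, alerting on new hosts, newly open ports, expiring certificates and dangling DNS) as an added example in Python. This is illustrative code written for this page, not DriftAlarm's implementation or any other product's. The hostnames, ports, dates and CNAME targets are constructed sample data; in practice the two snapshots would come from your subdomain enumeration and port scanning tooling, and the set of live CNAME targets from resolving each target, rather than from literals.

```python
"""Diff today's external attack-surface snapshot against a known-good baseline.

Added example for this page, not DriftAlarm's code. All hostnames, ports,
dates and CNAME targets below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    """One internet-facing name as seen by an external scan."""
    host: str
    ports: frozenset[int]
    cert_expiry: date | None = None   # None when nothing on the host serves TLS
    cname_target: str | None = None   # set when the name is a CNAME to another host


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info"
    host: str
    detail: str


_SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


def diff_attack_surface(
    baseline: dict[str, Asset],
    current: dict[str, Asset],
    today: date,
    live_targets: set[str],
    cert_warn_days: int = 14,
) -> list[Finding]:
    """Return the changes worth an alert, highest severity first.

    ``baseline`` and ``current`` map hostname -> Asset. ``live_targets`` is the
    set of CNAME targets that still resolve; a CNAME pointing anywhere else is
    dangling and therefore a subdomain-takeover candidate.
    """
    findings: list[Finding] = []

    for host, asset in current.items():
        known = baseline.get(host)
        if known is None:
            findings.append(Finding("high", host,
                f"new host exposed with ports {sorted(asset.ports)}"))
        else:
            opened = asset.ports - known.ports
            if opened:
                findings.append(Finding("high", host,
                    f"newly open ports {sorted(opened)}"))

        if asset.cert_expiry is not None:
            days_left = (asset.cert_expiry - today).days
            if days_left < 0:
                findings.append(Finding("high", host,
                    f"certificate expired {-days_left} days ago"))
            elif days_left <= cert_warn_days:
                findings.append(Finding("medium", host,
                    f"certificate expires in {days_left} days"))

        if asset.cname_target is not None and asset.cname_target not in live_targets:
            findings.append(Finding("high", host,
                f"dangling CNAME to {asset.cname_target} (subdomain takeover risk)"))

    # A host that vanished is usually fine, but confirm it was decommissioned
    # on purpose rather than knocked over or moved outside the inventory.
    for host in sorted(baseline.keys() - current.keys()):
        findings.append(Finding("info", host,
            "no longer answers; confirm it was decommissioned deliberately"))

    findings.sort(key=lambda f: (_SEVERITY_ORDER[f.severity], f.host))
    return findings


# Constructed snapshots: "yesterday" (baseline) and "today" (current scan).
TODAY = date(2026, 5, 1)
LIVE_TARGETS = {"firm-prod.cloudapp.test"}   # the staging target was deleted

BASELINE = {
    "www.example-firm.test": Asset("www.example-firm.test", frozenset({80, 443}), date(2026, 9, 1)),
    "mail.example-firm.test": Asset("mail.example-firm.test", frozenset({25, 443, 587}), date(2026, 5, 10)),
    "old-staging.example-firm.test": Asset("old-staging.example-firm.test", frozenset({443}),
                                           date(2026, 6, 1), cname_target="firm-staging.cloudapp.test"),
    "legacy-ftp.example-firm.test": Asset("legacy-ftp.example-firm.test", frozenset({21})),
}
CURRENT = {
    "www.example-firm.test": Asset("www.example-firm.test", frozenset({80, 443, 8080}), date(2026, 9, 1)),
    "mail.example-firm.test": Asset("mail.example-firm.test", frozenset({25, 443, 587}), date(2026, 5, 10)),
    "old-staging.example-firm.test": Asset("old-staging.example-firm.test", frozenset(),
                                           cname_target="firm-staging.cloudapp.test"),
    "dev-wp.example-firm.test": Asset("dev-wp.example-firm.test", frozenset({22, 80})),
}


def run_sample() -> list[Finding]:
    """Diff the constructed snapshots; used by the demo below and by tests."""
    return diff_attack_surface(BASELINE, CURRENT, TODAY, LIVE_TARGETS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity.upper():6}] {f.host}: {f.detail}")
```

Run as a script it prints five findings for the sample snapshots: a new host, a dangling CNAME, a newly open port, a certificate inside the warning window, and a vanished host. The dangling-CNAME check is the one most teams skip; a record left behind after a cloud resource is deleted is exactly the forgotten asset step 4 asks you to clean up, and it only shows up if the scan looks at DNS as well as at open ports.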
Get Ahead of AI-Powered Threats
AI vulnerability discovery is here. The question is not whether your organization will be scanned by AI-powered tools — it is whether you will see the gaps before attackers do. Continuous monitoring with automated baselining gives you that visibility.