Anthropic’s Mythos signals a structural cybersecurity shift

Over the past week, reaction to Anthropic’s Glasswing disclosure has split along familiar lines. At one end: alarm over an AI system capable of autonomously identifying and exploiting vulnerabilities. At the other: dismissive hot takes, arguing there is nothing new here.

A more grounded view comes from a new briefing by the Cloud Security Alliance (CSA), led by Gadi Evron, CEO of Knostic and CISO-in-Residence for AI at the alliance; Rob T. Lee, chief AI officer and chief of research at SANS Institute; and Rich Mogull, chief analyst at CSA.

The paper draws on a deep bench of contributors, including former CISA Director Jen Easterly, Bruce Schneier, former National Cyber Director Chris Inglis, and former Google CISO Phil Venables, along with dozens of CISOs and CEOs.

Evron told CSO that assembling that level of input among so many leaders so quickly reflects the nature of cybersecurity itself: “The cybersecurity industry is also a community, and knowing each other, all folks need to have is a good cause, and dispelling noise and spreading good information matters to us.”

The group’s conclusion is direct: Glasswing is not an outlier. It is an early example of a capability that will scale, and CISOs should start getting ready for this era.

“In the near term, security organizations will likely be overwhelmed by the need to apply patches and respond to AI-discovered vulnerabilities, exploits, and autonomous attacks,” the paper states. “The storm of vulnerability disclosures from Project Glasswing is the first of many large waves.”

The shift is speed

AI-driven vulnerability discovery is not new. What has changed is speed. Tasks that once took weeks or months — finding a flaw, building an exploit, chaining it into an attack — can now happen in hours.

According to the paper, “Anthropic’s Claude Mythos (Preview) represents a step change in that trajectory, autonomously finding thousands of critical vulnerabilities across every major operating system and browser, generating working exploits without human guidance, and empowering autonomous attack orchestration, all at a speed and scale that outpaces any prior capability.”

This acceleration deepens a familiar asymmetry: Defenders must be right consistently, whereas attackers only need to succeed once.

Moreover, “The window between discovery and weaponization has collapsed to hours. Attackers gain disproportionate benefit, and current patch cycles, response processes, and risk metrics were not built for this environment,” the paper states.

“Building a ‘Mythos-ready’ security program is not about reacting to one model or announcement. It is about permanently closing the gap between how fast vulnerabilities are found and how fast your organization can respond.”

Claude Mythos Preview is a step up

A separate analysis from the UK’s AI Security Institute (AISI) evaluated Mythos Preview itself.

The evaluations involved both capture-the-flag (CTF) challenges and more complex ranges designed to simulate multi-step attack scenarios, where the model outperformed other AI systems.

Mythos Preview came out on top in a 32-step corporate network attack simulation spanning initial reconnaissance through to full network takeover, a task the Institute estimates would take human operators 20 hours to complete.

AISI’s tests also showed that Mythos Preview is capable of autonomously attacking small, weakly defended enterprise systems once access is obtained. “Our testing shows that Mythos Preview can exploit systems with weak security posture, and more models with these capabilities will likely be developed,” AISI concluded.

What CISOs should do now

AISI recommends that organizations strengthen the fundamentals: regular application of security updates, robust access controls, secure configuration, and comprehensive logging.

It advises, “Future frontier models will be more capable still, so investment now in cyber defence is vital. AI cyber capabilities are dual use; while they pose security challenges, they can also help deliver game-changing improvements in defence.”

The CSA paper highlights three predictions for CISOs.

Operationally: Expect a surge of patches from the approximately 40 vendors in the early access program, potentially mirroring recent periods in which multiple supply chain incidents required a response within a two-week window.

Risk management: Business risk is shifting, requiring close engagement with stakeholders on risk planning and tolerance. The CISO’s ability to manage risk is becoming more constrained, with potential downstream effects on reporting and projections.

Strategically: Conduct longer-term gap analysis and selectively overhaul key functions, including governance processes that enable faster technology onboarding and the deployment of AI-driven security controls.

The report also elevates Mythos to a board-level issue, allowing CISOs to frame current capabilities and make the case for further investment.

The bottom line, as the CSA paper concludes, is that “AI-based attacks represent a structural shift in how offense and defense work, and it will not change. The cost and capability floor to exploit discovery is dropping, the time between disclosure and weaponization is compressing toward zero, and capabilities that previously required nation-state resources are now becoming broadly accessible.”

See also: “Cybersecurity in the age of instant software
