“The ‘AI Vulnerability Storm’: Building a ‘Mythos-Ready’ Security Program” was released this week, warning that the opportunity to get ahead of AI threats is closing, while briefing cybersecurity leaders on how to do so. The report — self-described as a “unified strategy” — was developed by the SANS Institute, Cloud Security Alliance, [un]prompted and OWASP GenAI, with 60 named contributors and more than 250 CISOs involved, according to a press release.
The vulnerability window was already compressing by 2025, but Anthropic’s Mythos significantly accelerates that trend, pushing the time between discovery and exploitation down to hours, the report says. For context, Anthropic on April 7 announced Claude Mythos Preview, its most capable AI model to date, which can identify and exploit vulnerabilities across operating systems and web browsers, generate exploits without human input and enable more complex attack chains.
“The window between vulnerability discovery and weaponization has collapsed into hours,” said Rob T. Lee in a statement. Lee is chief AI officer and chief of research at SANS Institute, as well as a co-author of the report. “What Mythos shows us is a permanent acceleration. This document gives CISOs something the commentary doesn’t: a risk register, priority actions with start dates, and a board briefing they can use this week.”
The report argues that while AI can help defenders identify and fix vulnerabilities more quickly, attackers hold the greater advantage because patching remains uneven across organizations. Existing patch cycles, incident response processes and vulnerability tracking systems were not designed with AI-enabled attackers in mind, so cybersecurity leaders and practitioners will need to rethink their approach.
The first recommended step is for cybersecurity operations to “point AI at their own systems” and see what they find. SANS researchers discussed similar approaches in a Thursday webcast based on 15 months of penetration testing.
In line with the report, its presenters demonstrated how to use available AI models to test systems. They also discussed newer challenges.
“We need to do better in all parts of our ecosystem,” said Joshua Wright, a SANS Institute fellow and technical adviser.
He specifically noted that doing better includes reassessing business risk and acceptable downtime.
“Maybe we have critical systems that we can’t operate in a post-Mythos world, when we have so many zero-days hitting us all the time,” Wright said. “We try to schedule a two-hour outage and reboot. We really need to carefully consider that, and that is at the CISO level on down.”
Despite the challenges, Wright said organizations should also view the shift as an opportunity. It includes engaging managers, CISOs and other business leaders to reassess how organizations respond to risk. It also means ensuring security leaders are communicating directly with executive leadership about what the new threat environment requires.
Experts emphasized that organizations should not abandon traditional controls, but instead strengthen them — limiting blast radius, reducing excess access, improving threat hunting and shortening mean time to detect intrusions. They also recommend reframing training and exercises to reflect the new reality, including testing teams on how they would respond to multiple concurrent attacks.
The report itself “is much more CISO-focused than technical-focused, but that is a really valuable resource for all of us,” Wright said. “If you read this, there’s a lot of actionable advice that is high level and useful for planning, and content you can share with your CISO about what to do about these risks.”