A non-technical executive's guide to the most important cybersecurity shift of the decade.
On April 7, 2026, Anthropic made an announcement they clearly did not want to make.
They had built a new AI model, Claude Mythos Preview, and decided almost immediately that they could not release it to the public. Not because it did not work. Because it worked too well.
In controlled testing, Mythos Preview was given a simple prompt and a codebase. No human help after that. It read the source code, formed hypotheses about where bugs might hide, ran the actual software, tested its theories, corrected itself when wrong, and iterated until it found something exploitable. Autonomously. Over and over again.
271 vulnerabilities found by Mythos in a single Firefox release cycle. The previous generation found 22 in two weeks, already considered remarkable.
Palo Alto Networks, one of the world's leading cybersecurity firms and a Project Glasswing partner, reported that Mythos accomplished the equivalent of a full year of professional pentesting in under three weeks.
The oldest bug it found had been sitting undetected in OpenBSD for 27 years. A TCP vulnerability that three decades of professional audits and automated fuzzers had missed entirely. Mythos found it, understood it, and produced a working exploit at a total compute cost under $20,000.
Anthropic's response was to form Project Glasswing: a restricted consortium of roughly 40 organizations including AWS, Apple, Microsoft, Google, CrowdStrike, JPMorgan Chase, and the Linux Foundation. Mythos is available only to them, only for defensive use.
The lock on the vault is real. But it will not hold for long.
Here is the honest question: how long before someone outside Project Glasswing has equivalent capability?
The answer, based on the trajectory of the open-source AI ecosystem, is 3 to 6 months.
This is not speculation. It is a trend line. One year ago, open-source models trailed frontier proprietary models by roughly 12 months. Six months ago, that gap was down to 6 months. Today the gap is compressing faster than ever. DeepSeek demonstrated in early 2025 that a small team with a fraction of the budget could replicate frontier reasoning capabilities within weeks of a major proprietary release. The gap is not closing. It is collapsing.
This matters because the critical window, the period where attackers have Mythos-class capability but defenders have not yet retooled at scale, represents 18 to 24 months of structural danger, starting very soon. Three simultaneous paths will drive that spread:
The capability that makes Mythos dangerous is not its size. It is its ability to reason across a complex system: hold an entire codebase in mind, form a logical chain about where something might break, then test and iterate without human involvement. DeepSeek proved this kind of reasoning can be replicated in open source at low cost. That proof cannot be undone.
When Anthropic built Mythos, they added extensive safety training to prevent offensive use. The filter works. But the history of open-source AI is consistent: within 24 to 48 hours of any model being released with open weights, the community produces methods to remove those restrictions entirely. The filter and the capability are technically separable. They always have been.
Even before any single lab releases a Mythos-class open-source model, the community has a third route.
Researchers on Hugging Face have already built hybrid models by merging reasoning-focused bases with code-specialized variants. The result inherits both capabilities. It is available for download. This is not theoretical.
Meta has committed to releasing Llama 4 with frontier-level reasoning as open-weight before end of 2026. Qwen (Alibaba) and DeepSeek ship major coding-focused iterations every three to six months. Mistral publishes flagship models under open licenses. The question is not whether a Mythos-class capability will be freely available. The question is only which release triggers the first uncensored derivative, and on which afternoon.
The open-source convergence alone would be serious. But several concurrent technical advances are amplifying the threat. Understanding them matters, because the same advances eventually explain why defenders recover the advantage.
Until recently, AI models could only analyze a limited slice of code at once, roughly like reading a single chapter of a book at a time. Research teams, including work published by Google at ICLR 2026, solved the memory management problem that caused this limitation. Some models now operate with context windows of 12 million tokens, meaning they can read and reason across an entire operating system or enterprise codebase in a single session.
For attackers, this means the model is no longer searching for bugs in small pieces of code. It is mapping the entire system architecture and finding interaction points that no individual reviewer ever examines because they span too many layers.
Earlier AI models responded to a prompt and stopped. Mythos-class models run in loops: they attempt an action, observe the result, revise the approach, and try again, indefinitely, until they succeed or exhaust the search space. This is what enabled a 27-year-old OpenBSD bug to be found and fully exploited without any human involvement after the initial prompt.
New generation techniques allow models to generate and validate entire blocks of code simultaneously rather than word by word. Benchmark improvements in code-generation tasks exceed 300% compared to 18 months ago. In practical terms: the time between “start analysis” and “working exploit in hand” is now measured in minutes, not hours.
Techniques like DARE (Drop And Rescale) allow a model to compress the capabilities of four or five specialized models into a single one, eliminating up to 90% of redundant parameters without measurable performance loss. The result is a model powerful enough to find and exploit vulnerabilities running on a rented cloud instance costing a few dollars an hour.
None of these advances are exclusively offensive. The same extended context windows that let an attacker map a system comprehensively let a defender audit it comprehensively. The same speed improvements that accelerate exploit development accelerate patch development. But there is a sequencing problem: these tools become available to attackers before defensive pipelines are rebuilt to use them. That gap is the transition window.
We are now entering the most dangerous phase.
Defenders inside Project Glasswing have Mythos-class capability today. For a brief period, the most sophisticated organizations in the world are running ahead. The vulnerabilities being found and patched right now are a genuine gift: 27-year-old bugs closed before any attacker could use them.
But when the open-source equivalent arrives, the asymmetry flips sharply in the attacker's favor for 18 to 24 months, before defensive infrastructure catches up.
A human security researcher developing a working exploit might spend weeks. A Mythos-class model does it in a single autonomous session, often for less than the cost of a business lunch. The rate of exploits entering circulation will not increase incrementally. It will jump by an order of magnitude.
Traditional attackers specialize. A ransomware group expert in Windows infrastructure invests months learning to pivot to a new target type. An AI agent does not specialize. It reads the documentation, understands the system architecture, and adapts. The number of exploitable surfaces any single threat actor can realistically target expands dramatically.
The most dangerous attackers today are highly skilled. An open-source Mythos equivalent changes who can cause serious damage. The barrier to entry for a sophisticated targeted attack drops to near zero when the intelligence is provided by a model anyone can download.
What is coming is not one Log4Shell. It is the industrial production of Log4Shell-class events, potentially on a daily basis, as AI-discovered zero-days flow into circulation faster than any patch pipeline in the world can absorb them. Security teams that currently manage a handful of critical incidents per year will face a fundamentally different operational reality.
The data already points in this direction before AI enters the picture. Published CVEs grew from 18,323 in 2020 to 48,448 in 2025, a 164% increase in five years. The daily flow of disclosed vulnerabilities tripled from roughly 50 to 133 per day over that same period, generating a structural backlog of approximately 2,500 new vulnerabilities every month. This trend was established well before the current AI wave. AI does not create the problem. It industrializes it.
The patch capacity problem compounds this further. The share of organizations able to deploy critical patches in under 30 days has fallen from 45% in 2022 to 30% in 2025. Teams are already losing ground against the existing flow. AI-accelerated discovery will widen that gap faster than most organizations can respond.
Even with AI available to help write the fix, closing a vulnerability is not a one-click operation. The median time to remediate a vulnerability across all severity levels remains 70 days. That figure has not meaningfully improved in several years, and AI alone will not change it quickly.
The reason is structural. Patching at scale requires confirmed asset inventory, contextual triage to determine which vulnerabilities actually apply to which systems, code review and validation before deployment, staged rollout across environments, and regression testing to ensure the fix does not break something else. AI can accelerate the analysis phase and help write candidate patches. It cannot replace the human judgment required to validate and deploy them safely across a complex enterprise environment.
This is not a critique of AI-assisted defense. It is a realistic description of where that capability stands today. AI is a powerful acceleration layer, not a standalone operator. The most advanced defensive uses of Mythos-class models still require expert humans in the loop: people who understand the system, can evaluate the AI's output, and carry accountability for the decision to push a patch to production systems that thousands of people depend on.
As this capability matures, the human-in-the-loop requirement will shrink. The closing time will compress. But during the transition window, the combination of an accelerating attack surface and a constrained human patching capacity means that some vulnerabilities will remain open, for weeks, across organizations that have no idea they are exposed.
This is not a permanent condition. It is a transition.
The same capabilities that create the attacker advantage during the window also create the conditions for a durable defender advantage afterward. The reason is structural: defenders can share patches globally and permanently eliminate a vulnerability for every organization in the world simultaneously. Attackers must hoard their findings, because sharing destroys the advantage. At scale, with AI-powered defensive pipelines running continuously, this asymmetry eventually resolves in the defender's favor.
Mozilla's experience with the 271 Firefox vulnerabilities illustrates the endpoint. They described receiving that volume of findings as “vertigo.” But they patched them. A 27-year-old vulnerability that survived three decades of elite human review was permanently closed in a single release cycle.
The long-term trajectory is toward a meaningfully more secure baseline. But it would be misleading to suggest that the cat-and-mouse dynamic ever fully disappears. What changes is the relative position: the gap between attacker capability and defender capability narrows significantly once AI is embedded in both sides of the equation at scale. The game continues. The score gets closer. And the organizations that build genuine operational resilience during the transition window will be structurally better positioned for whatever comes after it.
The transition window, the 18 to 24 months between “Mythos-class capability is freely available” and “defensive pipelines are operating at machine speed,” is genuinely dangerous. During that window, the organizations that suffer most will not be the ones without perfect security. They will be the ones without an answer to a simple question: if your IT systems go down for three to four weeks, what happens to your operations?
Most organizations of significant size have a business continuity plan. A document. Probably audited annually. Probably reviewed by a committee that never has to use it.
That document will not help them.
A plan describes what should happen. It does not create the ability to make it happen. When systems go down in a real incident, the gap between a documented procedure and an organization that can actually execute it is not a gap in knowledge. It is a gap in capability. And capability cannot be improvised under pressure.
The data on what “systems down” actually means is no longer theoretical. The average ransomware attack today keeps organizations offline for 24 days (Statista / Coveware). The largest enterprises are no longer planning for a two-week scenario. They are stress-testing a 30-day horizon, because that is what serious incidents now produce. For three to four weeks, the organization must function without its nominal IT infrastructure.
Consider what that means in practice for a large enterprise: treasury cannot process payments, not because people do not know the procedure, but because the procedure assumes access to banking systems that are encrypted or offline. Purchase orders cannot be approved. Suppliers stop shipping. Payroll may miss a cycle. Customer commitments go unmet. The physical and digital infrastructure of modern operations are so deeply intertwined that removing IT does not slow the business. It stops it.
Banks have understood this for decades. They maintain the operational capability to process critical transactions manually, not just a plan that says “in an emergency, process manually.” They have the trained staff, the validated fallback systems, and the practiced workflows to actually execute. When their systems went down, they kept operating. The plan did not keep them operating. The execution capability did.
This is the distinction that matters most right now. The question is not whether your organization has a continuity plan. The question is whether your organization can execute its critical processes when the systems those processes run on are gone.
That execution capability must exist before an incident. It must be tested under realistic conditions. It must be maintained as systems evolve. And it must cover the processes that actually keep the organization alive: payments, compliance, customer commitments, supply chain.
Faced with this imperative, most leadership teams ask the same question: where do we start? The answer is deceptively simple. Start with what cannot stop.
Every organization, regardless of industry, has a small set of activities whose interruption causes immediate, irreversible damage: payments to employees and suppliers, regulatory reporting, critical customer commitments, inventory control. These are not the activities that would be nice to maintain during a crisis. They are the ones whose failure, for 30 days, threatens the survival of the organization itself.
This thinking is increasingly formalized under the concept of the Minimum Vital Company: the irreducible core of the business, identified and made independently executable before a crisis occurs. The principle is straightforward. Map the vital activities. Make them executable without the nominal IT environment. Ensure they operate on the freshest possible data at the moment the incident occurs, so that the decisions and actions taken during the crisis are grounded in reality, not in a snapshot from the last backup. And ensure that everything executed during the crisis is fully traceable, so that when systems are restored, the data generated during the outage can be used to reconstruct and rehydrate nominal systems before they reopen.
Critically, this execution environment must be architecturally independent: not a degraded mode of the existing system, not a cloud failover that shares dependencies with the infrastructure under attack, but a standalone capability that is unaffected by whatever state the nominal environment is in.
Governance matters here. The Minimum Vital Company is not an IT project. It is a C-suite decision about what the organization fundamentally is, and what it cannot afford to lose. The right starting point is the executive committee: the people who know which activities, if stopped for a month, are existential. That conversation, led at the top, then draws in the heads of the relevant business functions to translate strategic priorities into operational execution capability.
This approach maximizes the return on investments already made. Every organization with a Business Impact Analysis and a Business Continuity Plan has already done significant work on identifying critical processes. The Minimum Vital Company framework does not replace that work. It builds on it, transforming documented procedures into actual execution capability.
The practical starting point does not require waiting for the full governance process to complete. A parallel pragmatic track can launch immediately: identify the processes where consensus is instant, salary payments, supplier payments, stock and delivery management, critical customer claims. These are the no-brainer vital processes that every C-suite agrees on in under five minutes. Deploy execution capability for those first. The governed top-down approach and the pragmatic bottom-up track run in parallel, converge, and accelerate each other. Neither waits for the other to finish.
The transition window created by AI-enabled cyber offense is real, it is close, and its duration is finite. Organizations that use this period to build genuine operational execution capability will navigate it. Organizations that treat continuity as a documentation exercise will discover, under the worst possible conditions, that a plan is not a capability.
The window is open. This is the work that matters right now.
The data in this article draws on public research from Anthropic's Project Glasswing announcement (April 2026), the UK AI Security Institute's evaluation of Claude Mythos Preview, Mozilla's Firefox 150 security release, Bain and Company's Mythos cybersecurity analysis, the Centre for Emerging Technology and Security at the Alan Turing Institute, SecurityWeek, Help Net Security, Statista / Coveware (average ransomware downtime, 24 days), and NVD / CVE.org (CVE volume 2020 to 2025: 18,323 to 48,448 published vulnerabilities).