
A tsunami of flaws: When frontier AI and Patch Tuesday collide

Microsoft’s April Patch Tuesday drop was the second-largest in history, falling just shy of an October 2025 record. What is behind the spike in vulnerability disclosures, and is there a connection to Anthropic’s bug-hunting Claude Mythos AI model?

Microsoft’s regular monthly round of vulnerability fixes dropped as scheduled on Tuesday 14 April, containing a handful of zero-days and critical updates for security teams to pore over. So far, so normal.

But this month’s Patch Tuesday was rather more notable than many other recent updates because it was, by some margin, the second-largest update in history by volume, comprising over 160 distinct flaws – October 2025 saw 175 – and rising to nearly 250 once third-party and Chromium updates were taken into account.

Almost immediately, commentators rushed to invoke the unavoidable spectre of artificial intelligence (AI). Vulnerability expert and regular Patch Tuesday commentator Dustin Childs, of TrendAI’s Zero Day Initiative, was among them.

In his regular write-up, he described the update as “monstrous” in size, and went on to suggest that growth in the use of AI tools to uncover software vulnerabilities at scale may be behind the sudden jump.

And this may well be a big part of what is going on, agrees Chris Goettl, vice-president of product management for software products at Ivanti, which has just made significant enhancements to its Neurons patch management platform.

Setting the scene, Goettl explains: “The lead up to Patch Tuesday has been interesting. We had a Google Chrome zero-day, CVE-2026-5281, that was patched on 1 April, an Adobe Acrobat Reader zero-day, CVE-2026-34621, late in the day on Friday 10 April, and several older CVEs that were added to the Cisa Kev list yesterday [13 April]. All of this amidst a lot of industry buzz about Anthropic Mythos and Project Glasswing.”

Launched amid much fanfare earlier in April, Project Glasswing is a new Anthropic initiative built around an in-development frontier AI model, Claude Mythos Preview, which its progenitors say can both discover zero-day flaws and develop exploits for them.

Critical vulnerabilities

Such is Mythos’s power – Anthropic claims to have discovered “thousands” of critical vulnerabilities, some of which have been hiding in plain sight for years – that a wraparound Project Glasswing has been created to limit access to the potentially dangerous model to a select group of tech companies, or at least to give them a head start on fixing the flaws before Mythos becomes more widely available.

These include Amazon Web Services (AWS), Apple, Broadcom, Cisco, CrowdStrike, Google, Microsoft, Nvidia and Palo Alto Networks.

Mythos and Project Glasswing were only made public earlier this month – far too recently to have had much impact on the Patch Tuesday update. And according to analysis of recently disclosed vulnerabilities conducted by VulnCheck, only 75 mention Anthropic and only one is directly attributable to Glasswing.

Therefore, it’s reasonable and accurate to say the correlation between its release and the spike in Patch Tuesday disclosures is a hypothetical one for now.

Fast-moving timeline

However, things are moving fast, and the conversation needs to happen today. Indeed, in an open letter published on 15 April, business secretary Liz Kendall urged UK business leaders to “plan accordingly” as frontier models become more adept.

“The scenarios that Mythos enables aren’t routine,” says Doc McConnell, head of policy at Finite State and a former Cybersecurity and Infrastructure Security Agency (Cisa) branch chief and White House advisor. “AI is a ratchet wrench for cyber security – it only goes in one direction: faster. It enables security teams to respond to incidents more quickly, but it also increases the volume and severity of those incidents.

“Sure, the basics still apply – building security into the product lifecycle, accelerating the patch cycle, making sure that cyber security is central to your company’s risk management and long-term strategy. What’s changed is that the traditional advice to ‘do the basics, but faster’ is no longer sufficient … Regardless of how skilled your technical team, humans simply can’t go fast enough to keep up with AI.”

While McConnell applauds Anthropic and its Project Glasswing squad for their approach, he says it would be wise to assume that if Anthropic is being noisy and responsible about this, someone else is being quiet, and irresponsible.

How will Mythos be used?

Goettl at Ivanti says: “Most of the discussions around Mythos have been focused on where it will be used and the ramifications, [and] finding exploitable flaws in code can be a powerful tool for good when used by the vendor writing the code before it is released.

“However, it will also be used by researchers and threat actors to find flaws in code that is already released, and that is where my speculation is directed,” he says.

Goettl invites us to consider the knock-on effects of a frontier model like Mythos and what it means for software companies.

In the immediate future, he says, large tech firms will use it to release more secure code. But at the same time, both legitimate security researchers and threat actors will be adopting more robust AI models to identify exploitable flaws.

“This will result in more coordinated disclosures – good – zero-day exploits – bad – and n-day exploits – bad,” says Goettl. “All of this will result in more frequent, and more importantly, urgent software updates.

“Many organisations currently struggle to keep up with priority updates resolving exploited vulnerabilities when they occur outside of their normal monthly maintenance. [For example], I suspect most organisations were not aware of the Adobe Acrobat zero-day exploit until the Cisa Kev update … This means that threat actors had another two to three days of free rein to exploit CVE-2026-34621 before most organisations became aware,” says Goettl.

Given that browser security updates are weekly occurrences these days, and that many other business applications in regular use release updates on a continuous cadence rather than on a set monthly date, it isn’t hard to see that a good number of exploits are going to (a) make a mockery of organisations’ maintenance schedules and (b) do so often. Of course, it’s not possible to say whether this will be a doubling, trebling or quadrupling of vulnerabilities, but it is probably safe to say that the increase will be noticeable and will likely exacerbate the challenges security leaders already see around patch management.

Next steps

What’s the solution? Goettl believes security leaders need to make a step change in mindset and maturity, defining their risk appetite and risk posture, which, if done effectively, can make remediation activities much more clear cut.

This, he argues, should go alongside a technical evolution in which traditional vulnerability assessment and intelligence services become better integrated into a broader ecosystem where they marry up with asset visibility or systems of record. This hybrid approach can help refine the process of determining if things need to be addressed right away, or if they can wait for regular maintenance activities. This stack should be integrated with an autonomous endpoint management (AEM) platform, adds Goettl, to speed remediation.
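The triage decision Goettl describes, marrying vulnerability intelligence (KEV listing, CVSS) with an asset system of record and a stated risk appetite, as an added illustration that is not from the article, Ivanti or Goettl. The asset inventory, thresholds and the CVE-0000-PLACEHOLDER identifier are constructed for the example; CVE-2026-34621 is the Acrobat zero-day named above.

```python
from dataclasses import dataclass

# Constructed asset system of record: host -> (internet exposed?, business criticality 1..3).
ASSETS = {
    "web-gw-01": (True, 3),
    "finance-ws-07": (False, 3),
    "lab-vm-22": (False, 1),
}

# Constructed risk appetite: when is a fix pulled out of the regular monthly cycle?
RISK_APPETITE = {
    "kev_criticality_floor": 2,  # KEV-listed flaw on an asset at/above this goes out of band
    "cvss_out_of_band": 9.0,     # otherwise a flaw needs this CVSS AND internet exposure
}

@dataclass
class Finding:
    cve: str
    host: str
    cvss: float
    in_kev: bool  # listed in the CISA Known Exploited Vulnerabilities catalogue

def triage(f: Finding, appetite: dict = RISK_APPETITE) -> str:
    """Combine vulnerability intelligence (KEV, CVSS) with asset visibility
    to decide 'patch now' versus 'next maintenance window'."""
    exposed, criticality = ASSETS[f.host]
    if f.in_kev and (exposed or criticality >= appetite["kev_criticality_floor"]):
        return "patch now"
    if f.cvss >= appetite["cvss_out_of_band"] and exposed:
        return "patch now"
    return "next maintenance window"

# Constructed findings: the same CVE lands in different lanes depending on the asset.
FINDINGS = [
    Finding("CVE-2026-34621", "finance-ws-07", 7.8, True),
    Finding("CVE-2026-34621", "lab-vm-22", 7.8, True),
    Finding("CVE-0000-PLACEHOLDER", "web-gw-01", 9.8, False),
    Finding("CVE-0000-PLACEHOLDER", "finance-ws-07", 9.8, False),
]

def triage_all(findings=FINDINGS) -> dict:
    """Map (cve, host) to its remediation lane."""
    return {(f.cve, f.host): triage(f) for f in findings}

if __name__ == "__main__":
    for key, lane in triage_all().items():
        print(key, "->", lane)
```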

Meanwhile, Finite State’s McConnell lays out three steps the industry itself should be considering.

“Security has to move to the very beginning of the product lifecycle,” he says. “If you’re waiting until a CVE drops to find out whether your product is affected, you’re already behind. Binary analysis and software composition analysis need to happen continuously from the very first stages of design and development – not as a ‘final check’ when the features are final and the release is scheduled.

“Second, security needs to keep pace with product development, even as companies accelerate development with AI. That means a real-time SBOM, with automated reachability analysis for new vulnerabilities so that they can confidently prioritise the fixes that matter most.

“Finally, companies need to understand that even in a capable security environment, incidents will still happen,” says McConnell. “When they do, defenders need to match attacker speed. That means an automated vulnerability and incident response capability that can triage, communicate and coordinate remediation across a product portfolio without relying on manual investigation at each step.

“Companies need to act on this immediately: make it the top topic at your next board meeting. If you don’t have this capability today, partner with a company that does.”

Could frontier models be good for cyber?

Could this leap forward in the bug-hunting capabilities of frontier models like Mythos ultimately prove to be beneficial for cyber security? Richard Horne, CEO of the UK’s National Cyber Security Centre (NCSC), certainly seems to think so.

In an article first published as a letter to The Financial Times, Horne says there is a path towards the industry using AI appropriately to find and fix flaws, but the road ahead is paved with risks.

“In the immediate term, we will increasingly see AI exposing those organisations that have not taken appropriate steps to safeguard their cyber security,” says Horne.

“AI will make it easier, faster and cheaper to discover and exploit weaknesses that previously required more time, skill or resource for attackers to identify. And the pressure on organisations to patch systems quickly will only grow more acute.

“That’s why it is more essential than ever that organisations ensure they are following established good practices, set out by the NCSC, to raise their security baseline.”

For Horne, this includes reducing unnecessary exposure to attack, applying security updates rapidly, and monitoring for, and quickly responding to, malicious activity. These are technical actions, he says, but they must be championed by all leaders and board-level executives at organisations if they are to have a positive impact. Cyber risk is business risk.

“As our society navigates these fast-evolving capabilities, the NCSC will stay focused on its mission to protect the UK from cyber threats, working alongside industry and wider government, and we will continue advising on the risks and opportunities,” says Horne.

“By getting the fundamentals right and carefully adopting frontier AI models for good, network defenders can retain an advantage and help keep the UK safe online.”
