There was a session at BSides Luxembourg that I keep thinking about. Presented by Catalin Tiganila, CSA Luxembourg Chapter President, it was called The AI Vulnerability Storm: Building a Mythos-Ready Security Program. And the reason it stayed with me is because it was not built on speculation. It was built on something that had already happened and something that the security industry is only beginning to process.

What Happened on April 8, 2026

On April 8, 2026, Anthropic announced Claude Mythos Preview — a frontier AI model that autonomously discovered and wrote working exploits for thousands of zero-day vulnerabilities across every major operating system and web browser. Capabilities that Anthropic determined were too dangerous for general release. The company withheld the model rather than ship it. That decision is its own signal about where the technology now sits.

The security industry has long operated under a rough equilibrium. Finding and weaponising zero-day vulnerabilities required specialised human expertise, significant time, and an adversary willing to spend both. A skilled offensive researcher might need days or weeks to analyse a target, identify a novel vulnerability, develop a reliable exploit, and chain it into something meaningful. That constraint shaped the economics of the entire threat landscape and gave defenders a window between discovery and weaponisation.

That equilibrium has broken.

Where Claude Opus 4.6 achieved near-zero success at autonomous exploit development, Mythos developed 181 working exploits in a specific Firefox engine benchmark alone — without intermediate human guidance after the initial task was set.

What Mythos Actually Did

  • Identified a 17-year-old unauthenticated remote code execution vulnerability in FreeBSD's NFS server and autonomously constructed a working exploit involving a 20-gadget return-oriented programming chain
  • Found a 27-year-old signed integer overflow in OpenBSD's TCP implementation enabling remote crash of any affected host
  • Discovered multiple independent Linux kernel privilege escalation paths
  • Constructed a four-vulnerability chain that escaped both the renderer sandbox and the operating system sandbox in a major browser

All of this without intermediate human guidance after the initial task was set.

  • Linux kernel exploit, per run: <$2k. The bottleneck in offensive operations shifts from researcher expertise to access control and model availability.
  • OpenBSD, 1,000 parallel runs: <$20k. Total cost to scan an entire operating system across 1,000 simultaneous runs. A fundamentally different risk posture for defenders.

November 2025 — Before Mythos

And then there is November 2025, which preceded Mythos entirely. Anthropic identified and disrupted a campaign attributed to suspected Chinese state-sponsored operators who had jailbroken Claude Code to automate a coordinated cyber espionage operation against approximately 30 global organisations spanning technology companies, financial institutions, chemical manufacturers, and government agencies.

Claude Code conducted 80 to 90 percent of the operation autonomously, handling reconnaissance, privilege escalation, lateral movement, credential theft, and data exfiltration at a request rate impossible to sustain with human operators. Four organisations were assessed to have been successfully breached.

First publicly documented large-scale AI-orchestrated cyberattack.

And it happened with a model that did not yet have Mythos-level capabilities. That is the context this session was built around.

What the Risk Register Actually Says

The session mapped the security programme implications directly and did not soften them.

Risks by level:

  • Critical: AI generates working exploits at machine speed — the skill floor for attackers has collapsed
  • Critical: Defenders still operate at human speed while attackers use AI agents freely
  • Critical: Privileged AI agents are insecure by default and not covered by existing controls
  • Critical: Alert triage, SIEM correlation, and containment authorisation were built for human-paced threats — structurally outdated
  • Critical: Cybersecurity risk models built on pre-AI assumptions may be leading to underfunding and inaccurate board reporting today
  • High: Incomplete asset and exposure inventories — attackers can scan an entire codebase faster than most organisations can inventory it
  • High: AI-generated code shipping without LLM-driven security review
  • High: Network architectures insufficient to contain automated lateral movement
  • High: Quarterly pen tests cannot keep pace with AI-driven vulnerability discovery rates
  • Governance: Approval friction without cross-functional governance structures blocks new defensive controls
  • Governance: AI hype causing confusion and inaction — organisations miss the actual threat landscape while debating whether AI risk is real

The 11 Priority Actions

The session gave a concrete eleven-step programme with specific timelines — not a strategy document.

  • This week: Point AI agents at your own code and pipelines. Require AI agent adoption across security functions with mandatory controls. Begin establishing innovation and acceleration governance.
  • Within 45 days: Define scope boundaries and human override mechanisms for any agents being deployed. Prepare continuous patching capacity. Update risk models and reporting to reflect the new threat environment.
  • Within 90 days: Inventory and reduce your attack surface starting with critical internet-facing systems. Begin building deception capabilities including canaries and honey tokens.
  • Within 6 months: Complete environment hardening with MFA, segmentation, zero trust, and egress filtering. Layer behavioural monitoring with pre-authorised containment.
  • Within 12 months: Build automated response capabilities. Stand up a VulnOps function that owns continuous zero-day discovery and automated remediation pipelines.

For CISOs Specifically

The session closed with six direct actions for security leaders:

  • Start using LLM-based vulnerability discovery now — it is already mature enough
  • Update risk metrics — pre-AI assumptions about patch windows and incident frequency no longer hold
  • Double down on segmentation, MFA, patching, IAM, and egress filtering — they still work and they raise attacker costs
  • Treat every security role as an AI builder role — getting started is now easier than using Excel
  • Run tabletop exercises for simultaneous high-severity events and pre-authorise containment actions
  • Engage ISACs, CERTs, and sector groups — attackers operate as syndicates and defenders need collective defence structures to match

The frameworks exist: OWASP Top 10 for LLM Applications, MITRE ATLAS, NIST CSF 2.0, OWASP Top 10 for Agentic Apps 2026. The CSA paper this session drew from ties all of it together through MAESTRO, the AI Controls Matrix, and the STAR for AI programme.

The shift that Mythos represents is permanent acceleration, not a temporary spike. The window between a vulnerability existing and causing business disruption has compressed from weeks to hours.

Organisations that treat this as a future planning exercise are already behind.

Based on the session by Catalin Tiganila, CSA Luxembourg Chapter President, at BSides Luxembourg 2026, and the CSA research paper: The AI Vulnerability Storm: Building a Mythos-Ready Security Program, published April 14, 2026.
