How CISOs can prepare for a new wave of AI-discovered software vulnerabilities
Maybe spin up some automation, an inventory, and even a “VulnOps.”
Sorry, tired security pro: You’re likely going to need to patch and fix vulnerabilities faster than ever. Here’s why:
- There will be more discovered vulnerabilities, thanks to AI models like Anthropic’s upcoming Claude Mythos Preview that can scan codebases quickly. Anthropic says the LLM has already found “thousands of high-severity vulnerabilities,” and has given select industry partners early access so they can patch their systems, an effort dubbed “Project Glasswing.”
- Attackers are getting faster at reverse-engineering exploits from patches. Cybersecurity company Palo Alto’s Unit 42 research found that some attackers are scanning for newly discovered vulnerabilities within 15 minutes of a CVE being announced: “Exploitation attempts often begin before many security teams have even finished reading the vulnerability advisory,” Palo Alto wrote in its 2026 global incident report.
In a strategy guide issued in April, the nonprofit Cloud Security Alliance (CSA) warned that the capabilities seen in Mythos Preview will soon become mainstream, “dramatically increasing the number and frequency of complex, novel attacks organizations will face.”
“What Mythos is capable of today without help is available using other models with more expertise, and then eventually those capabilities are going to become more automated and more widely available,” Rich Mogull, chief analyst at CSA, told us.
“You need to prepare for those patches, but you need to understand that it’s probably months, probably not years, before we start seeing more of those kinds of attacks on a wider scale, and you need to prepare your program to deal with that,” Mogull said.
Mogull shared strategies for the CISO looking to prepare for the patch frenzy.
The conversation below has been edited for length and clarity.
What can a security officer implement right now to deal with an influx of patches?
You need to basically have a good inventory. You need to know what’s patchable and what’s not patchable, using the kind of standard tooling that we’ve had for a while. It’s not always easy, it’s not always cheap, necessarily. And prepare your patch programs to more quickly get those out. So, it could be improving automation. It could be investing in something you haven’t before. It could be preparing to bring in contract workers. It could be expanding your team, but really pulling everybody together, making a focus and understanding... We’re not going to be able to necessarily take weeks for patching.
Should you be ready to patch everything all at once?
You don’t have to patch everything at the same time. It’s the things that are exposed. [That’s] where you need to start. So, this is why inventorying, understanding your environment, where your risk exposures are, is so important, and then start doubling down on your security fundamentals. Look at segregating your networks better. If you have older hardware on your network or defending your network, older firewalls and such... If they’re end-of-life, you need to get rid of those, because those will be exploited.
Do you have an example of exposure?
I would look for web servers, app servers, internet gateways, and network routing [equipment]. Now, if you’re in the cloud, you’re probably almost in better shape, because the cloud provider is going to patch stuff. But if you’re using a virtual appliance for one of the firewall vendors, well, clearly that’s going to need to be patched, because the cloud provider is not going to do that one. There’s your external surface. The other is anywhere the outside can affect the inside. Email and desktops are a big one. We already know the vast majority of successful attacks today are based on various forms of credential theft, a lot of infostealer malware. Those are the areas that I would look for early. Because if I can get onto your web browser, get into your email, get onto your desktop and steal credentials, then I don’t need to have zero days.
How do you see IT teams restructuring to account for new vulnerabilities?
One of the things we talked about in the paper is standing up a VulnOps, which is all about actually performing more internal vulnerability discovery and focusing a lot more on automated and autonomous patching—to really make that more of a continuous cycle, versus, “We run a scan and then we contact the team, and then they do the patching.” As we evolve, moving into more of an automated fashion [and dedicating people to that] is definitely the pathway we see.
Do you see Project Glasswing overall as a positive for defenders?
Absolutely, because it’s going to try and flatten the curve.
What does “flatten the curve” mean from a cybersecurity perspective?
It’s being able to handle this influx of patches and taking the window of opportunity before the attackers can get out there and run rampant against us by putting in better security controls in the right places.
About the author
Billy Hurley
Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.