Security News

Cybersecurity news aggregator

News · Reddit r/netsec

Why a Decade of Writing Detection Logic Makes the Mythos Exploit Numbers Less Scary

  • What: A cybersecurity expert discusses the implications of a new AI model's vulnerability detection capabilities.
  • Impact: Industry professionals are concerned about the potential for increased vulnerability discovery.

Anthropic’s marketing team has been pushing its new Mythos cybersecurity model and the volume of vulnerabilities it’s finding. According to Mozilla, those findings appear to be legitimate. If the pace holds up near term, a lot of people inside and outside the industry are worried, with good reason, and wondering if this is the new normal. As someone who’s been writing detection logic for cybersecurity vendors for nearly a decade, these numbers are less scary and less world-ending than they appear. I’ve managed SOCs that regularly went up against state-sponsored actors, in the role where our organization won the Cogswell Award from the Defense Counterintelligence Agency. I’ve worked for a Fortune 100 doing detection at an enterprise scale most engineers never get to see, and put out the first public white paper on detection as code. All of that to say, I’ve been at it for quite some time now. While I think the short-term impact of models like Mythos is going to be rough, I also believe it’s a lot less bad than people are making it out to be.

New Exploit Releases Have Always Far Exceeded Defenders’ Ability to Write Detection

Writing detection logic has always been whack-a-mole. David Bianco’s Pyramid of Pain, one of our industry’s foundational write-ups, argues exactly this. You lean on behavioral detection over individual IoCs and exploits because new exploit disclosures have always outrun defenders’ ability to write rules. One-off exploit coverage isn’t where detection engineers spend most of their time. People still do it. The ET Open ruleset is a decent look at how many individual rules exist for historical CVEs. Rules typically get written for the major vulnerabilities, anything actively used against your industry, and the handful of cases where automation makes the work cheap.

Adversaries Haven’t Needed Zero-Days

Threat actors haven’t needed zero-days to compromise their targets. Old exploits have worked just fine for decades. One of the most prevalent initial-access techniques today, ClickFix, doesn’t rely on zero-days at all: it tricks users into pasting malicious code into PowerShell or the Run dialog and executing it themselves.

Detection Logic Doesn’t Map 1-to-1 to Exploits

For anyone who hasn’t written detection logic before, my favorite example of why behavioral detection beats signature-based hunting on individual exploits and IoCs is Remote Code Execution (RCE) bugs in Microsoft Office. Office products like Word and Excel have produced some of the most impactful and most abused vulnerabilities in the industry for two decades, more than 1,000 distinct RCE CVEs and counting.

[Chart: Microsoft Office RCE Vulnerabilities by Year. All Office product CPEs in NVD (Word, Excel, Outlook, PowerPoint, Visio, Access, Publisher, Project, OneNote, 365 Apps, LTSC, Office Online Server), 2002 – April 2026, 1,072 total Office RCE CVEs. Y axis: RCE CVEs published (NVD). Record year: 2025 (144), marked as AI-assisted discovery; 2026 is a partial year through April 27 (19 RCEs YTD). Source: NVD CPE-matched · magonia research. Caption: Microsoft Office RCE CVEs by year, 2005–2025.]

Despite the prevalence of these vulnerabilities and their impact, detecting their abuse is a lot less difficult than one might think. For example, in 2022 Microsoft changed the default so that Office documents arriving from the internet, those tagged with Mark of the Web (MOTW), would no longer run macros, requiring the user to right-click the document and choose Unblock or run Unblock-File in PowerShell. While some may think of this as an exploit mitigation or hardening rather than detection, I disagree. From a detection engineer’s perspective, before Microsoft made this change I could have written a custom detector for that same behavior. After Microsoft implemented it, there was a major drop in macro-based malicious document delivery.

[Chart: Microsoft Office Share of Malware Deliveries. HP Wolf Sure Click Enterprise telemetry, share of isolated threats arriving as Office files (Word, Excel, PowerPoint, Outlook), quarterly data 2021 – 2025. Y axis: Office share of isolated deliveries (0–60%). Annotations: all-time peak Q4 2021 = 50%; Microsoft macro block Jul 2022 · −13pp; Office share roughly halves, 2023 ~30% → 2024 ~15%; AI-vuln-discovery era shows no spike (avg 13.5%). Source: HP Wolf Threat Insights · magonia research. Caption: Office malicious-document delivery by quarter.]

This, combined with modern EDR tooling that makes profiling behaviors easy, lets you build baselines and detections for behaviors ...
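As an added illustration of the behavioral approach the post argues for (example code written for this page, not the author's detection logic or any vendor's rules): one rule keyed on Office applications spawning a script host, plus a baseline of normal Office parent/child pairs built from a known-good window, covers the payload stage of the whole Office RCE class without a per-CVE signature. The log format, host names and sample events are constructed; the process-name sets are an assumed rule scope.

```python
from collections import Counter
from dataclasses import dataclass

# Office hosts whose child processes we profile (assumed rule scope).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script/shell hosts an Office document should essentially never launch.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str
    child: str

def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'key=value|key=value' process-creation record."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return ProcEvent(fields["host"], fields["parent"].lower(), fields["child"].lower())

def build_baseline(lines):
    """Count (parent, child) pairs observed during a known-good window."""
    return Counter((e.parent, e.child) for e in map(parse_event, lines))

def detect(lines, baseline, min_seen=3):
    """Rule 1: any Office parent spawning a script host (covers every RCE whose
    payload needs one). Rule 2: Office children absent from the baseline."""
    alerts = []
    for e in map(parse_event, lines):
        if e.parent not in OFFICE_PARENTS:
            continue
        if e.child in SCRIPT_HOSTS:
            alerts.append((e.host, "office_spawns_script_host", e.parent, e.child))
        elif baseline[(e.parent, e.child)] < min_seen:  # Counter gives 0 if unseen
            alerts.append((e.host, "office_child_off_baseline", e.parent, e.child))
    return alerts

# Constructed sample telemetry (not real EDR output).
BASELINE_LOG = ["host=ws01|parent=WINWORD.EXE|child=splwow64.exe"] * 3 \
    + ["host=ws02|parent=excel.exe|child=splwow64.exe"] * 4
LIVE_LOG = [
    "host=ws01|parent=WINWORD.EXE|child=powershell.exe",  # macro/exploit payload
    "host=ws02|parent=excel.exe|child=splwow64.exe",      # print helper, baselined
    "host=ws03|parent=winword.exe|child=notepad.exe",     # unseen pair, needs review
    "host=ws03|parent=explorer.exe|child=cmd.exe",        # outside rule scope
]

def run_demo():
    """Apply both rules to the live events against the baseline."""
    return detect(LIVE_LOG, build_baseline(BASELINE_LOG))
```

Swapping in real EDR process-creation events for the constructed records is the only change needed; the two rules stay the same regardless of which CVE produced the macro or exploit.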
