Security News

Cybersecurity news aggregator

Source: SC Media (News)

The vulnerability flood is here. Patching won't save you.

  • What: Commentary on the growing challenge of unpatched vulnerabilities
  • Impact: Organizations face increasing risks from unaddressed flaws

Topics: AI/ML, Generative AI, Security Operations, SOC, Vulnerability Management, Application security

May 8, 2026
By Ariel Parnes

COMMENTARY: Something fundamental shifted on April 7. Anthropic announced Claude Mythos Preview — and disclosed that over 99% of the vulnerabilities the model discovered in its first weeks of testing remained unpatched at the time of the announcement. Thousands of zero-days. One model. A few weeks of work.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

This is not just a better scanner. Mythos identifies a zero-day weakness, chains it to adjacent vulnerabilities to amplify impact, and — if directed maliciously — can operate undetected indefinitely. That's a different category of threat, not a faster version of what we already knew.

The patching math has never worked — now everyone knows it

Let's be direct about what this means operationally. The industry's working assumption has always been that patching is the answer — that if you move fast enough, you close the window before it's used against you. That assumption was already strained. Mythos breaks it openly.

Anthropic and Project Glasswing are working to responsibly disclose findings, rightly prioritizing the most critical systems first: major operating systems, browsers, widely deployed open-source infrastructure. But this is the first wave, not the last. Other labs are building toward the same capabilities. The pipeline only widens from here.

Meanwhile, consider where most organizations actually stand. On average, over 45% of discovered security vulnerabilities in large organizations remain unpatched after 12 months. Many organizations responsible for critical infrastructure still run end-of-life software with no vendor support. That was already a crisis before AI-accelerated discovery entered the picture. The gap between discovery speed and remediation speed is now unbearable — and it won't close.

Known to defenders, known to attackers

Here is the part that matters most. When a critical vulnerability is responsibly disclosed — published as a CVE, incorporated into scanner signatures, announced in a patch advisory — it doesn't just reach defenders. It reaches everyone. And Mythos-class capabilities are not, and will not remain, exclusive to responsible actors.

Nation-state groups are already experimenting with AI-powered exploitation. A Chinese state-sponsored campaign was documented using Claude Code to infiltrate roughly 30 organizations — tech companies, financial institutions, government agencies — before it was detected. That wasn't a theoretical future scenario. That was last year.

As Mythos-class discovery becomes more broadly available, the window between a vulnerability becoming publicly known and a threat actor weaponizing it will compress dramatically. For many exposures in your environment — particularly in legacy systems, complex SaaS integrations, and cloud configurations — that window will be shorter than your patch cycle.

When you can't close the window — watch it

We worked recently with a global organization that identified eight critical posture gaps in a single core application. The mapped risk exposure exceeded $200 million. The IT team's response was honest: "It will take us two years to close these gaps without disrupting operations." That's not an anomaly — that's most enterprises.

If your security strategy relies on closing every gap before an attacker finds it, you are playing a losing game. The question isn't when IT will fix this. The question is: if a threat actor walks through a known, unpatched vulnerability in your environment today, will you know?

This is where the strategic shift has to happen. For every system where a critical vulnerability exists but cannot yet be patched — a legacy OS, an unmitigated cloud misconfiguration, a third-party SaaS dependency — you need a compensating control. Continuous behavioral visibility into that environment. Detection coverage tuned to the specific risks of that exposure. The ability to identify early-stage lateral movement, anomalous authentication, and unusual access to the data or resources that vulnerability would unlock.

Not "patch everything." Know precisely where you're exposed, instrument those environments deeply, and be prepared to detect and respond before the damage is done.

The operating model has to change

The teams that will navigate the post-Mythos landscape well are the ones who have built the best answer to a simple question: If an attacker came in through a known, unfixed vulnerability in my environment today — would I see them?

Treat your known-vulnerable inventory as your highest-value detection surface. Prioritize behavioral visibility over the same systems you're prioritizing for patching. Don't wait for the patch queue to catch up before you instrument the risk you've already accepted.

The vulnerability flood is here. The organizations that recognize this early — and shift their model from patching as a primary defense to detection as a parallel strategy — are the ones that will come out the other side intact.

Ariel Parnes is co-founder and COO of Mitiga.
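The compensating control the column describes (treating the known-unpatched inventory as the detection surface and watching for first-seen authentication paths and unexpected access to the resource an exposure would unlock) can be sketched as a small correlation rule. This is an added example, not the author's or Mitiga's code; the inventory, baseline, account list and events are all constructed for illustration.

```python
"""Detection over a known-unpatched asset inventory (added example).

All data below is constructed: assets, baseline auth pairs, approved
accounts and sample events are made up and come from no real environment.
"""

# Known-vulnerable inventory: asset -> the exposure and what it would unlock
UNPATCHED = {
    "legacy-erp-01": {"exposure": "end-of-life OS, no vendor patch", "unlocks": "finance-db"},
    "crm-saas-gw": {"exposure": "third-party SaaS dependency", "unlocks": "customer-pii"},
}

# (source host, destination asset) pairs seen during a learning period
BASELINE_AUTH = {("jump-01", "legacy-erp-01"), ("crm-app", "crm-saas-gw")}

# Accounts expected to reach each unlocked resource
APPROVED_ACCESS = {"finance-db": {"svc_erp"}, "customer-pii": {"svc_crm"}}


def analyze(events):
    """Return alerts for events that touch an asset on the unpatched inventory.

    Event shape (constructed): dict with 'type' of 'auth' or 'access',
    'src', 'dst', 'user' and, for 'access' events, 'resource'.
    Events against assets outside the inventory fall through to normal triage.
    """
    alerts = []
    for ev in events:
        asset = UNPATCHED.get(ev["dst"])
        if asset is None:
            continue
        if ev["type"] == "auth" and (ev["src"], ev["dst"]) not in BASELINE_AUTH:
            # New source-to-asset path: early lateral-movement indicator
            alerts.append({"severity": "high", "asset": ev["dst"],
                           "reason": f"first-seen auth path {ev['src']}->{ev['dst']}",
                           "exposure": asset["exposure"]})
        elif (ev["type"] == "access" and ev["resource"] == asset["unlocks"]
              and ev["user"] not in APPROVED_ACCESS[asset["unlocks"]]):
            # Unexpected account reached the resource this exposure unlocks
            alerts.append({"severity": "critical", "asset": ev["dst"],
                           "reason": f"{ev['user']} reached {ev['resource']}",
                           "exposure": asset["exposure"]})
    return alerts


SAMPLE_EVENTS = [  # constructed
    {"type": "auth", "src": "jump-01", "dst": "legacy-erp-01", "user": "svc_erp"},
    {"type": "auth", "src": "wkstn-117", "dst": "legacy-erp-01", "user": "jdoe"},
    {"type": "access", "src": "wkstn-117", "dst": "legacy-erp-01", "user": "jdoe",
     "resource": "finance-db"},
    {"type": "auth", "src": "wkstn-117", "dst": "fileshare-03", "user": "jdoe"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The baseline and approved-account sets stand in for whatever behavioral model is in use; the point is that the same event carries a higher severity when its destination is on the accepted-risk list.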
