Come and find us at Stand D48.
Over the next three days, our Cyber Operators will be on the ground at InfoSecurity Europe 2026, showing how CybaOps helps organisations cut through the noise, take control and command their mission.
Stop by the stand to experience a live cyber incident simulation, see CybaOps in action, meet the team and grab some exclusive CybaVerse merch.
Can't make it to InfoSecurity this year? We've got you covered. Below, you can read our Cyber Chronicle newspaper, the very same edition we're handing out at the expo.
Inside, you'll find the latest cyber insights, industry commentary, and discover what our Cyber Operators really think about Mythos.
See you at stand D48.
Mythos or Just Myth?
By Oliver Spence, Co-Founder & CEO
Every frontier AI release follows the same playbook now. Scary capability. Restricted access. Cyber warnings on the spec sheet. Project Glasswing for Mythos is just the latest run of it.
Let's cut the sh*t about what's going on. The safety warning has become the marketing. GPT-2 in 2019, held back on misuse grounds, Dario Amodei on the author list. Claude Opus 4 shipped under ASL-3 with cyber evals across web, crypto, pwn, reverse engineering, network and Cybench. OpenAI's o3 and o4-mini system card covered vulnerability discovery.
Google DeepMind's Frontier Safety Framework treats cyber as a severe risk.
Now Mythos.
Nothing sells capability like saying you're not allowed to use it yet. I'm not calling anyone a liar. The risks are real. But the incentives are mixed, and the
industry should be grown-up enough to spot it. Safety publication is responsible. It's also really f*cking good marketing.
Here’s the bit everyone keeps missing.
If Mythos can find a flaw, the flaw already exists. Mythos isn't creating vulnerabilities. It's discovering shit that was already there. Open�source code is public. Binaries can be reversed. Fuzzing, static analysis, symbolic execution, exploit dev, none of this is new. LLMs already help attackers read code, write tooling, and automate recon. Agentic workflows already chain scan, analyse, payload, validate, report.
If one frontier lab can do this, others will follow. Open models, fine-tunes, attacker-built agents. The capability curve is flattening fast, and the vulnerabilities are not gated. The code is not gated. The binaries are not gated. Your attack surface is sure as hell not gated. And attackers already have AI. Anthropic published GTG-1002 in November 2025. Chinese state actor, thirty global targets, Claude Code doing 80 to 90 percent of the tactical work. Humans clicked yes four to six times across an entire campaign. That's the world you're already in. Mythos doesn't change the timeline. The timeline already moved.
The 100-day Glasswing window? Helpful. Not a shield. A disclosure deadline is not a remediation plan. Vendors can pull fixes forward. They cannot rewrite the laws of engineering capacity. Critical RCEs get prioritised. Architectural fixes slip. Open-source maintainers drown. Enterprises hit change freezes and stall. Attackers read the disclosures and hunt adjacent bugs.
AI generates findings faster than organisations can absorb them. That's the actual problem.
Here's the thing nobody wants to say. Your business is not a GitHub repo. It's a mess of users, suppliers, endpoints, SaaS, identity sprawl, stale devices, forgotten kit and unpatched edge appliances. Attackers get in through stolen credentials, weak MFA, exposed services and dogshit logging. Not through elegant zero-days reasoned out by a frontier model.
Mythos will accelerate discovery. The advantage goes to whoever can turn findings into action. Prioritisation. Ownership. Patching. Evidence. Monitoring. Response.
Final word. Mythos isn't overhyped because it lacks capability. It's overhyped because we're all staring at the model when the real fight is the remediation gap. Stop waiting for the launch. Start shortening the time between finding and fixing. That's the war.
Dissecting One of the Biggest Mythos Myths
Simon Phillips, CTO
Since Claude Mythos was launched in April, speculation around its long-term impact on cyber security has escalated rapidly.
One of the most common claims is that organisations will soon need to abandon Patch Tuesday in favour of constant, daily patching cycles. This is leading to security teams being worried they will be overwhelmed by a flood of newly discovered vulnerabilities, forcing them to fire fight continuously and dramatically increase resources to keep pace.
But in reality these claims are completely overhyped.
Advanced AI platforms like Mythos will increase the speed and scale of vulnerability discovery, but organisations must remember that effective vulnerability management has never been about volume. It is about understanding which vulnerabilities genuinely pose a meaningful risk to the business.
Not every CVE requires urgent remediation. Many vulnerabilities remain low risk due to limited exploitability, lack of exposure within environments, or the existence of compensating controls. This is why risk-based prioritisation remains critical. If organisations aim to patch every vulnerability AI platforms uncover, this will require significant resourcing as patches can’t simply be automated without review, they need to be manually assessed to understand the impact they will have within environments.
This is where some of the conversation surrounding Mythos is becoming counterproductive.
The idea that organisations must move from Patch Tuesday to “Patch Every Day” is creating unnecessary chaos and distracting from the main objective, which has always been about improving resilience through better prioritisation, visibility, and risk management. AI-driven vulnerability discovery will undoubtedly change the security landscape over time.
It may increase patching volumes and accelerate remediation timelines for critical flaws. However, this does not mean organisations suddenly need to treat every
discovered vulnerability as an emergency. Fortunately, the reality is far less dramatic. Security teams should focus on understanding the actual risk a vulnerability presents to their unique environments. So, no, the patch apocalypse has not arrived.
Context is always key.
Mythos: Sounds impressive, but let's not get carried away
Michael Jepson, Head of Penetration Testing
When Anthropic announced Mythos earlier this year, it caused a bit of a stir.
The claims were significant: a platform powerful enough that distribution had to be restricted, capable of accelerating vulnerability discovery to a degree that some described as an AI-enabled weapon. The honest answer is that we don't yet know how much of that holds up outside the conditions it was tested in. Much of the published work involved source code access and defined scope, which is a very different problem to what an external attacker actually deals with.
That doesn't make the results meaningless, but it does mean the headline framing needs to be treated with some caution.
What is harder to dismiss is the broader direction of travel. Zero-days are not new, and major vendors have been dealing with them for years. What is changing is the cost and skill required to go from spotting a weakness to building something that works against it. If advanced LLMs and generative AI applications keep developing the way they are, the practical effect is that the capability which previously needed a specialist starts becoming available to anyone willing to pay for the tokens and resources.
That is the shift worth paying attention to, rather than any single application.
Restricting access might slow things down for a bit, but it won't hold forever. Once something is shown to be possible, it gets copied, sold or abused elsewhere. Best to assume that's coming and plan for it. None of this changes the fundamentals, and that is really the point. The organisations most exposed are still the ones struggling with the basics: weak patching, poor asset visibility, exposed services, little to no monitoring, no regular penetration testing, and incident response plans that haven't been tested.
For those unaware, the likes of Cyber Essentials (CE) and CE+ are a useful baseline and worth having, but they are not the finish line. In the current landscape, businesses should be aiming for stronger assurance, regular penetration testing, better monitoring, and a genuine ability to respond quickly when something new lands.
This is exactly the kind of maturity CybaVerse helps organisations build towards.
The takeaway is fairly straightforward.
Assume vulnerability discovery is getting faster. Assume the specialist barrier is lowering. And make sure your defences, your patching and your response processes are fast enough to keep up.
The AI hype will keep coming, but for most organisations, the work that matters has not changed.
Mythos vs. the SOC
Oliver Legg, Head of Security & Incident Response
Anthropic's "Claude Mythos" has triggered a familiar reaction-cycle of disbelief and hype, into a creeping sense of operational inevitability. An AI model capable of
autonomously discovering and chaining zero-days at scale sounds like a massive breaking point, and in some ways it is. From a detection perspective, the real risk isn't that "everything is completely vulnerable and being exploited as we speak", it's that the conditions Security Operations teams rely on to stay ahead of threat actors may no longer exist.
Security Operations teams have always lived and worked around zero-days. The idea that threats appear before intelligence, signatures, and patches isn't new. What Mythos changes is the speed and scale at which that reality unfolds. Elia Zaitsev said it perfectly, that the windows between discovery and exploitation that was once measured in weeks or months, is now measured in minutes. That compression is the real story.
When discovery-to-exploitation collapses into minutes, every assumption baked into the modern SOC operating model fails under load. Alert queues that are worked top-down by human analysts, detection engineering cycles that run-in sprints, none of these were designed for an adversary that can plan, weaponise, and deploy in minutes at scale.
The instinct in our industry may be to respond with more tooling, more telemetry, more headcount. The issue isn't capacity, it's speed. Meeting AI-driven offence with AI-augmented defence becomes less of a strategy choice, and more an operational requirement. The harder part? Automation at pace is easy; automation at this pace maintaining high accuracy and quality is not.
Blind auto-response is arguably worse than slow human response, creating risks and a blast radius of its own. The SOCs that thrive in a Mythos-shaped world will be the ones that get the balance right: AI doing the heavy lifting on detection, enrichment, correlation and containment, with humans elevated to judgement calls, proactive security work, and tuning the machine that's doing the work.
The window hasn't just shrunk, it's closed for any SOC still operating on human-speed workflows.
SOC leaders now face a choice: redesign for machine speed or accept blind spots that adversaries will inevitably exploit. Detection and response now has to run at machine speed by default, with humans governing the system rather than sitting inside every decision loop.
The Gap is Closing. Are You?
Andreas Wuncher, Chairman
The conversation around frontier AI in cyber security tends to fixate on the model. What it can find. What it's been restricted from doing. Whether the capability is real or the hype is manufactured.
That's the wrong conversation.
The question that actually matters is speed. Specifically: what happens to the gap between discovery and exploitation when AI is doing the work on both sides?
That gap used to be measured in weeks. Skilled researchers, manual analysis, slow triage. Defenders had time, not much, but some. AI compresses that window
dramatically. Discovery becomes cheaper, faster, and more scalable. The long tail of medium-severity findings that nobody had the time or economics to exploit starts looking attractive. Agentic workflows can chain reconnaissance, analysis, payload generation and validation without meaningful human intervention. The asymmetry that defenders quietly relied on, that most vulnerabilities simply weren't worth the effort, is eroding fast.
The honest answer to "how long do we have when something is found?" is getting very close to zero.
That changes the calculus entirely. Patching cadences designed around human-speed threat actors are not designed for this world. Change freezes, vendor timelines, open source maintainer backlogs, enterprise approval chains, none of these were built for a threat environment where the time between a finding and a working exploit is measured in hours rather than months.
So what does readiness actually look like?
It starts with knowing what you have. Not in the abstract, in practice. Asset visibility, data classification, identity sprawl, third-party dependencies, exposed services. AI Governance isn't a compliance checkbox. It's the foundation for understanding your actual exposure. You cannot prioritise what you cannot see, and you cannot defend what you haven't inventoried.
From there: understand your exploit vectors. Where are the realistic entry points? Credentials. MFA gaps. Exposed services. Unpatched edge kit. Prioritise ruthlessly based on what an attacker can actually reach and chain together, not just on CVSS scores in a spreadsheet.
The organisations that survive this shift won't necessarily be the ones with the best detection. They'll be the ones who shortened the loop, from finding to fix, from alert to action, from exposure to remediation.
AI moves at AI speed. The question is whether your response process does too.
Reduce Security Chaos With CybaOps
If your organisation is struggling with fragmented visibility, disconnected security tools or growing identity risk across your environment, now is the time to rethink how security operations are managed.
CybaOps was built to help organisations move beyond reactive security and gain clearer operational control across detection, response, vulnerabilities, compliance and identity activity in one unified platform.
To learn more about how CybaVerse can help simplify your security operations and reduce operational chaos, get in touch with our team or request a demo of CybaOps today.