After Mythos: The Real Cybersecurity Shift Business Leaders Are Missing

I recently wrote that Mythos was a real event surrounded by an unreal conversation. The panic was lazy. The dismissals were lazy. The interesting work was going to happen quietly, after the discourse moved on, when business leaders had to stop reacting and start deciding.

That moment is arriving faster than expected.

We are now in what I'd call the reality phase. The hype has cooled. The skeptics who called it pure marketing have gone quiet. And the data, the actual numbers from companies using these models in the wild, has started landing in places that matter. The story is no longer about whether Mythos is real. It's about what it's already doing.

Let me walk through what's changed since I posted the last piece, because the practical implications for business leaders are now sharper.

The numbers stopped being theoretical

Palo Alto Networks, one of the early Glasswing partners, ran their own systems through Mythos and GPT-5.5-Cyber. They disclosed 26 critical exploits covering 75 issues. Their normal baseline is under five. That's a five to seven times jump in vulnerabilities found, in a single audit cycle.

Mozilla shipped 423 bug fixes in April. Their average is around 22 per month.

Google's threat intelligence group confirmed the first observed case of an attacker using a zero-day exploit that was developed with AI. The Canvas learning platform was breached and its parent company had to negotiate with attackers for the return and destruction of stolen data.

In my last piece I said your security posture was going to matter more, not less. I want to be more direct now. The half-life of unpatched software has already shrunk. Not theoretically. Measurably. The Palo Alto CEO put it plainly: the window between breach and exfiltration used to be measured in days. It's now measured in minutes.

The 90-day disclosure window is dead

This one matters and almost no one outside cybersecurity is talking about it.

For years, the standard practice when a researcher found a vulnerability was a 90-day coordinated disclosure window. Notify the vendor privately. Give them three months to fix it. Then go public. The whole system rested on the assumption that an attacker was unlikely to independently find and weaponize the same bug inside that three-month window.

That assumption no longer holds. When AI can find and exploit a vulnerability in 25 minutes, a 90-day window is not a safety mechanism. It's a head start for whoever gets to the bug first. Security teams are already operating on a different clock and the rest of the world hasn't noticed yet.

If you run a business that depends on software, and that's essentially every business now, the timeline you've been planning around is gone. You don't have months to apply patches. You have days. And in some cases, you have hours.

The regulatory picture is moving

Here's the part I genuinely did not see coming.

The Trump administration is reportedly drafting an executive order to establish a government review process for frontier AI models before release. The Center for AI Standards and Innovation is back in active conversation. There's a working debate over whether the NSA or the Commerce Department should lead frontier model vetting. Senators on both sides of the aisle are now publicly discussing catastrophic risk. Germany's cybersecurity agency just proposed a Mythos-access framework of its own. China formally requested access through diplomatic channels.

This is a meaningful shift in posture, and it's worth taking seriously regardless of how you feel about any particular administration. The point isn't political. It's strategic. When the regulatory ground moves this fast, business leaders who built their AI roadmap on the assumption of a stable rule set have a problem. The shape of compliance for frontier AI is being decided right now. Whatever lands, every company using these models will have to navigate it.

If your AI strategy assumes a stable regulatory environment, you don't have a strategy. You have a hope.

The end of equal access

There's a quieter shift happening underneath all of this, and it might be the most consequential one for long-term strategy.

For most of the past few years, frontier AI access was effectively equal. If you had a credit card, you had access to roughly the same models as everyone else. A startup in Iowa and a Fortune 500 in Manhattan were pulling from the same API. That period is ending, and Mythos is the first clear marker of where it's headed.

Three forces are pushing in the same direction. Security gating, where the most capable models go to a vetted few first. Compute scarcity, where there simply aren't enough chips to serve frontier capability to everyone who wants it at current prices. And government involvement, which is now formalizing what was already happening informally.

The pattern that emerges looks roughly like this. A new frontier model gets released first to defenders and a small set of pre-cleared firms. Then to companies that can clear high compliance and KYC bars. Then to the general API. By the time the average business gets unfettered access, the next generation is already moving through the same pipeline.

If you're a business leader, the implication is straightforward. You can no longer assume your competitors are using the same AI capability as you are. The companies inside that early access circle are going to spend three to six months operating with tools your team can't touch. That's a real gap, not a theoretical one, and it compounds.

This doesn't mean you're locked out. It means you need to think harder about which capabilities matter most to your business, and what you'd do if access to those capabilities became conditional on something other than your ability to pay.

The asymmetry that should keep you up at night

The Palo Alto CEO had a line that I haven't been able to shake. He said defending an organization is Batman vs. Superman, but uneven. The defender has to be right 100% of the time. The attacker only has to be right once.

AI doesn't change that asymmetry. It amplifies it. If a model finds five vulnerabilities in your stack and an attacker exploits just one, you don't get credit for the four you patched. You lose.

This is why the "Mythos is just marketing" takes have collapsed so completely. It doesn't matter whether Mythos itself is the most powerful model that will ever exist. What matters is that we now have public, verifiable evidence that AI-assisted vulnerability discovery works at scale, and that capability is going to keep diffusing. Open source models are roughly three to five months behind the frontier. The math is not complicated.

What this means for you

Last time I gave you four things to do. They all still hold. The data has sharpened a few of them, so let me update them.

Patch cadence is now a board-level issue. Not an IT issue. Not a CISO-only issue. If your organization waits weeks to apply security updates, you are operating on a calendar that no longer matches reality. The first question your board should be asking your technical leadership is "what is our actual time-to-patch on critical CVEs, measured from the day the vendor ships a fix to the day it is deployed on our systems, and what would it take to cut it in half."
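One concrete way to answer that board question, as an added example that is not part of the original post: a small script that computes time-to-patch for critical findings over a constructed asset inventory. The record format, the CVSS 9.0 threshold for "critical", the 7-day SLA and all identifiers below are assumptions chosen for illustration, not real advisories. Two measurement choices matter and are easy to get wrong: measure from the day the vendor shipped the fix, not from when the CVE was published, and count still-open items as of today rather than dropping them, since excluding open items flatters the number.

```python
"""Time-to-patch metrics for critical findings over a constructed inventory.

Added example, not code from the original post. The record layout, the
CVSS threshold, the SLA and every identifier here are illustrative
assumptions; the EXAMPLE-* ids are constructed and are not real CVEs.
"""
import math
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional

CRITICAL_CVSS = 9.0   # assumption: CVSS base score >= 9.0 counts as critical
SLA_DAYS = 7          # assumption: critical fixes must be deployed within 7 days


@dataclass(frozen=True)
class PatchRecord:
    finding: str              # advisory id (constructed sample data)
    asset: str                # system the finding applies to
    cvss: float               # CVSS base score
    fix_released: date        # day the vendor shipped a fix
    patched: Optional[date]   # day the fix was deployed; None = still open


def time_to_patch(rec: PatchRecord, as_of: date) -> int:
    """Days from vendor fix availability to deployment.

    Open items are measured up to `as_of` so they keep counting against
    the metric instead of silently disappearing from it.
    """
    end = rec.patched if rec.patched is not None else as_of
    return (end - rec.fix_released).days


def percentile(values: List[int], p: float) -> int:
    """Nearest-rank percentile over a non-empty list (p in 0..100)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100.0 * len(ordered)))
    return ordered[rank - 1]


def summarize(records: List[PatchRecord], as_of: date) -> dict:
    """Critical-only time-to-patch summary: count, open, median, p95, SLA breaches."""
    critical = [r for r in records if r.cvss >= CRITICAL_CVSS]
    if not critical:
        return {"critical_count": 0, "open": 0, "median_days": 0,
                "p95_days": 0, "sla_breaches": []}
    ttp = [time_to_patch(r, as_of) for r in critical]
    return {
        "critical_count": len(critical),
        "open": sum(1 for r in critical if r.patched is None),
        "median_days": median(ttp),
        "p95_days": percentile(ttp, 95),
        # Breaches include open items already past the SLA as of today.
        "sla_breaches": [r.finding for r, d in zip(critical, ttp) if d > SLA_DAYS],
    }


# Constructed sample inventory: four critical findings (one still open) and
# one high-severity finding that the critical-only metric must exclude.
AS_OF = date(2025, 6, 30)
SAMPLE = [
    PatchRecord("EXAMPLE-0001", "edge-fw-01", 9.8, date(2025, 6, 1), date(2025, 6, 3)),
    PatchRecord("EXAMPLE-0002", "web-app-02", 9.1, date(2025, 6, 5), date(2025, 6, 20)),
    PatchRecord("EXAMPLE-0003", "db-03", 7.5, date(2025, 6, 2), date(2025, 6, 25)),
    PatchRecord("EXAMPLE-0004", "vpn-04", 9.6, date(2025, 6, 10), None),
    PatchRecord("EXAMPLE-0005", "mail-05", 9.3, date(2025, 6, 20), date(2025, 6, 24)),
]


if __name__ == "__main__":
    for key, value in summarize(SAMPLE, AS_OF).items():
        print(f"{key}: {value}")
```

On the constructed data the critical median is 9.5 days and the p95 is 20 days, driven by the VPN appliance that is still unpatched; "cut it in half" then has a concrete target and a concrete culprit. Run it against an export from your own patch-management or vulnerability-scanning tool by building the same records from that data.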

Your vendors are your attack surface. The Palo Alto findings, the Mozilla bug count, the Canvas breach. None of those happened to the end user directly. They happened to platforms the end user depends on. Do you know which of your software vendors are running AI-assisted audits right now? Do you know which ones aren't? That conversation should be on your calendar this quarter.

Plan for a tiered AI future. Assume the model your team can buy today is not the model your largest competitors will be using in twelve months. Build flexibility into your AI architecture so you can swap in better capability when you get access to it, and so you're not over-invested in any single provider. The teams that use abstraction layers are already doing this. Most businesses are not, and they will feel it.

Build for regulatory flexibility. Whatever AI compliance framework lands in the next six months, it will require documentation, auditability, and governance. The companies that thrive will be the ones whose AI implementations were already designed with these in mind. Not because they predicted the rules. Because they built in a way that adapts to any rules.

Stop reacting to headlines. Build internal capability to read the signal. I said this last time and I'll say it again, because nothing in the past few days has made it less true. The companies winning right now have a standing conversation between technical leadership and the executive team. Quarterly at minimum. Not "what did Anthropic announce." But "what does this mean for our stack, our customers, our regulatory exposure, and our next twelve months."

The takeaway

In my last piece I said the leaders who do well in this era won't be the ones who reacted hardest. They'll be the ones still thinking clearly about it months later. We are now in those months.

The hype is gone. The dismissals are gone. What's left is the work. The patching, the planning, the conversations with your team, the audit of which assumptions you made six months ago no longer hold.

That's not a sexy headline. It's never going to trend. But it's the only part of this story that actually matters to anyone running a business.

The reality phase is here. The leaders who treat it like a moment of clarity rather than a moment of panic are the ones who will be glad they did.
