"We don't need an industry that cries wolf. We need an industry that says 'this is the risk.'"
Ira Winkler
Field CISO
AISLE

Following the recent release and hype surrounding Anthropic's Mythos model, policymakers moved quickly to assess the ripple effects of AI-powered bug hunting. The US government brought in major financial institutions and raised concerns about how these tools might impact national infrastructure. But security teams on the ground heard a different story. For operators, the real headache is operational: AI may make it cheap and easy to find software flaws, but fixing them remains a human bottleneck. Vulnerability discovery is commoditizing, but remediation capacity has not kept pace.

Ira Winkler, Field CISO at AISLE, began his career as an intelligence analyst at the National Security Agency before spending more than three decades advising some of the world's largest organizations on cybersecurity strategy. A former elected President of the Information Systems Security Association and adjunct faculty at UMBC's Center for Cybersecurity, he also founded CruiseCon, an industry event bringing security professionals together. He said the Mythos moment has less to do with what AI can now discover and more to do with whether organizations have built the systems to act on what they already know.

"We don't need an industry that cries wolf. We need an industry that says 'this is the risk,'" Winkler said. The infrastructure for finding and fixing software vulnerabilities has existed for decades. Mythos forces a different question: whether organizations have built the operational discipline to act on what they find.

To Winkler, companies brute-forcing vulnerabilities with AI are accelerating a reality that has existed for decades. Software has always shipped with defects, and the infrastructure for finding and fixing them, from responsible disclosure programs to consolidated Patch Tuesday releases, predates AI by decades. Many enterprise breaches, he said, still trace back to a simpler weakness: the patching gap, the time between a fix being available and organizations actually applying it. When AI-driven discovery accelerates without a corresponding lift in responsible disclosure and timely mitigation, that window widens, and attackers move into it.

  • Moths in the machine: Winkler was direct about what Mythos actually represents: an acceleration of existing practice, not a new category of risk. "This is something that has been happening since the advent of software. Because LLMs are more efficient and can brute-force code, they find vulnerabilities faster than a person could in practice," Winkler said. For some teams, that acceleration translates into higher API spending and operational pressure as they rush to process proprietary and third-party code through expensive models. The underlying capability, he said, does not require a frontier model to be effective. "We tested it on OpenSSL, which is used by two-thirds of the Internet," he added. "We did responsible disclosure, and they're now fixed."

  • The patching paradox: The failure he described was one of remediation, not discovery: fixes sitting undeployed while the window for attackers widens. "The fear is that somebody will use an LLM capability against commonly used open-source software and run a supply chain attack before people fix it," Winkler said. "People are not being hacked because of zero-day vulnerabilities. They're being hacked because they haven't implemented a patch that was distributed six months ago."

  • One bug to rule them all: Adversaries have consistently treated widely deployed, unpatched flaws as opportunities for broad access, and the Log4j vulnerability showed how quickly defenders can be overtaken when they move too slowly. "A single vulnerability can be the master key for a lot of computers. The worst-case scenario is getting access to software that people don't patch quickly enough, like EternalBlue, where bad guys got access to NSA software and took down the National Health Service in the UK," Winkler said.

Discovery without triage is noise. AI-powered scanners pointed at legacy codebases return a mix of old and new vulnerabilities, including bugs dormant for decades that may never be reachable in practice. Without an engineering filter for exploitability, that influx creates a triage bottleneck that clogs pipelines with low-priority alerts and buries what actually matters. Winkler likened discovery-only tools to a schoolyard bully: quick to point at a problem, with nothing to offer once it lands.

  • Panic over antiques: The age of a vulnerability is not a reliable proxy for danger. What matters is whether attackers can actually reach the vulnerable code path and what the business impact would be if they did. "Here's this piece of software sitting there for 25 years that nobody gave a damn about. If it hasn't been found in 25 years, it might not even be technically reachable to exploit," Winkler said. "How old the vulnerability is, is irrelevant to the exploitability and criticality of the exploit. Who cares if it's 25 years?" Exploitability, not age, must drive how organizations prioritize their response.

  • Signal over static: Winkler described one practical test run where an automated mitigation pipeline cut a large vulnerability dataset down to a fraction of its original size, surfacing only the findings that were genuinely severe and actionable. Automating how findings are routed, enriched, and executed across engineering and operations requires shared accountability between CIOs and CISOs. "You need a funnel where you have 5,000 vulnerabilities, merge down to 1,100, and of those, only 30 are really critical. Then you implement the fixes," Winkler said. The technical capabilities for deeper automation are already available. The harder part, he noted, is pacing that integration to match an organization's risk tolerance. Some security leaders remain hesitant to let systems auto-patch or auto-remediate without human review, even as they rely heavily on AI-assisted coding and automated testing elsewhere in the development lifecycle. "The problem is not faster problems. It's faster triage and mitigation so companies can get fixes into production quicker."
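The funnel Winkler describes, as an added Python sketch that is not part of the original article or of AISLE's tooling: duplicate findings are merged, unreachable ones are filtered out, and what remains is ranked by exploitability and business impact, with the age of the bug deliberately ignored. The `Finding` fields, the scoring weights and the sample findings are constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str        # constructed identifier, not a real CVE
    component: str
    age_years: int      # present only to show that it never influences priority
    reachable: bool     # can the vulnerable code path be reached from an attack surface?
    exploit_public: bool
    asset_impact: int   # 1 (low) .. 5 (critical) business impact of the affected asset


def merge_duplicates(findings):
    """Stage 1: scanners report one bug once per host; keep one entry per (id, component),
    retaining the highest-impact instance so nothing critical is lost in the merge."""
    seen = {}
    for f in findings:
        key = (f.vuln_id, f.component)
        if key not in seen or f.asset_impact > seen[key].asset_impact:
            seen[key] = f
    return list(seen.values())


def filter_reachable(findings):
    """Stage 2: the engineering filter for exploitability. Age is not a criterion."""
    return [f for f in findings if f.reachable]


def score(f):
    """Priority = exploitability x impact; f.age_years is intentionally unused."""
    return (2 if f.exploit_public else 1) * f.asset_impact


def critical(findings, threshold=8):
    """Stage 3: only findings above the threshold go to remediation, highest first."""
    return sorted((f for f in findings if score(f) >= threshold), key=score, reverse=True)


def funnel(findings):
    merged = merge_duplicates(findings)
    reachable = filter_reachable(merged)
    crit = critical(reachable)
    counts = {"raw": len(findings), "merged": len(merged),
              "reachable": len(reachable), "critical": len(crit)}
    return counts, crit


# Constructed sample: a 25-year-old unreachable bug, a duplicated reachable one, a brand-new unreachable one.
SAMPLE = [
    Finding("EX-0001", "libfoo", 25, False, False, 5),
    Finding("EX-0001", "libfoo", 25, False, False, 2),   # same bug, second host
    Finding("EX-0002", "ssl-lib", 1, True, True, 5),
    Finding("EX-0002", "ssl-lib", 1, True, True, 3),     # same bug, lower-impact host
    Finding("EX-0003", "log-lib", 3, True, True, 4),
    Finding("EX-0004", "img-parser", 12, True, False, 2),
    Finding("EX-0005", "cli-tool", 0, False, False, 4),
]
```

Running `funnel(SAMPLE)` reduces seven raw findings to two that merit immediate action, and the 25-year-old entry drops out because it is unreachable, not because it is old.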

The pressure from Mythos has accelerated a shift already underway: security teams backlogged by AI-generated alerts are moving toward solutions that help them act rather than just observe. The platforms gaining traction are those that sort findings by real risk, suggest concrete mitigations, and close the loop between discovery and fix. Doing so increasingly depends on CIOs and CISOs operating from a shared accountability model. For Winkler, the deeper question was never whether AI could find vulnerabilities faster. It was whether organizations had built the systems, the workflows, and the shared accountability to do something about them before attackers did.

"The industry doesn't need more tools pointing and laughing at every flaw," Winkler said. "It needs systems that can walk into the chaos, assess severity, and decide what needs action first."