These insights are distilled from sessions held over the past week with RSAC’s global network of security leaders, including members of the Executive Security Action Forum, Cyber Leaders Forum, and CISO Boot Camp.
In response to Claude Mythos Preview and Project Glasswing, experts have already produced several useful assessments, including the UK AI Security Institute’s analysis of Mythos’s capabilities, The "AI Vulnerability Storm", The Day-Zero Normal, Fortifying the Enterprise, and Shields Up.[i] Rather than duplicate those efforts, RSAC’s global CISO community focused on three categories of further practical implications for defenders: 1) what CISOs can do now; 2) operating assumptions for this moment of flux; and 3) where uncertainty remains.
Some of the members of the RSAC CISO community have had direct access to Mythos, which grounded our discussions in experience. These members emphasize that Mythos Preview does not include guardrails, making it both powerful and dangerous: it may attempt to bypass constraints, and its output should be treated as untrusted and validated accordingly.
Mythos appears to be significantly better at finding vulnerabilities than previous models—it can create sub-agents to learn as much as possible about a product and become an expert in the target environment. Members reported that Mythos has found complex flaws and chained vulnerabilities together in ways they doubt would have been discovered through conventional means. In one widely cited example, the Mozilla Project’s latest version of Firefox fixes 271 bugs found with Mythos. Some of the vulnerabilities discovered by Mythos and other frontier models may also require significant architectural changes, making remediation harder on compressed timelines.
The central operational implication is that Mythos and similar frontier models further narrow the gap between vulnerability discovery and exploitation. Defenders therefore must accelerate the transition from traditional vulnerability management toward continuous resilience, including continuous attack surface management, faster remediation pathways, and clearer governance for high-volume vulnerability response. Here are the specifics:
1) What CISOs Can Do Now
The RSAC CISO community’s recommendations fall into three categories: a) use AI to increase resilience; b) streamline response processes; and c) update governance practices:
a) Use AI to increase resilience
Use available models to find and fix vulnerabilities now. Organizations do not need access to Mythos to begin preparing. Although Mythos may identify more issues than currently available models, most organizations have not yet pointed secure code review and vulnerability-discovery agents at all of their own code and pipelines. Security teams should begin there, as The “AI Vulnerability Storm” recommends.[ii] And those secure code review and vulnerability discovery agents should run whenever code changes. To manage costs, use smaller, cheaper models wherever quality tradeoffs are acceptable.
Use AI not only to identify vulnerabilities, but also to draft fixes... Existing human-speed remediation processes will not scale to the volume of vulnerabilities that Mythos and other frontier models may uncover. Instead, use coding agents to create draft code fixes and write pull requests (PRs) for your engineers so that they can focus on review, approval, and integration. Reviews should pay particular attention to areas where LLM-generated code is known to be weak, such as input validation and memory safety.
…and remember to impose non-technical constraints on coding agents. Coding agents must implement the same business process constraints that human software development teams capture in user stories or requirements documents so that AI-generated fixes do not trigger regulatory or business-rule violations. As coding agents and firms’ own system prompts improve, development teams may be able to move carefully from human-in-the-loop review for all fixes toward human-on-the-loop oversight for routine, qualified changes.[iii]
Increase attacker cost. Layered defense, deception, obfuscation, and continuous remediation can force attackers to spend more tokens as they attempt to compromise your environment. Because attackers must either buy or steal tokens, attackers will redirect their agents if compromising any given target becomes too costly.
b) Streamline response processes
Compress patch windows and SLAs. CISOs can no longer rely on conventional 30-day patch windows, or even the 15-day windows many organizations use for more critical systems. Some members of the RSAC CISO community have already moved to a 24-hour SLA for remediating externally facing vulnerabilities, recognizing that faster remediation may reduce availability.
“Rehydrate” all stateless systems to reduce the number of systems requiring a traditional patching strategy. For stateless systems, the preferred pattern is to add the fix to a known clean image, rebuild or rehydrate a new instance from that revised image, and delete the existing running instance. This both accelerates remediation and reduces the risk that a compromise persists after conventional patching. Stateful systems still require a more traditional isolate-and-patch strategy.
Practice continuous attack surface management. Continuous attack surface management should reduce the number of situations in which a public disclosure or patch release is the organization’s first indication of exposure. Earlier discovery gives security teams more room to remediate or mitigate before the time-to-exploit clock is publicly ticking.
Create a vulnerability surge mode. Organizations commonly treat truly critical vulnerabilities as incidents, which appropriately triggers a full incident response process. That model may not scale if Mythos and other frontier models increase the number and frequency of critical vulnerability notifications. As suppliers use these models to find and fix more flaws, security teams should expect more frequent alerts and disclosures. To avoid overwhelming incident response capacity, organizations should implement an aggressive “criticality for me” evaluation process that determines whether a generally critical vulnerability is actually critical in their environment. They should also define a streamlined vulnerability surge mode for periods when vulnerability volume exceeds normal response capacity.
c) Update governance practices
Reassess supplier tiers for this specific risk. Many mature third-party risk management programs already use fine-grained supplier tiering models. For the immediate Mythos-driven risk, CISOs need a simpler operating distinction: 1) suppliers that are critical and irreplaceable; 2) suppliers that are non-critical or meaningfully replaceable. Here’s how to treat each group:
- (1) Critical, irreplaceable suppliers may require deeper integration, closer validation, and additional support. Some of these suppliers lack the capacity to use security tools and resources even when they’re provided at no cost, which will require the security team at the larger enterprise to shoulder more of the security burden. Where contracts permit, perform continuous control testing via API and AI red-team their edges to understand current exposure. Nudge them toward improvement whenever possible, and act to limit the blast radius of damage when it isn’t.
- (2) For non-critical or replaceable suppliers, give them a chance to improve, and work with stakeholders on a replacement strategy if they don’t. Cybersecurity won’t be the only consideration in a supply chain decision, but severe, persistent deficits should trigger a search for a replacement.
Prepare stakeholders for more outages as a risk-reduction tradeoff. RSAC CISO community members expect that faster remediation, more aggressive mitigation, and shutdowns for systems that cannot be fixed within acceptable windows will produce more outages. Thus, CISOs should set expectations with executives, Boards, and regulators now. Deciding to take major customer-facing systems offline often requires a complex process with many participants. A substantial increase in critical vulnerabilities could overwhelm that process; hence, executives should pre-authorize shutdown decisions for defined conditions.
2) Operating Assumptions for This Moment of Flux
Mythos and other frontier models are most useful when they have access to both source code and binaries. Access to both source code and binaries will allow these models to identify the broadest range of vulnerabilities. Some members with access to Mythos are limiting its use to source code for open-source projects and holding the vulnerabilities they find because it is unclear who will fix those flaws or when they will be fixed; no one wants to trigger a Log4j-like event. Organizations that identify and remediate a maximal range of vulnerabilities before attackers have access to comparably capable models will gain an advantage. CISOs should assume that attackers will soon have access to similar capabilities, whether by compromising security researchers with legitimate access, or because competitors publicly release new models with those capabilities.[iv]
Basic security hygiene and compensating controls remain essential. The resources cited above also make this point, but it bears repeating. To improve containment speed, reduce recovery time, and limit blast radius, continue investing in known controls like Zero Trust architecture, strong authentication, restrictions on lateral movement, standard and swift containment protocols for compromised systems, strict adherence to patch SLAs, virtual patching, and aggressive outbound traffic filtering.
Prioritize vulnerabilities that are externally reachable and exploitable. Mythos and other frontier models can chain lower-severity vulnerabilities into serious compromise paths, but not everything they find is remotely reachable or exploitable. Given the likely volume of newly discovered vulnerabilities, security teams must focus finite resources first on vulnerabilities that are both externally reachable and exploitable, then on vulnerabilities that are internally reachable and enable lateral movement. Vulnerabilities that are not exploitable should receive substantially lower priority.
Expect a messy process for deciding on the next wave of Mythos access... Anthropic is reportedly working through requests to join the next wave of access after the Project Glasswing group and is assessing which potential participants would be able to make meaningful progress with Mythos. Compute cost is also a constraint because Mythos is expensive to run.
…and use the waiting time to build operational readiness. To prepare to use Mythos successfully, CISOs should: 1) build strong sandboxes and use existing models to test them; 2) expect and practice for attempted escapes; 3) strengthen incident management and recovery processes; and 4) separate vulnerability discovery from patch validation and application processes.
3) Where Uncertainty Remains
Will participants in subsequent waves of Mythos Preview receive “unguarded” access, as first-wave participants did, or will Anthropic apply guardrails? RSAC does not yet know, and Anthropic may not have made a final decision. RSAC will provide an update when we know more.
Contributors to and reviewers of this guide include members of the RSAC Executive Security Action Forum (ESAF), Cyber Leaders Forum (CLF), and CISO Boot Camp (CBC) Communities.
__________________________________________________________________________________
[i] Some of the members of the RSAC CISO community who contributed to the recommendations here were also reviewers of The "AI Vulnerability Storm" paper.
[ii] Organizations that do not want to expose confidential information to an externally hosted model via API can run a smaller open-weight model locally.
[iii] Here, a “human-in-the-loop” pattern would mean that a human engineer must review before anything gets committed, while a “human-on-the-loop” pattern would mean that qualified fixes get implemented by default, and a human engineer monitors and intervenes as needed.
[iv] Nation-state actors have targeted security researchers in the past, as Katie Moussouris notes, referencing analysis by Google Threat Analysis Group.