The real shift underneath Mythos

The Real Shift Underneath Mythos

Smiling person with short dark hair and a beard, wearing a black shirt with a logo that includes the letter U. The background is a plain light grey.

By Tomer Hadassi

Apr 22, 2026

Key Takeaways

  • Whether Anthropic’s Mythos delivers on its claims is the wrong question to build a security program around.
  • The defensive trajectory that matters is independent of any single model: AI is lowering the attacker skill floor and accelerating zero-day disclosure.
  • Most security programs are well-instrumented for AI-assisted patching and environment hardening, but structurally underinvested in agentic remediation and runtime response controls.
  • AI defense is a context problem, not a model problem – and that context only exists at runtime.

Anthropic’s Mythos model has been called a cybersecurity watershed and a marketing stunt in the same week. Both camps have a point. Mythos appears to represent a real capability gain, and Anthropic deserves credit for releasing it through Project Glasswing rather than dropping it in the wild. At the same time, independent replication work has surfaced quickly. Researchers have shown that some of Mythos’s headline zero-days, including the FreeBSD vulnerability Anthropic led with, can be reproduced using much smaller open-weight models. The full picture is probably somewhere in the middle of what the dramatic launch coverage suggested and what the cynics will admit.

Here’s what most of the Mythos coverage is missing: whether the model is a watershed or an incremental step is the wrong question to build a security program around. The trajectory is what matters. AI is lowering the skill floor for attackers and accelerating the cadence of zero-day disclosure, and that trend doesn’t depend on any single model delivering on any single claim. Over the past two weeks, we’ve watched a different shift play out across customer environments. Security teams are making operational tradeoffs that would have been off the table eighteen months ago.

Whether Mythos is exactly what Anthropic says or something less, the defensive posture that holds up is the same one. That’s the posture worth digging into. 

Mythos isn’t the story. The risk calculus is.

A couple months before the Mythos announcement, a customer of ours, a consumer internet company running well over 100,000 containers, was dealing with the Shai Hulud zero-day in TruffleHog, the open-source secrets scanner. Not business-critical software. Security tooling.

Their team had exploit activity detected in their environment 24 to 30 hours before public disclosure. Standard remediation was going to take a week: identify affected workloads, patch the binary, verify, redeploy. Meanwhile the exploit was in the wild and the clock was running.

So they did something they wouldn’t have considered in 2024. They enabled environment-wide prevention – blocking the TruffleHog process – for the compromised tool across every container in their production environment. For non-critical software and without a committee.

That decision, not the Mythos announcement, is the actual story of where cloud security is going.

Zoom out from that one decision and the picture is this. The average enterprise takes over 60 days to remediate a critical vulnerability. Sixty percent of breaches exploit known vulnerabilities where a patch was already available. Large enterprises carry backlogs where 45% of identified vulnerabilities remain unpatched after twelve months. That’s the structural condition security teams have been operating under for years.

What makes this more challenging is the speed on the other side. Time-to-exploit has collapsed from 2.4 years in 2018 to under a day in 2026. AI can reverse-engineer a patch and produce a working exploit within hours of disclosure. The gap between what defenders can fix and what attackers can exploit has been widening for eighteen months. 

Either Mythos or one of the upcoming models is accelerating that shift even further.

The threshold has collapsed across the board

What we’re seeing:

A leading North American bank runs a six-month sprint this year to remediate previously-accepted low and medium severity vulnerabilities, because AI-assisted patch diffing has compressed the exploit window on those shorter than the bank’s quarterly review cycle. A large asset manager is rebuilding its live-patching practice from the assumption that critical zero-days will arrive twice-weekly rather than quarterly. In another conversation I had with a customer with direct Mythos access they concluded their in-house red team is still better than the model and yet, has responded not by standing down, but by doubling down on environment hardening.

What these teams have in common is that they’ve already stopped arguing about whether AI-driven offense is real. We all recall the story of XBOW. An autonomous system that became the top researcher on HackerOne’s US leaderboard and the first AI to outperform every human hacker on the platform. Mythos wasn’t even born yet. That was freely available tooling applied persistently. The floor on what a low-skill attacker can do has been rising for twelve months: automated reconnaissance, custom tooling, exploit generation, all in reach of operators who couldn’t have pulled any of it off in 2024. Mythos is pointing at the ceiling rising too. Whether the specific model delivers on the claim is beside the point. The direction is what matters.

Meanwhile the remediation side has only gotten harder. Most vulnerability management programs are running against backlogs in the tens of thousands. The engineering teams who actually apply patches are competing with feature work, migrations, and on-call rotations. Remediation capacity has been the real bottleneck for years. The queues are getting longer and the clock is getting shorter.

The common thread isn’t Mythos. It’s that security teams are trading operational risk for exploit risk at a rate that was unimaginable eighteen months ago.

Four defensive plays

There are four distinct strategies teams are running in response. Most organizations are doing some version of the first two reasonably well and are structurally underinvested in the third and fourth.

AI-powered patching. Using AI to fix vulnerabilities at scale. That includes automated code fixes, image cleaning, and regression testing. Works well for what it works for. Doesn’t help with the legacy code nobody wants to touch, and by definition can’t address unknown zero-days. Necessary, not sufficient.

Environment hardening. Making attack chains structurally difficult regardless of entry point: container-to-host escape prevention, workload isolation, identity and network policies built from runtime behavior rather than guesswork. This is where AI earns its keep on defense – analyzing how workloads actually communicate to surface what least privilege should mean in your environment, not what a policy template says it should mean. This is the layer to lean into post-Mythos, not away from. It’s the most durable defense and the slowest to build.

Live patching and agentic remediation. Automated package updates across environments when vulnerabilities land; AI-driven runtime sandboxes that simulate patch impact before deployment. Solves the frequency problem but introduces new risk. Meaning, agents that can modify production at machine speed are also agents that can take it down at machine speed.

Runtime response controls. Process termination, network flow blocking, packet dropping, API request denial, syscall blocking. Treats the container or endpoint as the defensive boundary rather than the network perimeter. Have the controls to respond to new attacks in real time.

These aren’t alternatives or a la carte options. They’re layers. Most security programs are well-instrumented for the first two layers and structurally thin on the last two. That gap is what the AI-driven offensive era exposes. The shift happening across our customer base isn’t a rip-and-replace; it’s teams adding the missing layers to the stack they already have.

The question for any security team reading this isn’t which one to pick. It’s which layer you’re underinvested in.

What AI defense actually needs

Notice what every layer above depends on: knowing what’s running, how it’s communicating, and what’s allowed. That’s necessary context. Models don’t fail at security because they’re not smart enough; they fail because they don’t know what they’re looking at. A frontier model handed a 500,000-line codebase with no environmental context will produce confident-sounding nonsense. The same model handed the same code but with runtime telemetry that tells it what processes are actually executing, which APIs are actually being called and what identity is actually doing what, will produce something defenders can use.

This is Upwind’s view of how AI defense actually works. The hard part isn’t the model, it’s the context the model needs to be useful, and that context only exists at runtime. Not in static scans, not in configuration files, not in the documentation of what a workload is supposed to do, but in the live signal of what it’s actually doing right now. 

AI-powered patching needs runtime context to know which vulnerabilities are reachable. Environment hardening needs runtime context to know what least privilege should look like. Agentic remediation needs runtime context to know whether a fix is safe to deploy. Runtime response controls need runtime context by definition. You get the idea. 

The defensive AI conversation is mostly happening at the model layer. The decisive layer is the one underneath it.

The perimeter moved

Here’s what actually shifted. In 2023, if you asked most security leaders whether they wanted an agent that could terminate production processes based on runtime signal, the answer was no because the operational risk of a false positive outweighed the exploit risk. In 2026, that math is reversed for a growing number of teams. Exploit dwell time is collapsing faster than false positive rates are rising. The perimeter is no longer the VPC edge. It’s the container, the syscall, the API request.

Upwind ships process termination today, with the remaining response-control suite rolling out through the year. But the product mention is the smallest part of this piece. The argument is bigger: any cloud security platform that doesn’t let you enforce at runtime is going to be the wrong platform for the world that Mythos is pointing at.

The teams that come through this in good shape won’t be the ones who guessed right about Mythos. They’ll be the ones who stopped needing to guess.

The Real Shift Underneath Mythos

Further Reading

We Knew It Was Coming
Thought Leadership

We’ve Been Here Before and We Knew It Was Coming

By Jake Martens

Apr 21, 2026

The AI security industry is calling 2025 the new 1990s. The uncomfortable truth is that we predicted every mistake we’re making right now — and made them anyway. TL;DR: AI security in 2025 is repeating the same structural mistakes that made the early internet a golden age for hackers — not because the industry forgot […]

RSAC 2026 from the floor: What an AE heard between the keynotes and the handshakes
Thought Leadership

RSAC 2026 from the floor: What an AE heard between the keynotes and the handshakes

Kevin McCord

By Kevin McCord

Apr 13, 2026

RSAC 2026 drew 43,500 attendees, 600+ exhibitors, and enough AI announcements to fill a small data lake. But the conversations that mattered most didn’t happen on the main stage. They happened in hallway pull-asides, over bad coffee, at HH and during blunt one-on-ones with security leaders who are done being marketed to and ready to […]

Agentic Security is Here
Thought Leadership

Agentic Security Is Here — But Who Is Accountable When the AI Acts Alone?

Screenshot 2025-11-05 at 6.12.41 AM

By Gourav Nagar

Apr 10, 2026

TL;DR: Agentic security is the use of autonomous AI systems that detect, triage, and respond to threats without human intervention, which introduces a new category of operational risk. The most valuable security skill in 2026 is not prompt engineering or AI fluency. It’s consequence engineering: the ability to anticipate what happens when an autonomous system […]