Vulnapalooza: Why Anthropic's Mythos Is the Loudest Headliner Nobody Bought Tickets To
- Katie Moussouris

Anthropic didn't sell tickets, but the show has already started. Claude Mythos Preview has taken the stage, and it's turning vulnerability disclosure up to 11 with thousands of zero-day vulnerabilities across every major operating system and browser in a VIP-only show. The crowd waiting to get in is every organization, and we're being warned to bring earplugs via Project Glasswing.
Is all this just great marketing to get people excited about the new Anthropic model, Mythos? Is it the end of the world as we know it? The roar of the crowd can make it hard to hear the harmonies, but I've been to this festival before.
Having created many vulnerability disclosure programs and one of the first multiparty vulnerability coordination programs at a software vendor, as well as helped companies suddenly faced with a deluge of bug reports, I know how cacophonous this music festival of vulnerabilities can be. And this time, the show doesn't end after the weekend.
The Venue Wasn't Built for This Crowd
In 2008, I started Microsoft Vulnerability Research, the first formal multiparty vulnerability coordination program at Microsoft, kicking off with OG research rock star Dan Kaminsky's DNS vulnerability. Even back then, finding bugs was never the hardest part. The hard part was the coordination infrastructure: triage, validation, communication, pushing patches, verifying remediation.
That infrastructure was built for a boutique club, not a stadium. Fewer than 1% of the potential vulnerabilities Mythos has discovered so far have been fully patched by their maintainers. Lucky for us, Anthropic is deliberately throttling the pipeline to keep from blowing the speakers, for now.
This Isn't a One-Night-Only Show. It's a Residency.
Mythos identified thousands of zero-day vulnerabilities over the past few weeks, and comparable performances are expected in the Battle of the AI Bands within six to eighteen months. This is a permanent residency, not a limited run. Every few months, the models get better and the setlist of bugs gets longer.
The attack side has been warming up for years, even before the new AI bands dominated the charts: the average time-to-exploit dropped from 32 days in 2021 to 5 days in 2023, then went negative in 2024, meaning attackers were exploiting vulnerabilities before patches were publicly available. That held through 2025.
Mythos and other models will crank up the volume. Tick tock, make it pop, goes the Zero Day Clock.

Sources: Mandiant M-Trends 2024 · Mandiant M-Trends 2026 · Rapid7 2026 Global Threat Landscape Report
The Show Must Go On, But Someone Still Has to Run Sound
Even if AI writes a perfect pitch patch, you still must deploy it into a production environment running the vulnerable software. That means big hair, sound checks, stage makeup, and a dozen wardrobe changes in the form of testing, change management, maintenance windows, fallback plans, and none of those instruments play in tune just because AI wrote the patch.
The 2025 Verizon DBIR found a median of 38 days to remediate all KEVs, with only 54% of edge vulnerabilities fully remediated. In healthcare and education, the remediation gap is staggering.
AI is Remixing Open Source Supply Chain Folk Tunes
Log4j taught us what happens when the crew gets overwhelmed. The Cyber Safety Review Board, which I served on, found that SBOMs were not useful to any responders we interviewed, despite others singing their praises. What mattered was knowing which assets you had, which were exposed, and which were critical. The most actionable intel in real time came from software and cyber vendors, and yet the tour bus still broke down and the pyrotechnics were still a fire hazard for many. The teams that did the best were those who already achieved operational harmony by jamming together through many other incident playlists.
You’ll need experienced roadies for the KEV-pop AI bands on the next world tour. Staff up now.
Festival Survival Guide for Security Teams
Every good festival has a survival guide. Here's yours for the AI Vulnapalooza.
🎟️ Harden the perimeter first. Headcount and security controls are your general admission wristband. Without them, attackers will flood the gates.
🔦 Invest in threat detection next. Know you've been breached fast. Teams that contain intrusions in hours, not weeks, are still standing at the end of the set.
🚌 Build operational redundancy. Patch some nodes while keeping services running on the others. It's the shuttle that gets you home.
⚡ Optimize patch deployment. Get faster at these riffs, but don’t rely on this as your main strategy.
🤖 Bring AI into every layer of your defensive operations, from software development and patch creation to vulnerability scanning, penetration testing, and red teaming. Offense already has too much of a head start. Match AI with AI or you'll be doing the wrong kind of headbanging.
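The asset-first lesson from Log4j (know which assets you have, which are exposed, which are critical) and the "patch some nodes while keeping services running" item above can be turned into a small planner. This is an added example, not code from the original post: a rolling-patch scheduler that ranks KEV-affected hosts by exposure, criticality and KEV age, then batches them so every service keeps a minimum number of healthy nodes. The hosts, services, CVE ids and KEV ages are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Host:
    name: str
    service: str
    internet_exposed: bool
    critical: bool
    cves: set  # CVE ids found on the host by scanning

# Constructed, placeholder KEV-style catalog: CVE id -> days since listing.
KEV = {"CVE-0000-0001": 40, "CVE-0000-0002": 3}

def priority(h: Host) -> tuple:
    """Exposed, critical hosts carrying the oldest KEV entries go first."""
    kev_age = max((KEV[c] for c in h.cves if c in KEV), default=-1)
    return (h.internet_exposed, h.critical, kev_age)

def plan_rolling_patch(hosts, min_healthy):
    """Return (waves, blocked). Each wave takes nodes out of service only while
    every service still has at least min_healthy[service] nodes running;
    hosts in services with no spare capacity are reported as blocked, i.e.
    they need a maintenance window rather than a rolling patch."""
    capacity = {}
    for h in hosts:
        capacity[h.service] = capacity.get(h.service, 0) + 1
    todo = sorted((h for h in hosts if h.cves & KEV.keys()), key=priority, reverse=True)
    blocked = [h.name for h in todo if capacity[h.service] <= min_healthy.get(h.service, 1)]
    todo = [h for h in todo if h.name not in blocked]
    waves = []
    while todo:
        wave, down = [], {}  # down: nodes per service taken out in this wave
        for h in list(todo):
            if capacity[h.service] - down.get(h.service, 0) - 1 >= min_healthy.get(h.service, 1):
                wave.append(h.name)
                down[h.service] = down.get(h.service, 0) + 1
                todo.remove(h)  # patched nodes rejoin before the next wave
        waves.append(wave)
    return waves, blocked

def demo():
    hosts = [  # constructed sample inventory
        Host("web1", "web", True, True, {"CVE-0000-0001"}),
        Host("web2", "web", True, True, {"CVE-0000-0001"}),
        Host("web3", "web", True, True, {"CVE-0000-0002"}),
        Host("db1", "db", False, True, {"CVE-0000-0002"}),
        Host("db2", "db", False, True, set()),
        Host("lab1", "lab", False, False, {"CVE-0000-0001"}),
    ]
    return plan_rolling_patch(hosts, {"web": 2, "db": 1, "lab": 1})

if __name__ == "__main__":
    print(demo())
```

The blocked list is the signal to the change-management side: those services have no redundancy, so the patch needs a scheduled window, which is exactly the kind of operational debt the guide says to pay down now.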

Stay Hydrated. Charge Your Devices. Use the Buddy System.
The security community has survived every major threat shift in history. This one is bigger and faster, but the fundamentals hold: know your assets, know your vendors, know your exposure. Detect fast. Contain fast. Patch fast. You may need an IV before it's all done.
And as with any festival: stay hydrated, charge your devices before the gates open, find a buddy, and do not go in alone. The organizations that show up prepared, with their team, their kit, and a plan, are the ones still standing when the last encore plays.
Vulnapalooza is only beginning. Defenders who are prepared will be ready to rock. 🤘🏼
Katie Moussouris is the founder and CEO of Luta Security, a company that specializes in exactly the kind of vulnerability coordination and management you're scrambling to do better right now. She designed Microsoft Vulnerability Research, the first multiparty vulnerability coordination program at Microsoft, and served on the Cyber Safety Review Board. She is a pioneer of bug bounties and vulnerability disclosure, having coauthored the international standards for vulnerability disclosure and handling, created Microsoft's and the Pentagon's first bug bounties, and created the UK government's first Vulnerability Disclosure Program.