Expansion Of Mythos-Level LLMs Makes Exploitability The Key Focus: CISO
The expected spread of frontier AI capabilities for vulnerability discovery such as Anthropic’s Claude Mythos means that organizations will need to prioritize patching based on the exploitability of software flaws, Optiv’s Rob Gregory tells CRN.
The expected spread of frontier AI capabilities for vulnerability discovery such as Anthropic’s Claude Mythos means that organizations will need to prioritize patching based on the exploitability of software flaws, according to Optiv security chief Rob Gregory.
That’s a shift from traditional vulnerability management approaches, which focused on reducing the total number of vulnerabilities in an organization’s environment, said Gregory, CISO at Denver-based Optiv, No. 28 on CRN’s 2025 Solution Provider 500.
With the massive awareness generated by Anthropic’s disclosures about Mythos starting in early April, “I think it’s been positive overall to allow the entire industry to shift focus,” he told CRN.
“Historically, we’d gotten to a point where, specifically around vulnerabilities, we were managing the risk based on the cumulative number of vulnerabilities—how many are in your environment,” Gregory said. “For a while, that’s been a legacy way of thinking. But [until Mythos] it really hadn’t gone mainstream, to no longer view vulnerabilities like that.”
The need to shift focus in this way is likely to become only more urgent, given the latest signals from AI providers such as Anthropic about where frontier models such as Claude Mythos are headed next.
Last week, Anthropic disclosed that it now expects to release vulnerability-discovery capabilities akin to Mythos, which seemed to indicate a shift from prior messaging that implied Mythos might never become public.
In an update about its Project Glasswing initiative on May 22, Anthropic wrote that “in the near future, once we’ve developed the far stronger safeguards we need, we look forward to making Mythos-class models available through a general release.”
A separate post from Anthropic, published the same day, likewise suggested that publicly available capabilities comparable to Mythos are not far off.
“We believe that Mythos-level models will become widely available in the next 6-12 months,” a team at Anthropic wrote in the post.
Other disclosures about the proficiency of frontier AI for vulnerability discovery have concerned Anthropic’s Opus 4.7 model, as well as OpenAI’s GPT 5.5.
Without a doubt, the latest generation of models is more capable at coding and at reasoning about vulnerability discovery and exploitability, as well as at executing complex cybersecurity use cases, CrowdStrike CTO Elia Zaitsev said during an event earlier this month. This is both because the models have improved and because guardrails have been reduced, Zaitsev said.
However, where the latest frontier models are “particularly good [is] at chaining together existing vulnerabilities and identifying these non-obvious attack paths, as well as some reverse-engineering tasks,” he said.
This new level of vulnerability risk means that organizations will need to understand more than how many vulnerabilities they have or how severe those vulnerabilities are, Optiv’s Gregory said.
“I think what Mythos and what other frontier LLMs will start to identify and drive—from a vulnerability management standpoint—is starting to look at not vulnerability, but exploitability,” he said. “What are your exploitability weaknesses, and what are you doing about those? And do you already have emergency patching cycles? Do you already have the capability to do agentic patching?”
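To make the distinction Gregory draws concrete, the following is an added illustration (not Optiv’s method and not code from anyone quoted in this article) of ranking the same set of findings two ways: the legacy way, by CVSS severity alone, and by evidence of exploitability. The inputs it assumes per finding are a CVSS base score, an EPSS probability (from FIRST), whether the CVE appears in CISA’s Known Exploited Vulnerabilities catalog, whether a public exploit exists, and whether the affected asset is internet-exposed; the weights, the emergency-cycle threshold, the finding names and the sample data are all constructed for the example.

```python
"""Exploitability-first patch prioritization (added illustration, not Optiv's method).

Assumed inputs per finding: CVSS base score, EPSS probability (FIRST),
membership in CISA's KEV catalog, public exploit availability, and
whether the asset is internet-exposed. Weights are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str              # constructed placeholder, not a real CVE id
    asset: str
    cvss: float            # 0-10 base severity
    epss: float            # 0-1 probability of exploitation within 30 days
    in_kev: bool           # listed in CISA Known Exploited Vulnerabilities
    exploit_public: bool   # a working exploit is publicly available
    internet_exposed: bool # asset reachable from the internet


def severity_rank(findings):
    """Legacy ordering: highest CVSS first, nothing else considered."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def exploitability_score(f: Finding) -> float:
    """Hypothetical score: evidence of real-world exploitability dominates;
    CVSS only breaks ties among comparably exploitable findings."""
    score = f.epss
    if f.in_kev:
        score += 1.0
    if f.exploit_public:
        score += 0.5
    if f.internet_exposed:
        score += 0.5
    # CVSS scaled to at most 0.1 so it never outranks the evidence above
    return score + f.cvss / 100.0


def exploitability_rank(findings):
    """Ordering by exploitability evidence rather than severity or count."""
    return sorted(findings, key=exploitability_score, reverse=True)


def emergency_queue(findings, epss_threshold=0.5):
    """Findings that belong in an emergency patch cycle instead of the
    regular cadence: exploited in the wild and exposed, or high EPSS.
    The threshold is an assumed policy value."""
    return [
        f for f in findings
        if (f.in_kev and f.internet_exposed) or f.epss >= epss_threshold
    ]


# Constructed sample: a "critical" finding with no exploitation evidence
# sits next to a "high" one that is actively exploited and exposed.
SAMPLE = [
    Finding("example-A", "internal-db", 9.8, 0.02, False, False, False),
    Finding("example-B", "edge-vpn", 7.5, 0.91, True, True, True),
    Finding("example-C", "web-frontend", 5.3, 0.40, False, True, True),
    Finding("example-D", "build-server", 8.1, 0.01, False, False, False),
]


if __name__ == "__main__":
    print("by severity:      ", [f.name for f in severity_rank(SAMPLE)])
    print("by exploitability:", [f.name for f in exploitability_rank(SAMPLE)])
    print("emergency cycle:  ", [f.name for f in emergency_queue(SAMPLE)])
```

Under the severity ordering the 9.8 finding on an internal database comes first; under the exploitability ordering the 7.5 finding on an exposed VPN that is already in KEV comes first and is the only one that triggers the emergency cycle. The point of the exercise is that the two lists disagree on what to patch today, which is exactly the shift in focus the article describes.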
Ultimately, what Mythos brought to the forefront is that AI will “not only shift how we focus on risk, but it’s really going to reduce the skill floor that is required for a threat actor to be able to [execute] a pretty complicated cyberattack,” Gregory said.
“Exploitability has always been kind of a niche skill set,” he said. “Being able to have that in an LLM that [attackers] can access would be a massive risk, globally.”