Getty Images
The AI vulnerability storm is here: Is your security program ready?
AI platforms are poised to accelerate vulnerability discovery and exploitation faster than humans can manage. It's time for CISOs to rethink their security strategies.
Emerging frontier AI models, such as Anthropic's Claude Mythos, are dramatically accelerating vulnerability discovery and exploitation, shrinking the window between a software flaw's discovery and its weaponization to mere hours.
In just a few months, Mythos has discovered thousands of critical flaws across every major OS and browser, creating working exploits without human guidance and enabling autonomous attacks at speed and scale, according to the Cloud Security Alliance (CSA) report, "The Vulnerability Storm: Building a 'Mythos-ready' Security Program."
The report, co-authored with SANS, OWASP and more than a dozen CISOs, argues that organizations clinging to pre-AI assumptions about patch cycles, exploit timelines and incident frequency are operating with an already outdated risk model.
For CISOs and security teams, the trend demands a fundamental rethink of how vulnerabilities are prioritized, triaged and remediated.
Fight AI with AI
The CSA report authors recommended that organizations deploy their own AI to defend their operations and strengthen their security architecture to slow attackers and limit consequential damage.
- Automate vulnerability management. Use LLM-powered agents to find and fix vulnerabilities in code, pipelines and dependencies and to move toward a fully automated vulnerability review process embedded in CI/CD pipelines.
- Automate incident response. Automate incident response processes by preauthorizing containment actions and building playbooks that execute without waiting for human sign-off at every step.
- Strengthen security basics. Enforce basic security controls -- network segmentation, egress filtering, phishing-resistant MFA, zero-trust architectures -- that limit damage and buy critical response time when an attack succeeds.
- Rebuild risk models. Update risk models and board-level reporting to reflect the new threat environment. Organizations that still base response times and patch windows on pre-AI assumptions risk distorting their actual exposures and underfunding controls that matter most.
A to-do list for CISOs
Rich Mogull, chief analyst for CSA and one of the report's authors, said CISOs should build security programs around the expectation that AI-enabled attackers can discover new vulnerabilities, create near-instant exploits and automate complex, multistage attacks without requiring any specialized skills.
"Minimum viable resilience means an organization expects constant, advanced attacks, often using zero days, and uses a mixture of security boundaries, more effective incident detection and response and faster patching to defend," Mogull said. "It also means fully integrating these same technologies into software development so the flaws attackers rely on are more likely to be remediated before software is ever released."
Short-term priorities
CISOs should prepare for a flood of patches addressing AI-discovered vulnerabilities that attackers could exploit within hours. Given the sheer number of discoveries, organizations won't be able to patch their way out of the crisis. Instead, they must focus on containing fallout as much as possible.
"Inventory and identify your most critical applications," Mogull said. "Then start segregating them and adding security boundaries so an attacker doesn't get the entire stack with only one flaw."
Integrate AI into development
Use AI agents for code review and align that process with existing software development lifecycle tools, such as static application security testing, dynamic application security testing and software composition analysis.
"Most organizations can even start scans in parallel with their existing pipelines if they can't get it inserted into the pipeline," Mogull said. "Be smart and use multiple agents to validate findings and not flood your own developers."
Empower the SOC with AI
"This is one area AI is very well suited for, and we've seen as organizations integrate AI into the SOC, they are getting some great results," Mogull said.
A mindset shift, not just a tech upgrade
Andrew Braunberg, principal analyst at Omdia, a division of Informa TechTarget, said the CSA report highlights how important it is for CISOs and other security leaders to reassess their strategies.
"We are moving to an era of exploits on demand, basically," he said, adding that agentic AI lowers the bar for less sophisticated threat actors, increasing the persistence and cadence of attacks.
"The entire C-suite is going to need to get way past their traditional comfort zone with the idea of autonomous remediation. We are moving to a machine versus machine environment, and folks are going to have to readjust their risk tolerances one way or another," Braunberg said.
Proceed with caution
While Braunberg recommends deploying AI agents to bolster security, he warned about the potential long-term cost implications. Vendors up and down the AI stack are currently subsidizing the use of their tools. Enterprises will ultimately have to consider what the actual costs are based on the complexity of the tasks being automated.
"Alert triage, for example, is relatively straightforward and requires modest inference and resource lookups," he said. "Threat hunting is a different animal entirely. Organizations need to understand those real costs before baking agentic into the SOC."
Rethink software lifecycle management
Beyond technical controls, organizations should rethink software lifecycle management in an AI-driven environment. It means understanding how AI tools enable secure-by-design software and how to reorient the SOC to embrace attack surface reduction, threat detection and incident response.
"How do we balance business risk, resiliency and security as we move toward autonomous response? The big questions are still people- and process-oriented," Braunberg said.
Getting the fundamentals right
Mythos represents an inflection point for both cybersecurity and AI, but it doesn't change the fundamentals of security as much as it changes the speed at which those fundamentals must operate, said Justin Fier, senior vice president of offensive security at Darktrace.
Many organizations are already struggling with basic security challenges, including lack of visibility across their environments, over-permissioned accounts, weak identity controls, and poor identity and access management hygiene. Mythos did not create those issues, but it raises the stakes around them, Fier said.
To that end, an AI-ready security environment wouldn't necessarily need to look dramatically different from what a strong security program does today. But that security foundation needs to move a whole lot faster in an AI world.
Automate safely
"CISOs need to start thinking about automation done in a safe and structured way," Fier said. "If organizations are going to patch at the speed and scale that will be required, some form of safe automation is going to be necessary."
He recommends using AI agents for code review, red teaming, incident response and other security functions, but only if organizations fully understand the risks -- especially those associated with AI agents -- before diving in.
"If organizations do not get identity right, they are essentially letting agents run around the business without enough visibility or auditability into what they are doing," Fier said. "That is where we start to see stories about agents wiping out code bases, making costly mistakes or creating real losses because they did not have the right controls around what they could access or change."
Transform vulnerability management
Diana Kelley, CISO at Noma Security, said organizations must stop treating vulnerability management as a queue -- scanning to find issues, assigning an owner for the issue and waiting for the next patch or change window -- and start treating it as an operating model.
In an AI world, the queue approach won't work, she said, explaining that in an operating model, vulnerability response becomes a continuous business process with clear ownership, decision rights, automation, escalation paths and preapproved authority to contain risk. "The team is constantly asking: Is this exploitable in our environment? Is it on a critical system? Can we patch it now? If not, can we isolate it, block egress, rotate credentials, add monitoring or reduce blast radius today?"
In practice, that involves security, engineering, IT and business owners working together.
"The metric can't just be 'how many critical and high vulnerabilities did we patch this month?'" she said. "It has to be, 'How much exploitable exposure remains on systems that matter and how quickly can we reduce or contain it?'"
Jaikumar Vijayan is a freelance technology journalist with more than 20 years of award-winning experience in IT trade journalism, specializing in information security, data privacy and cybersecurity topics.