AI Will Find More Vulnerabilities Than Ever. Are We Ready to Fix Them?
In April, Anthropic introduced Project Glasswing and gave selected partners access to Claude Mythos. It did not release the model publicly, because it had found a large number of critical vulnerabilities in operating systems, browsers, and other software. The question now is no longer whether AI will find more bugs, but who will be able to fix them.
A Model Too Powerful to Be Released Publicly
For years, the hardest part of software security was simply finding vulnerabilities in the first place. Project Glasswing suggests that may no longer be true. Anthropic says Claude Mythos Preview identified thousands of zero-day vulnerabilities across critical infrastructure within just a few weeks and showed exceptional capability in both discovering and exploiting complex flaws in operating systems and web browsers.
That is also why Anthropic chose not to release the model publicly. Instead, it was initially deployed in a limited setting with partners responsible for operating or maintaining critical software. This marks a significant shift. If AI dramatically accelerates vulnerability discovery, the main bottleneck moves elsewhere, away from detection and toward triage, prioritization, validation, and the safe deployment of fixes into production.
The New Bottleneck? Maintenance and Remediation
This view is reinforced by Forrester’s analysis. One of its key takeaways is that teams maintaining open-source software may become the next major bottleneck in the security ecosystem. According to Forrester, Glasswing exposed very old vulnerabilities in projects often maintained by small teams or volunteers. As the firm puts it: “Mythos turns discovery into an exponential problem. Remediation capacity in open source, however, is limited.”
This matters even for companies that do not build software themselves. Their infrastructure and applications depend on a wide range of open-source components, and the long-term maintenance of those components is far from guaranteed. In that context, security will no longer be defined by who finds the flaw first. It will depend on who can remediate it safely, test it properly, and roll it into production without unnecessary side effects. Forrester also argues that the most valuable part of security services will increasingly shift from discovery to interpretation, prioritization, and remediation guidance.

The Impact Will Extend Into Governance
Forrester’s point is not limited to developers and maintainers. It also highlights broader implications for governance. If AI can identify relevant vulnerabilities at scale, organizations will face growing pressure to maintain far better visibility into their assets, dependencies, versions, and ownership. The real value will no longer lie in generating a list of issues as quickly as possible, but in understanding those issues in the context of a specific environment and turning them into controlled, well-managed change.
From a business perspective, that means one thing: monitoring threats is no longer enough. Organizations will also need robust patch management, dedicated testing environments, clear decision-making authority, and recovery scenarios for cases where a fix cannot be deployed immediately. As the window between discovery and exploitation continues to shrink, operational discipline becomes increasingly important. In the years ahead, that discipline may matter more than the number of security tools a company has in place. That is the logical conclusion of what both Anthropic and Forrester are describing.
Take It With a Grain of Salt
Some experts have pointed out that the model is also surrounded by a strong wave of publicity tied to Anthropic’s planned IPO, and that some of the more dramatic claims have yet to be independently verified. Many of the vulnerabilities in question may also be detectable using smaller, less expensive models. Red Hat adds an important nuance here: context matters. What ultimately determines risk is the exposure level of the affected service, the system’s default configuration, and the defensive controls already in place.
Even so, Mythos should not be dismissed. Some of the current claims may turn out to be overstated, but the broader direction is clear: AI is accelerating vulnerability discovery and increasing pressure on the teams responsible for assessing, prioritizing, and fixing issues. For organizations, the key question will not simply be which security tools they use, but whether they have sufficient visibility into their environment, clear accountability, and the operational processes needed to respond in time. That is where real resilience will increasingly be defined.