
The Zero-Day Clock Has Moved to Zero: What the Mythos Moment Means for Defenders

by Brad Hibbert, COO & CSO

Two of the most capable AI labs in the world have, within the span of two months, both decided their latest models are too dangerous to release publicly. Not because of what the models say. Because of what they can do to software security.

Attackers exploit newly disclosed vulnerabilities in a median of five days. Your team takes 32 to 38 days to patch them. For the most critical internet-facing systems, the window is zero: mass exploitation begins before most organizations have finished reading the disclosure. That was already the reality before this week.

Two months ago, OpenAI launched Trusted Access for Cyber, built around GPT-5.3-Codex, the first model they classified as high risk on their own internal cybersecurity preparedness framework — meaning capable of meaningfully enabling real-world cyber harm at scale. They restricted access to vetted defenders and called it a watershed moment. Yesterday, Anthropic raised the bar further. Claude Mythos Preview has already discovered thousands of critical and previously unknown vulnerabilities across every major operating system and browser, some hiding undetected for nearly three decades. It finds them, chains them into working exploits, and executes. Autonomously. At scale. Anthropic has responsibly restricted access to a select coalition of defenders through Project Glasswing.

This is now a pattern, not an event. The two most capable AI labs in the world have, within the span of two months, both concluded that their latest models are too dangerous to release openly because of what they can do to software security. Others will follow. And not all of them will make the same responsible choice about access.

The question is not whether AI changes the vulnerability landscape. It already has. The question is whether your exposure program was built for this world.

5 Days: median time for attackers to exploit a newly disclosed vulnerability at scale

32-38 Days: median time organizations take to patch those same vulnerabilities

0 Days: the window defenders have before attackers begin exploiting the most critical internet-facing flaws

Source: 2025 Verizon Data Breach Investigations Report

The core problem is context, not count

Most organizations already struggle under the weight of exposure volume. Tens of thousands of new vulnerabilities are published each year, and security teams are forced to triage a backlog that never shrinks. The instinct is to close more tickets faster. But closing vulnerabilities is not the problem. Knowing which ones actually threaten your business is.

A vulnerability in isolation means almost nothing. What matters is whether it is reachable in your environment, whether it can be connected with other weaknesses to let an attacker move deeper into your systems, and whether the asset it sits on is critical to your business. Without that context, cyber risk prioritization is guesswork dressed up as a program.

AI-powered adversaries do not need to find one perfect flaw. They find clusters of imperfect ones and chain them into a lethal path. This is exactly what Mythos Preview demonstrated on the Linux kernel: no single catastrophic bug, just a sequence of weaknesses assembled into a full system compromise. The goal of modern exposure management is not to count vulnerabilities. It is to understand how they connect across your specific environment, and to reduce the greatest amount of business risk with the least amount of effort and disruption.

What defenders need to build toward, now

1. Shift left: secure the code before it ships

AI models can now find flaws in software faster than development teams can release patches. Security scanning must become part of the build and release process itself, not a periodic audit after the fact. Most teams resist this because it slows releases. That tradeoff looks very different when the alternative is remediating an AI-discovered zero-day in production with no patch available and attackers already moving.

2. Move to continuous, real-time discovery

Scanning your environment once a month made sense when threats moved slowly. Exposure management must now be a live, always-on discipline that continuously pulls together findings from scanners, threat intelligence, cloud environments, and internet-facing systems. The common pushback is that real-time data is noisier and harder to act on. It is. That is exactly why the context and prioritization layer matters more, not less.

3. Prioritize by business context, not raw severity

Standard vulnerability severity scores do not support effective cyber risk prioritization because they don't know which systems run your most critical operations. Yet most teams still open a spreadsheet and start arguing whose data is right. Effective vulnerability prioritization must account for what an asset does, whether an attacker could realistically reach it, and whether it could serve as a stepping stone to something more valuable. AI that understands your business context surfaces the handful of exposures that genuinely matter today.

4. Trust the data and govern the decisions

If you do not believe in the data, you will not act on the AI output. That is the real barrier to mature exposure management, not the technology. Organizations need platforms that show their reasoning, flag uncertainty, and have guardrails that prevent a bad recommendation from automatically becoming a bad action. AI systems that feed into other AI systems can amplify mistakes just as easily as insights. Trust is not assumed. It is built.

5. Accelerate remediation with targeted and autonomous action

When no patch exists, mitigation is the only option: isolating affected systems, applying compensating controls, hardening configurations. Teams need specific guidance on exactly which actions reduce risk fastest. And for a growing set of well-understood remediation activities, organizations must start trusting automated execution. When the cost of waiting exceeds the risk of acting without manual approval, automation is not optional.

The orchestration imperative: from data to decisions to action

The exposure management market has been on an irreversible journey through three phases of maturity (what practitioners recognize as the CTEM progression), and where that journey leads is the most important strategic question security teams face today.

Phase One: Data Orchestration

Connecting disparate scanners, normalizing findings, and building a unified view of the exposure landscape. The challenge was integration and data quality.

Phase Two: Decision Orchestration

Applying context, risk scoring, and AI to transform raw findings into prioritized, actionable intelligence. The challenge became relevance and precision.

Phase Three: Action Orchestration

Translating decisions into remediation automatically, with and without humans in the loop, at the speed and scale that machine-speed threats demand.

Many vendors and practitioners still reluctantly acknowledge that action orchestration is next. The reluctance is understandable, and starting cautiously is right. The path forward begins with humans identifying risks, validating patterns, and building confidence in the decisions the platform is making. Models learn from known behaviors first. As that learning matures and trust accumulates, the scope of what can be safely delegated to autonomous action expands.

But that trust has to be earned from the ground up. Action orchestration is only possible when the two preceding stages are solid. If the underlying data is incomplete or disconnected, the decisions built on top of it will be wrong, and automating wrong decisions at speed is worse than moving slowly. Data integrity comes first. Decision quality comes second. Autonomous action is the destination, but it is only reachable by organizations who have done the work in the stages before it. This is ultimately what exposure management is for: not dashboards or reports, but taking the actions that reduce risk, faster and more precisely than the threat demands.

Adding human approval steps to every remediation workflow feels safer. It gives teams a sense of control and confidence that the right eyes have reviewed every change. But feeling safer and being safer are not the same thing. In many cases those approval steps do not make the environment more secure. They make the response slower. In a world where attackers move in hours, a ten-day internal approval process for a configuration change is not governance. It is an open window.

The question is not whether to automate remediations. Every organization will. The question is how many you can automate today, with confidence, and how your platform helps you earn the trust to expand that number over time.

The platform foundation that makes it all possible

None of this works without a highly trusted, high-integrity data foundation. AI agents are only as good as the data they operate on. An autonomous remediation decision made on stale or siloed data is not automation. It is automated error.

The power of AI-driven exposure management does not come from the model itself. It comes from what the model has access to: a unified, continuously refreshed view of every asset, every finding, every relationship, and every business dependency across the environment. That foundation is what allows AI to reason about your environment the way an attacker would: understanding not just what is vulnerable, but how vulnerabilities chain together, what the real-world impact of a compromise would be, and where a single remediation action delivers the greatest reduction in risk.

  • Chain-aware risk modeling

Understanding how vulnerabilities connect across your environment to form paths an attacker could actually follow.

  • Business-context prioritization

Ranking exposures by the business risk they represent, not just their technical severity score.

  • Confident autonomous action

High-integrity data gives AI agents the confidence to act, and gives security leaders the confidence to let them.

  • Maximum risk reduction, minimum disruption

Identifying the smallest set of actions that eliminate the greatest amount of risk, rather than chasing an endless list of individual findings.
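
The difference between severity-first ranking and the chain-aware, business-context prioritization described above (and under "Prioritize by business context, not raw severity") can be shown on a small graph. This is an added example, not Brinqa's code or scoring model: the assets, findings, CVSS values and criticality weights are constructed, and the weighting formula is an assumption chosen for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the article): each finding lets an attacker
# step from one asset (src) to another (dst); cvss is the raw severity score.
FINDINGS = {
    "F1": {"cvss": 9.8, "src": "internet", "dst": "test-vm"},  # severe, but a dead end
    "F2": {"cvss": 5.3, "src": "internet", "dst": "web-frontend"},
    "F3": {"cvss": 6.1, "src": "internet", "dst": "vpn-gateway"},
    "F4": {"cvss": 6.5, "src": "web-frontend", "dst": "app-server"},
    "F5": {"cvss": 5.9, "src": "vpn-gateway", "dst": "app-server"},
    "F6": {"cvss": 4.7, "src": "app-server", "dst": "billing-db"},
}
# Constructed business-criticality weights; unlisted assets count as 0.
CRITICALITY = {"billing-db": 10, "app-server": 3}

def attack_paths(findings, start, target):
    """Enumerate loop-free paths from start to target as lists of finding ids."""
    edges = defaultdict(list)
    for fid, f in findings.items():
        edges[f["src"]].append((fid, f["dst"]))
    paths, stack = [], [(start, [], {start})]
    while stack:
        node, used, seen = stack.pop()
        if node == target:
            paths.append(used)
            continue
        for fid, nxt in edges[node]:
            if nxt not in seen:
                stack.append((nxt, used + [fid], seen | {nxt}))
    return paths

def rank_by_severity(findings):
    return sorted(findings, key=lambda fid: -findings[fid]["cvss"])

def rank_by_context(findings, start="internet"):
    """Score = sum over critical assets of (criticality x share of the
    reachable paths to that asset which fixing this finding would cut)."""
    score = defaultdict(float)
    for target, weight in CRITICALITY.items():
        paths = attack_paths(findings, start, target)
        for fid in findings:
            if paths:
                score[fid] += weight * sum(fid in p for p in paths) / len(paths)
    return sorted(findings, key=lambda fid: (-score[fid], fid)), dict(score)

def remaining_paths(findings, fixed, start, target):
    """Count attack paths still open after the findings in `fixed` are remediated."""
    left = {k: v for k, v in findings.items() if k not in fixed}
    return len(attack_paths(left, start, target))
```

On this data the severity ranking puts F1 first and F6 last, while the context ranking puts F6 first: remediating that single medium-severity finding closes every path to the billing database, whereas fixing F1 closes none.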

The Brinqa perspective

We have been saying for some time that exposure management is evolving from data orchestration to decision orchestration to action orchestration. This week makes that argument for us more forcefully than any analyst report could. The threat is now moving at machine speed. The only credible response is a defense that does the same.

But speed without a trusted foundation is just faster mistakes. At Brinqa, the Cyber Risk Graph is that foundation: a unified exposure management layer that continuously maps every asset, every finding, and every dependency in your environment. It is what allows AI to reason about your environment the way an attacker does — not just identifying what is vulnerable, but understanding how vulnerabilities chain together, what the blast radius of a compromise would be, and where one well-targeted action removes the most risk.

"It is not about how many vulnerabilities you closed. It is about how much risk you took out of the organization."

That principle has not changed. What has changed is the urgency. The zero-day clock has moved to zero. If you do not believe in your data, you will not act on your AI output. And if you cannot act fast enough, the program is not working, no matter how good the dashboard looks.

For security leaders reporting to the board, this moment is also a business conversation: the risk calculus for organizations without a mature continuous threat exposure management program has changed permanently. What was a best practice is now the minimum viable defense.

Brad Hibbert
Chief Operating Officer & Chief Strategy Officer
Brad Hibbert brings over 30 years of executive experience in the software industry, with a proven track record of aligning business and technical teams to drive growth and customer success.