Gaining improved visibility and implementing compensating controls are the most important steps for many organizations alongside shifting to accelerated patching cycles, cybersecurity experts tell CRN.
As CISOs rethink their approaches to exposure management and cyber defense following recent revelations about AI-powered vulnerability discovery, gaining improved visibility and implementing compensating controls are the most important steps for many organizations alongside shifting to accelerated patching cycles, cybersecurity experts told CRN.
Following Anthropic’s announcement about its unreleased Claude Mythos Preview earlier this month, the security industry has signaled that a massive push is needed around vulnerability management and hardening environments against a potentially massive spike in cyberattacks from the use of similar capabilities.
[Related: How CrowdStrike Is Helping The Industry To Withstand AI-Driven Vulnerability Deluge: Exec]
However, the real risk is not the zero-day vulnerability itself, per se, according to Adam Meyers, senior vice president for counter adversary operations at CrowdStrike.
“A zero day is the beginning of the story for us, not the end of the story,” Meyers told CRN. “The adversary still has to move laterally. They still have to escalate privilege. They still have to do [a series of] things to have a successful attack.”
What that means is that there are numerous steps along the way where organizations will have an opportunity to shut down a cyberattack—provided they have the necessary visibility to do so, he said.
“The concern that you need to have is, do you have the visibility across your enterprise?” Meyers said. “Can you see when they jump or when they move or when they do something? That should be the No. 1 concern.”
To enable a strong security posture in a threat environment that may see as much as a 20-fold spike in software vulnerabilities, containing the attack surface through implementing zero-trust controls will prove to be especially pivotal, Zscaler founder and CEO Jay Chaudhry told CRN.
“Containing the attack surface really means doing zero trust—where everything is an island of its own, and [you can] only talk to certain parties, and you can’t just move left or right on the network,” Chaudhry said. “To keep [relying] on these firewalls, to create segments and rules, will be almost impossible.”
Anthropic disclosed on April 7 that Claude Mythos Preview points to the fact that “AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities.”
Chaudhry said the emergence of AI-accelerated vulnerability discovery—paired with long‑running challenges such as insufficient patching—has created a level of anxiety in the cyber field that he has never seen before.
The overall reaction in cybersecurity right now is, “‘Man, this is so scary,’” he said. “I don’t recall a moment like this in cybersecurity in the past 30 years.”
Indeed, the advancement of AI-powered vulnerability discovery likely upends existing vulnerability management practices, according to experts.
The result is that organizations must “plan for surge” when it comes to responding to vulnerabilities, according to Presidio’s Dan Lohrmann.
That is, in addition to developing a process for faster patching, organizations should have a plan for what happens if they can’t keep up, said Lohrmann, field CISO for public sector at Presidio, No. 24 on CRN’s Solution Provider 500 for 2025.
“What if we just get overwhelmed?” he said. “Are we ready for the tsunami?”
Without a doubt, the revelations around Claude Mythos and OpenAI’s GPT-5.4 Cyber raise the stakes by demonstrating the potential to automate vulnerability chaining and discovery work, which in the past had required substantial manual effort, according to security experts.
The AI models are “really good at chaining vulnerabilities and getting a foothold and working their way in,” said Jason Rader, global CISO at Insight Enterprises, No. 20 on CRN’s Solution Provider 500 for 2025. “What used to take individuals a lot of [manual effort], this can do it all almost instantaneously.”
The result, according to experts, is that CISOs most definitely should not be treating AI-driven vulnerability discovery as a distant possibility. Even if Anthropic succeeds at keeping Mythos tightly controlled, similar capabilities will inevitably emerge elsewhere, the experts said.
“Every additional frontier model that’s going to come out after this is going to be probably equal, if not better, at doing those kinds of things,” Rader said.
For CISOs, the focus should not merely be on accelerating their patching practices, according to Presidio’s Lohrmann.
Rather, CISOs will need to rethink vulnerability management altogether, starting with shifting from periodic scanning to continuous exposure management, he said.
CISOs should also make compensating controls such as segmentation “first-class,” since many organizations will face challenges in trying to patch as quickly as necessary, Lohrmann said.
“Tighter controls buy you time when [your] patch speed loses the race,” he said.
