5 Questions Every CISO Will Be Asked About Mythos — and How To Answer Them


A note on where Insight stands

At Insight, we’re not advising from the sideline — we’re running the same response we’re recommending to every client ourselves. If we’re going to stand behind these capabilities when the wave hits, we need to know they work. That means we have real skin in this game and real perspective on what holds up under pressure.

Mythos surfaced thousands of new critical vulnerabilities. Here are the five questions every CISO will be asked, and how to answer them.

If you’ve woken up at 3 a.m. in the last few weeks running through your environment in your head (the legacy systems, the open‑source dependencies nobody’s touched in years, the third‑party software inherited through acquisitions), you’re not alone.

Every CISO I’ve spoken with since Anthropic went public with their Mythos LLM has been doing the same mental inventory.

Leveraging Mythos, Project Glasswing has surfaced thousands of previously unknown critical vulnerabilities across operating systems, browsers, and infrastructure layers. That’s the part that’s made the headlines.

The harder part lands at 3 a.m. Although nothing has changed in our environment, the risk that we are exposed to has increased exponentially. Vulnerabilities that couldn’t realistically be exploited before can now be chained together by Mythos to compromise any environment they can get an initial foothold in.

This won’t be contained by simply constraining access to Mythos. Every frontier model from now on will have these inherent capabilities. It’s also made one thing unmistakable: AI created this exposure surface, and AI is going to have to be part of how we defend it.

Here’s what I’ve learned fielding questions since April. The 3 a.m. version of this runs its course when the patches land. The daylight version is what you can shape now.

Knowing exactly what your board, your legal team, and your regulators are going to ask (and having a defensible, operational answer ready) is what shifts you from being run by this response to running it.

These are the five questions that matter most.

First: What Mythos actually did

Project Glasswing was a controlled-release coalition. Anthropic made their most advanced AI model, Mythos, available to a select group of technology vendors to scan their own source code for vulnerabilities before any public disclosure.

The result: thousands of previously unknown critical vulnerabilities found across major operating systems, browsers, edge devices, and infrastructure layers. Mythos analyzed source code directly at the blueprint level, surfacing flaws that had been sitting in production for years, some for decades.

The patches are coming. The question is whether your organization will be ready to receive them.


Question 1: “What is our exposure, and do we even have an accurate asset inventory?”

This is usually the first question, and it’s often the hardest to answer honestly. Mythos changed the math on which vulnerabilities matter: It can chain medium and low CVEs together to achieve the same access as a critical exploit — which means your backlog just got a lot more relevant.

If you can’t answer your leadership’s exposure question, it’s usually because continuous asset visibility hasn’t been treated as a mission-critical capability. In most environments I’ve worked in, a small fraction of vulnerabilities drives the overwhelming majority of real organizational risk. You need to know which ones you’re looking at today, not last quarter.

And the math gets harder once you factor in the volume of patches coming from your OEM and infrastructure providers. Every operating system, browser, and platform layer is staring at the same disclosure pipeline, and that work is going to outpace the risk-scoring methods most of us have relied on for the last decade.

The answer that holds up in front of your board is a live exposure number with a date attached, a named owner for whatever's still in the gap, and a scoring approach built for chained vulnerabilities.
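As an added illustration (not Insight's tooling or code from this post) of what a scoring approach built for chained vulnerabilities looks like next to per-CVE scoring: the uplift rule, the reachability flag, the sample findings, the owners and the reporting date are assumptions of mine, with placeholder CVE ids.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str         # placeholder ids below, not real advisories
    cvss: float      # base score of this single finding
    reachable: bool  # reachable from an initial foothold (assumed field)

CRITICAL = 9.0
CHAIN_STEP = 0.5  # assumed uplift per extra medium-or-higher finding on the same asset

def chained_score(findings):
    """Per-CVE scoring stops at the highest base score; this uplifts it when several
    medium-or-higher findings sit on an asset reachable from a foothold (chainable)."""
    if not findings:
        return 0.0
    scores = sorted((f.cvss for f in findings), reverse=True)
    if not any(f.reachable for f in findings):
        return scores[0]
    extra = sum(1 for s in scores[1:] if s >= 4.0)
    return min(10.0, round(scores[0] + CHAIN_STEP * extra, 1))

def exposure_report(findings, owners, as_of):
    """Board-level summary: exposure numbers with a date and a named owner per asset."""
    by_asset = {}
    for f in findings:
        by_asset.setdefault(f.asset, []).append(f)
    rows = [{"asset": a, "owner": owners.get(a, "UNASSIGNED"),
             "per_cve_max": max(f.cvss for f in fs), "chained": chained_score(fs)}
            for a, fs in sorted(by_asset.items())]
    return {
        "as_of": as_of.isoformat(),
        "critical_per_cve": sum(r["per_cve_max"] >= CRITICAL for r in rows),
        "critical_chained": sum(r["chained"] >= CRITICAL for r in rows),
        "unowned": [r["asset"] for r in rows if r["owner"] == "UNASSIGNED"],
        "assets": rows,
    }

SAMPLE = [  # constructed: web-01 has no critical on its own, but four chainable findings
    Finding("web-01", "CVE-PLACEHOLDER-1", 6.5, True),
    Finding("web-01", "CVE-PLACEHOLDER-2", 5.3, False),
    Finding("web-01", "CVE-PLACEHOLDER-3", 7.5, False),
    Finding("web-01", "CVE-PLACEHOLDER-4", 4.3, False),
    Finding("db-01", "CVE-PLACEHOLDER-5", 9.8, False),
    Finding("jump-01", "CVE-PLACEHOLDER-6", 3.1, True),
]
OWNERS = {"web-01": "platform-team", "db-01": "dba-team"}
AS_OF = date(2025, 6, 1)  # constructed reporting date
```

Run `exposure_report(SAMPLE, OWNERS, AS_OF)`: per-CVE scoring shows one critical asset (db-01), chain-aware scoring shows two, and jump-01 surfaces as having no named owner.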

Question 2: “Can we patch fast enough, at scale, without breaking production?”

The answer here is ideally yes … but maybe not with current processes. Most organizations run on monthly or quarterly patch cycles, a cadence built for an era when threats moved slowly. When a patch comes out, the clock starts for everyone, including the threat actors who reverse-engineer it to find the underlying vulnerability.

Speed alone breaks things. In organizations where one person manages IT, security, and half a dozen other functions, a failed deployment at the wrong moment means days of downtime. What works is building a patch response capability with asset criticality prioritization, coordinated change management, and escalation pathways. That’s a new operating model, built for the cadence the threat now demands.

What you bring back to leadership is exactly that: a defined patch SLA for your most critical assets, documented prioritization for the rest, and a change management protocol that survives a real deployment.

Question 3: “What’s hiding in our open-source and third-party software?”

Every experienced CISO knows the honest answer: We don’t fully know, and we have to pay attention to that. Think about Log4j. Bad actors had seeded vulnerabilities in that library years before anyone noticed; it was used across thousands of organizations, many of which had built it into software they’d delivered to clients. The exposure wasn’t discovered. It was already everywhere.

Project Glasswing surfaced the same reality at a larger scale. Vulnerabilities live in the open-source libraries your developers pulled in years ago, in third-party integrations inherited through acquisitions and the packages that power your web infrastructure.

If you don’t have a software bill of materials for your environment, you don’t know what you’re holding. What you bring back to that room is an SBOM in flight, a prioritized list of your highest-risk dependencies, and a vendor contact tree ready before the next disclosure lands.

Question 4: “Do we have the engineering capacity to remediate our own backlog?”

This is the question nobody wants to say out loud to their leadership team, but everyone is thinking. Remediation takes skilled people, and the security talent shortage didn’t pause for Glasswing. For most organizations, the people who would do the remediation work are already fully committed.

If there’s a gap in your engineering capacity, acknowledging it clearly is the most responsible thing you can do. Augment with external resources, triage ruthlessly to focus internal teams on highest-risk items, and build secure-by-default practices into development going forward. The organizations that come through this best will be the ones making realistic capacity decisions now.

What works in front of leadership is honest math: the hours required, the gap between that and your team's capacity, and the specific plan you're running to close it.

Question 5: “If a patch lags, can we detect and contain the exploit?”

Here’s the honest reality: Not every patch is going to land in time. The board knows this. Legal knows this. The question they’re really asking is: What’s the backstop?

Zero Trust has always included an “assume breach” principle, and most organizations adopted other parts of it years ago. This is the moment where assume breach stops being a planning concept and becomes an operational posture. Continuous monitoring, proactive threat hunting, and containment measured in minutes, not hours.

If your detection-to-isolation loop is measured in hours, the threat actors are already moving faster than you are. The defensible answer is your current mean-time-to-contain, the target you're driving it toward, and a threat hunting program scoped to Mythos exposure surfaces.


The questions compound. So do the answers.

None of these five questions lives in isolation. An asset visibility gap feeds the patching problem. A patching lag creates a detection window. An unscanned supply chain means you may be carrying exposure you haven’t even asked about. That compounding effect is why addressing exposure at this scale takes continuous visibility, coordinated patching, supply chain scanning, engineering capacity, and detection running in parallel.

That means running at AI speed. Mythos proved what AI can do on the offensive side. The defensive side has to match it, with AI tooling and automation woven into every step of our remediation efforts. That’s the only way we stay ahead of the adversaries instead of perpetually catching up.

The window is real, and it’s finite. The questions are already coming. Make sure you’re ready with more than an answer.

How we mapped these questions internally

If you’re asking yourself how to operationalize these answers, this is how we did it. The five questions above map directly to five functional capabilities — the ones we deployed for ourselves first, then packaged for clients under the name Insight Managed Exposure Defense. If you’re evaluating your posture or building a case internally, this is how they connect:

“What is our exposure, and do we have an accurate asset inventory?”

  • Continuous Threat Exposure Management: Real-time asset visibility, risk-based vulnerability prioritization, and daily scanning so you’re working from a live picture of your environment.

“Can we patch fast enough, at scale, without breaking production?”

  • Managed Patch: SLO-driven remediation with asset criticality scoring, coordinated change management, and escalation pathways for critical findings that don’t require your team to choose between speed and stability.

“What’s hiding in our open-source and third-party software?”

  • Software Supply Chain & OSS Risk: Continuous scanning of open-source libraries, software bill of materials development, and dependency risk monitoring so you can answer the supply chain question with grounded data.

“Do we have the engineering capacity to remediate our own backlog?”

  • Software Developer Outsourcing: Security-native engineering resources that augment your internal team’s capacity without adding headcount, purpose-built for the kind of backlog Glasswing is creating.

“If a patch lags, can we detect and contain the exploit?”

  • Managed XDR: 24/7 SOC monitoring, proactive threat hunting, and containment capability measured in minutes, so detection coverage fills the gap while remediation catches up.

The reason these five services work as an integrated offering (and the reason we’re running all of them ourselves right now) is that the questions compound, and so does the risk of addressing them piecemeal.

Whether you build these capabilities in-house, buy them, or partner to fill the gaps, the goal is the same: one coherent response across all five. The time to build it is now.

About the author:


Jason Rader

Chief Information Security Officer, Insight

Jason assumed the role of Insight’s chief information security officer in 2021 after joining the company in 2015 to build the security consulting group. Today, he builds upon more than 25 years of experience to develop Insight’s end-to-end security consulting portfolio and share Insight's transformation journey with fellow security leaders.
