The Post-Mythos era has arrived
Why the real problem is not Mythos itself, but the fact most organisations are still defending at human speed
For the last two weeks, the cyber industry has behaved like someone who just watched three disaster movies back-to-back. Apparently the machines are coming, zero-days are infinite and we should all move into a cave with no Wi‑Fi.
To be fair, I understand the reaction.
Anthropic Mythos is a serious leap forward. It can identify vulnerabilities, connect them together into realistic attack paths, generate working exploits and do it at a pace no human team can match.
That sounds dramatic because it is. Yet after reading a mountain of articles, doom-laden LinkedIn posts and more “the sky is falling” commentary than I care to admit, I think we are missing the real lesson.
Mythos did not create a new problem. It simply exposed, very publicly, how outdated many of our current security models have become.
The world before Mythos was already struggling
Long before Mythos appeared, most organisations were already drowning.
- Visibility was fragmented.
- Telemetry was incomplete.
- Tooling overlapped.
- Asset inventories were out of date before the spreadsheet was even saved.
Security teams were expected to correlate thousands of alerts, vulnerabilities and business dependencies manually, often while someone in finance asked why the organisation needed another security tool.
I have seen this across the full spectrum.
At one end are organisations still using Essential Eight maturity as the strategic end goal. That is a bit like saying your long-term fitness plan is being able to walk to the letterbox without collapsing.
Useful, absolutely. Enough for the future, not even close.
At the other end are large financial institutions with sizeable budgets, good people and mature programs. They are doing far better than most of the market. Yet even they are struggling to maintain a complete and current view of:
- What assets they actually have
- Which systems matter most
- How those systems connect together
- Which identities and dependencies create risk
- Where a vulnerability can realistically become a business-impacting attack path
73% of cyber security leaders admit they are not ready to respond to a real cyber incident under pressure. In a post-Mythos world, that number is unlikely to improve without a major change in approach.
Most organisations still cannot answer a very simple question in real time: “If this critical vulnerability is exploited, what breaks, who owns it and how much pain are we in?”
That is the real problem. Mythos has simply made it impossible to ignore.
Why Mythos is such a leap forward
Let us strip away the marketing and the fear.
In plain English, Mythos matters because it can do three things at once.
- It finds vulnerabilities faster.
- It understands how to chain them together.
- It can generate a workable exploit path without needing much human guidance.
Traditionally, finding a serious flaw often required:
- A skilled researcher
- Days or weeks of testing
- Deep knowledge of the technology
- Several failed attempts and large amounts of coffee
Now imagine an AI system doing the same thing thousands of times in parallel.
Imagine it finding:
- One weak identity control
- One forgotten API
- One old library
- One misconfigured cloud role
Then joining them together into a complete attack path.
That is the important bit.
The real breakthrough is not the individual vulnerability. It is the ability to understand relationships.
Attackers have never cared about isolated issues. They care about paths.
- The exposed VPN is interesting because it leads to the old server.
- The old server matters because it contains the service account.
- The service account matters because it reaches the cloud workload.
- The cloud workload matters because it gives access to the data.
Mythos understands this chain.
Unfortunately, many organisations still do not.
Mythos changes urgency, not the CTEM argument
I have been speaking about CTEM for quite a while now.
Not because it is fashionable.
Not because Gartner gave it a nice acronym.
Rather because traditional vulnerability management has been failing for years.
- Quarterly scans.
- Annual pen tests.
- Spreadsheets.
- CMDBs updated every six months.
- Risk registers disconnected from the actual environment.
None of that was ever built for a world where infrastructure changes daily and attackers can discover new attack paths before lunch.
Mythos does not change the CTEM argument. It simply increases the urgency.
We have run out of time.
The organisations that will cope best are the ones that already understand two things:
- Outside-in visibility matters
- Inside-out visibility matters
Outside-in means understanding your exposed attack surface.
- What can attackers see?
- Which systems are exposed?
- Which suppliers, domains, identities and cloud services increase your risk?
Inside-out means understanding what is happening internally.
- What assets exist?
- How are they connected?
- What telemetry exists?
- Which systems matter most to the business?
- Where are the weak controls, missing patches, exposed identities and risky trust relationships?
Most organisations do one reasonably well. Very few do both.
The future belongs to those who can combine them.
Traditional security disciplines are about to morph
There is an uncomfortable truth many people in our industry are trying not to say out loud. Several traditional security disciplines are going to change dramatically. Some may disappear entirely.
Take penetration testing.
Today, most organisations still run a pen test once or twice a year.
A team arrives. They spend two weeks looking around. Three weeks later, a report appears with 47 findings and a few screenshots, including at least one of an open admin portal nobody has looked at since 2019.
By the time the report is finished, half the environment has changed.
That model cannot survive. The future is continuous adversary simulation. Agentic red teaming.
AI systems continuously probing your environment, testing assumptions, identifying attack paths and validating whether your controls actually work.
Human experts will still matter. Very much so.
Their role becomes:
- Setting strategy
- Defining scope
- Challenging assumptions
- Interpreting complex risk
- Making judgement calls
The machine does the repetitive work. The human provides the context.
The same is true for vulnerability management.
Traditional vulnerability management is slowly morphing into something very different.
The future is closer to VulnOps.
- Continuous exposure management.
- Real-time prioritisation.
Constant correlation between:
- Technical exploitability
- Threat intelligence
- Asset criticality
- Business context
- Compensating controls
A critical vulnerability with no path to the crown jewels may not matter.
A medium vulnerability connected to a privileged identity and an exposed application may suddenly become your biggest problem.
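To make the attack-path reasoning above concrete (the VPN, old server, service account, cloud workload, data chain, and the claim that a medium finding on an exposed application can outrank an isolated critical one), here is an added Python example; it is not code from the article, and the assets, trust edges, findings and weights are constructed purely for illustration.

```python
from collections import deque

# Constructed sample environment (not from the article). Each edge is a trust
# or network relationship an attacker could traverse: the chain described above.
EDGES = {
    "vpn": ["legacy-server"],
    "legacy-server": ["svc-account"],
    "svc-account": ["cloud-workload"],
    "cloud-workload": ["customer-db"],
    "web-app": ["svc-account"],   # exposed app that can use the same identity
    "lab-host": [],               # isolated: no onward trust relationship
}
CROWN_JEWELS = {"customer-db"}
# A compensating control that breaks one hop (constructed): e.g. MFA or
# segmentation between the service account and the cloud workload.
MFA_ON_CLOUD = {("svc-account", "cloud-workload")}
# Constructed findings: (id, asset, CVSS-style severity, known exploitable)
FINDINGS = [
    ("F1", "lab-host", 9.8, True),   # critical but isolated
    ("F2", "web-app", 5.5, True),    # medium on an exposed app
    ("F3", "vpn", 7.2, False),       # high, no public exploit
]

def path_to_crown_jewels(start, blocked=frozenset()):
    """Breadth-first search over trust edges; returns the shortest path
    from the vulnerable asset to a crown-jewel asset, or None."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] in CROWN_JEWELS:
            return path
        for nxt in EDGES.get(path[-1], []):
            if (path[-1], nxt) not in blocked and nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def prioritise(findings=FINDINGS, blocked=frozenset()):
    """Rank findings by severity weighted by whether a realistic path to
    the crown jewels exists and whether the flaw is actually exploitable."""
    ranked = []
    for fid, asset, severity, exploitable in findings:
        path = path_to_crown_jewels(asset, blocked)
        if path is None:
            weight = 0.1            # no business-impacting path: deprioritise
        else:
            weight = 1.5 if exploitable else 0.5
        ranked.append((fid, asset, round(severity * weight, 2), path))
    return sorted(ranked, key=lambda r: r[2], reverse=True)
```

Calling `prioritise()` ranks the medium finding on the exposed app first and the isolated critical one last; calling `prioritise(blocked=MFA_ON_CLOUD)` shows how a single compensating control removes the path and reverses that order.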
We can only fight AI with AI
This is the part many organisations still resist.
They are happy for attackers to use AI. They are far less comfortable using it themselves.
There is still a surprising amount of hesitation.
- Security teams worry about trust.
- Leadership worries about governance.
- Everyone worries about losing control.
Meanwhile, the attackers are not waiting politely for the steering committee to approve a pilot.
The hard truth is simple. We can only fight AI with AI.
Human-only defence no longer scales.
There are simply too many assets, too many vulnerabilities, too much telemetry and too many possible attack paths.
That does not mean replacing people. It means augmenting them.
The future SOC will look very different.
Instead of analysts manually triaging endless alerts, AI will:
- Correlate signals
- Prioritise likely attacks
- Map affected systems
- Suggest likely root causes
- Recommend containment actions
- Draft investigation notes
The analyst still makes the decision.
The difference is that the analyst now operates with the speed and reach of an entire team.
The autonomous SOC is no longer science fiction. It is becoming a necessity.
The same applies to engineering and security teams. AI can already help:
- Review code
- Find vulnerabilities
- Simulate attack paths
- Identify misconfigurations
- Recommend fixes
- Validate compensating controls
Many organisations are still treating AI like an interesting side project.
The reality is that AI is becoming part of the security operating model.
The organisations that embrace this early will gain scale.
The rest will spend the next few years permanently behind.
This is not just a technology change
It would be easy to frame this as a tooling problem.
- Buy another platform.
- Add another dashboard.
- Create another project.
That would be a mistake.
The post-Mythos era is not just a technology change. It is a broader cultural and operating model change. Most organisations still do not have:
- A clear owner for AI
- A common architecture
- A shared understanding of risk
- A strategy for secure adoption
Security is often asked to “make it safe” after the business has already moved ahead.
That rarely ends well.
This is no longer just a CISO problem.
The business, engineering, operations, risk, procurement and executive leadership teams all have to contribute.
Because in practice:
- Developers control the code
- Operations controls the environment
- Procurement controls the suppliers
- Business leaders decide how much risk is acceptable
- Security helps everyone make better decisions
No single team can solve this alone.
The organisations that succeed will not necessarily be the ones with the largest budgets.
They will be the ones that create a common language and a shared sense of urgency.
Five practical things you can do now
If you are reading this and wondering where to start, keep it practical.
You do not need to boil the ocean.
You do need to move.
1. Identify your critical assets and attack paths
Forget trying to map everything perfectly.
Start with the 20 systems that matter most.
Understand:
- What they do
- Who owns them
- Which identities and dependencies connect to them
- Which vulnerabilities create realistic attack paths
2. Build an outside-in and inside-out CTEM view
Most organisations only see one side of the picture.
Combine external exposure with internal telemetry and business context.
That is where prioritisation becomes meaningful.
3. Trial AI-assisted defence now
Pick one use case.
- Code review.
- Threat hunting.
- Exposure prioritisation.
- Agentic red teaming.
Do not wait for perfection. Learn by doing.
4. Re-think how your SOC operates
If your SOC still spends most of its time moving alerts between tools and spreadsheets, that model is reaching its limit.
Start exploring:
- AI-assisted triage
- Better telemetry correlation
- Security data fabrics
- Context-rich enrichment
- More automation
You cannot automate chaos. You need the plumbing first.
5. Make this a business conversation
Explain the issue in business terms.
Do not talk about AI like it is a mysterious robot hiding in the data centre.
Talk about:
- Speed
- Scale
- Business impact
- Operational resilience
- Competitive advantage
Because that is ultimately what this is about.
Final thought
The post-Mythos era is not coming. It is already here.
The attackers have gained scale. The defenders now have a choice.
Continue operating with fragmented visibility, slow processes and human-speed decision making.
Or build something new.
A more connected, more intelligent and more adaptive security model. One that combines CTEM, AI, continuous visibility and a better understanding of how the business actually works.
Because the real risk is not Mythos.
The real risk is pretending the old model still works.