The news that Anthropic’s Claude Mythos AI discovered thousands of zero-day vulnerabilities — including a 17-year-old unauthenticated RCE in FreeBSD NFS, a 27-year-old denial-of-service in OpenBSD, and a 16-year-old memory corruption flaw in FFmpeg — should not surprise anyone who has thought carefully about where AI-assisted vulnerability research was heading. We knew this was coming. What we did not do was prepare for it.
The security industry has spent the last decade getting much better at finding vulnerabilities. We have not spent the same decade getting better at fixing them.
The Half-Solved Problem
CVE publication rates have grown every year since 2020. Better fuzzing, more capable static analysis, expanded bug bounty programmes, and now AI-assisted code reasoning have all made the vulnerability discovery pipeline more productive. The result is a well-functioning machine for generating security debt.
What we built alongside this better discovery pipeline is an enterprise patching process that has not materially improved in a decade. The average time from critical patch release to deployment at scale in enterprise environments remains measured in weeks to months. The 2025–2026 CISA KEV additions document this repeatedly: vulnerabilities from 2023 and 2024 still appearing in the actively-exploited catalogue because patches were never deployed to a substantial portion of the exposed install base.
Claude Mythos does not change this dynamic. It amplifies it. An AI model that finds thousands of zero-days in a fraction of the time a human research team would need does not accelerate remediation — it accelerates the rate at which the industry falls behind.
Project Glasswing Is a Triage Mechanism
Anthropic’s response to this problem — private early disclosure to Microsoft, Google, Apple, AWS, Cisco, and others through Project Glasswing — is rational given the constraint. If you have discovered more vulnerabilities than the industry’s coordinated disclosure infrastructure can process in standard 90-day cycles, you must triage. Private disclosure to the vendors most capable of acting quickly is the least-bad option available.
But it is explicitly a delay mechanism, not a remediation mechanism. Project Glasswing gives major vendors more runway before public disclosure. It does not change the median enterprise patching cycle for their customers. A Windows vulnerability that Microsoft patches in February is still running unpatched across a third of enterprise endpoints in June — a pattern documented in every Patch Tuesday retrospective for the past five years.
The vendors in Project Glasswing are not the organisations most likely to be compromised by the vulnerabilities Mythos finds. Their internal security and patch management practices are exceptional. The organisations most likely to be compromised are the mid-market financial institutions, NHS trusts, municipal governments, and regional manufacturers that apply patches on quarterly maintenance windows when they apply them at all.
Glasswing protects the vendors. It does not protect their customers.
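The exposure window described above is only visible to an organisation that measures it for its own fleet: how many endpoints were still unpatched on the day a fix went into the CISA KEV catalogue, what the median deployment lag was, and which hosts missed the internal patching SLA. The following Python is an added illustration and is not code from the article or from any of the vendors it names. The inventory, hostnames, dates and the 30-day SLA are constructed assumptions; in practice the same input would come from an endpoint-management or vulnerability-scanner export.

```python
"""Patch-deployment lag metrics for one fix across an endpoint fleet.

Added example; the fleet below is constructed sample data, not real hosts.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Endpoint:
    host: str
    patched_on: Optional[date]  # None means the fix has not been deployed


# Constructed scenario (assumption): a critical fix published on 10 Feb 2026,
# fleet state exported on 15 Jun 2026.
PATCH_RELEASED = date(2026, 2, 10)
AS_OF = date(2026, 6, 15)
FLEET = [
    Endpoint("hq-ws-001", date(2026, 2, 12)),
    Endpoint("hq-ws-002", date(2026, 2, 19)),
    Endpoint("hq-srv-01", date(2026, 3, 3)),
    Endpoint("hq-srv-02", date(2026, 3, 31)),
    Endpoint("branch-ws-01", date(2026, 4, 7)),
    Endpoint("branch-ws-02", date(2026, 4, 28)),
    Endpoint("plant-hmi-01", date(2026, 5, 19)),
    Endpoint("plant-hmi-02", date(2026, 6, 2)),
    Endpoint("branch-ws-03", None),
    Endpoint("plant-hmi-03", None),
    Endpoint("legacy-srv-01", None),
    Endpoint("legacy-srv-02", None),
]


def is_unpatched_on(ep: Endpoint, day: date) -> bool:
    """True if the endpoint still lacked the fix at the end of `day`."""
    return ep.patched_on is None or ep.patched_on > day


def unpatched_fraction_on(fleet, day: date) -> float:
    """Share of the fleet exposed on a given day, e.g. the day a KEV entry
    was added for the vulnerability."""
    return sum(is_unpatched_on(ep, day) for ep in fleet) / len(fleet)


def exposure_report(fleet, released: date, as_of: date) -> dict:
    """Summarise how long the fleet took (or is taking) to deploy one fix."""
    lags = [(ep.patched_on - released).days for ep in fleet
            if ep.patched_on is not None and ep.patched_on <= as_of]
    unpatched = [ep.host for ep in fleet if is_unpatched_on(ep, as_of)]
    return {
        "total": len(fleet),
        "patched": len(lags),
        "unpatched_hosts": unpatched,
        "unpatched_fraction": round(len(unpatched) / len(fleet), 3),
        "median_days_to_patch": median(lags) if lags else None,
        "max_days_to_patch": max(lags) if lags else None,
        # Days the still-unpatched hosts have been exposed so far.
        "open_exposure_days": (as_of - released).days if unpatched else None,
    }


def sla_breaches(fleet, released: date, as_of: date, sla_days: int) -> list:
    """Hosts that were not patched within `sla_days` of the fix being published."""
    deadline = released + timedelta(days=sla_days)
    if as_of < deadline:
        return []  # SLA window still open; nothing can have breached yet
    return [ep.host for ep in fleet if is_unpatched_on(ep, deadline)]


if __name__ == "__main__":
    # Assumed date the vulnerability was listed as actively exploited.
    kev_added = date(2026, 3, 15)
    print(f"exposed on KEV listing day: {unpatched_fraction_on(FLEET, kev_added):.0%}")
    for key, value in exposure_report(FLEET, PATCH_RELEASED, AS_OF).items():
        print(f"{key}: {value}")
    print("30-day SLA breaches:", sla_breaches(FLEET, PATCH_RELEASED, AS_OF, 30))
```

Run against a real export, the interesting number is `unpatched_fraction_on` for the KEV listing date rather than the current patched percentage: it shows how much of the fleet was exposed at the moment exploitation was known, which is the window the article argues vendor-side early disclosure does nothing to shorten.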
What the 17-Year-Old Bug Actually Reveals
CVE-2026-4747 — a FreeBSD NFS RCE present since 2009 — is not a failure of recent development practices. It is evidence of something the profession has known intellectually but resists acknowledging operationally: software security posture cannot be inferred from code age, review history, or audit count.
This matters because a large share of enterprise risk conversations begin with some version of “we’ve been running this for years without incident.” Legacy stability is treated as evidence of security. The Mythos findings make that inference empirically indefensible. Seventeen years of correct operation does not mean seventeen years of absence of exploitable flaws. It means seventeen years of not yet having found them.
The security profession has argued this point abstractly for a long time. Watching an AI find dozens of such vulnerabilities in systems that have been audited repeatedly gives the argument a weight that abstract reasoning never managed.
The Asymmetry That Actually Matters
If AI vulnerability research scales to the point where models can continuously scan major codebases and surface critical findings faster than the disclosure and response ecosystem can absorb them, we have a structural crisis that private programmes and responsible disclosure frameworks will not resolve.
The asymmetry that matters is not between AI researchers and human researchers. It is between the speed at which exploitable vulnerabilities can now be discovered and the speed at which they can be patched across the heterogeneous, compliance-driven, change-management-throttled real-world enterprise infrastructure that constitutes most of the actual attack surface.
Closing that gap requires things the industry has resisted for reasons of cost and operational continuity: automated patch deployment at scale, accelerated security testing pipelines that allow vendors to ship fixes in days rather than weeks, and a fundamental revision of the assumption that software can run indefinitely without active security maintenance as a prerequisite for operational continuity.
None of that is a new argument. But Project Glasswing just made the urgency considerably harder to dismiss.
The question is not whether AI will find more vulnerabilities. It will, in larger volumes, at higher velocity, and eventually in tooling accessible to adversaries as well as defenders. The question is whether the industry’s response to that reality will be structural change or an increasingly elaborate series of delay mechanisms that protect vendors while leaving enterprise customers in an ever-widening exposure window.
The answer so far is delay mechanisms. That answer needs to change.