Claude Mythos: Prepare for your board’s cybersecurity questions about the latest AI model from Anthropic
Published 2026-04-14 (source: www.tenable.com)

With the Federal Reserve Chairman meeting with bank CEOs to discuss the security implications of Claude Mythos, you can bet that your board of directors will ask you about the impact of the AI model on your cybersecurity strategy. Here’s how to prepare. 

Key takeaways

1. Anthropic announced Claude Mythos Preview, its most powerful general-purpose frontier model to date, and highlighted its exceptional ability to find software vulnerabilities that no human vulnerability research had previously discovered.

2. With Claude Mythos continuing to dominate traditional news and social media, your board of directors will have questions for you about the impact of the new AI model on your cybersecurity strategy and risk posture.

3. As the pace of vulnerability discovery accelerates with the use of frontier models like Claude Mythos, exposure management can help organizations quickly, continuously, and autonomously assess if they’re impacted by these vulnerabilities, evaluate the risk they pose, and orchestrate remediation.

On April 7, 2026, Anthropic unveiled Claude Mythos Preview, its most powerful frontier model to date and one that excels at cybersecurity tasks, specifically, vulnerability discovery in code. (I previously wrote about Claude Opus 4.6 and its impact on cybersecurity.)

I’ll spare you the details of the decades-old, zero-day vulnerabilities that Claude Mythos proved capable of finding and exploiting in internal testing, as I’m sure you’re already aware. But suffice it to say the model was so powerful, Anthropic thought it prudent to assemble a group of technology partners in an initiative called Project Glasswing to apply Mythos’ capabilities to defensive security.

And now, with Federal Reserve Chairman Jerome Powell meeting with leaders of the largest U.S. banks to discuss the cybersecurity implications of this mythic new model, you can bet that your board of directors and executive management team will have questions for you about Claude Mythos at the next quarterly meeting — or sooner. 

We’re here to help you provide answers. 

The question every board will ask about Claude Mythos

When it’s time for your 15-minute cyber update, your board of directors will inevitably ask you, “What are you doing about Claude Mythos? How are you preparing for a world in which AI-assisted attackers can find and exploit vulnerabilities in minutes?”

Essentially, your board-friendly answer needs to be, “We’re fighting fire with fire. We’re transforming our security operations with agentic AI so that we can autonomously and preemptively find and fix our exposures at machine speed.” You can then report on the number of security workflows you’ve automated with AI and the increases in efficiency and effectiveness that you’re achieving as a result.

Depending on your board’s security savvy, you may need to address how you’re evolving your vulnerability management function to handle this new reality of AI-driven vulnerability discovery. 

One new approach that forward-leaning security leaders have begun implementing is exposure management, also known as continuous threat exposure management (CTEM).

What is exposure management? 

Exposure management is a strategic approach to preemptive security designed to reduce cyber risk. It continuously assesses, prioritizes, and remediates your organization’s most critical cyber exposures. Cyber exposures are toxic combinations of preventable cyber risks (such as vulnerabilities, misconfigurations, and excessive permissions) that give threat actors a path to your most sensitive systems and data.

By continually and agentically assessing, prioritizing, and remediating risks, exposure management provides the answer to the question of how to build a “Mythos-ready” security program. It offers the solution to the single biggest challenge associated with AI-driven vulnerability discovery: how security and remediation teams will address the massive backlog of findings that AI-assisted vulnerability discovery will create.

Exposure management is a “Mythos-ready” security program

To understand the role exposure management plays in a world flooded with AI-driven vulnerability discoveries, it’s important to understand the difference between frontier models and exposure management solutions. 

What frontier models do: Claude Code Security and Mythos Preview read and reason about source code. They identify logic flaws, memory corruption vulnerabilities, injection weaknesses, and authentication bypasses by tracing data flows and understanding how software components interact. Mythos does this with extraordinary autonomy and can chain vulnerabilities into working exploits. Fundamentally, this is application security: static and dynamic analysis of codebases operating at the source-code layer.

What exposure management does: Exposure management allows you to discover every asset across your environment (IT, cloud, identity, AI, and OT); determine whether they’re vulnerable; prioritize exposures based on business and technical context; orchestrate staged remediation; and validate that fixes are closed. An individual vulnerability may not appear dangerous until it forms an attack chain leading to a critical system. Exposure management helps you see individual vulnerabilities in context and how they combine to create high-risk attack paths.

Bottom line: Frontier models and exposure management operate in categorically different domains and solve fundamentally different problems. 

Exposure management and the preemptive security lifecycle

To put a finer point on the difference between frontier models and exposure management, let’s examine the complete preemptive security lifecycle that enterprises require. Frontier AI — even at Mythos-class capability — addresses only the first stage of this lifecycle. Exposure management addresses everything else.

Stage 1 — Software vulnerability discovery. Identifying that a flaw exists in software. This is where frontier models excel. Mythos has demonstrated extraordinary capability here, finding bugs that survived decades of human review and millions of automated test runs. This capability is genuine and consequential.

Stage 2 — Asset discovery. Employing multiple discovery methods, including scanners, agents, OT-specific sensors, and more, to identify every asset in an enterprise: endpoints, servers, cloud workloads, containers, network devices, OT/ICS assets, identity objects, AI applications, MCP servers. This is something Mythos can’t do.

Stage 3 — Assessment. Determining whether specific deployed assets are affected by specific vulnerabilities. This requires deep interrogation of the asset: connecting to live systems, parsing configurations, checking patch levels, inspecting running services across IT, cloud, OT, and identity environments at enterprise scale — and doing so without impairing the performance of the live asset. A model that found a Linux kernel vulnerability cannot determine which of an organization's 50,000 Linux hosts are running the affected version without sensor-level access.

Stage 4 — Prioritization. This stage becomes more critical, not less, in an AI-accelerated world. When frontier models can discover thousands of new vulnerabilities in weeks and generate working exploits on demand, the volume flowing into the remediation pipeline explodes, but the operational constraints don’t change. Enterprises still have finite maintenance windows, change management processes, compatibility dependencies, and business continuity requirements. Patching 40,000+ CVEs simultaneously across 100,000 assets is not operationally feasible. The math only works with the intelligent prioritization that exposure management provides.
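To make Stage 3 concrete, here is a small added example (not Tenable code, and not how any Tenable plugin is implemented) of the kind of deterministic per-host check an assessment has to produce: given a constructed inventory of installed versions and a hypothetical advisory’s affected range, decide which hosts are affected. The package, versions, hosts and range are all constructed. It also shows the failure mode a naive implementation walks into: comparing version strings lexically, which ranks 5.4.9 above 5.4.10 and silently misses affected hosts.

```python
"""Stage 3 assessment as an added toy example (not Tenable code): given a
constructed host inventory and a hypothetical advisory's affected version
range, decide which hosts are affected.  The naive string comparison is
included only to show the failure mode a real assessment must avoid."""
import re
from dataclasses import dataclass


def parse_version(version: str) -> tuple:
    """'5.4.10-3' -> (5, 4, 10, 3): components compare as integers, so
    5.4.9 < 5.4.10 as intended.  Hypothetical simplification: real package
    schemes (dpkg, rpm, semver pre-releases) need scheme-aware parsers."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


@dataclass(frozen=True)
class AffectedRange:
    introduced: str  # first affected version, inclusive
    fixed: str       # first fixed version, exclusive

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


# Constructed inventory: host -> installed version of the hypothetical package.
INVENTORY = {
    "web-01": "5.4.9",
    "web-02": "5.4.10",
    "db-01": "5.4.2",
    "build-01": "5.10.1",
}

# Constructed advisory range: versions 5.4.0 up to (not including) 5.4.10.
AFFECTED = AffectedRange(introduced="5.4.0", fixed="5.4.10")


def affected_hosts(inventory: dict, rng: AffectedRange) -> list:
    """Deterministic answer per host: affected or not, no probabilities."""
    return sorted(host for host, ver in inventory.items() if rng.contains(ver))


def naive_affected_hosts(inventory: dict, rng: AffectedRange) -> list:
    """The bug to avoid: lexical string comparison, where '5.4.9' > '5.4.10'."""
    return sorted(host for host, ver in inventory.items()
                  if rng.introduced <= ver < rng.fixed)


if __name__ == "__main__":
    print("affected:", affected_hosts(INVENTORY, AFFECTED))        # ['db-01', 'web-01']
    print("naive   :", naive_affected_hosts(INVENTORY, AFFECTED))  # []
```

The numeric comparison flags db-01 and web-01; the lexical one flags nothing, which is exactly the kind of false negative that compliance reporting and remediation tickets cannot tolerate. A production check additionally has to account for distribution backports, where a vendor build carries an old upstream version string but already contains the fix.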

4 steps to building a Mythos-ready security program: How Tenable can help

In a recent blog, Anthropic offered several recommendations to prepare your security program for an AI-accelerated offense. Here’s how Tenable can help you strengthen your organization’s cybersecurity posture and reduce your risk in the age of AI-driven attacks: 

1 - “Close your patch gap.” Anthropic says to patch everything in the CISA KEV immediately, use EPSS to prioritize the rest, and automate deployment. In theory, this advice makes sense. In practice, it’s a bit misguided. 

For one thing, even if you patched everything in the CISA KEV immediately, you’d still have gaps. The CISA KEV catalog operates under strict inclusion criteria, so just because a CVE hasn’t landed in the KEV doesn’t mean it’s less critical. On the contrary, Tenable Research is currently tracking 201 CVEs that are being actively exploited in the wild, yet that aren’t part of the KEV. The Citrix Session Recording vulnerability (CVE-2024-8069) provides an example of a CVE for which Tenable Research issued a watch designation nearly a full year (286 days) before it hit the KEV.

Then there’s the issue of prioritization. With the vulnerability discovery capabilities of Mythos falling into the wrong hands, the number of vulnerabilities could grow by 10X or more. As Tenable Co-CEO Steve Vintz pointed out in a recent LinkedIn post, “Prioritization is no longer optional. It’s survival.” 

But prioritizing based on EPSS alone will leave you chasing your tail. EPSS prioritizes based only on probability of exploitation. In contrast, Tenable One provides much finer-grained prioritization than both EPSS and CVSS. Through the proprietary Vulnerability Priority Rating (VPR), Tenable uses machine learning to narrow the 60% of CVEs flagged as critical or high by CVSS to the 1.6% that create actual risk for your organization. Tenable One additionally factors other criteria into its prioritization engine, including reachability (is this asset actually exposed through the network topology?), identity context (what permissions does a compromised asset inherit? does it create a path to domain admin?), business criticality (is this a revenue-generating system or a development sandbox?), and attack path analysis. Answering those questions requires cross-domain telemetry at a scale and specificity that no external model possesses and that only Tenable One can provide.

Finally, more vulnerabilities means more to patch, even as your patching constraints remain the same: you still have to sort through compatibility dependencies and business continuity requirements, among other things. Tenable One gives you the speed, scale, automation, and control to manage your entire update lifecycle. You can deploy autonomous patching across 20,000+ products and 250,000+ unique patches spanning Windows, Linux, and macOS while using customizable controls to test patches and prevent deployment of problematic updates. 

And our newly announced agentic AI engine, Tenable Hexa AI, will automate asset discovery, tagging, triage, prioritization, and remediation workflows so that your organization can keep pace as vulnerability discovery escalates. 
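The prioritization argument above (and Stage 4 of the lifecycle earlier) is easier to see with numbers. The following is an added illustration, not Tenable’s VPR or Tenable One scoring logic: a hypothetical weighting that combines CVSS with confirmed exploitation (KEV or another intel source), EPSS, network reachability, identity context and business criticality, and then ranks the same four constructed findings three ways. The findings, hosts, weights and CVE-EXAMPLE-* ids are all constructed placeholders.

```python
"""Context-aware prioritization as an added example (not Tenable's VPR or
Tenable One logic).  The score is a hypothetical weighting of the criteria the
text lists: threat likelihood (confirmed exploitation or EPSS), network
reachability, identity context (path to domain admin) and business
criticality.  Findings and CVE ids are constructed placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str            # placeholder id, not a real CVE
    cvss: float         # CVSS base score, 0-10
    epss: float         # EPSS probability of exploitation, 0-1
    exploited: bool     # confirmed exploitation from KEV or another intel source
    reachable: bool     # exposed through the network topology
    admin_path: bool    # compromised host inherits a path to domain admin
    criticality: str    # "revenue", "internal" or "sandbox"


# Hypothetical weights; a real engine would tune these per organisation.
CRITICALITY_WEIGHT = {"revenue": 1.0, "internal": 0.6, "sandbox": 0.2}
UNREACHABLE_FACTOR = 0.3   # attacker needs a foothold first
ADMIN_PATH_FACTOR = 1.5    # blast radius extends to the whole domain


def context_score(f: Finding) -> float:
    """Likelihood x exposure x impact, scaled by CVSS severity."""
    likelihood = 1.0 if f.exploited else f.epss
    exposure = 1.0 if f.reachable else UNREACHABLE_FACTOR
    impact = CRITICALITY_WEIGHT[f.criticality] * (ADMIN_PATH_FACTOR if f.admin_path else 1.0)
    return round(f.cvss / 10 * likelihood * exposure * impact, 4)


def rank(findings, key) -> list:
    """Hosts ordered from most to least urgent under the given scoring key."""
    return [f.host for f in sorted(findings, key=key, reverse=True)]


def cvss_rank(findings) -> list:
    return rank(findings, lambda f: f.cvss)


def epss_rank(findings) -> list:
    return rank(findings, lambda f: f.epss)


def context_rank(findings) -> list:
    return rank(findings, context_score)


# Constructed findings: one vulnerable host each.
FINDINGS = [
    Finding("build-01", "CVE-EXAMPLE-0001", 9.8, 0.02, False, False, False, "sandbox"),
    Finding("web-01",   "CVE-EXAMPLE-0002", 7.5, 0.41, True,  True,  False, "revenue"),
    Finding("dc-01",    "CVE-EXAMPLE-0003", 8.8, 0.10, False, True,  True,  "internal"),
    Finding("db-01",    "CVE-EXAMPLE-0004", 9.1, 0.15, False, False, True,  "revenue"),
]


if __name__ == "__main__":
    print("CVSS only   :", cvss_rank(FINDINGS))     # build-01 first
    print("EPSS only   :", epss_rank(FINDINGS))     # web-01, db-01, dc-01, build-01
    print("with context:", context_rank(FINDINGS))  # web-01, dc-01, db-01, build-01
```

CVSS alone puts the unreachable sandbox host with a 9.8 at the top; EPSS alone gets the first pick right but ranks the unreachable database above the reachable domain controller, because probability of exploitation says nothing about whether the attacker can get to the asset. The context score inverts the CVSS order entirely, which is the point of the “60% to 1.6%” narrowing described above: the same backlog, sorted by what actually creates risk.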

2 - “Prepare for much higher vulnerability volume.” Tenable has a proven track record when it comes to developing and releasing plugins to identify new vulnerabilities. We deliver over 100 new plugins each week and, because we use AI to accelerate the speed and scale of plugin development, in general we can deliver fully automated plugin coverage within 12 to 24 hours.

When a plugin assesses whether a server is missing a specific patch, it returns a clear, binary, deterministic answer (yes or no) with six-sigma accuracy (0.32 defects per million scans). This precision underpins every downstream decision: whether to open a remediation ticket, whether to take a production system offline, whether to report a finding to an auditor, whether to trigger a staged patch deployment.

In contrast, frontier AI models are probabilistic by design. Anthropic's own documentation for Mythos reveals the model occasionally attempts to conceal its methods, circumvent sandboxes, and produce inconsistent outputs. Running the same prompt twice can yield different results. For code-level security research, this variability is tolerable — a human researcher reviews and validates findings. But for operational vulnerability management at enterprise scale, where tens of thousands of assets are assessed continuously and findings flow directly into compliance reporting and remediation workflows, probabilistic output is not acceptable.

Compliance frameworks like SOC 2, FedRAMP, PCI-DSS, HIPAA, and FISMA require reproducible, auditable assessment results. Cyber insurance underwriters require them. Board-level risk reporting requires them. 

The deterministic scanning foundation that Tenable has built over 24 years — with more than 318,000 plugins — is not a legacy artifact. It’s a structural requirement of the market Tenable serves.

3 - “Reduce and inventory what you expose.” Tenable One sensors — scanners, endpoint agents, passive network monitors, web application scanners, OT-specific sensors, identity directory connectors, and cloud API integrations — are designed to discover every asset across live enterprise environments and deterministically assess whether deployed systems are vulnerable. The Tenable One platform then prioritizes exposures based on runtime exploitability context, orchestrates staged remediation, and validates that fixes are closed. Tenable's sensors continuously discover assets across environments that are heterogeneous, distributed, and often air-gapped. We can even assess your shadow AI footprint. A model cannot discover what it cannot reach.

4 - “Design for breach.” The attack path analysis capabilities of Tenable One provide visibility into how threat actors chain together vulnerabilities, misconfigurations, and excessive permissions to reach your critical assets. This attack path mapping enables you to proactively close those gaps and preemptively disrupt the attacker’s journey. 

Tenable One can also help you implement zero trust by mapping assets and identities across your environment, showing how they’re connected, and where trust boundaries are. It also adds governance for your fastest growing risk surface: AI agents with admin-level access. 
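The attack path mapping described in step 4 (and in the “What exposure management does” section earlier) comes down to graph analysis. Here is an added example of the core idea, not Tenable One’s attack path engine: a constructed environment modelled as a directed graph whose edges are labelled with the exposure (vulnerability, misconfiguration or excessive permission) that lets an attacker make that hop. It enumerates every path from the internet to a critical asset, ranks exposures by how many paths they sit on, and shows how many paths remain after one of them is fixed. Every host, exposure id and description is constructed.

```python
"""Attack path analysis as an added example (not Tenable One's attack path
engine).  A constructed environment is a directed graph whose edges carry the
exposure id that enables the hop.  Paths from the internet to critical assets
are enumerated and exposures ranked by how many paths they enable, so the fix
that breaks the most paths comes first."""
from collections import Counter

# Constructed exposures (placeholder ids and descriptions).
EXPOSURES = {
    "E1": "CVE-EXAMPLE-0002 in internet-facing web framework",
    "E2": "web service runs as local administrator",
    "E3": "web service account granted RDP to jump host",
    "E4": "application account is database sysadmin",
    "E5": "cached domain admin credentials on jump host",
    "E6": "database listens on all interfaces without authentication",
}

# Constructed graph: node -> [(next node, exposure id enabling the hop)].
GRAPH = {
    "internet": [("web-01", "E1")],
    "web-01": [("app-01", "E2"), ("jump-01", "E3")],
    "app-01": [("db-01", "E4")],
    "jump-01": [("dc-01", "E5"), ("db-01", "E6")],
    "db-01": [],
    "dc-01": [],
}
CRITICAL = {"db-01", "dc-01"}


def attack_paths(graph: dict, start: str, critical: set) -> list:
    """All simple paths from start that end at a critical asset.
    Each path is a list of (source, exposure, destination) hops."""
    paths = []

    def walk(node, path, seen):
        for nxt, exposure in graph.get(node, []):
            if nxt in seen:           # no cycles
                continue
            hop = path + [(node, exposure, nxt)]
            if nxt in critical:       # stop at the first critical asset reached
                paths.append(hop)
            else:
                walk(nxt, hop, seen | {nxt})

    walk(start, [], {start})
    return paths


def choke_points(paths: list) -> list:
    """Exposures ordered by the number of attack paths they enable."""
    counts = Counter(exposure for path in paths for _, exposure, _ in path)
    return counts.most_common()


def remove_exposure(graph: dict, exposure: str) -> dict:
    """The graph after remediating one exposure: its edges disappear."""
    return {node: [(n, e) for n, e in edges if e != exposure]
            for node, edges in graph.items()}


if __name__ == "__main__":
    paths = attack_paths(GRAPH, "internet", CRITICAL)
    for p in paths:
        print(" -> ".join(f"{src} [{e}]" for src, e, _ in p) + f" -> {p[-1][2]}")
    for exposure, n in choke_points(paths):
        print(f"{exposure}: on {n} path(s): {EXPOSURES[exposure]}")
    left = attack_paths(remove_exposure(GRAPH, "E3"), "internet", CRITICAL)
    print("paths left after fixing E3:", len(left))  # 1
```

On this graph there are three paths to a critical asset. E1 is on all of them, so patching the web framework closes every path at once; E3 (the over-privileged service account) is on two, and fixing it alone drops the count from three to one. None of the individual findings look dramatic in isolation, which is exactly the “toxic combination” point: the priority comes from the path, not from any single CVE’s score.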

Navigating the new era of AI-driven risk

The arrival of Claude Mythos marks a fundamental shift in the cyber landscape, where the speed of vulnerability discovery is now measured in minutes rather than months. While this “mythic” new model provides attackers with an unprecedented ability to find and chain exploits, it also serves as a catalyst for organizations to modernize their defense.

To stay ahead, security leaders must move beyond traditional methods and embrace exposure management. By integrating the deterministic precision of Tenable One with the automated power of Tenable Hexa AI, your organization will be able to transform its security operations into an agentic, preemptive force capable of moving at machine speed.

Don't let the coming flood of AI-generated vulnerabilities overwhelm your team. By focusing on intelligent prioritization, closing your patch gaps, and gaining full visibility into your attack paths, you can confidently answer your board’s toughest questions and build a truly “Mythos-ready” security program.

Forward-Looking Statements

This blog post contains "forward-looking statements" within the meaning of the federal securities laws, including statements regarding the potential impact of LLMs like Mythos on the cybersecurity landscape and our expectations for the future of Exposure Management. These statements involve risks and uncertainties that could cause actual results to differ materially, including the risks and uncertainties described in our most recent Annual Report on Form 10-K and other SEC filings from time to time. All forward-looking statements in this blog post are based on information available to Tenable as of the date of this post. Tenable assumes no obligation to update any forward-looking statements contained in this post.

Source: https://www.tenable.com/blog/claude-mythos-prepare-for-AI-cybersecurity-questions-from-your-board-of-directors