Ronan Lavelle, Founder & CEO of Validato.

I'm the founder of offensive security firm Validato, and having worked in the enterprise software and cybersecurity space for over 25 years, I believe we're about to witness a sea change in how we assess and manage cyber risk. The rapid evolution of specialized AI frontier models, like Anthropic's Claude Mythos, trained to identify software vulnerabilities, will fundamentally change the cybersecurity landscape as we know it.

Anthropic recently published its initial findings from Project Glasswing, an industry collaboration with 50 technology firms and enterprises, which showed that its Mythos preview was able to discover over 6,000 high or critical vulnerabilities that were previously undisclosed. Furthermore, Mythos was able to "chain" together vulnerabilities and demonstrate how they could be exploited—all within a fraction of the time that traditional vulnerability management programs take.

Anthropic has also indicated that, to respond to this, IT and information security teams will need to increase their vulnerability patching cadences, but even then, it's unlikely to be enough. This article explains how vulnerability management is changing and what organizations will need to do to adapt.

Vulnerability Management

Vulnerability management has been the cornerstone of cybersecurity strategies for the last 10 to 15 years, but it's also one of the main causes of stress and burnout in security teams. This is because it can sometimes feel like a never-ending battle. Almost as soon as a list of vulnerabilities has been patched, new ones emerge.
This is only going to get worse with Mythos-era frontier AI models.

Ultimately, AI models, like Mythos, will lead to a world with fewer vulnerabilities, but in the short-to-medium term, there's likely to be what the U.K.'s National Cyber Security Centre (NCSC) calls a "patch wave" that threatens to overwhelm all but the largest and best resourced IT and security teams.

How To Best Prepare

The U.K.'s NCSC recommends that in addition to attempting to patch vulnerabilities, organizations should focus their attention on the external attack surface—externally visible assets and infrastructure that are often the initial compromise points in cyberattacks. There is a range of tools and services that organizations can use to assess their external attack surface risk and then monitor it for changes that might affect their risk posture. Where core services or data processing have been outsourced to third-party vendors, it's necessary to monitor their cyber risk profile as well.

Anthropic reinforces the recommendations from the NCSC, but goes further, suggesting that in addition to increasing software patching cadence, organizations should look to restrict and harden system configurations, enforce multifactor authentication and maintain comprehensive logging for better detection and response.

At the time of writing, the U.S. government has restricted access to Anthropic's Mythos 5 and the newly launched Fable 5 models for all foreign nationals. This means that for non-U.S. organizations and citizens, access to these models will be prohibited. Therefore, non-U.S. software developers won't be able to use these AI models to identify vulnerabilities.
For enterprise IT and security teams, I advise following CISA's guidance for identifying known exploited vulnerabilities that have a high likelihood of gaining control and focusing on patching those first.

Moving At The Speed Of AI

While external attack surfaces and third-party cyber risk can be assessed manually, AI-powered vulnerability discovery and potential exploitation are going to move too fast for cyber defenders not to employ automation to help them.

Some in the cybersecurity community say that you need to "fight AI with AI" in order to keep up with the rapidly changing threat landscape, but that's if cyber defenders try to detect and protect against every aspect of known attacks. The traditional focus on indicators of compromise (IoCs)—the digital fingerprints of an attacker, like the IP addresses and malware hashes that are used—was previously effective at detecting and blocking attacks. That can't be assumed in the future.

Cyber defenders were already exhausted keeping pace with ever-changing IoCs and vulnerabilities—that's just set to get worse.

Behavioral Cyber Defense

What's needed is a change in defensive thinking from being reactive to proactive and from focusing on IoCs and vulnerabilities to adversarial behaviors.

Thankfully, there's an almost universally adopted framework that maps out adversary behaviors already, called MITRE ATT&CK. By aligning defenses according to MITRE ATT&CK techniques, defenders stand a better chance of detecting and preventing attacks in the future. The techniques revolve around hardening or restricting access to functionality that threat actors would otherwise have exploited. When Anthropic talks about system hardening and improving system log data fidelity, the best way to implement this is using the MITRE ATT&CK framework as your reference point.

Anthropic also recently released an analysis by its security team on cyber adversary groups that use LLMs to automate attacks.
The interesting thing to note about this analysis was that the top 25 adversarial behaviors still map directly to the same ATT&CK techniques in Windows, Linux and Mac environments that more traditional human and bot-based attacks exploit. The good news for cyber defenders, therefore, is that for the time being, there's still scope to harden and restrict these system configurations to prevent LLMs, bots and humans from using them in your environment.

Conclusion

Since Claude Mythos was announced to the world earlier in 2026, other frontier AI models trained to discover software vulnerabilities, from OpenAI, Google and others, have been emerging.

The time required to scan, identify and potentially exploit vulnerabilities has shortened dramatically from weeks to days or hours with frontier AI models. IT and information security teams will need to prepare themselves to increase their vulnerability patching cadences, but also to look at alternative ways to protect their networks, assuming that more vulnerabilities will be exploited by threat actors.
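
The shift described under Behavioral Cyber Defense, from matching IoCs to detecting ATT&CK-mapped behaviors, shown as an added example that is not part of the original article. The events, IP addresses and hash values are constructed, and the two rules (tagged with ATT&CK IDs T1059.001, PowerShell, and T1053.005, Scheduled Task) are simplified assumptions rather than production detections.

```python
import re

# Constructed process-creation events (not real telemetry). Events 2 and 3 are
# the same activity as event 1 after the IP and binary hash have been rotated.
EVENTS = [
    {"id": 1, "remote_ip": "203.0.113.10", "sha256": "aa" * 32,
     "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand QQBCAEMA"},
    {"id": 2, "remote_ip": "198.51.100.77", "sha256": "bb" * 32,
     "parent": "excel.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -enc QQBCAEMA"},
    {"id": 3, "remote_ip": "198.51.100.77", "sha256": "bb" * 32,
     "parent": "powershell.exe", "image": "schtasks.exe",
     "cmdline": "schtasks.exe /Create /SC ONLOGON /TN Updater /TR C:\\Users\\Public\\u.exe"},
    {"id": 4, "remote_ip": "192.0.2.5", "sha256": "cc" * 32,
     "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},  # benign admin job
]

# Indicator feed as of the first wave: only event 1's IP and hash are known.
IOC_IPS = {"203.0.113.10"}
IOC_HASHES = {"aa" * 32}

# Behavior rules keyed by MITRE ATT&CK technique ID (simplified assumptions).
OFFICE = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
RULES = {
    # PowerShell started by an Office app, or run with an encoded command
    # (-e, -ec, -enc ... are accepted abbreviations of -EncodedCommand).
    "T1059.001": lambda e: e["image"] == "powershell.exe" and (
        e["parent"] in OFFICE
        or re.search(r"\s-e(c|n\w*)?\s", e["cmdline"], re.I)),
    # Scheduled task created from a script interpreter.
    "T1053.005": lambda e: e["image"] == "schtasks.exe"
        and re.search(r"/create\b", e["cmdline"], re.I)
        and e["parent"] in {"powershell.exe", "cmd.exe", "wscript.exe"},
}

def ioc_hits(events):
    """IDs of events whose IP or hash is on the indicator list."""
    return [e["id"] for e in events
            if e["remote_ip"] in IOC_IPS or e["sha256"] in IOC_HASHES]

def behavior_hits(events):
    """Map event ID -> ATT&CK technique IDs whose rule fired."""
    hits = {e["id"]: sorted(t for t, rule in RULES.items() if rule(e)) for e in events}
    return {eid: techs for eid, techs in hits.items() if techs}

if __name__ == "__main__":
    print("IoC matches:     ", ioc_hits(EVENTS))
    print("Behavior matches:", behavior_hits(EVENTS))
```

The indicator list catches only the first event, while the behavior rules flag events 1 to 3 and leave the benign inventory script alone.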