Lisa Umberger is the CEO of Sicura.gettyIn April 2026, Anthropic stated that Claude Mythos Preview could vastly outperform humans at finding vulnerabilities in commonly used software platforms. With one set of prompts, agents found vulnerabilities that hadn’t yet been exposed, known as zero-days. These openings were discovered in every major operating system and web browser. Many were 10-20 years old. The platforms had been sitting ducks for years. With another set of prompts, those agents also wrote exploits to break in. Anthropic Engineers who did not have any formal security training asked Mythos Preview to "find remote code execution vulnerabilities overnight" and woke up to a complete exploit. In other cases, they noted that they had "researchers develop scaffolds that allow Mythos Preview to turn vulnerabilities into exploits without any human intervention."This was only testing, so fortunately, the humans prompting these agents did not steal data. But the implication was clear: agentic AI will give attackers an incredibly powerful weapon. When attackers get their hands on these weapons, they won’t hesitate to overwhelm our defenses. This is a wake-up call. There are vulnerabilities in places we haven’t looked, and they will be found quickly. It’s time to take a hard look at our systems. Anthropic’s report gives us clues where to look. By not releasing Claude Mythos Preview, they’re giving us time to prepare now.AI is a powerful tool, but it doesn’t change the rules of the game. Vulnerabilities are exposed, exploits are developed, defenses are evaded, an attack is executed and chaos ensues.Stopping this cycle has been the goal of defensive cybersecurity from the beginning, and the focus of my career as a technologist in the intelligence community and as an entrepreneur. With AI, stopping the cycle could get harder. Attackers always benefit from moving faster, adding sophistication and staying hidden. AI will supercharge their ability in each of those categories.But let’s not forget that defenders also have powerful automation capabilities. We have a strong foundation for sound cybersecurity hygiene that was laid over the years across the public sector, private sector, research and academia.We know how to harden systems. From CIS benchmarks to DISA STIGS to NIST 800-53, the cybersecurity community has developed frameworks to help everyone strengthen their posture. We also know what leads to the gaps that get exploited: misconfigurations, missed patches and the drift from a secure baseline that results from attacker, technology and user evolution.The problem is that we’re still too slow to fix them. An embarrassingly large number of attacks are the result of actions that could’ve been taken. Look through any forensic report, and you’ll find the issues listed above. They’re the basics of cybersecurity, but we’ve never gotten them right.The reason often comes down to people and process, not technology. Today, implementing standards and plugging these gaps is the province of compliance. Only when a certification or audit cycle arrives are the proper fixes made.In many ways, I can understand why compliance isn’t the first priority. It has a reputation for being boring. It is also a pain and a drain on resources for organizations. Compliance requires untold hours of tedious tasks, and teams that don’t speak the same language to work across siloes. This was true a decade ago when I worked to harden IT infrastructure inside the National Security Agency, and it’s true today. But as we enter the AI era, the foundations of compliance give us important building blocks. Cybersecurity standards provide a roadmap. A secure baseline provides a starting point. Patching cycles help us correct our course along the way. Layer on the automation of modern software development, and the above could become a cycle that updates continuously. Imagine all of the latest patches identified and automatically implemented right alongside the code that’s shipped with every release.Suddenly, the standards of compliance are enshrined among the best defenses that deliver true security. There are fewer gaps for agents to find. Passing an audit becomes a formality along the way.On the front lines of cyber warfare, the federal government is signaling that this transformation must take place. Continuous ATO is emerging in several key programs. In 2025, the U.S. Department of War released the Cybersecurity Risk Management Construct, replacing the largely manual Risk Management Framework with a process that is automation-ready and always-on.These are promising developments, but everyone who works in cybersecurity knows these frameworks take time to move from plans to action. We need to show organizations across the public and private sectors what is possible when compliance is no longer a box-checking exercise. Attackers will get the tools, and they won’t hesitate to use them.Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
Does Mythos Have You Worried About AI Attacks? Get The Basics Right
Agentic AI will give attackers an incredibly powerful weapon that they won't hesitate to use.











