In the past, online attackers were forced to make a choice to either go hard against one target or spread the impact and gather more data with tactics that worked across many. Time and resources forced that trade-off, because a person who spent a week understanding one organization could not spend that same week on a hundred others. As described in the first article of this series, new AI capabilities are reducing or removing the need for the expertise and the labor, so that limiting factor disappears. That change will rewrite the process to identify victims, and it is the part of the AI shift that defenders aren’t focusing on—yet.
Our previous post left off with the observation that AI systems have collapsed the cost of building a working exploit. Whether measured in a skilled researcher's weeks or a machine's hours, that collapse in cost is the starting point.
This shift is especially impactful to organizations that have spent years acquiring, developing, and deploying software they have not fully catalogued or don’t fully understand. AI-accelerated exploitation isn’t going to arrive as an isolated threat against a clean, well-understood attack surface. It will land on and exploit the consequences of technical debt that remains unresolved, and it will do so against application estates whose full scope most organizations can’t enumerate.
A Constraint that No Longer Binds
In the current environment, with recently released tools, an AI-assisted attacker can analyze many public-facing applications at once. They will know the open-source libraries those applications depend on and will generate a tailored attack chain for as many as they need to succeed. The consequences of a single vulnerability are no longer determined by how many targets a human team has time to pursue, but by how far the attacker cares to look.
The production data already shows what that expansion looks like. In the seven weeks after the Glasswing launch, Mythos and its partner organizations identified thousands of high- and critical-severity vulnerabilities in real production codebases at organizations including Microsoft, Cloudflare, and Mozilla. The figure previews the scale of exposure that the new automated scanning produces when pointed at the actual application estate rather than a test set. Adversarial systems will be operating against a much larger population and will likely produce proportionally larger results.
Volume that Was Already Rising
The historical trend confirms that an increase was already in motion before this capability arrived. Rapid7 found that exploited high- and critical-severity vulnerabilities more than doubled in a single year, rising 105% from 71 confirmed cases in 2024 to 146 in 2025. CrowdStrike recorded a 42% year-over-year increase in the exploitation of zero-day vulnerabilities, the flaws that attackers discover and weaponize before the rest of the world knows they exist. NIST catalogued 48,244 tracked vulnerabilities in 2025 alone, a 20% increase over the prior year, and fell behind its own analysis backlog in the process. The volume was already climbing. Machine-speed discovery poured fuel on a fire that was already burning.
When Disclosure Becomes a Targeting Mechanism
A widely accepted security process is likely to provide another source of data for this new methodology, because motivated attackers with new tooling will be able to turn the vulnerability fix process into an offensive weapon. The reason is the transparency of that effort. When a vendor identifies a vulnerability and responsibly commits a security fix to a public repository, that commit triggers two separate activities: it closes the vulnerability for everyone who applies the fix, and it describes the vulnerability in precise detail for every application that has not yet received it. A modern AI system or agent that watches those repositories can read the commit and have enough information to begin generating targeted exploits against the unpatched population within hours, well before any formal advisory reaches the organizations that depend on it. The public disclosure cycle, built to help defenders, will now be a dinner bell for the attackers it was meant to frustrate.
The Sequence Reverses
Put these pieces together and the usual order of an attack turns inside out. The old sequence started with a target. An adversary chose an organization, then searched its systems for a weakness to exploit. In the new sequence, an adversary scans public code for an exploitable condition first, and the target list assembles itself from every organization running the affected component. In the case of open-source projects, many of those organizations’ domains may well be in the pull request, comment, and merge records, providing a ready-made list of attractive targets. Not only will companies become targets, but because their solution is known to use the vulnerable code, all of their clients will be vulnerable as well. Organizations will find themselves targeted by attackers who never considered them by name.
When the Attack Lands
An attack that selects its own targets in this way will land on whatever component or implementation of vulnerable code an organization is carrying. For defenders, the threat surface is no longer dominated by obvious high-value targets or widely exposed applications. Every exploitable component that an organization runs and exposes is now a potential element in an AI-constructed exploit chain, and is, in principle, visible to any automated system that chooses to look.
Response requires more than a faster version of the quarantine, disablement, and disruption that defenders already employ. Organizations that can name their applications but not the application composition or supply chain are carrying exposure they can’t see or address. Closing that gap is a visibility problem, and the next article in this series will help define a path to seeing what needs to be done.
Sources
Anthropic red team, “Assessing Claude Mythos Preview's Cybersecurity Capabilities,” red.anthropic.com, April 7, 2026; corroborated by Help Net Security, April 8, 2026, and VentureBeat, April 10, 2026.
UK AI Security Institute, “Our Evaluation of Claude Mythos Preview's Cyber Capabilities,” aisi.gov.uk, April 13, 2026; corroborated by Codersera Mythos guide, May 2026.
OpenAI GPT-5.5-Cyber and Microsoft security-system disclosures are first-party vendor announcements, presented here as disclosed and not independently evaluated.
Jack (he/him) is the Executive Vice President of Strategy and Operations at NuHarbor Security where he leads the creation and delivery of NuHarbor's leading cybersecurity services and platforms, simplifying cybersecurity for all organizations. Prior to joining NuHarbor, Jack founded three successful security software companies that were acquired by Watchguard Technologies, IBM, and Alert Logic. Following these acquisitions, Jack continued as a senior executive entrusted with strategy, messaging, and corporate development. In addition to business leadership, Jack has received 12 patents for his security innovations. Jack is a sought-after cybersecurity speaker, writer, and Pwned podcast co-host. His insights and opinions are regularly featured in leading online, broadcast, and print media, like CBS, NBC, Forbes, the New York Times, and the Washington Post.