When AI Finds in Seconds What Hackers Once Searched for Years

What the CSA emergency briefing means for Swiss SMEs

15 April 2026

On 14 April 2026, SANS Institute, Cloud Security Alliance (CSA), [un]prompted and the OWASP GenAI Security Project published a joint emergency briefing: “The AI Vulnerability Storm: Building a Mythos-Ready Security Program.” The document was created in a single weekend by more than 60 contributors and reviewed by over 250 CISOs worldwide — including Jen Easterly (former CISA), Bruce Schneier, Chris Inglis and Phil Venables (former Google CISO).

The message: the time between a security vulnerability becoming known and its active exploitation has dropped to under 24 hours — in 2019 that figure was still 2.3 years. This changes the rules of the game for every company, including in Switzerland.

What exactly is happening right now?

Until recently, software security was a game of hide-and-seek. Hidden somewhere in millions of lines of code was a flaw — it often took months or years before a specialist found it.

That is changing fundamentally. In early April 2026, Anthropic introduced a new, non-public AI model called Claude Mythos (Preview). In internal tests, this model found and exploited zero-day vulnerabilities in every major operating system and every major web browser it was pointed at — including a 27-year-old flaw in OpenBSD, a system specifically known for its security architecture.

The numbers cited in the briefing are sobering:

  • Against Firefox 147’s JavaScript engine, Mythos generated 181 working exploits — the best previous model produced only 2 under the same conditions.
  • The success rate for generating working exploits is 72%.
  • In a simulation of a 32-stage enterprise network attack (from reconnaissance to full takeover) that takes humans around 20 hours, Mythos outperformed all other AI systems tested.

What previously required weeks of expert work now runs autonomously in hours.

Is this just fearmongering?

No — but there are bright spots. Alongside Mythos, Anthropic has launched Project Glasswing: access to the model is deliberately restricted and is being given first to critical infrastructure partners and open-source maintainers, so they can find and close vulnerabilities before comparable capabilities appear elsewhere.

Concretely: there is currently a window of time. But it is closing.

A second piece of good news from the report: defence in depth works. Mythos identified numerous vulnerabilities in the Linux kernel but, after several thousand attempts, was unable to remotely exploit a single one. The unspectacular hardening work of recent years transformed “exploitable flaw” into “non-exploitable flaw” — even against a model that explicitly tried. Those who have done their homework are not defenceless.

Do I need this if I don’t develop software myself?

Yes. Many executive teams point to their CMDB (Configuration Management Database) and ask whether that isn’t sufficient. The distinction is now critical:

  • The CMDB says where your servers are and which programmes are installed (e.g. “We use SAP and Microsoft 365”).
  • The SBOM (Software Bill of Materials) reveals which thousands of small building blocks make up the software you have purchased.

Attacker AI doesn’t scan your company — it scans these building blocks. If it finds a flaw in a globally widespread component, you are vulnerable even if your CMDB says everything is “as before.”

What you should do now

The briefing contains 11 prioritised measures and 10 diagnostic questions for CISOs. Here are the three most urgent for Swiss SMEs:

1. Harden the fundamentals — use the Glasswing window now

Before Mythos-like capabilities become broadly available, you should get the basics completely in order: rigorous patching, network segmentation, phishing-resistant MFA (not SMS), zero-trust architecture and egress filtering. The Federal NCSC recommendations (BACS) largely align with the CSA briefing here.

2. Introduce SBOM as a procurement criterion

Require an SBOM from every software supplier. Only then can your IT team check in minutes rather than days when a new threat emerges: “Is this component anywhere in our house?” For regulated sectors (FINMA, revFADP) this is in any case increasingly mandatory.
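The CMDB-versus-SBOM distinction above and the "is this component anywhere in our house?" check can be made concrete. The following added example (not from the briefing or any vendor) walks two constructed CycloneDX-style SBOMs, one per purchased product, including nested transitive dependencies, and reports which products ship a named component below the version that fixes a flaw. Product and component names are constructed sample data.

```python
import json
from typing import Iterator

# Two constructed CycloneDX-style SBOMs, one per purchased product.
# A CMDB would only list "inventory-portal" and "hr-suite"; the SBOM
# is what reveals libxml2 and the nested jsonparse dependency.
SBOMS = {
    "inventory-portal": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "libxml2", "version": "2.9.10",
             "purl": "pkg:generic/libxml2@2.9.10"},
            {"type": "framework", "name": "webframework", "version": "4.1.0",
             "purl": "pkg:npm/webframework@4.1.0",
             "components": [  # nested (transitive) dependency
                 {"type": "library", "name": "jsonparse", "version": "0.9.2",
                  "purl": "pkg:npm/jsonparse@0.9.2"}]}]}),
    "hr-suite": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "libxml2", "version": "2.12.0",
             "purl": "pkg:generic/libxml2@2.12.0"}]}),
}

def walk(components: list) -> Iterator[dict]:
    """Yield every component, including nested (transitive) ones."""
    for c in components:
        yield c
        yield from walk(c.get("components", []))

def parse_version(v: str) -> tuple:
    """Numeric tuple for ordering; non-numeric parts sort as 0 (adequate for first triage)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def find_affected(sboms: dict, name: str, fixed_in: str) -> list:
    """Return (product, version) pairs that ship `name` in a version below `fixed_in`."""
    hits = []
    for product, raw in sboms.items():
        for c in walk(json.loads(raw).get("components", [])):
            if c.get("name") == name and parse_version(c["version"]) < parse_version(fixed_in):
                hits.append((product, c["version"]))
    return hits

if __name__ == "__main__":
    # A new advisory says libxml2 is fixed in 2.11.0: only one product is exposed.
    print(find_affected(SBOMS, "libxml2", "2.11.0"))   # -> [('inventory-portal', '2.9.10')]
    # The transitive dependency is found too, which no CMDB entry would show.
    print(find_affected(SBOMS, "jsonparse", "1.0.0"))  # -> [('inventory-portal', '0.9.2')]
```

In practice the SBOMs would be read from the files each supplier delivers, and the component name and fixed version would come from the advisory; the version comparison here is deliberately simple and should be replaced by a proper version library for non-numeric schemes.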

3. From quarterly audit to continuous monitoring

A security review once a quarter is no longer enough when the disclosure-to-exploit time is under 24 hours. Invest in tools that monitor continuously and respond automatically in an emergency — for instance, locking suspicious sessions without waiting for manual approval. Practise these response chains in tabletop exercises before you need them in a real incident.

Conclusion

The CSA briefing puts it plainly: AI-based attacks are a structural shift, not a passing trend. The cost of exploit development is falling, the window between disclosure and weaponisation is shrinking to zero, and capabilities once reserved for nation-states are becoming broadly available.

For Swiss companies, this means: security is no longer a purely IT question — it is a matter for the C-suite. Those who don’t get basic hygiene in order now and don’t know their software supply chain are taking on a risk that can barely be quantified any more.

The good news: the tools and frameworks are there. The briefing is freely available — and it is worth having the executive team and IT read it together.

Original document: “The AI Vulnerability Storm: Building a Mythos-Ready Security Program”, Cloud Security Alliance / SANS Institute / [un]prompted / OWASP GenAI Security Project, 14 April 2026. Freely available at labs.cloudsecurityalliance.org/mythos-ciso.

Want to know where your company stands on the Mythos-Ready maturity scale? Contact us for a no-obligation initial consultation.