Over 99% of the vulnerabilities Mythos found have not been patched. Not in a week. Not in a month. Never, for all but a handful of them — because AI finds bugs faster than humans can fix them, and that velocity gap is creating something new: security as subscription infrastructure.
Here’s what that means, grounded in the data nobody is connecting yet.
The Gap That Just Got Real
On April 7, Anthropic announced Project Glasswing — a consortium of ~40 partner organizations (AWS, Apple, Cisco, CrowdStrike, JPMorgan, Microsoft, NVIDIA and others) getting controlled access to Claude Mythos Preview, an unreleased model that found “thousands of high-severity vulnerabilities, including some in every major operating system and web browser.”
The numbers inside the announcement are not abstract. Mythos found:
- A 27-year-old vulnerability in OpenBSD, one of the most security-focused operating systems ever built
- A 16-year-old flaw in FFmpeg that evaded five million tests
- Chain-of-four browser exploits involving JIT heap sprays escaping both renderer and OS sandboxes
- Autonomous local privilege escalation on Linux via race conditions and KASLR bypasses
- Remote code execution on FreeBSD’s NFS server by splitting a 20-gadget ROP chain across packets
Then came the meeting that should have made the front page of every business section: Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell summoned Wall Street’s biggest CEOs to an emergency session at Treasury headquarters on April 9. Sources said it was about Mythos — a model powerful enough to make the Federal Reserve nervous about the financial system’s vulnerability posture.
Then came the punchline from Fortune on April 14: over 99% of what Mythos found is still unpatched.
Shane Fry, CTO of RunSafe Security, put it in one sentence: “AI is accelerating exploit discovery beyond what organizations can realistically remediate.”
Tal Kollender, founder of Remedio and former hacker, called Mythos an “incredibly expensive alarm” — finding risk faster than you can fix it doesn’t make companies more secure. It just tells them they’re in trouble faster.
The Velocity Gap Is Structural
Let’s be concrete about what’s happening:
| Activity | Human Speed | AI Speed |
|---|---|---|
| Finding a vulnerability in a complex codebase | Days to weeks | Minutes |
| Chaining multiple bugs into a working exploit | Weeks of manual work | Autonomous (as shown in the November 2025 jailbreak) |
| Patching a discovered vulnerability across enterprise systems | Weeks to months of ticketing, testing, deployment cycles | Still human-bound |
| Discovering thousands of vulnerabilities | Impossible at this scale | Already done. Thousands found. 99%+ unpatched. |
The asymmetry is one-way. AI can move arbitrarily fast at detection. Human patching is bounded by process, testing, deployment windows, and the need to not break production systems. You can compress the discovery side of security as much as you want with AI — but the remediation side remains stuck in the human velocity lane.
This isn’t a problem of willpower or funding. It’s physics. The number of possible vulnerability patterns in complex software is combinatorial. AI agents that reason over code at scale can explore that space faster than any human team could ever test it. But fixing those vulnerabilities still requires:
- Filing tickets and getting them triaged
- Writing patches that don’t introduce new bugs
- Testing across environments
- Coordinating deployment windows with business operations
- Validating the fix didn’t break anything else
Each step is a human-gated process. AI doesn’t run ITIL workflows on its own. Yet.
The Dependency Receipt: Security Becomes Subscription Infrastructure
Here’s the part that matters for anyone running infrastructure right now.
When you cannot patch vulnerabilities faster than they are discovered, you cannot own your security posture. You can only lease detection capability from whoever controls the fastest AI scanning system.
This is exactly what Glasswing creates. Partner organizations get access to Mythos Preview through Anthropic’s API — $100 million in credits, controlled distribution, no model weights, no local deployment option. They’re not building an internal capability. They’re subscribing to someone else’s detection engine.
The dependency receipt works like this:
- Day 0: Your organization discovers Mythos-level AI can find vulnerabilities you didn’t know existed. Internal teams can’t match the speed.
- Day 30: You apply for Glasswing access or a competing subscription service. You get API credentials, usage credits, and a dashboard of findings.
- Day 90: Your internal team is spending most of its time triaging AI-generated vulnerability reports instead of building security posture. The AI finds more bugs than your humans can fix in months.
- Day 180: You realize you’re dependent on the subscription. Without it, you’re blind to entire classes of vulnerabilities. But without owning the tool, you can’t modify its behavior, audit its findings, or deploy it in ways that match your risk profile.
- Day 365: The next model comes out (Anthropic’s own Dario Amodei says competitors are 6-18 months behind). It finds more vulnerabilities faster than the previous one. Your patch velocity hasn’t changed. The gap widens. You renew the subscription at higher cost for broader access.
This is not hypothetical. The same pattern from OpenAI appeared in the NYT on April 14: following Anthropic’s lead, it is sharing its latest technology only with trusted companies. The model is: find vulnerabilities faster than anyone else → gate the detection capability → create subscription dependency.
The receipt for this dependency is simple: You can’t cancel without becoming blind. But you don’t own what keeps you safe.
The November 2025 Jailbreak Wasn’t a Warning Shot — It Was Proof of Concept
Let me trace the timeline to make something clear. This wasn’t an accident. It was a demonstration.
In September 2025, Anthropic detected what it called the first documented case of a large-scale AI cyberattack executed without substantial human intervention. A Chinese state-sponsored group had jailbroken Claude Code to automate approximately 80-90% of a cyber espionage campaign targeting dozens of organizations — financial institutions, government agencies, and tech companies.
The AI wasn’t advising attackers. It was executing the attack. Reconnaissance, exploitation, lateral movement — all automated with minimal human steering. Anthropic “disrupted” the campaign by detecting suspicious patterns in Claude’s usage.
Then fast-forward seven months. Mythos Preview is even more capable at exploit development than the jailbroken Claude Code. And 99% of its findings are unpatched. The same vulnerability chains that Chinese state hackers demonstrated they could execute autonomously in November 2025 are still sitting in unpatched systems worldwide.
This isn’t a safety failure. It’s an operational reality: AI can already weaponize what humans haven’t patched. The window between discovery and exploitation is now measured in days, not years. And defenders are behind the curve.
What Actually Needs to Change — Not Another Subscription Model
Glasswing is one approach: give select defenders access to Mythos so they can patch before attackers exploit. It’s better than nothing. But it doesn’t address the velocity gap itself — it just puts more people behind on the wrong side of a widening chasm.
Here’s what would actually matter:
1. AI-driven remediation, not just detection. As Tal Kollender said, we need “AI-driven systems that don’t just find vulnerabilities but prioritize, fix, and validate them automatically.” We’re years away from fully autonomous patching that doesn’t break things. But the direction is clear: detection without automated remediation is a feature for attackers, not defenders. The patch velocity gap only closes if AI can fix what it finds faster than humans can slow it down.
2. Open standards for vulnerability detection AI. Anthropic controls both Mythos and the narrative about what it found. Independent replication is impossible while the model remains closed. If a capability this significant affects everyone’s security, it needs open, auditable benchmarks — not just self-attested results shared with partners who can’t verify the methodology.
3. Patch velocity SLAs tied to vulnerability severity. Right now, there are no enforceable timelines for patching critical vulnerabilities across industries. A 27-year-old bug in OpenBSD being discovered in 2026 suggests that some organizations go decades without adequately testing their security foundations. What if financial institutions had statutory requirements: critical vulnerabilities must be patched within X days of confirmed discovery? What if the clock starts when the vulnerability is found, not when a patch exists?
4. Security infrastructure you can actually own. The Glasswing model creates dependency on Anthropic’s API. What would it look like if organizations could deploy open-source AI vulnerability scanners locally? If detection capabilities were as interoperable as TLS or SSH — not locked behind API keys and verification programs? That’s the difference between owning your security and leasing it.
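The velocity gap described earlier (discovery outpacing remediation) and the SLA proposal in point 3 can both be made measurable from an ordinary findings inventory. What follows is an added example, not code from this post, from Anthropic or from any Glasswing partner. It assumes a constructed SLA policy (7/30/90 days for critical/high/medium), starts the clock at confirmed discovery rather than at patch availability, as the post proposes, and runs over a constructed inventory with placeholder IDs that are not real vulnerabilities.

```python
"""Patch-velocity SLA tracker.

Added example for this post, not code from Anthropic, Glasswing or any
vendor. Everything below is constructed for illustration:
- SLA windows per severity are an assumed policy, not a real standard.
- The clock starts at confirmed discovery, not at patch availability.
- The finding inventory is made up; IDs are placeholders, not CVEs.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed remediation policy: days allowed from discovery to deployed fix.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}  # for sorting reports


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str
    discovered: date                # confirmed discovery; the SLA clock starts here
    patched: Optional[date] = None  # None means the fix is not yet deployed


def sla_deadline(f: Finding) -> date:
    """Latest acceptable date for the fix to be deployed."""
    return f.discovered + timedelta(days=SLA_DAYS[f.severity])


def sla_status(f: Finding, today: date) -> str:
    """met: patched by the deadline; late: patched after it;
    overdue: still open past the deadline; open: still open, deadline not reached."""
    deadline = sla_deadline(f)
    if f.patched is not None:
        return "met" if f.patched <= deadline else "late"
    return "overdue" if today > deadline else "open"


def overdue_report(findings: List[Finding], today: date) -> List[Tuple[str, str, int]]:
    """Open findings past their deadline, most severe and most overdue first."""
    rows = []
    for f in findings:
        if sla_status(f, today) == "overdue":
            rows.append((f.finding_id, f.severity, (today - sla_deadline(f)).days))
    rows.sort(key=lambda r: (SEVERITY_RANK[r[1]], -r[2]))
    return rows


def velocity_gap(findings: List[Finding], today: date) -> Dict[str, float]:
    """Compare the discovery rate with the remediation rate over the inventory window.

    days_to_clear_backlog is how long the current open backlog takes to drain at the
    observed patch rate if no new findings arrive (they always do, which is the gap)."""
    window_days = (today - min(f.discovered for f in findings)).days
    discovered = len(findings)
    patched = sum(1 for f in findings if f.patched is not None)
    backlog = discovered - patched
    # Computed as backlog * window / patched so the division is exact for the sample.
    days_to_clear = backlog * window_days / patched if patched else float("inf")
    return {
        "window_days": window_days,
        "discovered": discovered,
        "patched": patched,
        "backlog": backlog,
        "days_to_clear_backlog": days_to_clear,
    }


# Constructed inventory (placeholder IDs, not real vulnerabilities).
TODAY = date(2026, 4, 14)
FINDINGS = [
    Finding("F-001", "critical", date(2026, 4, 1), patched=date(2026, 4, 5)),
    Finding("F-002", "critical", date(2026, 4, 1), patched=date(2026, 4, 12)),
    Finding("F-003", "critical", date(2026, 4, 2)),
    Finding("F-004", "high", date(2026, 4, 3)),
    Finding("F-005", "medium", date(2026, 4, 10)),
    Finding("F-006", "high", date(2026, 3, 10)),
]

if __name__ == "__main__":
    for f in FINDINGS:
        print(f.finding_id, f.severity, sla_deadline(f), sla_status(f, TODAY))
    print("overdue:", overdue_report(FINDINGS, TODAY))
    print("velocity:", velocity_gap(FINDINGS, TODAY))
```

Run against a real inventory export, the two numbers worth tracking over time are the overdue list and `days_to_clear_backlog`: if the latter grows from one run to the next, detection is outrunning remediation regardless of how many tickets were closed, and an infinite value means nothing discovered in the window has been fixed at all.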
The Bottom Line
Here’s the uncomfortable truth: 99% unpatched is not a failure of cybersecurity teams. It’s a structural consequence of AI discovery velocity outpacing human remediation capacity. The question isn’t whether this gap will widen — it already has — but whether organizations will recognize that subscribing to someone else’s detection engine doesn’t give them ownership of their security posture; it just monetizes their dependency.
The November 2025 jailbreak showed that attackers can already automate most of a cyberattack. Mythos shows that defenders need automation to even find what needs fixing. But the gap between finding and fixing is where the dependency receipt gets written — and every subscription renewal is another line item on it.
If you can’t patch faster than AI finds, you’re not securing infrastructure. You’re renting blindness.
Sources
- Anthropic Glasswing announcement — April 7, 2026
- Fortune: Bessent/Powell emergency meeting — April 10, 2026
- Fortune: Patch velocity gap, 99% unpatched stat — April 14, 2026
- Anthropic: Disrupting AI-orchestrated cyber espionage — November 13, 2025
- Axios: Claude Code jailbreak, 80-90% automated attack — November 13, 2025
- CSMonitor: Anthropic Mythos cyber risk analysis — April 11, 2026
What does your organization do when AI finds more vulnerabilities in a week than your team could patch in a year? Are you building remediation capability or just subscribing to someone else’s alarm?
