SANS Institute and the Cloud Security Alliance published “The AI Vulnerability Storm: Building a Mythos-Ready Security Program,” a free strategy briefing that gives CISOs a concrete framework for responding to AI-driven vulnerability discovery. The document was produced by more than 60 named contributors from SANS, CSA, [un]prompted, and the OWASP GenAI Security Project, and reviewed by over 250 CISOs before release, according to the official press release.
The Timeline That Forced the Briefing
The briefing responds directly to Anthropic’s Claude Mythos (Preview) and Project Glasswing, which autonomously identified thousands of zero-day vulnerabilities across every major operating system and web browser, including a 27-year-old flaw in OpenBSD, according to PNI News.
The escalation over the past 12 months is documented in the briefing itself. In June 2025, XBOW became the first autonomous system to top HackerOne’s US leaderboard. In August 2025, DARPA’s AI Cyber Challenge found 54 vulnerabilities across 54 million lines of code in four hours. By November 2025, Anthropic disclosed a Chinese state-sponsored group using AI to run full attack chains autonomously across approximately 30 global targets. In February 2026, Anthropic reported more than 500 high-severity vulnerabilities in open source software using Claude Opus 4.6, according to the PNI News report.
Mythos represents the sharpest acceleration. In internal testing, the model generated 181 working exploits against Firefox vulnerabilities where the previous best model produced two. The 72% exploit success rate and the ability to chain multiple vulnerabilities without human guidance set a new benchmark for autonomous offensive capability.
“The window between vulnerability discovery and weaponization has collapsed into hours,” said Rob T. Lee, Chief AI Officer and Chief of Research at SANS Institute, in the press release. The briefing cites the Zero Day Clock, which puts the mean time from vulnerability disclosure to confirmed exploitation at less than one day in 2026, down from 2.3 years in 2019.
The Framework
The briefing includes four core components:
A 13-item risk register mapped to OWASP LLM Top 10 2025, OWASP Agentic Top 10 2026, MITRE ATLAS, and NIST CSF 2.0. Each row frames the risk as an acceleration of an existing threat, not something Mythos created from scratch, according to the SANS advisory page.
An 11-item priority actions table with start dates and completion horizons. Priority Action 1: point AI agents at your own code this week. Priority Action 11: stand up a permanent Vulnerability Operations (VulnOps) function within 12 months, staffed and automated for continuous AI-driven discovery across the entire software estate.
10 diagnostic questions for CISOs to triage their current security program before building new capabilities.
A board-ready executive briefing section with talking points, a 90-day plan structure, and a specific framing for CFOs: “The security program this board has funded is what makes the AI strategy viable,” per the SANS page.
The Capability Gap and the Compliance Clock
Two findings from the briefing carry immediate operational weight.
First, the capability gap: defensive teams without AI agents face a widening disadvantage against AI-augmented adversaries regardless of existing technical skill. The briefing frames this as a cultural challenge as much as a technological one. SANS faculty report 15 months of real-world experience using current AI models to find critical flaws in code that human reviewers had already cleared.
Second, the compliance clock: the EU AI Act takes effect August 2, 2026, introducing automated audit, incident reporting, and cybersecurity requirements. The briefing argues that when AI can find vulnerabilities at accessible cost, the standard for “reasonable defensive effort” shifts, creating direct governance and liability exposure for organizations that do not adapt.
“We built this in three days because CISOs needed it now, not when it was perfect,” said Gadi Evron, CEO of Knostic and CISO-in-Residence for AI at CSA, in the press release. “The organizations that build the muscle now will be the ones that meet the next wave on their own terms.”
The Operational Question
The briefing’s first priority action skips governance entirely and starts with direct testing. For organizations that have not yet pointed AI tools at their own codebases, the practical gap between them and adversaries who already have done so is measurable in days, not months. The full briefing is available free from CSA Labs.