What Frontier AI Models Like Mythos and GPT-Cyber Mean for Modern Cybersecurity

Landmark announcements by some of the biggest names in artificial intelligence (AI) have upended how defenders must think about cybersecurity, vulnerability management and threat detection.

In April 2026, Anthropic detailed Mythos Preview, a frontier large language model (LLM) equipped to autonomously find and fix cybersecurity vulnerabilities at scale. Upon launch, Anthropic said that Mythos had already identified thousands of previously undiscovered zero-days.

Just days later, OpenAI unveiled GPT-5.4-Cyber, a variant of its own GPT-5.4 model fine-tuned specifically to work on cybersecurity problems. The company has since gone on to release an updated version of the model, GPT-5.5-Cyber.

For now, both AI companies have restricted their cybersecurity frontier models to a limited audience of approved partners.

Mythos Preview is only available to participants of Anthropic’s Project Glasswing. Those confirmed as part of the scheme included some of the biggest names in technology like Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks.

Meanwhile, OpenAI has limited use of GPT-Cyber to members of its Trusted Access for Cyber (TAC) program. This scheme is based around individual cyber defenders, who must be verified and vetted by OpenAI to gain access.

Both OpenAI and Anthropic believe their tools are the future of cybersecurity, but both have been reluctant to go as far as publicly releasing their models.

One core consideration is how these AI tools could be exploited in the ‘wrong hands’. Cybercriminals and threat actors are already using AI tools to develop sophisticated phishing campaigns, write malicious code and deploy automated attacks.

The same hackers could quickly find ways to abuse these new frontier AI models for their own gain.

How Cybercriminals Exploit the Explosion of Vulnerabilities

Frontier AI models like Mythos and GPT-Cyber are likely to drive the discovery of a potentially overwhelming number of security vulnerabilities.

Experts in cybersecurity management have warned that this impending ‘vulnpocalypse’ will be abused by cybercriminals.

The public disclosure of a security vulnerability, plus the resulting security update to patch it, is designed to help users keep their systems safe from attackers who could actively exploit the vulnerability.

This is also potentially a double-edged sword: when publicly disclosed, a vulnerability becomes known to all potential attackers and some will rush to abuse it before organizations have patched it.

Ideally, security teams would apply the most critical security updates within hours. In reality, it can sometimes take months for organizations to apply even critical patches.

This has led to fears that organizations could be overwhelmed by frontier AI models uncovering vast swaths of vulnerabilities, which require a surge in security patches.

The UK’s National Cyber Security Centre (NCSC) has warned businesses that they should start planning now for the anticipated spike in security updates.

Those responsible for vulnerability management, corporate cybersecurity and IT teams will be forced to significantly accelerate their patch cycles. 

“Cybersecurity teams are going to be under a lot of pressure, for sure. But this is not that different to how they have to adjust and adapt to threats every single day,” said Katie Moussouris, founder and CEO of Luta Security, a vulnerability disclosure and bug bounty program management company.

“You will not be able to patch everything in as timely a fashion as you’d like, but it’s not an achievable goal and it wasn’t before all this,” she told Infosecurity.

Patching Vulnerabilities in a Post‑Mythos Cyber Era

Patching all software vulnerabilities has always been a difficult task. Doing so in a post-Mythos and GPT-Cyber future will be even harder.

That doesn’t mean the war is lost. But it does mean that cybersecurity teams will need to think harder about what battles they pick when it comes to applying security updates.

This risk is heightened by the shift away from predictable monthly or quarterly patch cycles toward more frequent updates issued in response to newly discovered CVEs, a pace and pattern of remediation that many security teams are not used to managing.

“The real problem isn't that Mythos exists, it's that your defensive deployment process was designed for quarterly software releases. The way patches will be updated now won’t be a quarterly or monthly thing, it's going to be a process of continual updates,” said Rob T. Lee, Chief AI Officer and Chief of Research at SANS Institute, speaking during the Infosecurity AI Security and Governance Virtual Summit 2026.

It is vital therefore for cybersecurity teams to understand what the infrastructure of their network looks like, what software is deployed and what assets are connected to the network.

Only with a full picture of what their own landscape looks like can they plan for what software and applications should be the key priorities for updates. For instance, a critical bug in a widely used operating system should be prioritized over a specialist application used by three people.

This is especially the case as the window for patching critical vulnerabilities against exploitation is getting smaller as attackers use AI to help identify and exploit vulnerabilities at rapid speed.

“The time to exploit has also reduced from what used to be months down to less than 24 hours. So, the threat of this is quite extreme because if you find a vulnerability and you discover it and it becomes public, it can be exploited much faster than you were able to deploy a patch,” said Lee.

The speed of patch deployments will become a critical problem around security management. If left unaddressed, security teams risk becoming overwhelmed by the need to apply updates to vulnerabilities uncovered by AI.

“We need to prepare ourselves for a very difficult one to two years in terms of catastrophic cyber events. And we already see the markers on the wall for that,” Kara Sprague, CEO of HackerOne, told Infosecurity, referring to the number of vulnerabilities which AI-assisted cybersecurity researchers – and some cybercriminal threat actors – have already uncovered in open source software in the last year.

“These have become more common as we go through this period in which the attackers are equipped with these [commercially available AI] models and defenders are trying to retool their operations,” she added.

The Vulnerability Backlog Risk

The real risk of a slew of vulnerabilities uncovered by AI is the potential backlog of patches this creates, Sprague highlighted. Left waiting to be patched, software is vulnerable to exploitation by cybercriminals.

“That backlog should be considered by business leaders as a real liability. Because it’s just a race for an attacker to identify one of those exploits in the backlog and take advantage of it,” she said.

The introduction of cybersecurity-focused frontier models like Mythos and GPT-Cyber looks set to change how organizations approach cybersecurity and vulnerability management. However, as has been the case with other technological innovations, the first step to securing the ecosystem against any vulnerability, even those uncovered by frontier AI, is to get the foundations of cybersecurity correct.

Moussouris told Infosecurity, “Honestly, the best thing to do is reduce your attack surface. Everything you’ve been putting off with Zero Trust, now is your time to do it. That will reduce your attack surface as you brace for a wave of new patches coming in.”

“Certainly, apply the patches and mitigations as fast as you can, but patch faster is not a viable solution for most organizations, especially if you do not have a hardened down, locked down, reduced attack surface,” she added.

Many organizations already struggle with patch and vulnerability management as things stand, and in a post-frontier model future this challenge will become harder.

Doing Something is Better Than Doing Nothing

Organizations ought to start to plan for this future right now. With plans in place on how to manage and prioritize vulnerabilities, they can reduce the potential negative impact the explosion of newly discovered vulnerabilities will have.

Even if you start slowly, doing something is preferable to doing nothing. Lee likened it to starting a fitness regime.

“If you've been sitting on the couch for years and someone says you now need to run a 10k, the first step is getting off the couch and walking. You may not be able to walk more than 1k, but you’ve got to start somewhere,” he explained.

“Don't look at the end result of needing to run 10k because that might seem impossible to start with. But at least start with something. That's what I recommend to organizations: don't wait for the perfect solution. Work on what you can do now.”

For now, the frontier AI models have only been released to a small number of trusted partners of the AI companies.

However, it is only a matter of time before Mythos and GPT-Cyber are released to a wider audience. When this happens, even with guardrails in place to prevent it, cybercriminals will find ways to experiment with the models themselves, like they have with more freely available commercial LLMs.

One way or another, organizations must make sure they are prepared to deal with the fallout of the ‘vulnpocalypse’.
