Technical description
The SANS/CSA/OWASP emergency briefing released April 14 quantifies the systemic impact of AI-driven vulnerability discovery: mean time from disclosure to confirmed exploitation has fallen to less than one day in 2026, down from 2.3 years in 2019. Anthropic's Claude Mythos (Preview) and Project Glasswing demonstrated autonomous discovery of thousands of zero-day vulnerabilities across every major OS and browser, including a 27-year-old OpenBSD vulnerability. The briefing warns that every patch now functions as an exploit blueprint, as AI tools accelerate patch-diffing and reverse engineering at scale. This is classified as a systemic risk condition rather than a single CVE.
Attack vector
AI-driven vulnerability discovery tools can generate working exploits at a rate exceeding organisational patch cycles. AI-accelerated patch-diffing converts every published patch into a near-instant exploit roadmap for attackers. Traditional 30-day patch windows are now dangerously obsolete for critical systems.
Affected systems
All enterprise systems with publicly disclosed but unpatched CVEs; organisations with patch cycle times exceeding hours for critical vulnerabilities are exposed. Special risk for organisations running AI agent infrastructure (expanded attack surface).
Mitigation
Run the 10 CISO diagnostic questions in the SANS/CSA Mythos-Ready briefing. Accelerate patch SLAs for critical vulnerabilities to sub-24-hour targets. Implement automated vulnerability-to-patch orchestration for AI agent infrastructure. Apply the 13-item risk register to current security program gaps. Establish real-time threat intelligence feeds cross-correlated with your asset inventory.