The margin of safety is gone

For a few years, the security industry operated on a quiet assumption: AI could exploit known vulnerabilities, but it couldn't find new ones. That asymmetry gave defenders a workable edge.

On April 7, Anthropic announced that Claude Mythos Preview had closed that gap. The model autonomously discovered thousands of zero-day vulnerabilities — previously unknown flaws — across major operating systems and browsers. Separately, Mythos scored 83.1% on the CyberGym vulnerability reproduction benchmark. In one campaign targeting OpenBSD across 1,000 scaffold runs, total compute cost was under $20,000.

For context: a 2024 University of Illinois study found that GPT-4, given a CVE description, could exploit 87% of a curated 15-vulnerability one-day dataset. Without the description, that number dropped to 7%. The gap between those two figures was the margin of safety. Mythos, according to Anthropic, eliminates the need for the description entirely.

I want to be precise here: Anthropic's announcement is the primary source for the zero-day discovery claim, and independent replication of that specific capability hasn't been published. The benchmark scores and cost figures are from the same announcement. That said, the exploitation timeline data from third parties is independently corroborated and arguably more immediately actionable.

The timeline data is already alarming

Rapid7's 2026 threat landscape report puts the median time from CVE publication to CISA's Known Exploited Vulnerabilities (KEV) listing at five days. Google's M-Trends 2026 report found exploitation occurring before patches are even released in some cases.

Two recent examples make this concrete. Langflow's CVE-2026-33017 (CVSS 9.8, a severity score on a 10-point scale) was exploited 20 hours after disclosure — with no public proof-of-concept available. Marimo's CVE-2026-39987 (CVSS 9.3) was hit in 9 hours and 41 minutes.

Calendar-based patch cycles — the standard enterprise model — were not designed for this.

A better prioritization filter exists and is free

Most vulnerability management programs still rank by CVSS score alone. CVSS measures theoretical severity, not real-world exploitation likelihood. A study validated against 28,377 vulnerabilities proposes a concrete replacement: a three-layer decision tree.

**Layer 1 — Active exploitation:** Check CISA KEV. If listed, patch immediately. SLA: hours.

**Layer 2 — Predicted exploitation:** Check EPSS (Exploit Prediction Scoring System) via FIRST.org. Score ≥ 0.088 triggers escalation to a Tier 0 pipeline. SLA: 24 hours.

**Layer 3 — Severity baseline:** CVSS ≥ 7.0 via NVD follows standard remediation policy.

All three data sources are open and free. The study reports an 18x efficiency gain, 85.6% coverage of exploited vulnerabilities, and roughly a 95% reduction in urgent remediation workload compared to CVSS-only triage. The integration is automatable: a script querying the CISA KEV API, the EPSS API, and NVD against your asset inventory, running on every published CVE.

The agent authorization gap is underaudited

AI agents now hold privileged credentials inside enterprise environments, and most authorization policies haven't been tested against agent-specific behavior.

CVE-2026-34040 in Docker illustrates the problem. Docker's authorization plugin architecture silently bypasses every plugin when the request body exceeds 1MB — before the request reaches the plugin. Common AuthZ tools including OPA, Casbin, and Prisma Cloud are unaware of this bypass. Cyera demonstrated that an AI agent debugging infrastructure could infer the bypass path while completing a legitimate task, without any instruction to exploit anything.

A CSA/Zenity survey published April 16 found that 53% of organizations had already seen agents exceed intended permissions; 47% experienced a related security incident.

The IETF is working on agent authentication standards — draft-klrc-aiagent-auth-01 and draft-prakash-aip-00 are both in progress — but these are months to years from implementation. Of roughly 2,000 surveyed MCP (Model Context Protocol) servers, the IETF draft reports none had authentication.

What to do this quarter

Four actions are worth prioritizing now:

1. **Deploy the three-layer filter.** Automate KEV, EPSS, and NVD queries against your asset inventory. Remove humans from the trigger; keep them as approvers. 2. **Implement event-driven patching for Tier 0 services** — internet-exposed services, AI builder hosts, container orchestration control planes. Target: patch to canary within four hours of a critical CVE. Where that's impossible due to legacy dependencies, apply compensating controls immediately and assign an exception owner. 3. **Test authorization boundaries at agent scale.** Include test cases for request bodies exceeding 1MB, 5MB, and 10MB; burst rates above 100 requests per second; and unusual parameter combinations. Patch to Docker Engine 29.3.1. 4. **Map credential blast radius for AI builder hosts.** Langflow, Flowise, n8n, and custom pipeline instances each hold API keys, database credentials, and OAuth tokens. A compromised host is a credential harvest. Document each credential, classify it by lifespan, and set alerts for anomalous access.