
Part 1: What Mythos and GPT-5.4-Cyber mean for the next two years of defensive security work
AI is changing the economics of cybersecurity. As vulnerability discovery and exploitation accelerate, the long-standing strategy of trying to protect everything is becoming untenable. Defensive AI can help, but it cannot eliminate the fundamental asymmetry: attackers need only one path in, while defenders must secure them all. The question is no longer whether organizations should prioritize. The question is what they should prioritize first.
Pranava Adduri
CTO, Co-founder
In eight days this April, two of the three frontier labs shipped models capable of finding and exploiting zero-days at industrial scale, and chose opposite philosophies about what to do with that. Anthropic restricted Mythos. OpenAI broadened GPT-5.4-Cyber. The split is interesting. The fact that we are now arguing about it is the real story.
Nicholas Carlini, one of the Mythos researchers, said in Anthropic's video that he had found "more bugs in the last couple of weeks than I found in the rest of my life combined." That is the quote that should be making its way around CISO Slack channels. Whatever variants are not shipping under identity verification will reach the other side of the table on the same schedule.
I am not optimistic about how the current defensive playbook holds up against this. I am also not writing a call for panic. What follows is what I think the next two years should look like.
The math has already inverted
CrowdStrike's 2026 Global Threat Report found that 42% of the vulnerabilities exploited in 2025 were exploited before public disclosure, and that AI-enabled adversary operations were up 89% year over year. Mandiant's M-Trends 2026 found the median handoff between an initial-access broker and a secondary group has collapsed from over eight hours in 2022 to 22 seconds in 2025.
The most telling data point came from NIST. On April 15, the NVD officially gave up on analyzing every submitted CVE. Going forward, only KEV entries, federal software and EO 14028 critical software get full enrichment. Everything else is "Not Scheduled," which translates roughly to "good luck." When the authoritative national vulnerability database concedes it cannot keep up, the rest of the industry runs out of reasons to pretend otherwise.
Every marginal unit of AI capability favors the offensive side. The attacker has to find one way in. The defender has to close all of them. That asymmetry was always there; AI just made it the entire game.
Protecting everything was always a myth
The maximalist promise has been broken for twenty years. What "protect everything" actually meant in practice was patch the top of KEV, watch the perimeter, chase whatever alerts survived triage and hope the gaps weren't the ones the adversary was working on this week. It worked as an approximation because the adversary was human-bound on the other side. Same tempo, similar economics.
That approximation is breaking in public. You can't:
- Patch faster than Mythos can find new bugs
- Staff an SOC against 22-second handoffs between initial-access brokers and secondary groups
- Inventory every agent and MCP server a motivated employee can attach to a corporate AI tenant on a Saturday afternoon
The obvious response is to fight fire with fire: Glasswing, Trusted Access for Cyber, Microsoft Security Copilot, Big Sleep and the whole vendor wave. It helps but it does not rescue the maximalist model.
The defender's Mythos and the adversary's are not running the same search. A defender hunts for the bugs they need to fix. The adversary hunts for the smallest set they need to chain. Different prompts, different objectives and different target selection. Coverage on one side does not produce coverage on the other, and even when defense finds the bug first, AI compresses discovery, not deployment. The patch still has to ship through change windows, dependency trees and the political economy of IT. Marcus Fowler at Darktrace Federal made the operator version of this point: "Faster or deeper analysis does not automatically translate to faster or more effective risk reduction."
Defensive AI is necessary, but it is not a rescue. You still have to prioritize what to protect.
How does one pick? In Part 2 of this 3-part series, I'll lay out the organizing principle that changes the expected loss equation: working backwards from the data.