Beyond Mythos: Why Cyber Defense Has to Accelerate
A foundational view on AI-accelerated vulnerability detection — and the high-speed responses required.
Executive Overview
Anthropic's Mythos is the headline. The real insight is about speed.
First, the speed of regulators. Financial regulators in five countries — the U.S., U.K., India, Japan, and Australia — moved publicly within weeks of Anthropic's announcement. That kind of coordinated regulatory response, that fast, is rare.
Second, the technology itself. AI is not just about intelligence — Mythos is making vulnerability detection dramatically faster, surfacing software flaws in days that lay dormant for decades. That means threat actors have many more ways to attack companies.
Both speeds point to the same conclusion: the threat operates on a new clock, and the tempo of business and regulatory response, and of technical response, need to improve now.
The current model of cybersecurity was not built for this clock. It assumes threats emerge, are detected, and are addressed on human timescales. That assumption no longer holds. As AI accelerates vulnerability discovery and attack preparation, a defense model built on patching and post-entry detection cannot keep pace.
The bottom line on the technical issue. It's Accelerated Vulnerability Detection (AVD). Vulnerabilities have always existed — AI is accelerating the rate at which they are discovered.
There are three lines of defense in cybersecurity. Two of them warrant quick attention given the speed of AVD.
The first line of defense is patching. Prioritized patching of critical vulnerabilities has to continue. But broadly accelerating patch management isn't viable — the volume is beyond capacity, and patches themselves carry operational risk.
The second line of defense is disrupting attacks before exploitation. A vulnerability isn't really a threat until an attacker breaks into corporate systems and exploits it. If patching can't keep up, the second line of defense has to interfere with the attack before it succeeds. Done well, this can be deployed in days — buying time for the longer work of patching, segmentation, identity, and endpoint protection to continue.
Regulators, the media, and corporate leaders should be advocating for both lines of defense — and pressing hardest on the second, because it is the one that can be deployed at the speed AVD demands.
The threat operates on a new clock. The pages that follow lay out the framework, and one tangible way to deliver on it: Celerium's DIB CyberDome and Cyber Interceptor.
"The threat is not the existence of a vulnerability. The threat is an attacker reaching it."
The Speed of Global Impact
When Anthropic announced in April 2026 that it would withhold Claude Mythos from public release and form Project Glasswing with JPMorgan Chase and a small list of technology partners, the financial sector mobilized within days.
Global financial regulators are moving — fast. Within weeks of Anthropic's announcement, financial regulators in five countries had moved publicly. In the U.S., Treasury Secretary Bessent and Fed Chair Powell convened the CEOs of the largest banks. In the UK, Bank of England Governor Andrew Bailey — also chair of the Financial Stability Board — called Mythos "a very serious challenge for all of us". In India, Finance Minister Sitharaman convened bank chiefs and the RBI on systemic AI risk; Japan and Australia followed. A single AI model has drawn direct, named attention from financial regulators in five countries in a matter of weeks. The coverage has been substantial. The clarity has not. Regulators rarely move this fast. They are moving this fast because the threat itself moves fast.
The Speed of AI-Powered Technology
What Mythos demonstrates — and what other AI systems from U.S. and Chinese laboratories will demonstrate over the months ahead — is the ability of advanced AI to dramatically compress the timeline of vulnerability detection. Software flaws that lay dormant for fifteen or twenty-five years are being surfaced in days. The pace at which these flaws are found is accelerating in a way that human-driven security research cannot match.
This is not a question of whether AI is smart enough to find vulnerabilities. The question is how fast AI is finding them. The term Accelerated Vulnerability Detection (AVD) focuses attention on what matters: the speed.
The scale matters. In 2025, before any meaningful AI acceleration, the National Vulnerability Database recorded approximately 48,000 new software vulnerabilities — nearly triple the 2019 figure. The current backlog of unpatched flaws across the U.S. economy exceeds 320,000. These numbers describe the pre-AVD baseline. They are what the cybersecurity profession was already failing to keep pace with before AI began compressing detection timelines further.
The First Line of Defense — Patching
Patch management is the obvious first step, and reprioritizing patches under AVD pressure is the right instinct. But to what degree can patching actually be accelerated? The starting point is the scale of what patching is already failing to keep up with — before any AVD acceleration.
"Annual published CVEs have nearly tripled since 2019 — and this growth occurred before any AI-driven acceleration in vulnerability discovery."
Chart 1 shows the multi-year trajectory. Chart 2 shows that 2026 is already on pace to extend it.
"Cumulative published vulnerabilities in 2026 are already running ahead of 2025 across the year to date." (Solid line: 2026. Dashed line: 2025.)
These charts describe the scale problem. They do not yet describe the harder problem.
The harder problem is velocity. For three decades, cyber defense has operated on human timescales. AVD changes the clock. Adversaries can now discover and weaponize at machine speed — speeds human-driven defense was never designed to match. Combine that with a backlog the industry has never been able to close, and the conclusion follows.
Patching alone cannot keep up.
The instinct under AVD pressure is predictable: a Manhattan Project for patching. The instinct is reasonable, and it fails — for three reasons. First, the 320,000 known unpatched vulnerabilities represent a backlog no organization has been able to close, even at current detection rates. Second, patches themselves carry operational risk; Microsoft patches alone have, on multiple recent occasions, broken production systems for thousands of enterprises. Third, and most important, accelerating patching solves the wrong problem. The threat is not the existence of a vulnerability. The threat is an attacker reaching it. That is where the second line of defense comes in.
A Second Line of Defense: Disrupting Attacks Before Exploitation
A vulnerability, in itself, is not a threat. It is a possibility — a flaw that could be exploited. It becomes a threat only when an attacker reaches it and exploits it. This distinction has always mattered in cybersecurity. Under AVD it becomes the central strategic point.
If patching cannot keep pace with detection — and it cannot — then the operational question shifts. The question is no longer "how do we eliminate every vulnerability before it can be exploited?" The question becomes "how do we prevent attackers from reaching and exploiting vulnerabilities while the longer-term work continues?"
This is a different category of defense — one that doesn't yet have a settled name in the industry. We propose Accelerated Exploitation Defense (AXD). As AI compresses the timeline of vulnerability detection, defense must compress the timeline of exploitation interference. The work of patching, segmenting, hardening, and structuring must continue. But it cannot continue alone. It needs a faster layer in front of it — one that buys time by interfering with attacks before they succeed.
What Accelerated Exploitation Defense Looks Like
Speed of deployment. A defensive measure that takes months to install cannot meet a threat that operates in days. In the current AI-threat environment, any Accelerated Exploitation Defense must be deployable in days, not months or quarters.
Speed of operation. Once deployed, the capability must respond to attacks in real time and adapt to threats that change in shape and origin during the engagement. AXD requires automated, adaptive response that updates continuously as attacks evolve.
Speed within the attack lifecycle. Defense applied late in the lifecycle — after attackers have entered systems and begun moving toward objectives — is inherently more difficult and more costly than defense applied early. AXD requires intervention at the earliest stages of an attack: at the reconnaissance phase, when adversaries are studying targets, and at the initial access phase, before they have entered the environment.
These three speeds are not aspirational properties of an ideal solution. They are the operational floor for any defensive capability that can credibly meet AVD-era threats. A defense that meets all three buys time. A defense that meets only one or two does not.
A Third Line of Defense: Post-Exploitation Containment
Patching vulnerabilities and disrupting exploitation attacks are both pre-exploitation defenses. A third line of defense operates after exploitation, working to contain what an attacker who has already gotten in can do, see, move to, or take. Many essential capabilities support this domain: endpoint detection and response, identity and access management, multi-factor authentication, network segmentation, encryption, and scope reduction. Under AVD pressure, none of these disciplines should be reduced — but none can absorb additional load without help, either. That is the case for putting a faster pre-exploitation layer in front of them.
A Tangible Way to Accelerate Exploitation Defense: DIB CyberDome and Cyber Interceptor
The capability we have built at Celerium is designed to meet each of the three speeds AXD requires. The solution family in the defense sector is called the DIB CyberDome — the Defense Industrial Base CyberDome. Within it, the initial specific solution is called Cyber Interceptor.
Speed of deployment is the first.
Cyber Interceptor can be deployed in approximately ninety minutes per firewall — often in thirty — and begins automated defensive operations within minutes of activation. There is no hardware to install, no agents to deploy on protected systems, no integration with security information platforms required. The capability is operational the same day a decision is made.
Speed of operation is the second.
Cyber Interceptor is built for high-speed operations. We have observed customer environments where attack volume escalated from approximately 2,000 attempts per month to more than 200,000 in a single month — a hundredfold increase that is only possible at machine speed. Cyber Interceptor scores incoming traffic against open-source and commercial threat intelligence, examines the specific threats each customer firewall is experiencing, and reoptimizes that firewall's defensive blocklist on average every fifteen minutes. The defense is adaptive, customized to each environment, and operates on the same clock as the threat. The underlying technology has been deployed to the Department of Defense for several years to support selected defense contractors, in partnership with the Department of Defense Cyber Crime Center.
Speed within the attack lifecycle is the third — and the most consequential.
Cyber Interceptor focuses on the earliest stages of an attack — the stages that happen before adversaries reach the systems they intend to exploit.
The logic is the same as missile defense. When a ballistic missile is launched, it travels along an arc toward its target. The defender's task is not to wait for impact. It is to detect the launch, track the trajectory, and intercept the missile before it reaches its destination. Modern missile defense is layered — it engages threats at multiple points along the arc, because no single layer catches every threat under every condition.
The DIB CyberDome is built on the same principle. Cyber Interceptor is the layer that does the actual interception.
Cyber attacks have an arc too. To make this concrete, consider a U.S. company with data centers at six locations. The arc of an attack on that company unfolds in stages — and Cyber Interceptor is designed to intervene at the earliest of them.
Stage 1: Reconnaissance — the adversary studies the targets
Long before any attack is launched, adversaries study their targets. From overseas, a threat actor probes all six U.S. data center locations — testing defenses, mapping access points, and trying to determine which sites are the most promising to attack.
Reconnaissance activity probes all six locations to identify the weakest points of access.
This phase can last hours, days, or months. It is quiet, persistent, and almost always invisible to the organizations being studied.
Stage 2: Cyber Interceptor disrupts the reconnaissance
This is where the first layer of the DIB CyberDome engages. Cyber Interceptor detects reconnaissance activity in progress and blocks much of it before the adversary can complete the picture they are trying to build.
Cyber Interceptor disrupts reconnaissance activity before the adversary can finish profiling the targets.
Disrupting reconnaissance has a compounding effect: the less an adversary learns, the harder the next stage becomes.
Stage 3: Initial access — the attack narrows to the highest-value targets
Some reconnaissance inevitably gets through. Based on what they learn, the adversary narrows their focus. Of the six locations they studied, only four are selected as the most promising to attack.
The adversary now shifts from studying to acting — launching initial access attempts against those four locations, attempting to slip past the perimeter and enter company systems.
The adversary concentrates the attack on the four locations identified during reconnaissance as most likely to yield successful access.
Stage 4: Cyber Interceptor blocks initial access attempts
Cyber Interceptor engages a second time, identifying the sources of these access attempts and blocking them before they reach company systems.
Cyber Interceptor blocks the initial access attempts before adversaries can enter the environment.
The combined effect: pre-exploitation defense.
By disrupting both reconnaissance and initial access, Cyber Interceptor deters and stops a meaningful portion of the threats that would otherwise reach internal systems and attempt to exploit vulnerabilities there.
The strategic value is straightforward. Every attack interrupted at reconnaissance or at initial access is an attack that never reaches the vulnerability behind it. Every hour of buying time is an hour the organization can use to advance the longer-horizon work — patch management, segmentation, identity systems, endpoint protection, encryption, and scope reduction — that AVD has made more essential, not less.
All three lines work together; under AVD, the second is the one that has to move fastest. For a fuller treatment of the third line and a capability-by-capability survey of all three, see the companion piece, The Third Line of Cyber Defense Under AVD: Capabilities and Limits.
The bottom line.
The accelerated speed of vulnerability detection requires an accelerated speed of exploitation defense. AXD is the response category. The three speeds — deployment, operation, lifecycle — are the operational requirements. The DIB CyberDome and Cyber Interceptor are designed to deliver on those requirements, and the underlying technology has been doing so in the defense sector for years.
The threat will continue. Mythos is the visible instance. Other AI systems, from American and Chinese laboratories, will follow. The category of threat is established. The category of response now needs to be as well.
Vince Crisler has more than 25 years of IT and cybersecurity leadership across the Department of Defense, federal government, and private sector. He previously served as White House CISO and was Founder & CEO of Dark Cubed, acquired by Celerium in 2022.
