Post-Mythos Playbook: What every CISO should do right now

cybersecurity · April 13, 2026 · 7 min read

A few days ago I wrote about Anthropic's Claude Mythos and Project Glasswing. Thousands of zero-days across every major OS and browser, a 27-year-old OpenBSD bug, an autonomous sandbox escape with uninstructed exploit publishing. If you missed that one, read it first. I'm not going to rehash the capability story here.

What's new is that the Cloud Security Alliance just dropped their response: a practical action plan, live-edited by 250 CISOs, co-authored by Gadi Evron, Rich Mogull, and Rob T. Lee, with contributions from Jen Easterly (former CISA director), Bruce Schneier, Heather Adkins (Google CISO), and Katie Moussouris. That's not a typical whitepaper committee. That's the security establishment's consensus view on what to do.

I read it so you don't have to. Here's what actually matters.

The Reframe: Vulnpocalypse Lives in the Deployment Gap

This is the insight from Rich Mogull's follow-up that changed how I think about the problem.

Anthropic frames the solution as patching bugs. And Glasswing partners are doing exactly that. But "fix the code" and "fix the problem" are not the same thing. Over 99% of the vulnerabilities Mythos discovered were still unpatched at the time of the announcement. Patches will eventually arrive. But organizations can't deploy critical patches across their entire estate quickly. Many can't patch at all. Some don't even know what software they're running.

The real Vulnpocalypse doesn't live in GitHub. It lives in the deployment gap: decades of custom enterprise code, legions of unpatchable consumer devices, home routers that will never see an update, and operational technology environments that were already problematic on good days.

This matters because it reorders priorities. If you're thinking about this as a "scan harder and push patches faster" problem, you're missing where the actual risk sits.

The Hopeful Data Point: Defense in Depth Actually Works

Before the action plan, one finding from the Mythos testing that hasn't gotten enough press.

When Anthropic pointed Mythos at the Linux kernel, it found plenty of vulnerabilities: buffer overflows, use-after-frees, double-frees, many remotely triggerable. But after several thousand scans, it could not successfully exploit a single one of them remotely. The kernel mitigations held. Years of unglamorous hardening work converted exploitable vulnerabilities into unexploitable ones, even against a model explicitly designed to find exploits.

Where exploitation succeeded was in local privilege escalation against weaker boundaries. Hardening works. Boundaries work. The floor for exploit discovery is dropping fast, but converting bugs into working attacks is still a function of how much defensive engineering sits between the bug and the asset.

Your existing investments in defense in depth aren't obsolete. They're more important than ever. That's the lens to bring to everything below.


This Week: Get Your House in Order

The CSA structures its recommendations across three time horizons. Not because each item takes that long, but because that's when the value compounds. Here's the immediate triage.

  • Know what you actually run. You cannot ride the Glasswing patch wave without answering: what versions of what software run where, and who owns them? If your inventory is a quarterly spreadsheet, you already lost. Adopt tooling that stays current.

  • Get serious about SBOMs. Use dependency management tools to generate and maintain software bills of materials. You cannot fix what you don't know exists inside your code. This was a theoretical nice-to-have two years ago. It's survival tooling now.

  • Fix identity fundamentals. Stamp out static credentials, enable MFA everywhere, establish least privilege. This isn't new advice. But the cost of leaving gaps is about to increase substantially, so finish what you started.

  • Engage with Glasswing directly if you qualify. If you maintain critical infrastructure or widely used open source, get in the queue. Beyond the 12 headline partners, over 40 organizations already have access. Anthropic committed $100 million in usage credits.
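The inventory and SBOM items above only pay off when the SBOM is actually cross-checked against advisories as they arrive. The following is an added example, not code from the post or from the CSA plan: it parses a minimal CycloneDX-style SBOM and flags components whose version falls inside a simplified "introduced/fixed" affected range. The SBOM, the advisory IDs (ADV-EXAMPLE-*) and the range format are constructed for the example; real advisory feeds use richer schemas and this purl parser does not handle scoped npm names.

```python
"""Cross-check a CycloneDX-style SBOM against a list of advisories.

Added example, not from the post or the CSA plan: the SBOM and the advisories
below are constructed, and the advisory format is a simplified
"introduced/fixed" range rather than any real vulnerability database schema.
"""
import json
import re

# Constructed SBOM: minimal CycloneDX 1.5 JSON in the shape most SBOM tools emit.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "billing-api", "version": "3.4.0"}},
  "components": [
    {"type": "library", "name": "requests", "version": "2.25.1",
     "purl": "pkg:pypi/requests@2.25.1"},
    {"type": "library", "name": "openssl", "version": "3.0.8",
     "purl": "pkg:generic/openssl@3.0.8"},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21"}
  ]
}
"""

# Constructed advisories: the package is affected from `introduced` (inclusive)
# up to but not including `fixed`. IDs are placeholders, not real advisories.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "ecosystem": "pypi", "name": "requests",
     "introduced": "2.0.0", "fixed": "2.31.0"},
    {"id": "ADV-EXAMPLE-0002", "ecosystem": "generic", "name": "openssl",
     "introduced": "3.0.0", "fixed": "3.0.9"},
    {"id": "ADV-EXAMPLE-0003", "ecosystem": "npm", "name": "lodash",
     "introduced": "4.0.0", "fixed": "4.17.21"},
]

# Simple purl form: pkg:<ecosystem>/<name>@<version>. Scoped npm names
# (pkg:npm/@scope/name@1.0.0) are not handled by this example.
_PURL = re.compile(r"^pkg:(?P<ecosystem>[^/]+)/(?P<name>[^@]+)@(?P<version>.+)$")


def parse_version(v):
    """Turn '2.31.0' into a comparable tuple; non-numeric parts sort below numbers."""
    parts = []
    for piece in re.split(r"[.\-]", v):
        parts.append((1, int(piece)) if piece.isdigit() else (0, piece))
    return tuple(parts)


def parse_sbom(text):
    """Return [(ecosystem, name, version)] for every component that has a purl."""
    doc = json.loads(text)
    out = []
    for comp in doc.get("components", []):
        m = _PURL.match(comp.get("purl", ""))
        if m:
            out.append((m["ecosystem"], m["name"], m["version"]))
    return out


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_affected(components, advisories):
    """Return [(advisory_id, name, installed_version, fixed_version)] for
    every component that falls inside an advisory's affected range."""
    hits = []
    for eco, name, version in components:
        for adv in advisories:
            if (adv["ecosystem"] == eco and adv["name"] == name
                    and is_affected(version, adv["introduced"], adv["fixed"])):
                hits.append((adv["id"], name, version, adv["fixed"]))
    return hits


if __name__ == "__main__":
    for hit in find_affected(parse_sbom(SBOM_JSON), ADVISORIES):
        print("%s: %s %s is affected, fixed in %s" % hit)
```

Run against the constructed data it reports requests and openssl as affected and leaves lodash alone, because 4.17.21 is the fixed version and therefore outside the range. The point of the structure is that the SBOM is regenerated by the build while the advisory list changes daily, so the cross-check has to run on every new advisory rather than on a quarterly scan.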


Next 45 Days: Shrink Your Attack Surface

  • Shrink your patch cycle. Measure your current critical vulnerability velocity honestly. Count the days from disclosure to full deployment across your estate. If that number is measured in weeks for internet-facing services, your monthly patch cadence is obsolete. The traditional cycle was built for a world where adversaries needed weeks to weaponize disclosures. That window just collapsed to hours.

  • Stronger dependency management. Pin versions. Track provenance. Eliminate the dark corners where unreviewed libraries became load-bearing without anyone noticing.

  • Return to deep segmentation. Assume exploitation gets cheaper for everything unpatchable. Segment aggressively. Minimize blast radius. Treat every boundary as load-bearing. The kernel defense-in-depth result is the proof case: hardened boundaries turned bugs into non-events.

  • Prepare CI/CD for AI security steps. Mythos-class tools will arrive as build pipeline integrations, not quarterly scanners. If your pipelines can't host agentic security steps (long-running, stateful, iterative), start retrofitting now. The pipeline is the new security perimeter.

  • Migrate workloads to cloud where appropriate. Cloud environments are more defined and deterministic than traditional datacenters. That creates real advantages in inventory, patching, and rebuilding. This is defensive advantage, not just operational convenience.
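"Measure your current critical vulnerability velocity honestly" means the estate-wide number: days from disclosure until the last affected asset is patched, with unpatched assets still accruing days. The following is an added example, not code from the post or the CSA plan, that computes that number per advisory and reports breaches of a per-tier service-level objective, the metric the VulnOps function described later on the page would own. The deployment records, the tier names, the SLO values and the CVE-EXAMPLE-* identifiers are all constructed placeholders.

```python
"""Critical-patch velocity measured against a per-tier SLO.

Added example, not from the post or the CSA plan. The records, the SLO values
and the advisory identifiers are constructed placeholders; only the framing
(internet-facing critical fixes close in days, not weeks) follows the post.
"""
from datetime import date

# Constructed SLO: maximum days from public disclosure to full deployment.
SLO_DAYS = {"internet-facing": 3, "internal": 14, "ot": 30}

# Constructed reference date used for assets whose fix is still outstanding.
AS_OF = date(2026, 4, 13)

# Constructed records, one row per (advisory, asset). deployed=None means the
# fix has not reached that asset yet, so it keeps accruing days until AS_OF.
RECORDS = [
    {"advisory": "CVE-EXAMPLE-0001", "tier": "internet-facing", "asset": "edge-fw-01",
     "disclosed": date(2026, 4, 1), "deployed": date(2026, 4, 2)},
    {"advisory": "CVE-EXAMPLE-0001", "tier": "internet-facing", "asset": "edge-fw-02",
     "disclosed": date(2026, 4, 1), "deployed": date(2026, 4, 3)},
    {"advisory": "CVE-EXAMPLE-0002", "tier": "internal", "asset": "erp-app-01",
     "disclosed": date(2026, 3, 20), "deployed": date(2026, 4, 1)},
    {"advisory": "CVE-EXAMPLE-0002", "tier": "internal", "asset": "erp-db-01",
     "disclosed": date(2026, 3, 20), "deployed": None},
    {"advisory": "CVE-EXAMPLE-0003", "tier": "ot", "asset": "plc-gw-01",
     "disclosed": date(2026, 3, 1), "deployed": None},
]


def days_to_close(record, today):
    """Days from disclosure to deployment, or to `today` if still unpatched."""
    end = record["deployed"] or today
    return (end - record["disclosed"]).days


def velocity_by_advisory(records, today):
    """Return {advisory: {"tier", "days", "open"}}.

    `days` is the estate-wide number: time from disclosure until the slowest
    asset was patched (or until today for assets still open). `open` counts
    assets still waiting for the fix.
    """
    out = {}
    for r in records:
        entry = out.setdefault(r["advisory"], {"tier": r["tier"], "days": 0, "open": 0})
        entry["days"] = max(entry["days"], days_to_close(r, today))
        if r["deployed"] is None:
            entry["open"] += 1
    return out


def slo_breaches(records, today, slo=SLO_DAYS):
    """Return sorted [(advisory, tier, days, slo_days)] for every advisory whose
    estate-wide close time exceeds the SLO for its tier."""
    breaches = []
    for adv, e in velocity_by_advisory(records, today).items():
        limit = slo[e["tier"]]
        if e["days"] > limit:
            breaches.append((adv, e["tier"], e["days"], limit))
    return sorted(breaches)


if __name__ == "__main__":
    for adv, e in velocity_by_advisory(RECORDS, AS_OF).items():
        print(f"{adv}: {e['tier']}, {e['days']} days to full deployment, {e['open']} open")
    for adv, tier, days, limit in slo_breaches(RECORDS, AS_OF):
        print(f"SLO breach: {adv} ({tier}) at {days} days, limit {limit}")
```

Taking the maximum across assets, rather than the mean, is what makes the number honest: an advisory is not closed until the last affected asset is patched, and an asset with no deployment date keeps the clock running. On the constructed data the internet-facing advisory closes in two days and meets its SLO, while the internal and OT advisories breach because one asset each is still outstanding.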

Next 12 Months: Build for the New Normal

  • Extend zero trust into the datacenter. Most zero trust programs stopped at user-to-app authentication. The next wave has to cover east-west traffic and service-to-service trust inside your walls. If your services trust each other because they're on the same subnet, a single exploitable bug is all it takes.

  • Build multiple security boundaries. A single exploitable bug should not collapse your entire perimeter. Use layered segmentation and, ideally, multiple firewall vendors at critical choke points. This feels like overengineering until a CVE drops in your edge vendor's SSL stack.

  • Establish VulnOps as a permanent function. This is the key organizational shift from the CSA briefing. Vulnerability operations can't be a project or a quarterly exercise. It has to be a continuous, staffed capability that can absorb the volume of AI-generated discoveries. Think of it as SRE for security: not an incident response team, but the team that keeps your patch velocity at a service-level objective.
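The segmentation and east-west zero trust items above (deep segmentation in the 45-day list, and "if your services trust each other because they're on the same subnet" here) come down to one question a defender can actually compute: if this one host is compromised, what can it reach? The following is an added example, not code from the post or the CSA plan, that estimates blast radius under two trust models over the same service inventory: flat trust (anything in the same subnet can talk, plus an explicit cross-subnet allowlist) versus explicit-only trust (only allowlisted flows exist). It also lists the flows that exist purely by subnet adjacency, which is the implicit trust a zero trust rollout has to make explicit or remove. The services, subnets and allowlist are constructed, and the model deliberately ignores authentication: "reachable" means a network path of allowed flows exists.

```python
"""Blast-radius estimate for east-west trust: flat subnet trust versus an
explicit allowlist.

Added example, not from the post or the CSA plan. The services, subnets and
the allowlist are constructed; a service is "reachable" when a path of
allowed network flows exists, regardless of what authentication sits on it.
"""
from collections import deque

# Constructed estate: service -> subnet it lives in.
SERVICES = {
    "web-01": "dmz", "web-02": "dmz",
    "api-01": "app", "worker-01": "app",
    "db-01": "data", "backup-01": "data",
    "jump-01": "mgmt",
}

# Constructed allowlist of (src_service, dst_service, port). Under explicit-only
# trust, anything not listed is denied.
ALLOWLIST = [
    ("web-01", "api-01", 8443), ("web-02", "api-01", 8443),
    ("api-01", "db-01", 5432), ("worker-01", "db-01", 5432),
    ("backup-01", "db-01", 5432),
    ("jump-01", "api-01", 22), ("jump-01", "db-01", 22),
]


def flat_edges(services, allowlist):
    """Flat trust: every pair inside a subnet can talk, plus allowlisted flows."""
    edges = {s: set() for s in services}
    for a in services:
        for b in services:
            if a != b and services[a] == services[b]:
                edges[a].add(b)
    for src, dst, _port in allowlist:
        edges[src].add(dst)
    return edges


def segmented_edges(services, allowlist):
    """Explicit-only trust: only allowlisted flows exist."""
    edges = {s: set() for s in services}
    for src, dst, _port in allowlist:
        edges[src].add(dst)
    return edges


def reachable(edges, start):
    """Breadth-first search over allowed flows; returns everything `start`
    can reach, directly or through intermediate services."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in edges[cur]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


def blast_radius(services, allowlist, compromised):
    """Sorted reachable sets under both trust models for one compromised host."""
    return {
        "flat": sorted(reachable(flat_edges(services, allowlist), compromised)),
        "segmented": sorted(reachable(segmented_edges(services, allowlist), compromised)),
    }


def implicit_flows(services, allowlist):
    """Pairs that can talk only because they share a subnet: the east-west
    trust nobody ever reviewed. Each is a flow to allowlist explicitly or cut."""
    explicit = {(s, d) for s, d, _ in allowlist}
    out = []
    for a in services:
        for b in services:
            if a != b and services[a] == services[b] and (a, b) not in explicit:
                out.append((a, b))
    return sorted(out)


if __name__ == "__main__":
    radius = blast_radius(SERVICES, ALLOWLIST, "web-02")
    print("flat trust, web-02 compromised:", radius["flat"])
    print("explicit-only trust, web-02 compromised:", radius["segmented"])
    print("flows that exist only by subnet adjacency:", implicit_flows(SERVICES, ALLOWLIST))
```

On the constructed estate a compromised web-02 reaches five of the six other services under flat trust (the other web host by adjacency, api-01 by allowlist, then worker-01 and backup-01 by adjacency on the far side), but only api-01 and db-01 under explicit-only trust. The same allowlist, applied as the only source of trust instead of as an addition to subnet trust, is what shrinks the radius; the five implicit flows the last function reports are the review backlog for making that switch.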


Is This Really Y2K-Level?

Rich Mogull says yes, and emphasizes he doesn't use that comparison lightly. I agree, with an important caveat.

Y2K worked because we treated it as a systemic problem with a hard deadline and deployed national-level resources. Mythos is similar in scale but different in structure. There's no single deadline. The threat is continuous and accelerating. And you cannot wait for government assistance, because this is moving too quickly and governments have competing priorities.

The better mental model: familiar cyber risks, but compressed in time and expanded in scale. The same classes of vulnerabilities, found faster, exploited sooner, at a volume that overwhelms traditional response. Boards should expect their CISO to explain this compression effect in concrete terms, not just repeat the headline stats.

The Priority Order If You Can Only Do Three Things

The CSA is refreshingly clear on this. For most organizations, in order:

  1. Inventory. Everything else is theater if you don't know what you're running.

  2. Patch velocity. Days, not weeks, for critical internet-facing services.

  3. Segmentation. For everything you cannot patch fast enough (which will be most things).

The Bottom Line

None of the CSA's recommendations are revolutionary. That's actually the point. What's new isn't what you need to do. What's new is the cost of not doing it.

Glasswing alone won't save organizations, because the problem isn't just code. It's everything downstream of code. The organizations that start now on inventory, patch velocity, segmentation, and hardening get to use this transitional period productively. Those who wait will experience the storm the hard way.

Start today. Start small if you have to. But start.

Written by

Bruno Bonando

Fractional CTO and technology advisor. 23+ years shaping platforms for many companies across Europe and Latin America. Has had leadership roles at REWE, MediaMarktSaturn, Cazoo, and some others.
