Mythos is no surprise. Here is what I was saying nine months ago.
99% of the vulnerabilities Mythos found are still open. The patching debt does not date from April 2026, it just stopped being invisible.

The statement Anthropic released on 7 April 2026 announced that one of its models, named Claude Mythos Preview and kept under wraps since it was built, had identified more than two thousand unknown zero-day vulnerabilities in seven weeks of testing, some of which had survived twenty-seven years of human review. More than 99% of these flaws were still uncorrected on the date of the announcement. The industry should have stopped short at that figure, debated its implications, mobilised its committees, and in the days that followed all we heard was a cautious, faintly embarrassed silence, whose political reading probably deserves more attention than the announcement itself, because a collective silence in the face of a revelation of this scale looks less like a reaction than an admission.
July 2025, a phone call
Nine months before that statement, a student in an executive MBA in cybersecurity, Amed Atchamou, a senior consultant, had asked me for an interview as part of his dissertation on technical debt seen from the governance side. I had chosen not to prepare my answers so as to let whatever would come, come, and we spent half an hour drawing up, without realising it, the exact map of the situation that Mythos now makes unavoidable.
Here is what I told him that day, in substance.
On the volume that had become unmanageable, long before AI multiplied it a hundredfold: _"I s_ee scans running every week that return three or four thousand vulnerabilities each time they run. Are we really going to patch three thousand or four thousand vulnerabilities? No, it makes no sense."
On what we really expect from AI, said before Mythos existed: "I no longer need an AI tool to tell me what my vulnerabilities are. It is to tell me what deserves to be patched."
On the root of the problem: "the real problem does not come from a lack of will, but from a lack of understanding of the stakes."
And the one I repeat every time I am given the chance to speak: "95% of problems come from the human factor."
Nine months later, Anthropic publishes a figure that says the same thing in another language. 99% of the vulnerabilities found by Mythos remain open because the human factor in cybersecurity goes well beyond the unfortunate click on a booby-trapped link, and because it above all includes the repeated, organisational, structural decision not to patch, taken by everyone, in silence, on every floor of the company.
What Mythos confirms
The reading error in the media coverage of the April announcement was to treat Mythos as a revelation when the model revealed nothing that the annual reports had not already been saying for years. It merely amplified the obvious until it became impossible to dodge.
The 99% unpatched announced by Anthropic is a remediation statistic, not a discovery one, and it belongs to a long series that the profession has preferred to ignore. The Edgescan Vulnerability Statistics 2025 report documents that more than 45% of the vulnerabilities discovered in large organisations remain uncorrected after twelve months, and sector studies converge on an even heavier finding, with more than 88% of the flaws identified remaining open beyond six months after disclosure. When you switch from the register of raw figures to that of real attacks, the KEV catalogue maintained by CISA, which lists the CVEs currently exploited in ongoing cyberattacks, shows that the majority of the flaws actively used by attackers date from 2018, 2019, 2020 or 2021, that is to say five to seven years old for holes that remain open in production infrastructures in 2026.
The conclusion to draw from this convergence has long been known to anyone willing to look at the figures. The problem was never on the discovery side but on the side of what organisations do, or do not do, once vulnerabilities are identified, and the dubious merit of Mythos is to have made that obvious fact impossible to dodge any longer.
The diagnosis in four points
What the July 2025 conversation made it possible to lay out, and what Mythos brutally confirms, comes down to four organisational observations that we have known for a long time without having managed to treat them seriously.
The first touches on leadership responsibility. Technical debt presents itself as an IT subject when it is fundamentally business, badly translated by the technical functions. As long as a CISO explains to his executive committee that he has fifteen thousand vulnerabilities to patch, the committee politely loses interest, because that figure means nothing to them. When the same CISO manages to say that coverage of the critical vulnerabilities in his scope represents a residual exposure of several million euros, or that the security score of their infrastructure conditions partnership opportunities with other companies in the group, the subject rises to the top instantly. I experienced this with a client recently, where the CEO thanked me personally for having had as many vulnerabilities patched as possible because it was unlocking business discussions for him with sister companies in the same group.
The second concerns the alignment of incentives inside the organisation. Operational teams are rewarded on application stability and patching regularly threatens that stability, which amounts to saying that the organisation itself mechanically punishes the act of patching while at the same time demanding that vulnerabilities be dealt with. No one in this setup is acting irrationally, everyone optimises for the indicators that grade and assess them, and it is precisely this local rationality, perfectly consistent with the incentives in place, that produces the systemic accumulation of debt. As long as the ops team's KPI rewards availability at the expense of posture, the ops team will do its job correctly and the debt will keep growing, regardless of the technical quality of the tools deployed and the number of scans run.
The third concerns prioritisation noise. A scan without contextualisation produces findings of very unequal operational weight, and the criticality displayed by the tool can diverge radically from the real criticality in the audited environment. Last year, on a pentest, the external team had classified a vulnerability as critical because the manual said critical, whereas in context that vulnerability assumed the attacker had crossed an IP whitelisting triggered by an Azure VPN, itself protected by two-factor authentication, with three authorised users. Once that attacker had reached the server where exploitation became technically possible, I had other worries than this specific vulnerability. Patching that finding would have required a maintenance window, engineering time and a risk of regression on a stable environment, and we argued for a week to get it accepted that criticality out of context is not the same as real criticality. You only have to multiply that discussion by the thousands of findings Mythos is going to inject into remediation pipelines to understand that the organisational asphyxiation on the horizon is no fantasy.
The fourth is the most uncomfortable because it moves the problem outside the cyber scope. I had told Amed the story of a Marseille taxi driver I had met a few weeks earlier, who had himself told me he had spent two hours on the phone with one of his colleagues whose online accounts were being emptied in real time, Sony, PlayStation Network, Amazon, one after another, because the poor man used the same password everywhere. When I asked him whether he had changed his own passwords after watching that digital collapse live, he replied that he still used the same password everywhere, with no particular embarrassment, as if his colleague's experience had nothing to do with him. This cognitive inertia in the face of available knowledge and verified consequences works in exactly the same way inside companies, and twenty years of recommendations repeated by the authorities, the vendors and the consultants have done nothing to change the frequency with which default passwords are found on internet-facing servers in production. Mythos adds nothing to this diagnosis, except the useful reminder that repeated education is no substitute for strategy.
What really changes in April 2026
If nothing has fundamentally shifted in the diagnosis, a single element does make the post-Mythos situation qualitatively different from the pre-Mythos situation, and that element is the temporal asymmetry between discovery and exploitation.
Until now, technical debt could be treated as a time bomb whose timer ticked slowly, because the delay between the discovery of a vulnerability and its actual exploitation in a real attack remained long enough for a properly organised team to catch up, prioritise, patch before the blast. That delay has progressively collapsed, falling from 771 days in 2018 to under four hours today for the median time between discovery and a working exploit, and with Mythos, soon followed by the equivalent models other labs will produce, it now tends toward zero.
Anthropic estimates that it will take between twelve and eighteen months for capabilities comparable to Mythos to emerge among other players, including potentially adversaries. This window has more of the countdown than the reprieve about it. Project Glasswing, the closed consortium that brings together AWS, Apple, Google, Microsoft, JPMorgan Chase, the Linux Foundation and some forty other critical players, organises coordinated disclosure on 90-day cycles, which means that thousands of vulnerabilities are going to enter the public domain progressively, in waves, by shared dependency, and that the organisations that consume software downstream of these ecosystems, that is to say pretty much all of them, are going to have to absorb a flow that none of them has sized to absorb.
When I ran a Vulnerability Management engagement a few months ago at a French construction giant, the internal diagnosis was brutal. The entire cycle, detection, prioritisation, remediation, follow-up, was out of sync because the objectives of the different teams were incompatible with one another. Detection had its KPI, prioritisation its own, remediation a third, each team did its job correctly within its scope, and the system, for its part, never converged. That is exactly the kind of organisation that is going to implode under Mythos pressure, and it is representative of what you find in most large structures as soon as you look under the hood.
And that is without mentioning the organisations that have not even started. The ransomware suffered by a company that contacted me afterwards, triggered because their provider, part of an Orange subsidiary, refused to patch a telephone server located at the client's site, with a default password password1, a domain admin account, a Windows Server 2012 never secured or patched, is not an exceptional incident but a preview of what awaits organisations that have stayed behind on the fundamentals.
So what do we do now
The question is no longer how to patch faster, a false trail that leads straight to operational exhaustion, because no team, no budget and no tool will be able to absorb a flow of several thousand findings a week in the artisanal model inherited from twenty years of scanner-centric culture. Three shifts deserve to be started right now, before the window closes.
First, change the question put to the scan, moving from do we have it to is it exploitable in our context, a shift that seems trivial but that requires contextualising every finding with the map of flows, the access posture, the compensating controls and the real exposure. NIS2 and DORA now impose this mapping, the majority of organisations still have not done it, and when I ask them for it they look at me wide-eyed. This mapping has become, in April 2026, the number one prerequisite for operational survival.
Next, redirect investment toward the function that most organisations really lack, namely the capacity to close vulnerabilities rather than to discover them, which goes through automated and tested deployment pipelines, through patching windows contracted with the business lines, and above all through a redesign of operational incentives so that the act of patching stops being punished by the internal grading system. As long as that redesign has not happened, adding discovery tools only serves to swell the backlog.
Finally, treat segmentation as a primary control instead of confining it to the compensating-control role it is assigned by default. If half the findings will never be patched within a useful window, the only strategy that holds up consists in reducing the effective attack surface by combining strong segmentation, conditional access, isolation of critical assets and behavioural detection over the grey zones, that is to say by taking up the doctrine applied for twenty years to OT environments because OT could not patch. The novelty Mythos brings is that from April 2026, IT finds itself in the same operational situation as OT.
Anthropic ultimately announced nothing revolutionary on 7 April 2026, because what would deserve that label is of another nature, that of what has not changed in twenty years despite all the signals the profession has sent itself. Mythos works as a mirror held up to an entire sector, and the image reflected corresponds precisely to what we have collectively refused to look at for two decades, namely that technical debt is a problem of governance, of incentives and of decision-making, whose resolution the industrialisation of discovery tools simply makes more urgent. The real question that now opens is no longer about the moment when we will finally patch, but about what we agree to keep not patching, and about how long that acceptance will hold before someone other than us decides, in our place, to put an end to it.
Main sources:
_ Anthropic, statement of 7 April 2026 on Claude Mythos Preview and Project Glasswing.
_ Edgescan Vulnerability Statistics Report 2025.
_ KEV catalogue maintained by CISA.
_ Cloud Security Alliance, AI Safety Initiative, whitepaper of 13 April 2026.
_ Conversation with Amed Atchamou, July 2025, as part of his executive MBA dissertation in cybersecurity.
Questions fréquentes
What is Claude Mythos Preview?
An Anthropic model, announced on 7 April 2026, which identified more than two thousand unknown zero-day vulnerabilities in seven weeks of testing, some of which had survived twenty-seven years of human review. More than 99% of these flaws were still uncorrected on the date of the announcement.
Why do 99% of the vulnerabilities found by Mythos remain open?
Because the problem lies on the remediation side, not the discovery side. Organisations decide, repeatedly and structurally, not to patch, because of internal incentives that reward application stability at the expense of security posture.
What really changes with Mythos in April 2026?
The temporal asymmetry between discovery and exploitation. The median delay between discovery and a working exploit, down from 771 days in 2018 to under four hours, now tends toward zero, which removes the window teams once had to prioritise and patch before the attack.
How can a CISO make technical debt heard by the executive committee?
By stopping presenting a raw number of vulnerabilities and translating the stake into business terms: residual exposure in euros, or the impact of the security score on partnership opportunities. The subject then rises to the top instantly.
What should you actually do in the face of the flood of findings?
Three shifts: contextualise every finding (is it exploitable in our context rather than do we have it), redirect investment toward the capacity to close flaws rather than to discover them, and treat segmentation as a primary control, drawing on OT doctrine.
Sources & méthodologie
- Anthropic, statement of 7 April 2026 on Claude Mythos Preview and Project Glasswing
- Edgescan Vulnerability Statistics Report 2025
- KEV catalogue (Known Exploited Vulnerabilities) maintained by CISA
- Cloud Security Alliance, AI Safety Initiative, whitepaper of 13 April 2026

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
