You have 29 minutes. You are already losing 20 of them. And Mythos is not the problem
You are a CISO. It is 9:14 on a Tuesday morning. Your SIEM has just flagged a lateral movement alert. Twenty minutes later, you launch your first containment action. The attacker, meanwhile, needed only 29 minutes to move across your network.

You are a CISO. It is 9:14 on a Tuesday morning. Your SIEM has just flagged a lateral movement alert on a domain controller. You open the ticket. You look for context. You call the tier-2 analyst. You reread the logs. You waver between false positive and escalation. At 9:34, twenty minutes later, you finally launch the first containment action. Except the attacker needed only 29 minutes to go from initial access to lateral movement. Twenty-nine minutes is the average measured by CrowdStrike in 2025. The record observed: 27 seconds. In one documented case, data exfiltration began four minutes after the initial compromise. Four minutes. Your first reflex was to open a ticket. His was to steal your data.
This gap is not a technical problem, nor is it Mythos's fault. It is a decision problem.
What Mythos reveals about you
On 7 April 2026, Anthropic unveiled the results of its Claude Mythos Preview model. Within a few weeks of testing, the model autonomously identified thousands of unknown vulnerabilities across every major operating system and every major browser. Some of these flaws had existed for more than twenty years. One of them, in FreeBSD, allowed anyone on the Internet to take full control of a server, without authentication, remotely. The model found it, built the attack, and validated it. Without any human intervening after the initial request.
That is not what should keep you awake at night.
What should keep you awake at night is what comes next. The organization AISLE took that same FreeBSD flaw and submitted it to cheap AI models, accessible to everyone. Eight out of eight found it. The ability to discover critical flaws is already no longer the preserve of elite labs or intelligence services. It is available, today, to anyone who can phrase a question in English to a consumer tool. Anthropic estimates that models with capabilities comparable to Mythos will be widely available within six to eighteen months. OpenAI is developing a direct competitor.
And you, in the meantime, what exactly are you waiting for?
The real wall is not technological. It is in your head.
Back in January, I wrote in Siècle Digital that AI is above all a cognitive wave to absorb. That it changes not only what we do, but how we decide, how we delegate, and how we get things wrong. Mythos has just made that claim brutally concrete.
The problem is not that you lack access to Mythos. The problem is that you are not even using the tools already sitting on your desk. You have a coding agent. You have a subscription. You have code to audit. And yet you do not do it. Not because it is complex. Not because it is expensive. Because you have not yet decided that it was your job.
This is exactly the mechanism I have observed in the field across forty NIS2 assignments throughout Europe: identifying a risk and deciding to act are two radically different mental operations. The first is analytical. The second is existential. It engages your professional identity, your relationship to competence, your comfort with uncertainty. And that is precisely where the majority of defenders stay stuck.
You know these tools find things your commercial scanners miss. You have read it. You may even have tested it once, on a Friday afternoon, in exploratory mode. Then you went back to your usual processes. Because the usual process does not ask you to change who you are. It just asks you to keep doing what you already do.
That is human. That is understandable. And that is exactly what the attacker is counting on.
The comfort of process against the urgency of the real
There is a word to describe what most security teams do in the face of AI: they procrastinate structurally. Not out of laziness. Out of protection. Integrating a tool that challenges your way of working means accepting that your way of working was perhaps not good enough. It means admitting, implicitly, that flaws had been slipping through your nets for years. Nobody wants to make that admission. Least of all a CISO whose legitimacy rests on the idea that he controls the perimeter.
Except the perimeter has ceased to exist. Attackers no longer force doors. 82 % of the intrusions detected in 2025 involved no malware. Attackers log in with stolen credentials and use your own administration tools. They come in through the front door with your key. And while you look for a malicious signature that does not exist, they are already in your Active Directory.
The question is no longer whether your tools are up to date. The question is whether your defensive reflex is still suited to the speed of the attack. And the answer, for the vast majority of the organizations I work with, is no.
What it changes concretely
I am not going to give you a five-point checklist. That is not my register, and if you need a list to get started, the problem runs deeper than a list can solve.
What I will tell you is this: take a coding agent. Point it at a file you own. Ask it to look for exploitable vulnerabilities and write you a report. Read the report. Challenge it. Start again. That is all. One file. One question. One report.
Then compare the results with what your commercial tool found on the same scope. Look at the gaps. I guarantee there are some. Not because the agent is better. Because it is different. And because the combination of the two produces something that neither produces on its own.
This is not magic. This is not advanced research. It is professional hygiene in 2026. You do not need to understand the code to do it. You need to understand that your job has just changed.
The question nobody is asking you
AI will not replace you. But a defender who uses it will make you invisible. In cybersecurity, invisibility has a measurable cost: exfiltrated data, compromised systems, paralyzed organizations. This is not a career metaphor. It is an operational consequence.
So the question is not: do you have access to the right tools? You do. The question is not: do you have the budget? A subscription is enough to get started. The question is not even: do you have the technical skills? You need to know how to phrase a request in English.
The question is: are you capable of governing a system that moves faster than your usual reflexes?
If the answer is no, you have 29 minutes to think about it. The attacker needs only 27 seconds.
Questions fréquentes
Why does defense lose to attack according to the article?
Because the gap is not technical but decisional: while the defender opens a ticket and looks for context, the attacker has already moved forward. CrowdStrike measures 29 minutes on average to go from initial access to lateral movement, with a record observed at 27 seconds.
What did Claude Mythos Preview reveal?
Unveiled by Anthropic on 7 April 2026, the model autonomously identified thousands of unknown vulnerabilities across the major operating systems and browsers, including a FreeBSD flaw more than twenty years old allowing full remote takeover without authentication.
Is this capability reserved for elite labs?
No. The organization AISLE submitted the same FreeBSD flaw to cheap, consumer-grade AI models: eight out of eight found it. Anthropic estimates that models comparable to Mythos will be widely available within six to eighteen months.
What is the real obstacle to adopting these tools?
A mental obstacle, not a technical one. Teams procrastinate structurally, as a form of protection: integrating a tool that challenges their way of working would amount to admitting that flaws had been slipping through their nets for years.
Where do you start concretely?
Take a coding agent, point it at a file you own, ask it to look for exploitable vulnerabilities and write a report, challenge that report, then compare the gaps against those of the commercial tool on the same scope.
Sources & méthodologie
- Anthropic, Claude Mythos Preview (
- Christophe Mazzola, Siècle Digital, 14.01.2026 (
- CrowdStrike, Breakout time measurements 2025

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
