
After Mythos: Are You Ready for the Vulnerability Deluge?

A perspective on Mythos from Dr. Ferhat Dikbiyik, Chief Research & Intelligence Officer, Black Kite

Published

Apr 22, 2026

Authors

Dr. Ferhat Dikbiyik

I just got back from the SANS AI Cybersecurity Summit in Arlington. Two days, wall-to-wall conversations about AI and security, and a six-minute lightning talk that felt like it needed six hours. But the summit didn't start these conversations. It just confirmed they were happening everywhere. For the past week or so, the same questions have been landing in my inbox, on calls, and in personal conversations. By the time I landed, my inbox looked like a threat feed with a single IOC: Glasswing. Mythos. What is Black Kite doing about it?

Honestly, I get it. I've been bombarded with these questions from our customers in the last week, and I've just spent two days at a summit where this was essentially the only topic.

Two keynotes naturally captured the mood of the event.

Jacob Klein, Anthropic's head of threat intelligence, broke down exactly how adversaries have adopted AI. They started using it as a basic chatbot in May 2025, but by September, advanced persistent threats (APTs) had shifted to 80% automated and 20% manual attack chains. The crucial takeaway is that old methods still work. Stealer logs, leaked credentials, open RDP and SMB ports—AI is now accelerating the exploitation of those existing weaknesses, not replacing them. 

Then, Sounil Yu showed that with the right architecture, existing LLMs without Mythos can already discover many of the same vulnerability classes. The real limiting factor is compute, not access to frontier models. The Vulnerability Deluge — I keep seeing people try to coin a term for this, "Vulnpocalypse," "Vulnsplosion," and I'll just say it, I prefer Vulnerability Deluge — is already underway at some scale, regardless of whether Mythos ever sees a broad release.

The hype question: how much will CVE volume actually increase?

Will CVE volume go 10x this year? 3x? I genuinely don't know, and I'd be skeptical of anyone who tells you they do. There's real hype wrapped around this moment, and it's worth acknowledging. But here's what isn't hype: directionally, more vulnerabilities will be discovered, and more of them will be exploited, faster than before. That trajectory holds whether the multiplier is three or ten. Plan accordingly.

What customers are asking - and the bigger question behind it

A lot of you are asking whether Black Kite is incorporating these latest AI models into our platform. Honestly, I get why people are asking. It is a fair question, but the framing is often misleading. Claude Mythos is available to only a handful of large technology companies through a strictly controlled program. Other newly announced cyber-focused models were published just days ago. No serious vendor can responsibly integrate a model that just launched into a production environment at that speed. That is not how responsible AI deployment works. Black Kite uses frontier AI models and incorporates new capabilities as they become publicly available and production-ready, not as a marketing response to headlines. That's a deliberate choice, not a limitation.

But here's what I keep coming back to: the question "which AI model are you using?" is the wrong question. It always was.

What teams really need to know 

The real question is: when vulnerability volume increases past the baseline of 48,000+ CVEs we saw in 2025, when the volume doubles or triples, or goes 10x, does your TPCRM program have a framework to filter, prioritize, and act—or does it drown? That's the question. And it's the one Black Kite was built to answer.

Among all the CVEs published in 2025, around 800 of them were exploited in the wild. With AI-powered acceleration, both the number of vulnerabilities discovered and the number exploited will increase. 

Think about it this way: in 2025, roughly 800 out of 48,000+ CVEs were actually exploited in the wild. That's only about 1.6%. Even as discovery volume surges, that exploitability percentage is unlikely to jump dramatically. The challenge isn't the 48,000. It's finding the 800. And when AI accelerates discovery to 100,000 or 200,000 CVEs a year, finding the 1,600 or 3,000 that actually get weaponized across your specific vendor ecosystem is exactly the problem Black Kite is built to solve.

The Vulnerability Deluge is not a future scenario. It's the direction we're already moving in. Glasswing accelerates it. It doesn't solve it. And no AI model — however capable — solves the ecosystem problem of knowing which of your hundreds of vendors are exposed right now, which ones threat actors are watching, and what you're going to do about it before the weekend.

That's the work. And that's what we're here for.

Dr. Ferhat Dikbiyik is Chief Research & Intelligence Officer at Black Kite and a regular contributor to Black Kite Threat Research.

Managing the CVE surge in the age of Mythos: How Black Kite helps

  • AI-powered vulnerability intelligence: Maps CVEs to real-world exploitability and threat actor activity
  • FocusTags®: Connect global vulnerability events to specific vendors in your ecosystem - not every vendor, the ones that are actively exposed. 
  • Vulnerability Intelligence Brief™ (VIB™): Pinpoints exactly which vendors are running affected software
  • Ransomware Susceptibility Index® (RSI™): Identifies vendors actively on the radar of threat actors and likely to be breached by ransomware
  • The Bridge™: Enables vendor engagement at scale and replaces manual questionnaires with automated remediation guidance
  • Automated Blueprints - powered by BK AI Agent: Trigger-based workflows that operationalize response at scale. BK AI Agent moves beyond information retrieval to take action on your behalf. For example, when a FocusTag fires on a critical vendor, the platform doesn’t have to wait for someone to notice; BK AI Agent can automatically initiate vendor outreach via The Bridge™ based on criteria your team defines.
  • Centralized remediation dashboard: Enables teams to track progress across vendors without relying on manual queues that were never designed for this volume.