
Mythos Is Hardening Enterprise Security. It's Also Softening Your Supply Chain.

Published

May 26, 2026

Authors

Dr. Ferhat Dikbiyik


Introduction

The most capable AI vulnerability scanner in the world found a 27-year-old flaw in OpenBSD that billions of automated tests had missed. It took Mythos, Anthropic's frontier AI model deployed under Project Glasswing, a matter of days.

That is a genuine step-change in defensive capability. It is also accelerating the vulnerability deluge, a CVE volume surge that is outpacing every reactive program in existence. And if you're responsible for a supply chain, the part nobody is talking about yet is where that deluge lands hardest.

The Capability Gap Is Real and It's Growing

Enterprises with the budget for advanced, AI-powered vulnerability scanning tools are hardening fast. Everyone else is standing still.

Our 2026 Supply Chain Vulnerability Report analyzed what happened to vulnerability detection and remediation timelines as AI-powered scanning became available to large organizations. The numbers are striking.

Tier 1 enterprises, the large-cap institutions with $500K–$2M/year to invest in frontier AI capabilities, have cut, or are positioned to cut, their average detection window to 14 days and their remediation window to 21 days. Their perimeters are getting harder.

Tier 2 vendors (mid-market companies, open-source maintainers, and niche suppliers) are averaging 197 days to detect and 60 days to remediate. They are still running manual scanners. They cannot afford Mythos, and they are not going to be able to.

This isn't a performance gap. It's a structural one. 

AI Risks Are Migrating Downstream

See the full AI risk migration data in the 2026 Supply Chain Vulnerability Report.

Attackers Follow the Path of Least Resistance

When one door hardens, threat actors don't stop. They find a different door.

Attacker migration is not speculation; it is the consistent pattern behind every major shift in enterprise security posture. As large organizations fortify their perimeters with AI-powered scanning, attackers adapt. They migrate downstream. They target the mid-market vendors, the open-source libraries, and the regional SaaS providers that sit inside your supply chain and outside your direct control.

The 2026 report puts a number on this: 36.7% of discoverable risk now lies in the long tail of niche and mid-market suppliers. That share is growing. And the Tier 2 vendors carrying that risk have an average of 197 days before they even know something is wrong.

Your enterprise perimeter is not your exposure. Your supply chain is.

The Vulnerability Volume Problem Compounds Everything

48,000 CVEs published in 2025. More than 200% growth in AI-related vulnerabilities since 2023. And exploit timelines are now running negative.

Mandiant data shows that as of 2025, attackers are exploiting vulnerabilities an average of seven days before they are publicly disclosed. That window widened from -1 day in 2024 to -7 days in 2025. As more actors deploy AI exploitation capabilities, including attackers running open-weight models that are bound by no responsible-disclosure timeline, that window will compress further.

This is the environment your Tier 2 vendors are operating in. They are working on a 197-day detection clock. The attacker is already inside seven days before anyone even knows there is a CVE.

The Verizon 2026 Data Breach Investigations Report, published last week, confirmed what we've been seeing in threat actor behavior for some time: for the first time in 19 years, vulnerability exploitation is now the number one breach entry point, accounting for 31% of breaches. Third-party breaches jumped 60%, and nearly half of all breaches now involve a vendor. Organizations take an average of 43 days to patch. 

The vulnerability deluge isn't a future scenario. It's the condition your supply chain is operating in right now.

The volume problem doesn't solve itself either. Our research team manually analyzed more than 1,240 high-priority CVEs out of 48,000 published in 2025. Of those, 329 were OSINT-discoverable and received FocusTags®. Only 58 posed what we'd classify as a Code Red threat: high exploitability, high impact, high supply chain exposure. Just 58, out of 48,000.

That is the prioritization challenge. The problem is not the volume itself; it is the absence of a framework to identify which 58 matter, in which vendors, right now.

What Mythos Does and Doesn't Change for Your TPRM Program

Let's be precise about what we're dealing with here.

Projects like Anthropic's Glasswing and OpenAI's Daybreak have demonstrated that AI can autonomously identify previously unknown flaws at scale. A model like Mythos scans source code repositories and finds deeply buried vulnerabilities that have evaded detection for decades. This is a meaningful advance for the organizations deploying it.

What it doesn't do:

  • It doesn't map which of your vendors are running affected software
  • It doesn't tell you which vulnerabilities are actively being targeted by threat actors right now
  • It doesn't monitor your third-party ecosystem continuously
  • It doesn't help your mid-market vendors who can't access it

Glasswing raises the volume of discovered vulnerabilities. It does not, by itself, raise your supply chain visibility or close the gap between your enterprise perimeter and the softer targets in your extended ecosystem.
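The funnel in the previous section (48,000 published, 1,240 analyzed, 329 OSINT-discoverable, 58 Code Red) and the list above of what a code scanner does not do (map affected vendors, attach active-exploitation context) together describe a prioritization pipeline. What follows is an added worked example of that pipeline in Python; it is not Black Kite's code and not the FocusTag® or Bridge™ implementation. It joins CVE records against a vendor inventory, keeps only pairs where a vendor actually runs the affected product, tiers each pair by exploitation evidence, impact, externally confirmable exposure and how widely the vendor is depended upon, and attaches the reasons so they can be sent to the vendor as structured evidence. The CVE identifiers, vendor names, products, scores, thresholds (CVSS 7.0, EPSS 0.5, 100 dependents) and the three tier names are assumptions constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Assumption: a vendor relied on by at least this many of your workflows or
# peer organizations counts as "high supply chain exposure".
CODE_RED_DEPENDENTS = 100
TIER_RANK = {"code_red": 0, "high": 1, "watch": 2}


@dataclass(frozen=True)
class Cve:
    cve_id: str
    product: str              # affected product, as named in vendor inventories
    cvss: float               # impact proxy, 0-10
    kev: bool                 # in a known-exploited catalog (actively targeted)
    epss: float               # predicted exploitation probability, 0-1
    osint_discoverable: bool  # exposure confirmable from outside the vendor


@dataclass(frozen=True)
class Vendor:
    name: str
    products: frozenset[str]  # what the vendor is known to run
    dependents: int           # how many of your workflows / orgs rely on it


@dataclass(frozen=True)
class Finding:
    cve_id: str
    product: str
    tier: str
    evidence: tuple[str, ...]  # reasons a vendor SOC can act on


def tier(cve: Cve, vendor: Vendor) -> Optional[str]:
    """Classify one (CVE, vendor) pair; None means no engagement is warranted."""
    exploited = cve.kev or cve.epss >= 0.5      # targeted now, or very likely to be
    high_impact = cve.cvss >= 7.0
    if not (exploited or high_impact):
        return None
    if exploited and high_impact and cve.osint_discoverable:
        # Code Red only when the exposed, exploited vendor is widely shared.
        return "code_red" if vendor.dependents >= CODE_RED_DEPENDENTS else "high"
    return "watch"


def evidence(cve: Cve, vendor: Vendor) -> tuple[str, ...]:
    """Human-readable reasons that travel with the finding to the vendor."""
    reasons = [f"{vendor.name} inventory lists {cve.product}"]
    if cve.kev:
        reasons.append("listed as known-exploited")
    if cve.epss >= 0.5:
        reasons.append(f"EPSS {cve.epss:.2f}")
    if cve.cvss >= 7.0:
        reasons.append(f"CVSS {cve.cvss}")
    if cve.osint_discoverable:
        reasons.append("exposure confirmed via OSINT")
    return tuple(reasons)


def triage(cves: list[Cve], vendors: list[Vendor]) -> dict[str, list[Finding]]:
    """Map each CVE onto the vendors that run the affected product, then rank."""
    by_product: dict[str, list[Vendor]] = {}
    for v in vendors:
        for p in v.products:
            by_product.setdefault(p, []).append(v)

    out: dict[str, list[Finding]] = {}
    for cve in cves:
        # A CVE no vendor runs never reaches the queue, whatever its score.
        for vendor in by_product.get(cve.product, []):
            t = tier(cve, vendor)
            if t is None:
                continue
            out.setdefault(vendor.name, []).append(
                Finding(cve.cve_id, cve.product, t, evidence(cve, vendor)))
    for findings in out.values():
        findings.sort(key=lambda f: (TIER_RANK[f.tier], f.cve_id))
    return out


def summarize(result: dict[str, list[Finding]]) -> dict[str, int]:
    """Count findings per tier across all vendors."""
    counts = {t: 0 for t in TIER_RANK}
    for findings in result.values():
        for f in findings:
            counts[f.tier] += 1
    return counts


# Constructed sample data: identifiers, products, vendors and scores are invented.
SAMPLE_CVES = [
    Cve("CVE-2025-0001", "acme-payroll-server", 9.8, True, 0.91, True),
    Cve("CVE-2025-0002", "libfoo", 7.5, False, 0.62, True),
    Cve("CVE-2025-0003", "legacy-ftpd", 9.0, True, 0.80, True),   # nobody runs it
    Cve("CVE-2025-0004", "acme-payroll-server", 5.3, False, 0.02, True),
    Cve("CVE-2025-0005", "shipfast-api", 8.1, False, 0.10, False),
]
SAMPLE_VENDORS = [
    Vendor("AcmePayroll", frozenset({"acme-payroll-server", "libfoo"}), 4200),
    Vendor("ShipFast", frozenset({"shipfast-api", "libfoo"}), 150),
    Vendor("NicheTool", frozenset({"libfoo"}), 3),
]

if __name__ == "__main__":
    result = triage(SAMPLE_CVES, SAMPLE_VENDORS)
    for vendor_name, findings in result.items():
        for f in findings:
            print(f"{f.tier:9} {vendor_name:12} {f.cve_id}: {'; '.join(f.evidence)}")
    print(summarize(result))
```

Run stand-alone, the script drops the un-run legacy-ftpd CVE and the low-score payroll CVE, and the same libfoo flaw lands as Code Red for the two widely shared vendors but only as high for the three-dependent niche supplier. That last split is the point of the "right vendors" framing: the vulnerability is identical, the exposure is not.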

The Framework Question Is the Right Question

The question isn't whether your organization has access to frontier AI tools. The question is whether your TPCRM program can handle what happens when those tools accelerate CVE discovery across the market.

When vulnerability volume doubles or triples (and our data suggests this trajectory is already underway), programs built on periodic assessments and vendor self-reporting collapse under the weight of it. Reactive management cannot and should not be a strategy. It's a delay.

The programs that will hold up are the ones built around continuous monitoring, intelligent prioritization, and streamlined vendor engagement. Not every vulnerability. The right ones, in the right vendors, with evidence in hand.

The Bridge™ exists precisely for this reason. When a FocusTag® fires (meaning a vulnerability has been confirmed OSINT-discoverable in a specific vendor's exposed surface), the question becomes: how quickly can you send structured evidence to that vendor's SOC and track remediation? Not in days. Not in weeks. Immediately.

That's what automation makes possible. And it's what the gap between 14-day enterprise detection and 197-day mid-market detection ultimately demands.

The Risk Concentrates Where You Depend on It Most

Your supply chain doesn't break at the weakest link. It breaks at the most connected one.

The Tier 2 vendors accumulating risk are not peripheral to your operations. They are your operations: the payroll processors, the logistics platforms, the SaaS tools embedded in every workflow. They're shared vendors across thousands of organizations, which means a successful exploit doesn't affect one enterprise. It cascades.

Project Glasswing and Mythos are accelerating the discovery of vulnerabilities in code. Black Kite's role is different: mapping which of your vendors are exposed to those vulnerabilities, which threat actors are actively exploiting them, and compressing your response window before the 197-day clock runs out.

Glasswing raises the volume. Black Kite raises the signal-to-noise ratio.

Read the 2026 Supply Chain Vulnerability Report to see the full data on how AI is reshaping the TPCRM landscape and what a prioritization framework built for the deluge actually looks like.