The Vulnerability Deluge: 5 Questions Your Board Will Ask About Mythos and Other Frontier Models

Published

May 28, 2026

Authors

Jeffrey Wheatman

Introduction

Your board doesn't need to know all the details about a CVE, or even what the letters CVE mean. What they do need to know is whether the organization is exposed, whether the CISO has a handle on it, and whether the company is going to end up on the front page of the newspaper because of a vendor nobody ever worried about.

Mythos, Daybreak, and coming frontier models have changed the conversation and created the “Vulnerability Deluge,” a structural, accelerating, and dangerous surge in CVE volume that no team can patch its way out of. If you haven't had this conversation with your board yet, you will.

Here's the briefing.

What Mythos Actually Means at the Board Level

The headline is not the technical capability. The headline is the shift in business risk.

In April 2026, Anthropic announced Project Glasswing, deploying a frontier AI model called Mythos that can find and exploit software vulnerabilities at a scale no human team can match. It found thousands of high-severity flaws across major operating systems and browsers. It did this autonomously.

Here's what that means in practice. When a software flaw is discovered, there's supposed to be a window (days, weeks, sometimes months) during which the vendor patches it before the public, and attackers, find out. That window is called the exploit timeline, and the entire model of vulnerability management is built on the assumption that it exists.

That window is already gone. According to Mandiant data cited in the 2026 Supply Chain Vulnerability Report, the exploit timeline has already inverted to negative seven days. There is no patch. There is no warning. By the time your security team knows there's a problem, the problem is already active.

Mythos doesn't create this dynamic, but it accelerates it further.

For a board member, the question isn't "how does AI find zero-days?" The question is: "What does this mean for our exposure, and what are we doing about it?"

The 5 Questions Your Board Will Ask

1. "Are we using Mythos? Should we be?"

This question sounds like a technology question. It's actually a vendor strategy question.

The short answer is that Mythos and tools like it are not currently available to most organizations. They are frontier AI capabilities accessible to large enterprises with budgets in the range of $500,000 to $2 million per year. Your mid-market vendors almost certainly do not have access to them.

That matters because the 2026 Supply Chain Vulnerability Report published by the Black Kite Research Group™ found a stark security divide. Tier 1 enterprises using AI-powered scanning have reduced their average detection time to 14 days and remediation to 21. Tier 2 suppliers — the mid-market vendors and open-source maintainers that most large organizations depend on — still average 197 days to detect and 60 days to remediate.

Your board should understand that the value of tools like Mythos is not just that you might use them. It's that attackers are. And the softest targets in your ecosystem are the vendors who can't.

2. "Does this mean our vendors are already compromised?"

Maybe, maybe not! But it does mean your visibility into the question is likely inadequate and the response too slow.

One of the more unsettling facts from Anthropic's own disclosure: more than 99% of the vulnerabilities found by Mythos are currently under a 135-day responsible disclosure embargo. They haven't been published. They don't appear in CVE feeds. Your current vulnerability management process and tooling, whatever they are, cannot see them.

This is not a failure of your security team. It's a practical limitation of how the industry has always worked, and it's now a material gap.

The board-level framing: your vendor exposure is significantly larger than your current risk data reflects. That's not a scare tactic. That's a fact your directors need in order to make informed decisions about risk appetite and program investment.

3. "So do we need to audit every vendor now?"

No. And this is actually the most important thing to get right.

More than 48,000 CVEs were published in 2025 alone, an 18% increase year over year. The instinct to "patch everything" or "audit everyone" is understandable and also completely wrong. It didn't scale before Mythos. It definitely doesn't scale after.

The right answer — and this is where Black Kite's FocusTag® methodology earns its keep — is that the risk remains highly concentrated even as volume increases. Of those 48,000-plus CVEs, the Black Kite Research Group identified just 58 that posed a critical threat to supply chains. Those 58 represent the actual exposure problem.

The board question isn't "are we tracking 48,000 CVEs?" It's "do we have a framework that tells us which of those matter to our specific vendor ecosystem, right now?" That's the standard that should be set.

4. "Where is the real risk coming from?"

Upstream from where you're probably looking.

Here's the dynamic that the 2026 Supply Chain Vulnerability Report makes explicit: as large enterprises harden their perimeters with AI-powered tools, threat actors migrate downstream. They go where the defenses are weaker. That means your mid-market software vendors, your niche SaaS providers, your open-source dependencies.

Some 36.7% of discoverable risk now sits in what my friend and colleague Ferhat Dikbiyik, Black Kite's Chief Research and Intelligence Officer, calls the "long tail": the niche and mid-market suppliers that neither you nor they are monitoring with sufficient rigor.

Your supply chain does not break at the weakest vendor. It breaks at the most connected one. The board needs to understand that concentration risk (multiple critical business functions running through a single under-monitored third party) is the exposure that keeps risk officers up at night right now.

5. "What should we be doing differently?"

Stop asking whether you have enough data. Start asking whether you have a process to act on it.

The vulnerability deluge is not a future scenario. It's already underway, and Mythos accelerates it further. The structural problem most organizations face isn't a shortage of vulnerability data. It's the absence of a prioritization framework that connects global threat intelligence to their specific vendor ecosystem in real time.

Reactive vulnerability management (waiting for annual assessments, relying on vendor self-reporting, reviewing spreadsheets quarterly) was built for a world where zero-days required rare human expertise and months of effort. That world ended in April 2026.

What boards should be directing their security leadership toward is a shift from reactive assessments to what Ferhat calls "concentration-aware resilience": knowing which vendors carry the most connected risk, monitoring their exposure continuously, and having an automated way to act when something surfaces. Black Kite's The Bridge™ product exists precisely for this workflow: detect exposure via FocusTag®, send structured evidence to vendor security operations centers, and track remediation in real time.

That's the program model that fits the Mythos era.

What the CISO Should Bring to the Boardroom

The board conversation about Mythos is not a technical briefing. It's a business risk conversation, and it needs to be framed that way.

Three things worth putting in front of your directors:

  • The exposure gap is structural, not operational. Your team isn't missing things because they're not good enough. They're missing things because the data pipeline the industry relies on hasn't caught up to AI-accelerated discovery. That's a program architecture problem, not a personnel problem.
  • The concentration question is the right question. Boards understand concentration risk in financial portfolios. The same concept applies here. How many of your critical business processes run through vendors that haven't invested in modern detection capabilities? That's the number worth knowing.
  • Prioritization is the competitive advantage. The organizations that will weather the vulnerability deluge are not the ones with the most security staff or the biggest budgets. They're the ones with a framework that tells them, out of tens of thousands of CVEs, which ones are actively being exploited, which of their vendors are exposed, and what to do about it in hours instead of months.
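The concentration question (how many critical business processes run through an under-monitored vendor) and the prioritization question (which of tens of thousands of advisories actually touch our vendor ecosystem, and which are being exploited) both reduce to a ranking over vendors. The sketch below is an added illustration of that idea, not Black Kite's FocusTag® or The Bridge™ logic; the vendor names, business functions, CVE identifiers and the scoring weights are all constructed placeholders and assumptions. It also shows the second point in question 2: advisories still under disclosure embargo affect our vendors but never appear in a public feed, so tooling that only reads feeds cannot count them.

```python
"""Illustrative concentration-aware vendor prioritization.

Added example, not Black Kite's own methodology. All vendor names, business
functions and CVE identifiers are constructed placeholders; the scoring
formula and its weights are assumptions chosen to make the concept concrete.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Vendor:
    name: str
    critical_functions: List[str]  # business processes routed through this vendor
    detection_days: int            # how long the vendor typically takes to detect a flaw
    products: List[str]            # software from this vendor that we depend on


@dataclass
class Advisory:
    cve_id: str
    product: str
    actively_exploited: bool
    published: bool  # False = still under disclosure embargo, absent from public feeds


# Constructed sample ecosystem: one Tier 1-like vendor, two long-tail vendors.
VENDORS = [
    Vendor("payroll-saas-x", ["payroll", "hr-onboarding"], 21, ["payx-agent"]),
    Vendor("edge-cdn-y", ["web-storefront", "api-gateway", "auth-portal"], 197, ["y-edge"]),
    Vendor("niche-ocr-z", ["invoice-ingest"], 197, ["ocr-z"]),
]

# Constructed advisories; the CVE ids are placeholders, not real identifiers.
ADVISORIES = [
    Advisory("CVE-0000-00001", "y-edge", True, True),      # actively exploited, public
    Advisory("CVE-0000-00002", "ocr-z", False, True),      # public, not exploited
    Advisory("CVE-0000-00003", "payx-agent", True, True),  # actively exploited, public
    Advisory("CVE-0000-00004", "y-edge", False, False),    # embargoed: invisible to feed-based tooling
]

TIER1_DETECTION_DAYS = 14  # the report's Tier 1 average detection time, used as the baseline


def connected_risk(vendor: Vendor, advisories: List[Advisory]) -> float:
    """Assumed scoring formula:
    (critical functions depending on the vendor)
    x (1 + actively exploited advisories against its products)
    x (vendor detection time relative to the Tier 1 baseline, never below 1).

    A vendor with many dependent processes and a long detection lag ranks high
    even before an exploited advisory appears; an exploited advisory doubles it.
    """
    relevant = [a for a in advisories if a.product in vendor.products]
    exploited = sum(1 for a in relevant if a.actively_exploited)
    lag = max(1.0, vendor.detection_days / TIER1_DETECTION_DAYS)
    return len(vendor.critical_functions) * (1 + exploited) * lag


def rank_vendors(vendors: List[Vendor], advisories: List[Advisory]) -> List[Vendor]:
    """Vendors ordered from highest connected risk to lowest."""
    return sorted(vendors, key=lambda v: connected_risk(v, advisories), reverse=True)


def hidden_exposure(vendors: List[Vendor], advisories: List[Advisory]) -> List[str]:
    """Advisories that affect our products but are not yet published, i.e. the
    part of our exposure that a CVE-feed-driven process cannot see."""
    ours = {p for v in vendors for p in v.products}
    return [a.cve_id for a in advisories if a.product in ours and not a.published]


if __name__ == "__main__":
    for v in rank_vendors(VENDORS, ADVISORIES):
        print(f"{v.name:16s} connected risk = {connected_risk(v, ADVISORIES):6.1f}")
    print("embargoed advisories touching our vendors:", hidden_exposure(VENDORS, ADVISORIES))
```

With the constructed data the CDN vendor ranks first (three critical functions, a 197-day detection lag and an exploited advisory), and the niche OCR vendor outranks the payroll vendor despite having no exploited advisory, purely on connectivity and detection lag. That is the "most connected, not weakest" point in numbers, and the last line is the exposure a feed-only process would report as zero.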

That framework exists. The board's job is to demand it and fund it. The CISO's job is to deploy it.

The Bottom Line

Mythos is not an apocalypse. It's an acceleration. The rules didn't change — the pace did. Organizations that were already operating reactively just ran out of time to catch up.

If your board hasn't asked about this yet, they will. Walk in with answers, not just context. Show them you have the prioritization framework, the vendor visibility, and the program architecture to operate in a world where exploit timelines are measured in negative days.

If you don't have that yet, see how Black Kite maps your third-party cyber risk in real time.