
Anthropic bets on EPSS about the next bug boom

Anthropic’s Mythos has sharpened a problem that vulnerability management programs were already struggling to contain: too many risks and too little clarity about which ones matter.

What changes with Mythos – and the AI-based class of vulnerability detection systems it represents – is the speed at which software flaws can be found and exploited.

That speed raises an immediate question for defenders: which vulnerabilities require action?

Anthropic pointed to one answer. In guidance related to its accelerated AI work, the company recommended the Exploit Prediction Scoring System (EPSS), a probabilistic model developed by the data scientists behind Empirical Security and published through FIRST, as a way to assess risk as the number of detections grows.

According to Anthropic, “Patch the KEV [CISA’s Known Exploited Vulnerabilities catalog] first, then everything above the selected EPSS threshold, and you will turn thousands of open CVEs into a manageable queue.”
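That two-step rule, written out as a small triage routine (an added example, not Anthropic’s or Empirical Security’s code); the CVE identifiers, EPSS probabilities, CVSS scores and KEV flags are constructed placeholders, and the 0.1 threshold is an assumption:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    epss: float    # EPSS probability of exploitation in the next 30 days
    cvss: float    # CVSS base score, kept only to contrast severity with likelihood
    in_kev: bool   # listed in CISA's Known Exploited Vulnerabilities catalog


# Constructed sample data; ids and scores are illustrative, not real records.
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", epss=0.020, cvss=9.8, in_kev=False),
    Finding("CVE-EXAMPLE-0002", epss=0.710, cvss=6.5, in_kev=False),
    Finding("CVE-EXAMPLE-0003", epss=0.100, cvss=7.2, in_kev=True),
    Finding("CVE-EXAMPLE-0004", epss=0.004, cvss=5.3, in_kev=False),
    Finding("CVE-EXAMPLE-0005", epss=0.350, cvss=8.1, in_kev=False),
]


def build_queue(findings, epss_threshold=0.1):
    """Return (act_now, deferred) following the KEV-first, then-EPSS rule.

    KEV entries come first regardless of score, then everything at or above
    the EPSS threshold; each group is ordered by EPSS descending. CVSS is
    deliberately not a sort key: it measures severity, not exploit likelihood.
    """
    by_epss = lambda f: f.epss  # noqa: E731
    kev = sorted((f for f in findings if f.in_kev), key=by_epss, reverse=True)
    rest = [f for f in findings if not f.in_kev]
    above = sorted((f for f in rest if f.epss >= epss_threshold), key=by_epss, reverse=True)
    deferred = sorted((f for f in rest if f.epss < epss_threshold), key=by_epss, reverse=True)
    return kev + above, deferred


def queue_ids(findings, epss_threshold=0.1):
    """Same queue as build_queue, reduced to CVE ids for easy inspection."""
    act_now, deferred = build_queue(findings, epss_threshold)
    return [f.cve for f in act_now], [f.cve for f in deferred]


if __name__ == "__main__":
    act_now, deferred = build_queue(SAMPLE)
    for f in act_now:
        print(f"act now  {f.cve}  {'KEV' if f.in_kev else f'EPSS {f.epss:.3f}'}  CVSS {f.cvss}")
    for f in deferred:
        print(f"deferred {f.cve}  EPSS {f.epss:.3f}  CVSS {f.cvss}")
```

Note that the constructed CVSS 9.8 entry lands in the deferred list: under this rule a high severity score alone does not move a CVE to the front of the queue.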

“EPSS uses the same probabilistic models that weather forecasters do,” Michael Roytman, founder and CTO of Empirical Security and one of the original authors of EPSS, told CSO. “It’s a prediction of what vulnerabilities are likely to be exploited somewhere on the Internet in the next 30 days.”

Roytman added, “We don’t mind the rain by always having an umbrella over our heads.”

Ed Bellis, CEO of Empirical Security, told CSO that Anthropic’s recommendations stand out because of who made them, not because EPSS is new. According to Bellis, it is the first time, to his knowledge, that a major language modeling provider has publicly endorsed a probabilistic, purpose-built risk prioritization model.

A system that is already under pressure

Mythos arrives as the vulnerability ecosystem is already under strain.

Recently, the volume of new vulnerabilities forced NIST to scale back enrichment of the National Vulnerability Database (NVD) to only certain CVEs. NVD enriches vulnerability reports with CVSS severity scores, a standard developed by FIRST, whereas EPSS estimates something different: the likelihood that a vulnerability will be exploited.

“The fact that they [NIST] are reducing the vulnerabilities they focus on [for CVSS] is because everything is human-driven,” said Bellis. EPSS, in contrast, is automated and can be applied to all CVEs, with scores published daily.

“It’s machine-driven, and it’s a machine learning model that ends up finding that vulnerability,” Bellis added. “Common risk management practice today doesn’t think about it from a machine learning, data-driven perspective, but it’s possible.”

According to Zero Day Clock, the average time to exploit a vulnerability after discovery will reach one hour this year, and only one minute in 2028, down from 2.3 years in 2018.

Security leaders balance promises with reality

Security vendors are increasingly incorporating EPSS scores into their systems.

According to Roytman, EPSS is now included in the products of more than 120 security vendors, including the CrowdStrike, Cisco, Palo Alto Networks, Qualys, and Tenable platforms.

“I don’t think some CISOs realize that EPSS has been widely adopted, but that adoption is good news for the industry,” James Robinson, CISO at Netskope, told CSO.

“EPSS, when used in [software flaws], is an important step to know if this exploitable vulnerability is applicable to your application or operation,” he said, adding that “the role that EPSS can play in identifying non-CVE vulnerabilities identified in Mythos and other future models is very useful.”

Aaron Weismann, CISO at Main Line Health, welcomed the early detection of vulnerabilities but questioned whether the guidance translates into sectors such as health care, telling CSO, “It will be interesting to see how those recommendations work in critical infrastructure – such as health care, utilities, government, and others – where rapid and automated patching can be challenging due to the proliferation of software and legacy software.”

Not all defenders accept EPSS or CVSS as an answer to the rapid discovery of vulnerabilities.

“Speaking directly: Both CVSS and EPSS are outdated in the ‘Mythos’ era and need to be reconsidered,” Ramy Houssaini, chief cyber solutions officer of Cloudflare, told CSO. “EPSS relies on delayed, 30-day historical data, but AI has shrunk time consumption to mere minutes. Instead of waiting for predictive analytics to prioritize human-speed patching, organizations must shift to real-time protection.”

Exposure management will go beyond CVEs

While most analyses of Mythos’ vulnerability detection capabilities focus on common applications where CVEs apply, its findings may reveal millions of other vulnerabilities that do not meet that definition. “The same process is happening across all clouds and applications, where no one is accounting for all those applications,” said Empirical Security’s Roytman.

“My request looks very different from yours, even if it is written in the same language,” he added. “So, if we think about that in a model that can extend to all exposure management, which may be a bigger problem than the CVEs themselves, we have to think about building predictive models for applications, clouds, configurations, vulnerabilities, and that’s another way to use existing security tools and build small, purpose-built models instead of having people do the work.”

In short, Mythos and competing AI models will soon be able to find millions and millions of vulnerabilities that would not fit into the CVE model. “We’re seeing businesses all the time that may have tens of millions of risk incidents, not to mention a lot of those error categories that will get in front of AI,” Bellis said.

“This is a problem, but the sky is not falling,” Roytman said. “There are ways to control it.”
