
Preemptive Security Automation: What Claude Mythos Confirms

In April 2026, Anthropic released performance data from Claude Mythos Preview alongside Project Glasswing, a restricted-access initiative involving AWS, Microsoft, Google, Cisco, CrowdStrike and more than 40 other organizations.

Author: Zynap Team


The findings document a significant step in AI-assisted offensive capability. They also fit a pattern that several major threat intelligence reports had already identified.

Mythos Preview found thousands of high- and critical-severity vulnerabilities across every major operating system and web browser. It produced 181 autonomous Firefox JavaScript exploits, compared to two from the previous model. Complex multi-vulnerability exploit chains were developed for under $2,000. On CyberGym, the cybersecurity benchmark, it scored 83.1% against the previous model’s 66.6%. The Bank of England, the Federal Reserve and the UK AI Security Institute each issued formal responses within days of the announcement.

What the Breach Data Shows About Identity and Credential-Based Attacks

The public response to Mythos has focused heavily on zero-days and exploit chains. The breach investigation data from 2026 points somewhere else.

Palo Alto Networks Unit 42 analyzed more than 750 high-stakes incidents for its 2026 Global Incident Response Report. Identity weaknesses were exploited in 89% of investigations. 65% of initial access was driven by identity-based techniques, primarily credential misuse and social engineering. Vulnerabilities accounted for initial access in 22% of attacks.

The Verizon 2026 Data Breach Investigations Report found stolen credentials involved in 32% of all breaches. 88% of web application attacks used stolen credentials. Phishing initiated 16% of breaches directly.

CrowdStrike’s 2026 Global Threat Report documented that 82% of detections were malware-free, with intrusions moving through authorized identities and trusted systems rather than traditional attack tooling.

Across all three reports, identity and credential-based access was the dominant initial vector by a significant margin. AI-assisted vulnerability discovery will change the volume and speed of vulnerability weaponization. Whether it shifts the initial access picture is a question the incident data will answer over time.

The IBM 2025 Cost of a Data Breach Report adds one relevant data point: generative AI has reduced the time to craft a convincing phishing email from 16 hours to 5 minutes. The social engineering picture is likely to become more complex regardless of what happens at the vulnerability layer.

Why Proactive Threat Detection Requires More Than Patching

Mandiant’s M-Trends 2026 report puts mean time to exploit at negative seven days. In a growing number of cases, exploitation is occurring before a patch is released. The median time from vulnerability publication to active exploitation has dropped to under five days. In 2020, the average time-to-exploit was 745 days. By 2025 it had fallen to 44 days.

CrowdStrike recorded an average eCrime breakout time of 29 minutes in 2025, with the fastest observed at 27 seconds.

For context: 60% of breaches in 2025 involved known vulnerabilities where a patch was available but had not been deployed. 32% of identified vulnerabilities remained unpatched for more than 180 days.

Most enterprise patch cycles operate on timelines longer than five days. Patching remains a necessary layer of defense. Given the Mandiant data, it is unlikely to be sufficient on its own.

The Preemptive Security Automation Framework

Gartner named preemptive cybersecurity one of its top strategic technology trends for 2026. We covered how Gartner defines the category in detail in an earlier post. Gartner identifies four security postures, each describing a meaningfully different operational approach:

| Posture | When it acts | Current limitation |
|---|---|---|
| Reactive | After compromise | Operates after the fact by definition |
| Preventive | Before threats materialize, manually | Patch velocity cannot match discovery rates |
| Proactive | Before incidents form, continuously | Intelligence requires automation to produce action |
| Preemptive | Before the attack lands, automatically | Requires operational depth, context and integrations |

Continuous monitoring and threat hunting surface meaningful signals. The challenge is connecting those signals to action quickly enough to matter. In most security operations, threat intelligence and security operations run as separate functions with a manual handoff between them. That handoff introduces delays.

Preemptive security automation is about shortening or removing that handoff. When threat context meets a defined threshold, the system acts, blocking, containing, isolating or triggering defensive workflows, without waiting for a human review step.

Gartner projects preemptive cybersecurity will represent 50% of all security spending by 2030, up from under 5% in 2024. Global information security spending is projected at $244.2 billion in 2026. The AI-amplified security market is projected to grow from $49 billion in 2025 to $160 billion by 2029.

Three Security Automation Capabilities for Preemptive Defense

Our guide to AI security operations workflows covers this in more depth. The Mythos findings, read alongside the Unit 42, CrowdStrike and Verizon data, make three capabilities worth examining.

Proactive Threat Detection with Attacker Context

Indicators of compromise are a starting point, not a complete picture. What drives accurate decisions is understanding adversary TTPs: how a specific threat actor combines phishing with credential abuse and cloud misconfiguration, and which assets are exposed in the specific customer environment. This requires continuous correlation between external threat intelligence and internal context, not periodic scanning.

Automated Containment

When threat context meets a defined threshold, the system acts without waiting for analyst review: automated blocking, isolation and containment triggered directly by the intelligence layer. Our incident response automation guide covers the implementation for security teams and MSSPs.

Continuous Threat Exposure Management

This means treating exposure as an ongoing operational program rather than a periodic audit. Continuous threat exposure management (CTEM) connects what exists in the environment to what adversaries are actively exploiting, and initiates response at that intersection without waiting for a scheduled review cycle. As Zynia Labs has documented, credential harvesting and phishing infrastructure operate through design patterns that sit outside the software vulnerability layer. A complete CTEM program needs to cover both.
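To make the threshold-to-action handoff described in the three capabilities above concrete, here is an added example (not Zynap's code or any product's logic): a small decision function that correlates one external intel item with internal asset context, scores the exposure, and fires an automated action only once a defined floor is crossed, routing lower scores to a ticket or to monitoring. The weights, asset names and the CVE id are constructed placeholders.

```python
"""Threshold-gated preemptive response: external intel x internal asset context -> action."""
from dataclasses import dataclass

@dataclass
class ThreatIntel:            # external context from an intel feed
    indicator: str            # e.g. a CVE id (constructed placeholder below)
    actively_exploited: bool  # confirmed in-the-wild exploitation
    confidence: int           # feed confidence, 0..100

@dataclass
class Asset:                  # internal context from inventory / CMDB
    name: str
    exposures: frozenset      # indicators this asset is affected by
    internet_facing: bool
    patched: bool
    critical: bool

# Highest floor first: (minimum score, action). Below 40 we only monitor.
THRESHOLDS = ((90, "isolate_host"), (70, "block_exposure"), (40, "open_ticket"))
AUTOMATED = {"isolate_host", "block_exposure"}   # fire without analyst review

def exposure_score(intel: ThreatIntel, asset: Asset) -> int:
    """0 when the intel does not apply; else intel weighted by asset context."""
    if intel.indicator not in asset.exposures or asset.patched:
        return 0
    score = intel.confidence
    score += 20 if intel.actively_exploited else 0   # constructed weights
    score += 15 if asset.internet_facing else 0
    score += 15 if asset.critical else 0
    return min(score, 100)

def decide(intel: ThreatIntel, asset: Asset) -> dict:
    """Return an auditable record: the score, the action and whether it fired."""
    score = exposure_score(intel, asset)
    action = next((a for floor, a in THRESHOLDS if score >= floor), "monitor")
    return {"asset": asset.name, "indicator": intel.indicator, "score": score,
            "action": action, "automated": action in AUTOMATED}

def run(feed: list, inventory: list) -> list:
    """Correlate every intel item with every asset; keep only applicable hits."""
    hits = [decide(i, a) for i in feed for a in inventory]
    return [h for h in hits if h["score"] > 0]

if __name__ == "__main__":
    cve = "CVE-0000-PLACEHOLDER"                  # constructed, not a real id
    intel = ThreatIntel(cve, actively_exploited=True, confidence=60)
    assets = [Asset("edge-proxy", frozenset({cve}), True, False, True),   # constructed
              Asset("build-box", frozenset({cve}), False, False, False),
              Asset("hr-portal", frozenset({cve}), True, True, True)]
    print(*run([intel], assets), sep="\n")       # edge-proxy isolated, build-box blocked
```

The returned records are the audit trail: they show the score, which floor was crossed and whether the action fired without review, which is the kind of evidence the regulatory discussion later in the post asks for.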

Security Automation for MSSPs: Changing the Unit Economics

For MSSPs, the Mythos findings add weight to conversations many are already having with clients about AI-accelerated threats. Organizations in financial services, government and regulated industries are asking practical questions about operational readiness, and the quality of those conversations has sharpened.

When alert volume rises faster than analyst capacity, the cost of delivering each client engagement increases. That is a business problem as much as an operational one. Preemptive security automation can change that relationship. When automated workflows act on threat intelligence before incidents form, alert volume falls and analyst time shifts toward work that requires human judgment.

The IBM 2025 Cost of a Data Breach Report found that organizations using AI extensively in security operations saved an average of $1.9 million per breach and reduced the breach lifecycle by 80 days. The efficiency gain on the defense side is measurable.

Higher-margin services become viable when analyst capacity is freed from reactive triage: threat intelligence operationalization, credential monitoring and offensive security simulation.

The operational prerequisite is an integration layer that works across the existing client stack, without requiring clients to replace deployed tools and without locking the MSSP into a single vendor. Security orchestration across a fragmented stack is what makes this transition commercially viable for most MSSP operations.

For Enterprise Security Teams in Financial Services and Government

Two things stand out in the Mythos findings for these sectors.

The first is exposure. The vulnerabilities Mythos identified span the operating systems, browsers and virtualization infrastructure in use across both sectors. The Mandiant data on negative mean time to exploit makes it harder to rely on patch schedules as a primary protective measure. The IBM 2025 report puts the average breach cost in financial services at $5.56 million.

The second is regulatory. Organizations operating under NIS2, DORA or equivalent frameworks face increasing requirements to demonstrate security posture improvement in practical terms. Preemptive security automation produces outcomes that can be documented: reductions in mean time to detect, fewer escalated incidents and records showing the security operation acted before impact rather than after.

On AI Capability and the Security Automation Platform Layer

Mythos has already prompted a response across the security market, and more AI-native security products will follow.

At Zynap, we think the more useful question is not which products use AI, but which systems have the operational context to act on what the AI surfaces. Knowing a vulnerability exists is one thing. Knowing which assets in a specific client environment are exposed, mapping that to relevant adversary behavior, and triggering an appropriate response requires integrations, workflow ownership and threat intelligence context that vary significantly by environment.

Anthropic’s own approach with Glasswing reflects this. The $100 million in model credits went to organizations that already had the operational depth to act on what the model found. Model capability and the operational capacity to use it are two separate things.

The WEF Global Cybersecurity Outlook 2026 surveyed 804 executives including 316 CISOs across 92 countries. 94% agreed that AI is now the single most significant driver of cybersecurity change. One in three organizations still has no process to validate AI security before deployment.

That gap is where a significant part of current security investment is focused. At Zynap, it is where we are focused too.

Zynap is the cybersecurity automation platform for MSSPs and enterprise security teams. We connect fragmented security operations and turn threat intelligence into automated action across your existing stack, powered by AI agents and built for preemptive security.
