From the desk of the CISO: How will Mythos change vulnerability discovery?
Why AI‑driven vulnerability discovery shifts advantage toward attackers and what security leaders should prepare for next
Takeaways
- AI changes the economics of vulnerability discovery. Large language models can surface flaws at a pace and scale that removes discovery as the primary constraint, fundamentally altering how vulnerabilities enter the ecosystem.
- Attackers gain first‑discovery advantage over time. Modeled scenarios show attackers discovering the majority of new vulnerabilities within a few years, meaning defenders increasingly respond to issues adversaries may already know about.
- Remediation speed matters more than detection. In an AI‑accelerated landscape, security outcomes depend less on finding vulnerabilities first and more on how quickly organizations can assess, prioritize and patch exposed systems.
From the desk of the CISO is written by Arve Kjoelen, Chief Information Security Officer (CISO) at Barracuda. It focuses on the strategic implications of security trends, not just the technical mechanics behind them. These posts are intended for security leaders who need to understand what is changing, why it matters, and where to focus next — often before there is clear industry consensus.
Anthropic’s Mythos research (April 2026) demonstrated that AI models can find software vulnerabilities and generate working exploits faster than human researchers. State-sponsored groups are already using these capabilities. As AI models improve, so will every attacker’s access to them.
No public analysis has modeled what this means for the CVE landscape over time. Will there be a dramatic and sustained increase in the number of published CVEs? More importantly, who will discover the vulnerabilities first — defenders or attackers — and how will that balance change over time?
Four scenarios predicting how large language models (LLMs) will impact CVE discovery, data from ai-hype.ai, May 6, 2026
We address these questions with a five-year model across four scenarios, varying LLM capability (60–80%) and the share of the vulnerability backlog discovered each year (10–30%). Even the most conservative scenario produces a surge in published CVEs in the first year as AI rapidly uncovers the enormous backlog of flaws already present in deployed software.
The most important finding is not the volume — it is the shift in who finds the vulnerabilities. Across all four scenarios, the attacker share of CVE discovery rises from one-in-three today to between 55% and 72% by year five. Defenders will increasingly be reacting to vulnerabilities that attackers already know about. The core challenge shifts from finding vulnerabilities faster to fixing them faster.
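To make the mechanics of a scenario model like this concrete, here is a hypothetical toy simulation written for this post; it is not the ai-hype.ai model, and the backlog size, new-flaw rate, baseline CVE volume and attacker growth factor are assumed values chosen only to show how a depleting backlog and compounding attacker access shape CVE volume and first-discovery share.

```python
"""Toy backlog-depletion model of AI-assisted CVE discovery.
Hypothetical illustration only: the mechanics, constants and outputs are
assumptions made for this example, not the model published at ai-hype.ai.
"""
from dataclasses import dataclass


@dataclass
class Scenario:
    llm_capability: float          # fraction of latent flaws AI can surface (page: 60-80%)
    backlog_share: float           # fraction of remaining backlog examined per year (page: 10-30%)
    years: int = 5
    backlog: float = 100_000.0     # assumed latent flaws in deployed software at year 0
    new_flaws_per_year: float = 5_000.0  # assumed flaws introduced by new code each year
    baseline_cves: float = 20_000.0      # assumed pre-AI annual CVE volume (human discovery)
    attacker_effort: float = 0.5   # relative to defender effort 1.0 -> one-in-three share today
    attacker_growth: float = 1.35  # assumed yearly growth in attacker access to capable models


@dataclass
class YearResult:
    year: int
    published: float
    remaining_backlog: float
    attacker_share: float


def simulate(s: Scenario) -> list[YearResult]:
    """Run the scenario year by year; return CVE volume and attacker first-discovery share."""
    remaining = s.backlog
    attacker_effort = s.attacker_effort
    out = []
    for year in range(1, s.years + 1):
        attacker_effort *= s.attacker_growth              # attacker access compounds each year
        ai_found = remaining * s.backlog_share * s.llm_capability
        remaining = remaining - ai_found + s.new_flaws_per_year
        # Defender effort is held at 1.0: bounded by triage and disclosure throughput.
        share = attacker_effort / (attacker_effort + 1.0)
        out.append(YearResult(year, s.baseline_cves + ai_found, remaining, share))
    return out


def first_year_surge(s: Scenario) -> float:
    """Ratio of year-one published CVEs to the pre-AI baseline."""
    return simulate(s)[0].published / s.baseline_cves


if __name__ == "__main__":
    for r in simulate(Scenario(llm_capability=0.7, backlog_share=0.2)):
        print(f"year {r.year}: {r.published:,.0f} CVEs, attacker share {r.attacker_share:.0%}")
```

Varying `llm_capability` and `backlog_share` across the page's ranges shows the same qualitative shape in every case: a year-one surge that fades as the backlog depletes, while the attacker share keeps rising because defender throughput, not discovery, is the fixed constraint.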
Next steps
My last post on this topic covered the operational risks presented by these AI capabilities. Readers are encouraged to revisit that article to review the recommended action steps for improving remediation speed, exposure management and resilience. These are increasingly important in an environment where attackers may hold a first-discovery advantage.
To support continued scrutiny and debate, we’ve also published the underlying model and assumptions behind this analysis as an interactive experience. Visit https://ai-hype.ai/ to explore the scenarios, challenge the inputs, and track how AI-driven vulnerability discovery evolves over time.
This is an ongoing area of research. Follow the Barracuda blog for upcoming posts in this series, including updates to the model, real-world signals from CVE data, and deeper analysis of what these shifts mean for security leaders.