From the desk of the CISO: How will Anthropic’s Mythos change vulnerability discovery?
Why AI‑driven vulnerability discovery shifts advantage toward attackers and what security leaders should prepare for next
Takeaways
- Advanced AI models outpace humans in the discovery and exploitation of software vulnerabilities.
- Our five-year model predicts a sharp spike in CVE discovery in the first 12 months, followed by a sustained but slower rate.
- Within five years, attackers are projected to discover more vulnerabilities than defenders.
| From the desk of the CISO is authored by Arve Kjoelen, Chief Information Security Officer (CISO) at Barracuda. It examines the strategic implications of emerging security trends — not just the technical mechanics behind them. It is written for IT and security leaders who need to understand what is changing, why it matters and where to focus next — often before there is clear industry consensus. |
How advanced AI will impact the CVE ecosystem over five years
Anthropic’s Mythos research (April 2026) demonstrated that advanced AI models can now discover software vulnerabilities and generate working exploits faster than human researchers — and state-sponsored groups are already using these capabilities. As models improve, so will attackers’ access to them.
Yet no public analysis has examined what this shift means for the CVE ecosystem over time. Will we see dramatic and sustained surge in the number of published CVEs? More importantly, who will find them first — defenders or attackers — and how will that balance evolve as AI accelerates both sides?
Four scenarios predicting how large language models (LLMs) will impact CVE discovery, data from ai-hype.ai, May 6, 2026
We address these questions with a five-year model built across four scenarios, varying LLM capability (with models between 60–80% effective in finding vulnerabilities) and the share of the vulnerability backlog discovered each year ranging between 10–30% of the total number of existing but unidentified bugs.
Across all scenarios, even the most conservative, the first year produces a sharp surge in published CVEs as AI rapidly exposes the enormous backlog of latent flaws already present in deployed software.
More vulnerabilities will be found by attackers
The most consequential finding is not the volume — it is the shift in who finds the vulnerabilities. Across all four scenarios, my data analysis shows that the attacker share of CVE discovery rises from one-in-three today to between 55% and 72% by year five. That means defenders will increasingly be responding to vulnerabilities that attackers have already identified and potentially weaponized.
The center of gravity moves from finding vulnerabilities faster to fixing them faster — with patch velocity, exposure management and automated remediation becoming the decisive control points.
Next steps
My previous post outlined the operational risks presented by these emerging AI capabilities. I encourage readers to revisit that article to review the recommended action steps for improving remediation speed, exposure management and resilience. These actions are increasingly important in a world where attackers may have first discovery advantages.
To support continued scrutiny and debate, we’ve also published the underlying model and assumptions behind this analysis as an interactive experience. Visit https://ai-hype.ai/ to explore the scenarios, challenge the inputs and track how AI-driven vulnerability discovery evolves over time.
This is an ongoing area of research. Follow the Barracuda blog for upcoming posts in this series, including updates to the model, real-world signals from CVE data and deeper analysis of what these shifts mean for businesses.
2026 Email Threats Report
Learn how AI and phishing-as-a-service are reshaping the email threat landscape and how to stay protected
Subscribe to the Barracuda Blog.
Sign up to receive threat spotlights, industry commentary, and more.
The Managed XDR Global Threat Report
Key findings about the tactics attackers use to target organizations and the security weak spots they try to exploit