The Mythos Hype Index: Is AI really changing vulnerability discovery?
A data‑driven look at whether AI‑assisted vulnerability discovery is delivering on its biggest promises
Takeaways
- The predicted AI‑driven surge in CVEs has not materialized—yet. 2026 CVE growth remains slightly above historical trends.
- Attribution matters, and it is still rare. Fewer than 200 CVEs currently credit AI or LLM‑assisted discovery.
- Risk management fundamentals still outweigh headline CVE counts. Patch prioritization, asset visibility and exposure reduction remain better indicators of organizational risk than raw vulnerability volume.
From the desk of the CISO is authored by Arve Kjoelen, Chief Information Security Officer (CISO) at Barracuda. It examines the strategic implications of emerging security trends — not just the technical mechanics behind them. It is written for IT and security leaders who need to understand what is changing, why it matters and where to focus next — often before there is clear industry consensus.
Measuring AI claims against reality
Claims about artificial intelligence (AI)‑driven vulnerability discovery have escalated quickly over the last two years. Large language models (LLMs) were widely expected to uncover flaws at a scale that would overwhelm existing Common Vulnerabilities and Exposures (CVE) processes. Claude Mythos emerged in that context—as both a technical experiment and a testable prediction: if AI meaningfully accelerates vulnerability discovery, we should see it reflected in CVE volume and attribution data.
The Mythos Hype Index exists to answer a simple question with data rather than anecdotes: is the predicted surge actually happening? By benchmarking daily 2026 CVE growth against historical baselines, the index tracks whether AI’s promised impact is materializing—or whether expectations are outrunning observable results.
That framing follows directly from our earlier analysis on how Mythos could change vulnerability discovery. This post moves from theory to measurement.
Introducing the Mythos Hype Index
Consensus estimates and our own modeling predict a flood of new CVEs due to AI‑enabled vulnerability detection. But what if we are wrong? How will we know?
Our daily tracker compares 2026 CVE growth with prior years to see whether the flood is here. The calculation methodology is included at the end of this article.
Mythos Hype Score, May 12 2026
In January, we estimated somewhere around 55,000-60,000 CVEs would be published in 2026. Mythos and other LLMs should drastically increase this number, but we have not seen that uptick yet. And fewer than 200 CVEs credit LLMs.
What this means: signal versus enthusiasm
At a hype score of 94, the Mythos Hype Index reflects a gap between expectations and measurable outcomes. That does not mean AI‑assisted vulnerability discovery is failing—but it does suggest that its real-world impact is arriving more slowly, and more unevenly, than predicted.
There may be practical explanations. CVE publication pipelines remain constrained. Disclosure practices vary widely. Many organizations experimenting with AI‑assisted discovery may not be attributing tooling use at all. And some issues discovered by AI may never reach CVE status.
The implication is not complacency—it is prioritization. Patch management, asset visibility and exposure reduction remain more predictive of risk than headline CVE counts.
What’s next: watching for inflection points, not headlines
The Mythos Hype Index is designed to change over time. If AI‑assisted discovery begins to measurably alter vulnerability economics, the data should show it—first in attribution, then in volume and eventually in exploit timing.
That is what we are watching for:
- Sustained deviation from historical CVE growth curves
- Increased, consistent disclosure of AI‑assisted discovery
- Shorter discovery‑to‑exploitation timelines correlated with AI use
Until those signals appear, bold claims about AI “revolutionizing vulnerability discovery” should be treated as hypotheses, not conclusions.
Mythos gives us a way to test those hypotheses in public, with live data. As the year progresses, the index will either validate the hype—or quietly falsify it.
Both outcomes are useful.
As additional data emerges, we’ll share observations from CVE disclosures along with deeper analysis of how—and whether—these trends matter for security teams and business leaders. In the meantime, keep security controls current and follow the discussion here, and join us on LinkedIn and Reddit.
Methodology: How the Mythos Hype Index score is calculated
The index is the geometric mean of two sub‑scores, each scaled from 0 to 100:
- CVE Volume Score – how fast vulnerabilities are being published
- LLM Attribution Score – how often vulnerabilities publicly credit an LLM
Using the geometric mean (the square root of the product of the two sub‑scores) ensures that one strong signal cannot mask a weak one.
To determine the CVE Volume Score
- Count CVEs published since April 1, 2026
- Count publishing days (calendar days with at least one CVE; zero‑CVE days such as Sundays are excluded)
- Convert to a yearly rate = (CVEs published ÷ publishing days) × 365
This annualised rate is compared with a baseline (normal historical levels), and an average prediction (the expected surge). The result is converted to a 0–100 score, which is capped to avoid extremes.
To determine the LLM Attribution Score
- Count CVEs since February 2, 2026 that explicitly credit an LLM
- Divide by total CVEs in the same period
- The LLM attribution % = LLM‑credited CVEs ÷ total CVEs
The observed LLM attribution is compared with a target attribution of 12.8% (the share that would be expected if predictions were tracking). The result is again scaled to 0–100, capped at the limits.
Calculating the Mythos Hype Index
The two sub‑scores are combined using the geometric mean and rounded to determine the Index:
The Mythos Hype Index = √(CVE Volume Score × LLM Attribution Score)
Understanding the results:
- Below 50: Observed activity is tracking closer to predictions
- Above 50: Observed activity is tracking closer to baseline expectations
- Closer to 100: Predictions appear increasingly overstated
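The calculation above as an added Python sketch (not Barracuda's code). The page does not give the scaling formula, the baseline or the predicted rate, so the linear scaling, `BASELINE` (midpoint of the January 55,000-60,000 estimate), `PREDICTED` and all sample counts are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date, timedelta
from math import sqrt

# Assumptions, not values from the page's tracker:
BASELINE = 57_500    # midpoint of the January 55,000-60,000 estimate
PREDICTED = 100_000  # placeholder for the "average prediction"
TARGET = 0.128       # 12.8% target attribution (from the page)

def clamp(x, lo=0.0, hi=100.0):
    return max(lo, min(hi, x))

def annualised_rate(publish_dates):
    """(CVEs published / publishing days) x 365. Only dates that appear
    in the input count as publishing days, so zero-CVE days drop out."""
    per_day = Counter(publish_dates)
    return sum(per_day.values()) / len(per_day) * 365

def volume_score(rate, baseline=BASELINE, predicted=PREDICTED):
    # Assumed linear scale: 100 at baseline, 0 at the predicted surge.
    return clamp(100 * (predicted - rate) / (predicted - baseline))

def attribution_score(llm_credited, total, target=TARGET):
    # Assumed linear scale: 100 with no LLM credits, 0 at the target share.
    return clamp(100 * (1 - (llm_credited / total) / target))

def hype_index(vol, attr):
    return round(sqrt(vol * attr))

# Constructed sample: 160 CVEs on each day of April 1-14, 2026 except Sundays.
SAMPLE_DATES = [
    d for d in (date(2026, 4, 1) + timedelta(n) for n in range(14))
    if d.weekday() != 6 for _ in range(160)
]

if __name__ == "__main__":
    rate = annualised_rate(SAMPLE_DATES)          # 12 publishing days
    vol = volume_score(rate)
    attr = attribution_score(150, 25_000)         # constructed counts
    print(f"rate={rate:.0f} volume={vol:.1f} attribution={attr:.1f}")
    print("index:", hype_index(vol, attr))
    # One weak sub-score drags the index down regardless of the other.
    print("masking check:", hype_index(100, 0), hype_index(100, 25))
```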