TL;DR: Anthropic’s Claude Mythos autonomously found thousands of zero-day vulnerabilities, including bugs that survived 27 years of human review and millions of automated tests, according to Oasis Security. Exploitability-based prioritisation is no longer a safe assumption when AI can compress discovery and exploitation into hours.
At a glance
What this is: Claude Mythos showed that vulnerabilities once considered hard to exploit can still be turned into working exploits at machine speed.
Why it matters: IAM, NHI, and autonomous governance teams all have to reassess how they score risk, narrow exposure, and validate assumptions about who or what can act at runtime.
By the numbers:
- In a Firefox JavaScript engine benchmark, Mythos converted known vulnerabilities into working shell exploits 72.4% of the time.
- Some of the bugs found had survived 27 years of human review and millions of automated tests.
- Anthropic committed $100 million in usage credits and $4 million to open-source security organizations.
Context
Claude Mythos is a general-purpose AI model used in Anthropic’s Project Glasswing to discover and exploit software vulnerabilities at scale. The security problem is not that one model found bugs, but that long-standing assumptions about exploitability, review coverage, and remediation timing no longer hold when reasoning and code execution are accelerated together.
For identity programmes, the lesson is broader than vulnerability management. When attackers can use AI-assisted workflows to chain discovery into exploitation, access models built around slow human response windows, static exception handling, and infrequent review cycles become easier to break.
For autonomous systems, the implication is sharper still. The article suggests a future where the time between finding a weakness and weaponising it may be shorter than the time needed for a normal governance process to notice it.
Key questions
A: The assumption that exploitability stays low long enough for normal remediation breaks first. Once AI can iterate quickly through discovery and proof-of-concept generation, a bug that looked safe to defer can become actionable before the queue reaches it. That means exception logic, scoring models, and SLA-based triage all need reevaluation.
Q: Why do low-severity or long-standing bugs become more dangerous in AI-assisted attack scenarios?
A: Because age and prior testing no longer imply safety. The article shows that flaws can survive for years, even through millions of tests, and still be exploitable once a model can reason across code paths and keep trying. Organisations should treat reachability and privilege as stronger risk signals than age alone.
Q: How should teams prioritise patching when exploitability assumptions are no longer stable?
A: Prioritise by exposure, privilege, and business reach, not only by exploitability score. Public-facing assets, shared libraries, and systems with sensitive access should move ahead of less connected services. The goal is to reduce impact potential before attackers can convert latent weaknesses into working exploits.
Q: Who is accountable when an accepted vulnerability exception later becomes exploitable through AI?
A: Accountability should sit with the owners of the risk decision, not the attacker model. If a team accepted a vulnerability because it was thought to be hard to exploit, that decision needs a documented review path, a revalidation trigger, and clear ownership for revisiting the exception when the threat model changes.
Technical breakdown
Why exploitability scoring fails when AI can chain discovery into exploitation
Traditional vulnerability scoring assumes that a bug that is difficult for humans to exploit deserves a longer remediation window. Claude Mythos weakens that assumption by showing that code understanding, exploit construction, and trial execution can be compressed into a repeatable machine workflow. In practice, that means the boundary between discovery and exploitation is no longer governed only by adversary skill. It is also governed by model capability, compute budget, and the ability to automate retries across large vulnerability sets.
Practical implication: Revisit risk ratings for low-severity and low-exploitability findings, especially where public exposure or privileged code paths exist.
What autonomous exploit generation changes for patch management
The article’s key technical point is not just that AI can find bugs, but that it can operationalise them quickly enough to outpace ordinary remediation cycles. That creates a new operational tempo problem. If vulnerabilities can be proven exploitable before defenders finish triage, then patching is no longer a clean follow-on step. It becomes a race against machine-scaled validation and repeated attempt loops. The problem is amplified in software with broad deployment footprints, where one weakness can affect thousands of instances at once.
Practical implication: Shorten patch windows, pre-approve compensating controls, and treat internet-facing systems as high-risk until proven otherwise.
Why blast radius matters more when hidden flaws surface at scale
When AI tools can surface decades-old bugs, the issue shifts from whether a vulnerability exists to how far it can reach once discovered. That is a classic blast-radius problem. Systems with exposed services, embedded secrets, or elevated privileges become disproportionately dangerous because exploitation can move from proof to impact with very little manual effort. This is especially relevant where access tokens, administrative interfaces, or shared infrastructure can multiply the effect of a single successful exploit.
Practical implication: Reduce exposed privilege and sensitive data on public-facing assets before the next wave of AI-assisted discovery arrives.
Threat narrative
Attacker objective: The objective is to turn long-undetected software weaknesses into reliable exploit paths that deliver code execution or privileged access before defenders can respond.
- Entry begins when an attacker or model operator targets exposed software with latent flaws that are hard for humans to spot but accessible to automated reasoning and repeated execution.
- Escalation occurs when the model turns a discovered weakness into a working exploit, converting a dormant bug into actionable code without needing exceptional human skill.
- Impact follows when the exploit yields shell access, code execution, or privileged control over systems that were assumed to be protected by low exploitability.
Breaches seen in the wild
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
NHI Mgmt Group analysis
Exploitability-based prioritisation is now a shrinking control premise. Vulnerability management programmes have long treated “hard to exploit” as a defensible reason to defer remediation. Mythos shows that this assumption is increasingly fragile when discovery and exploit construction can be machine-driven at scale. The implication is not simply faster patching, but a different risk model for finding, ranking, and accepting exceptions.
Hard-to-exploit is becoming a time-based category, not a skill-based one. The article shows that a bug can remain hidden for years and still become practical in a short AI-enabled window once the right model capability exists. That changes the meaning of exploitability in NIST CSF terms and weakens any governance process that relies on human scarcity as a protection factor. Practitioners should treat exploitability as conditional, not permanent.
Identity blast radius is the right lens when AI-assisted exploitation accelerates. Once a vulnerability is found, the value of the target depends on what the compromised system can reach, impersonate, or sign for. That is an OWASP-NHI and ZT-NIST-207 concern at the same time, because exposed access paths often matter more than the bug itself. Teams should think in terms of privilege concentration and reachable trust chains, not just patch queues.
The named concept here is exploitability collapse. This is the point at which the gap between “possible to exploit” and “practical to exploit” stops being controlled by human expertise and starts being controlled by machine iteration. The concept matters because it breaks exception logic, review cadence, and many remediation SLAs at once. Practitioners need to assume that exploitability can change faster than their governance process can record it.
What this signals for governance is a move from static classification to adaptive verification. Security programmes that rely on one-time scoring, periodic review, or assumed difficulty are already behind the curve. The field now needs governance that can re-test assumptions continuously, especially where internet exposure, shared libraries, and privileged services intersect. The practical conclusion is straightforward: risk acceptance must be revisable at machine speed.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.
- Only 44% of organisations have implemented policies to govern AI agents, even though 92% agree governance is critical to enterprise security.
- That governance gap is why OWASP NHI Top 10 and related agentic controls are becoming operationally relevant now.
What this signals
Exploitability collapse: security teams should assume that the distance between “hard to exploit” and “actively exploited” is now measured in machine time, not review cycles. That shifts priority toward exposure reduction, privilege minimisation, and faster compensating controls across systems that can be reached externally.
With 80% of organisations reporting AI agents acting beyond intended scope in our research, the broader governance lesson is clear: runtime behaviour can outrun static policy faster than most programmes can measure it. The result is not just a vulnerability-management problem, but a control-assurance problem.
Practitioners should align vulnerability governance with adaptive trust models from NIST AI Risk Management Framework and OWASP Agentic AI Top 10, because AI-assisted exploit generation turns old assumptions into live exposure.
For practitioners
- Re-score low-exploitability findings against AI-assisted abuse scenarios. Review exception queues for vulnerabilities that were downgraded because they were considered hard to exploit. Re-test those decisions against machine-scaled exploit generation, especially for public-facing services and shared libraries.
- Shorten patch approval paths for exposed systems. Pre-approve compensating actions such as blocking public access, disabling vulnerable endpoints, or isolating affected services so teams are not waiting for the next change window before acting.
- Reduce reachable privilege on internet-facing assets. Remove unnecessary secrets, administrative interfaces, and elevated permissions from systems that can be reached externally, because AI-assisted exploitation turns exposure into a faster path to impact.
- Pressure-test detection for unknown latent flaws. Validate whether logging, telemetry, and runtime monitoring can spot exploitation attempts that emerge from old code paths rather than newly disclosed CVEs.
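One way to carry out the re-scoring and exception review from the list above, as an added example that is not from Oasis Security or NHI Mgmt Group. The field names, sample findings and weights are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    id: str
    exploitability: str             # scanner rating: "low", "medium" or "high"
    internet_facing: bool
    privileged: bool                # elevated permissions, or holds secrets/tokens
    shared_library: bool            # flaw sits in a component many services reuse
    exception_basis: Optional[str]  # why remediation was deferred; None = no exception

# Constructed sample queue (hypothetical IDs and values).
QUEUE = [
    Finding("F-001", "low", True, True, False, "exploitability"),
    Finding("F-002", "high", False, False, False, None),
    Finding("F-003", "low", False, False, True, "exploitability"),
    Finding("F-004", "low", False, False, False, "vendor_fix_pending"),
    Finding("F-005", "medium", True, False, True, None),
]

# Assumed weights: exposure, privilege and reach dominate; the exploitability
# rating still counts, but can no longer push an exposed asset down the queue.
WEIGHTS = {"internet_facing": 4.0, "privileged": 3.0, "shared_library": 2.0}
EXPLOITABILITY = {"low": 0.0, "medium": 0.5, "high": 1.0}

def exposure_score(f: Finding) -> float:
    reach = sum(w for attr, w in WEIGHTS.items() if getattr(f, attr))
    return reach + EXPLOITABILITY[f.exploitability]

def needs_revalidation(f: Finding) -> bool:
    """Exception was granted on 'hard to exploit' grounds for an asset that is
    exposed, privileged or widely reused, so the original premise is stale."""
    reachable = f.internet_facing or f.privileged or f.shared_library
    return f.exception_basis == "exploitability" and reachable

def retriage(queue):
    """Return (id, score, revalidate?) ordered by exposure-weighted score."""
    ranked = sorted(queue, key=lambda f: (-exposure_score(f), f.id))
    return [(f.id, exposure_score(f), needs_revalidation(f)) for f in ranked]

if __name__ == "__main__":
    for fid, score, revalidate in retriage(QUEUE):
        action = "REOPEN EXCEPTION" if revalidate else "keep"
        print(f"{fid}  score={score:4.1f}  {action}")
```

With the sample queue, the internal finding rated "high" by the scanner drops below a "low" finding in a shared library, and only exceptions whose recorded basis was exploitability are reopened.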
Key takeaways
- The article shows that “hard to exploit” is no longer a reliable reason to defer remediation when AI can turn latent bugs into working exploits.
- The scale signal is material: thousands of zero-days were found, including flaws that survived 27 years of human review and millions of automated tests.
- Practitioners should reduce exposure, shorten patch paths, and revalidate exception logic before machine-scaled exploitation reaches their environment.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | AI-assisted exploitation changes how organisations assess NHI exposure and attack paths. |
| NIST CSF 2.0 | PR.IP-12 | Patch and change management must keep pace with faster exploit proof cycles. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Reducing reachable privilege limits the blast radius of AI-assisted exploitation. |
Apply least-privilege access to externally reachable services and remove unnecessary trust paths.
Key terms
- Exploitability collapse: The point at which the gap between a bug being present and a bug being practically exploitable shrinks to near zero because machine reasoning and repeated attempts can do the work faster than human review. In practice, it makes old exception logic unreliable and raises the value of exposure-based risk scoring.
- Identity blast radius: The amount of reach, privilege, and downstream access a compromised system or credential can exercise once an exploit succeeds. For NHI and machine-facing systems, blast radius is often more important than the initial flaw because it determines how far compromise can spread.
- Compensating control: A temporary safeguard used when a vulnerability cannot be fully remediated immediately. This may include isolating a system, blocking public access, disabling a service path, or tightening privilege. The control is only useful if it can be activated quickly enough to matter.
This post draws on content published by Oasis Security: Claude Mythos and the End of 'Hard to Exploit'.
Published by the NHIMG editorial team on 2026-05-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org