Vulnerability management in the post-Mythos era
Cybersecurity 18.06.26
The release of Claude Mythos Preview by Anthropic demonstrated something the security industry has quietly feared for years: the ability of an AI model to find software vulnerabilities at scale, on its own. According to Anthropic, Mythos autonomously uncovered thousands of previously unknown flaws across operating systems, browsers and widely deployed open-source software – including bugs that had gone unnoticed for more than a decade.
While the specific vulnerabilities have reportedly been patched, the capability that found them is not going back in the box. Anthropic warns that the window before adversaries develop something equivalent may be only 6 to 12 months. For anyone responsible for defending an organisation, that reframes what vulnerability management (VM) must become.
What has changed for vulnerability management
It would be easy to file this under “AI hype”. But senior security leaders outside the AI industry, the people whose job is to be sceptical, are treating it as a genuine inflection point. The reason is simple: the economics of attack have shifted.
Until now, turning a newly disclosed vulnerability into a working exploit took skill, time and effort. That friction bought defenders a window of days or weeks to assess, prioritise and patch. AI compresses that window dramatically. The moment a flaw is disclosed, a capable model can help an adversary understand it, build an exploit and chain it with other weaknesses faster than most security teams can even triage the alert. The advantage now belongs to whoever moves first, and increasingly that is a machine. In Anthropic’s testing, an exploit chain that would historically take a skilled researcher days of focused work was built from a single vulnerability identifier in under a day, for less than US$2000.
Why this breaks conventional VM
Most vulnerability management programs were designed for a slower world. They run on scan cycles, monthly patch windows and risk registers reviewed in business hours. That cadence assumes you have time. AI-accelerated exploitation removes that assumption.
This doesn’t create an entirely new problem, but it intensifies one we already had. Unpatched, internet-facing and end-of-life systems have always been the soft underbelly of critical infrastructure, financial services, healthcare and energy. What’s changed is that the grace period between “known” and “exploited” has all but disappeared. Organisations slow to see and slow to act are now exposed in a way they weren’t a few years ago.
The new paradigm: continuous exposure management
“Patch everything” is not realistic, while “patch slowly” is now too dangerous. The discipline that replaces both is continuous exposure management: a shift from periodic vulnerability scanning to an always-on understanding of your real risk.
In practice, that means three things working together: complete and current visibility of every asset you own; prioritisation based on business impact and real-world exploitability, so effort goes to the weaknesses that actually threaten the organisation rather than chasing every listed vulnerability; and remediation that operates at the speed attackers now move, with deadlines measured from disclosure rather than from the next scan. Done together, those three things let a team stop reacting to scanner noise and start managing genuine exposure.
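The following is an added worked example, not code from ctrl:cyber or from any product mentioned on this page. It shows the three components above as one small prioritisation pass: an asset inventory (visibility), a score that weights scanner severity by exploitability, internet exposure, end-of-life status and business criticality (prioritisation), and a remediation deadline counted from disclosure (speed). The assets, findings, weights, tier thresholds and SLA values are all constructed and hypothetical; a finding on a host the inventory does not know about is deliberately treated as a top-priority inventory gap rather than being dropped, because that gap is itself the exposure.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example: a minimal risk-based prioritisation pass for continuous
# exposure management. Every asset, finding, weight and SLA below is
# constructed/hypothetical; none describes a real system or real policy.

@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    criticality: int          # 1 (low) .. 4 (crown jewel), set by the business-impact assessment
    end_of_life: bool         # vendor no longer ships fixes


@dataclass(frozen=True)
class Finding:
    id: str                   # constructed label, not a real vulnerability identifier
    asset: str
    cvss: float
    known_exploited: bool     # exploitation observed in the wild (e.g. a KEV-style feed)
    exploit_public: bool      # working exploit code is public
    disclosed: datetime


# Hypothetical remediation SLAs, measured from disclosure, not from the next scan.
SLA_HOURS = {"P1": 24, "P2": 72, "P3": 14 * 24, "P4": 30 * 24}
TIER_RANK = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}


def score_finding(asset: Asset, f: Finding) -> float:
    """Severity weighted by exploitability, reachability and business impact."""
    score = f.cvss
    if f.known_exploited:
        score += 4.0
    elif f.exploit_public:
        score += 2.0
    if asset.internet_facing:
        score += 3.0
    if asset.end_of_life:
        score += 1.5          # no patch coming: the action is isolate/mitigate, not wait
    score *= 1 + 0.25 * (asset.criticality - 1)
    return round(score, 2)


def tier(score: float) -> str:
    """Map a score to a priority tier (thresholds are illustrative)."""
    if score >= 14:
        return "P1"
    if score >= 10:
        return "P2"
    if score >= 6:
        return "P3"
    return "P4"


def prioritise(assets, findings, now):
    """Return findings as a remediation queue, most urgent first."""
    inventory = {a.name: a for a in assets}
    queue = []
    for f in findings:
        a = inventory.get(f.asset)
        if a is None:
            # Unknown asset: a visibility gap. Policy choice here is to treat it as P1
            # until ownership and exposure are confirmed, rather than silently skipping it.
            s, t, action = f.cvss, "P1", "reconcile inventory: unknown asset"
        else:
            s = score_finding(a, f)
            t = tier(s)
            action = "isolate or mitigate (EOL, no patch)" if a.end_of_life else "patch"
        deadline = f.disclosed + timedelta(hours=SLA_HOURS[t])
        queue.append({"id": f.id, "asset": f.asset, "score": s, "tier": t,
                      "action": action, "deadline": deadline, "overdue": now > deadline})
    queue.sort(key=lambda r: (TIER_RANK[r["tier"]], -r["score"], r["id"]))
    return queue


# Constructed sample data: fixed "now" so the output is reproducible.
NOW = datetime(2026, 6, 18, 9, 0)
ASSETS = [
    Asset("vpn-gw-01", internet_facing=True, criticality=4, end_of_life=False),
    Asset("hr-portal", internet_facing=False, criticality=2, end_of_life=True),
    Asset("dev-wiki", internet_facing=False, criticality=1, end_of_life=False),
]
FINDINGS = [
    Finding("F-1", "vpn-gw-01", 9.8, True, True, NOW - timedelta(hours=30)),
    Finding("F-2", "hr-portal", 7.5, False, True, NOW - timedelta(hours=2)),
    Finding("F-3", "dev-wiki", 5.3, False, False, NOW - timedelta(days=10)),
    Finding("F-4", "shadow-srv", 6.1, False, False, NOW - timedelta(hours=1)),  # not in inventory
]

if __name__ == "__main__":
    for r in prioritise(ASSETS, FINDINGS, NOW):
        print(f'{r["tier"]} {r["id"]:<4} {r["asset"]:<11} score={r["score"]:<6} '
              f'{r["action"]:<38} due={r["deadline"]:%Y-%m-%d %H:%M} overdue={r["overdue"]}')
```

Run as-is, the queue puts the internet-facing, crown-jewel VPN gateway with an actively exploited flaw first and already overdue (disclosed 30 hours ago against a 24-hour P1 SLA), the unknown host second as an inventory gap, the end-of-life HR portal third with an isolate/mitigate action because no vendor fix exists, and the low-criticality wiki last. The weights are the part to tune to your own environment; the shape of the pass (inventory join, exposure-weighted score, disclosure-anchored deadline) is what carries over.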
Why 24/7 is no longer optional
If exploitation can happen within hours of disclosure, at any hour, then a defence that only operates during business hours is, by definition, behind. Threats don’t keep office hours, and a vulnerability disclosed at 2am on a public holiday is just as exploitable as one disclosed mid-morning on a Tuesday.
Continuous exposure management only delivers its promise when there is a team continuously watching and continuously acting. For large enterprises, and for anyone operating critical or high-value systems, moving to a 24/7 model is no longer a luxury; it is now the baseline standard of care.
Making continuous defence a reality
ctrl:cyber recently stood up a 24/7 managed vulnerability and exposure management service for one of Australia’s national critical infrastructure providers, an environment where downtime and compromise aren’t abstract risks but matters of national consequence.
The service brings together two complementary strengths:
- Our long-standing risk advisory capability (drawing on former elevenM expertise), in which we map an organisation’s assets, assess exposure and business impact and prioritise what actually matters; and
- Round-the-clock SOC capability that Ctrl is known for through our Risk Operations Centre, delivering continuous monitoring and the people and processes to act on what’s found, at any hour.
The result is a single service that sees continuously, prioritises intelligently and responds without waiting for the next business day.
Exposure management: where to start
You don’t have to rebuild your entire security program overnight. But the direction of travel is clear and the basics still matter: know what you have, understand which weaknesses threaten the business, and shorten the distance between disclosure and remediation as much as you can. For the systems that matter most, that means moving toward continuous, 24/7 defence, because the threat is already operating that way.
If your vulnerability management still assumes you have days to respond, now is the time to close that gap. Start with a focused exposure assessment: a clear picture of what you’re running, which weaknesses genuinely threaten the business, and how fast you could respond today.
Talk to a Ctrl expert about what a continuous 24/7 approach could look like in your environment ↗ https://ctrl.co/contact/