Anthropic’s Mythos preview found ten thousand critical vulnerabilities in a month. None of them are how your enterprise gets breached this quarter.
By Fredrik Lindstrom · ~16 minute read · June 2026
On May 20, 2026, Verizon published its nineteenth annual Data Breach Investigations Report. Two days later, Anthropic published the first one-month results from Project Glasswing, its initiative to deploy Claude Mythos Preview against the world’s most critical software before frontier-grade AI offensive capability spreads to attackers. Read the two reports side by side and the next board governance question gets simpler than most directors have been told.
The capability is real. The threat to your enterprise this quarter is not the capability.
What 2026 has already told us
For the first time in the DBIR’s nineteen-year history, stolen credentials are no longer the leading way attackers break into enterprise networks. Software vulnerabilities are. Thirty-one percent of breaches. Credentials dropped to thirteen percent. (Verizon DBIR 2026; Help Net Security, May 20, 2026.) Nineteen years of telling boards the problem was their users and their passwords. The 2026 report is the one that says the problem is now the vendor.
Two days later, on May 22, Anthropic released the first one-month results from Project Glasswing. Approximately fifty partners. More than ten thousand high- or critical-severity vulnerabilities discovered in systemically important software in one month. Cloudflare ran Mythos Preview against its codebase and identified two thousand bugs, four hundred of them high- or critical-severity, with a false-positive rate lower than human testers. Mozilla fixed two hundred and seventy-one vulnerabilities in Firefox, a ten-fold improvement on the prior Claude model. JPMorgan, Goldman Sachs, Citi, Bank of America, and Morgan Stanley entered rapid patching cycles in response. Anthropic’s own framing in the report: no company including itself has built safeguards reliable enough to prevent the malicious use of a model with Mythos-level capabilities. (Anthropic, Project Glasswing: An Initial Update, May 22, 2026.)
Two messages. Both right. Both load-bearing. The first is that the empirical breach record has shifted: vendor-shipped vulnerabilities are now how enterprises get compromised. The second is that the AI capability to find and exploit those vulnerabilities now exists at the frontier and remains gated by Anthropic alone for the moment. Most board conversations about AI risk anchor on the second message. The first is what is costing your enterprise money this quarter.
To see why, look at how enterprises actually got breached in the last twelve months. Two patterns. Eight cases without AI. Three cases with AI. Both groups settle the same question.
The breaches that didn’t need AI
Eight cases, all from the last twenty-four months, all costing real money, none of which required AI of any kind. Full case detail is in the appendix; here is the board-level summary.
MOVEit Transfer. One SQL injection vulnerability in Progress Software’s file-transfer product. More than 2,700 organizations and 93 million individuals affected. Named victims include the US Department of Energy, the BBC, Shell, Deutsche Bank, PwC, Ernst & Young, and Maximus. Cl0p ransomware. Patch was available May 31, 2023.
Citrix Bleed. A session token leak that bypassed both passwords and MFA. Boeing Distribution. The US branch of Industrial and Commercial Bank of China. DP World. Allen & Overy. Comcast Xfinity, 35.8 million customers, $117.5 million class-action settlement.
Ivanti Connect Secure. A cascade of six CVEs across eighteen months. More than 1,700 exploited appliances. CISA Emergency Directive 24-01 forced federal civilian agencies to disconnect their gateways.
Snowflake. No platform vulnerability at all. Approximately 165 customer environments compromised through stolen credentials. AT&T (109 million customers), Ticketmaster (560 million), Santander (30 million). Targeted accounts lacked MFA.
Change Healthcare. $2.5 billion in cumulative attack costs. One Citrix portal with no multi-factor authentication. Data stolen on roughly one in three Americans.
Salt Typhoon. Cisco IOS XE vulnerabilities. Nine US carriers compromised, including Verizon, AT&T, T-Mobile, Spectrum, and Lumen. Access to CALEA lawful-intercept interfaces. Three-plus years of undetected persistence at one carrier per Cisco Talos.
Colonial Pipeline. One legacy VPN credential. No MFA. Five-day shutdown. Fuel crisis across thirteen US East Coast states.
23andMe. Credential stuffing using passwords from prior unrelated breaches. No MFA enforcement. 6.9 million users’ genetic data exposed. Chapter 11 bankruptcy.
Pattern across all eight: known vulnerabilities not patched, or credentials not protected with MFA. Zero zero-days. Zero AI. Tens of billions of dollars in combined cost. Every named vendor on this list remains on most enterprise renewal cycles this quarter.
The breaches that used AI anyway
Three cases from the last twelve months where AI was confirmed in the attack chain. None of them used a zero-day either. Full case detail in the appendix.
Fortinet, January to February 2026. A Russian-speaking actor described by AWS Threat Intelligence as “unsophisticated” compromised more than six hundred FortiGate firewalls across fifty-five countries in five weeks. No zero-days. No frontier model. Commercial generative-AI services wired against exposed management interfaces with weak credentials. (Dark Reading’s headline put the threat model on the page: “600+ FortiGate Devices Hacked by AI-Armed Amateur.”)
Anthropic GTG-1002, November 2025. A Chinese state-sponsored group used Claude Code inside an agentic framework to autonomously execute eighty to ninety percent of the tactical work in an espionage campaign against thirty global targets across technology, finance, chemicals, and government. The model called the shots. Humans were the optional layer. Anthropic disrupted the operation ten days after detection.
Anthropic GTG-2002, August 2025. A single operator using Claude Code as an integrated attack environment compromised at least seventeen organizations across government, healthcare, emergency services, and religious institutions in one month. Ransom demands exceeded five hundred thousand dollars in some cases. The AI made tactical and strategic decisions. Anthropic called the pattern “vibe-hacking.” One operator. Seventeen enterprises.
Pattern across all three: AI applied to scale, automate, and lower the skill required to execute attacks that targeted the same things that have always been targeted. Exposed services. Weak credentials. Old or no vulnerabilities. None of these campaigns required Mythos. None of them used a zero-day. The state actor and the amateur used the same playbook with different volumes.
Why Mythos doesn’t matter — yet
This is the part of the analysis most boards skip.
Anthropic’s Project Glasswing found ten thousand new vulnerabilities in a month. Mythos Preview’s technical report says it has saturated the standard vulnerability discovery benchmarks. The capability is real. So why is it not showing up in this quarter’s breach data?
Look at the math attackers actually face.
In 2025, Google’s Threat Intelligence Group tracked ninety zero-day vulnerabilities exploited in the wild, a baseline that has held steady for four years. The total CVE volume in the same year was forty-eight thousand one hundred eighty-five. The zero-day share of total CVEs is under two-tenths of one percent. VulnCheck’s analysis of 2025 disclosure data, summarized by CTO Jacob Baines, put it cleanly: “Barely one percent of vulnerabilities disclosed in 2025 were ever exploited.”
Now look at what is being exploited. Vulnerability exploitation accounted for thirty-one percent of all enterprise breaches in 2025, up from twenty percent the year before (Verizon DBIR 2026). Mandiant has reported exploits as the leading initial-access vector for five consecutive years (M-Trends 2025 and 2026). Only twenty-six percent of CISA KEV-listed critical vulnerabilities were fully remediated in 2025, down from thirty-eight percent the prior year. Median time to patch a critical: forty-three days.
Set the two pictures next to each other. A small, slow-growing population of zero-days. A large, stable, mostly-unpatched population of n-days that attackers can rent indefinitely. The math for the attacker writes itself. A zero-day is rare, expensive, single-use, and burns the moment it is detected. An n-day exploit, for a vulnerability disclosed last month or last year, is cheap, reusable, and fits the ninety-nine percent of the enterprise market that has not yet patched it. Spending months developing a frontier-grade zero-day for one target, when the CISA KEV catalog grew twenty percent last year to fourteen hundred and eighty-four unpatched-critical entries, is the economic equivalent of buying a custom luxury car when the same outcome is reachable with a rental.
Mythos starts to matter the day the n-day pool dries up. Today the pool is overflowing. The patch backlog is the moat. AI did not drain the moat. AI built a bigger machine for crossing it.
The board question is not whether to prepare for Mythos-class threats. The board question is whether to recognize that the enterprise is bleeding right now from threats that Mythos does not need to exist for.
The CVE-acceptance argument is finished
The strongest version of the status-quo argument runs like this. Enterprise software has always had bugs. AI will find more of them. The marginal cost of demanding better products exceeds the marginal cost of breaches. Insurance covers the residual. Move on.
Each leg has failed empirically.
Volume. CVE.org recorded 48,185 published vulnerabilities in 2025, a 20.6% year-over-year increase from 39,962 in 2024 (Jerry Gamblin’s January 2026 analysis). On April 15, 2026, NIST formally conceded its National Vulnerability Database could no longer enrich them all and moved to a triage model. The federal authority responsible for cataloging the problem has now admitted the model is unsustainable.
Concentration. Microsoft alone accounts for approximately 24% of cumulative CISA KEV catalog entries: about 350 of 1,484 by end of 2025 (SecurityWeek, January 2026). Ivanti, Fortinet, and VMware appear repeatedly. The “everybody has CVEs” defense disguises the fact that a handful of vendors drive the burden.
Cost-shifting. CISA’s Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design, co-sealed by CISA, FBI, NSA, and partner agencies in the UK, Australia, Canada, Germany, the Netherlands, and New Zealand, is explicit that the manufacturer, not the customer, is the least-cost avoider. The 2023 US National Cybersecurity Strategy formally proposed shifting software liability to vendors.
Liability. The EU Cyber Resilience Act entered force December 10, 2024. Vulnerability-reporting obligations apply from September 11, 2026. The full regime hits December 11, 2027. Fines reach €15 million or 2.5% of global turnover. The reach is extraterritorial. Any product with digital elements sold into the EU is in scope.
Insurance. Beazley’s chief underwriter Paul Bantick told the Financial Times in late 2025 that “there’s more claims, and they’re more expensive” while pricing fails to react. Beazley’s cyber gross written premium dropped 8% in the first nine months of 2025 to $848 million (PYMNTS, November 30, 2025). The residual-risk model is breaking on the insurer side. W.R. Berkley, AIG, and Great American have filed proposed AI exclusions. Verisk’s standardized generative-AI exclusion is slated for the January 2026 commercial general liability cycle.
The CVE-acceptance argument is not defending technical reality. It is defending vendor revenue from the buyer’s accountability question.
Microsoft is the proof
Two years ago, the Cyber Safety Review Board investigated the Storm-0558 intrusion, in which Chinese state-sponsored actors used a forged Microsoft consumer signing key to read US government email, including the Department of State, the Department of Commerce, the US Ambassador to China, and a member of the House Intelligence Committee. The CSRB’s April 2024 report was unsparing: “This intrusion was preventable and should never have occurred. Microsoft’s security culture was inadequate and requires an overhaul.” The intrusion was detected by the State Department, not by Microsoft.
What followed is the proof point every board should study.
Microsoft launched the Secure Future Initiative. As of the April 2025 progress report, the company has dedicated the equivalent of 34,000 full-time engineers to it. One-third of the senior leadership team’s individual bonuses are tied to security performance. Entra ID and MSA signing keys moved to hardware security modules with automatic rotation. Phishing-resistant MFA reached 92% of employee productivity accounts. 6.3 million unused tenants were removed.
Brad Smith, to the House Homeland Security Committee on June 13, 2024: “Microsoft accepts responsibility for each and every one of the issues cited in the CSRB’s report. Without equivocation or hesitation.”
This is what one major customer (the US federal government, approximately 3% of Microsoft’s revenue) combined with public CSRB findings, federal procurement attention, and customer pressure, produced. The lesson is not that Microsoft is now a model citizen of secure development. The lesson is that demand-side pressure works when it is concentrated, documented, and tied to procurement.
Most enterprises have the same leverage Microsoft’s government customers had. Most boards have never asked their CIO to use it.
What the next board meeting looks like
There is a temptation, after a piece like this, to ask the board to do something dramatic. That is the wrong move. The right move is to make the existing oversight more specific.
One. Ask for mean-time-to-patch on CISA KEV-listed critical edge-device vulnerabilities. Compare it to the Verizon DBIR 2025 finding of zero-day median exploitation. Any MTTR above fourteen days on internet-facing systems is indefensible.
Two. Require a named executive to attest each quarter that every externally exposed system enforces phishing-resistant MFA. Not SMS, not push. FIDO2 or passkey. Senator Barrasso’s question to Andrew Witty is the lens. If the answer is “ongoing,” push for the date.
Three. Update the top-twenty vendor renewal cycle. At each renewal, demand the Secure by Design pledge artifact, a software bill of materials, a vulnerability disclosure policy aligned with ISO/IEC 29147, a Secure Software Development Framework attestation (NIST SSDF), and, for products sold into the EU, a CRA conformity statement. Refuse to renew without them. The market for “we are not going to provide that” gets smaller every quarter that buyers stop accepting it.
Four. Harden help-desk identity verification against the Scattered Spider and ShinyHunters playbook. Out-of-band callback for privileged resets. Video plus badge or in-person verification for executive and administrative account changes. The MGM, Caesars, M&S, Co-op, Harrods, and Twilio breaches all turned on this single failure mode.
Five. Require management to document the use of AI security tooling (Claude Security, GPT-5.5-Cyber under Trusted Access for Cyber, or commercial equivalents) and the disposition of every critical finding. The same documentation defeats the Caremark question if and when it comes.
Six. For EU operations, document board-level AI literacy. Article 4 of the EU AI Act becomes formally supervisable on August 2, 2026. The fine ceiling is 1% of global turnover.
Seven. Add an annual line item in board minutes attesting that the company has identified its top five vendor single-points-of-failure and confirmed the MFA, patching, and credential-rotation posture of each. If management cannot answer the question, that is the answer.
None of this is heroic. All of it has been available since at least 2021. None of it has been universally done.
Where this lands
In June 2016, I published an article titled “Information Security — That’s a Department, Right?” arguing that organizations were treating cybersecurity as a delegation problem when it was a distributed-responsibility problem. The lesson did not stick. We watched ten years of breaches at companies that thought a CISO and a SOC budget closed the question.
The vendor-accountability lesson is the same architecture, one layer up. We have treated vendor security as a vendor problem. We have built procurement processes that audit code only after the breach. We have signed renewal contracts with SLA clauses for uptime but not for vulnerability remediation. We have accepted “all software has bugs” as a closing argument from suppliers whose KEV-catalog incidence rates would, in any other industrial sector, trigger a recall.
Mythos has not changed any of this. Mythos has, in one month, demonstrated that the AI capability to find and exploit those vulnerabilities is here. The race for boards is not to prepare for that capability. The race is to clear the n-day backlog and harden the identity layer before the capability becomes the cheap option.
The boards that renegotiate the deal now will come out of the next decade with their reputations and their organizations intact. The ones that wait for the regulator, the insurer, or the plaintiff will be forced to do it, at great expense to the organization and the board.
Mythos doesn’t matter yet. The deal matters now. Make sure your board knows.
Appendix
A. Breaches without AI, without zero-days
Full case detail for the eight breaches summarized in “The breaches that didn’t need AI.” Each entry names vendor, CVE, attacker, scale, and the primary source most useful for board-level reference.
MOVEit Transfer
One SQL injection vulnerability, CVE-2023-34362, in a Progress Software file-transfer product. Cl0p ransomware. Confirmed victim count exceeded 2,700 organizations and 93 million individuals (Emsisoft; KonBriefing Research). The US Department of Energy. The BBC. Shell. Deutsche Bank. PwC. Ernst & Young. Maximus. Cl0p’s estimated take: $75M to $100M (Coveware). Progress shipped the patch on May 31, 2023. The exploitation continued for eighteen months.
Citrix Bleed
CVE-2023-4966. A buffer-over-read that leaks session tokens, bypassing both passwords and MFA. Boeing Distribution. Industrial and Commercial Bank of China’s US branch, which paid a ransom and disrupted US Treasury market trading. DP World Australia. Allen & Overy. Comcast Xfinity, where 35.8 million current and former customers had data stolen and the consolidated class action settled for $117.5 million on January 21, 2026, preliminary approval, Eastern District of Pennsylvania.
Ivanti Connect Secure
A cascade. CVE-2023-46805 chained with CVE-2024-21887, then CVE-2024-21893, CVE-2024-22024, CVE-2025-0282, CVE-2025-0283. Volexity documented exploitation across more than 1,700 appliances. CISA issued Emergency Directive ED 24-01 on January 19, 2024 ordering federal civilian agencies to disconnect their Ivanti gateways. CISA’s own testing later demonstrated attackers could exfiltrate domain administrator credentials in cleartext, achieve root persistence, and bypass Ivanti’s own Integrity Checker tool. Same vendor. Same architecture. Same federal customer base. Years.
Snowflake
No platform vulnerability. None. Mandiant attributed the campaign to UNC5537, who compromised approximately 165 Snowflake customer environments using stolen credentials sourced from infostealer infections, many dating to 2020 or earlier. The targeted accounts lacked MFA. AT&T disclosed the breach via SEC 8-K on July 12, 2024 after two DOJ-granted national-security delays. Call and text metadata for approximately 109 million cellular customers. Ticketmaster, 560 million. Santander, 30 million. Snowflake did not make MFA mandatory-capable for administrators until July 9, 2024, after the campaign was already public. Mandiant’s clean summary: “Just enabling MFA could have blocked these attacks.”
Change Healthcare
UnitedHealth Group CEO Andrew Witty’s testimony to the Senate Finance Committee on May 1, 2024: “Attackers used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops. The portal did not have multi-factor authentication.” UnitedHealth has now disclosed approximately $2.5 billion in cumulative attack costs. Data was stolen from “potentially a substantial proportion” of the US population, roughly one in three Americans. Senator Barrasso’s question to Witty during the testimony is the question every board should hear. “Did you lack the financial resources to implement a multifactoral authentication system?”
Salt Typhoon
CVE-2023-20198 and CVE-2023-20273 in Cisco IOS XE. At least nine US telecommunications carriers compromised: Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, Windstream, plus two unnamed. Salt Typhoon accessed CALEA lawful-intercept interfaces, the systems US law enforcement uses for court-authorized wiretapping. Cisco Talos confirmed the actor maintained access in one target for more than three years. As of December 2025, the FCC’s own ruling concedes the vulnerabilities “are still being exploited.”
Colonial Pipeline
One legacy VPN credential. No MFA. A five-day shutdown and a fuel crisis across thirteen US East Coast states.
23andMe
Credential stuffing using passwords from prior unrelated breaches. No MFA enforcement. Genetic and health data on 6.9 million users, half the customer base. Chapter 11 bankruptcy filed March 2025. Sold for a fraction of a former six-billion-dollar valuation.
B. Breaches with AI, without zero-days
Full case detail for the three AI-amplified campaigns summarized in “The breaches that used AI anyway.” Each is named, sourced, and recent enough to settle the question of whether AI-amplified attacks are a future or a present concern.
Fortinet / AWS Threat Intelligence
AWS Integrated Security disclosed the campaign on February 20, 2026, after locating a server hosting the actor’s tooling. The compromise window ran from January 11 to February 18, 2026: more than six hundred FortiGate firewalls, fifty-five countries, with concentrations across South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia. The actor did not use a vulnerability. The breach mechanic was scanning for management interfaces exposed to the internet on ports 443, 8443, 10443, and 4443, then brute-forcing weak or default credentials and using AI to automate everything that came after.
The AI tooling has two named components. ARXON is a custom Model Context Protocol server that ingests reconnaissance data and queries large language models — specifically DeepSeek and Claude — to generate structured attack plans, including instructions for gaining Domain Admin, suggested locations to search for credentials, recommended exploitation steps, and lateral movement guidance. CHECKER2 is a Docker-based orchestrator that scanned more than 2,500 potential targets across more than one hundred countries in parallel. AWS attributed the activity to a Russian-speaking financially motivated actor that the report described as “unsophisticated.” Dark Reading condensed the threat model to a headline: “600+ FortiGate Devices Hacked by AI-Armed Amateur.” Notable detail from the actor’s own documentation, recovered by AWS: the actor repeatedly failed when trying to exploit anything beyond “the most straightforward, automated attack paths,” logging that targets had either patched the services, closed the required ports, or had no vulnerable exploitation vectors. Primary source: AWS Integrated Security, February 20, 2026. Secondary: SecurityWeek, BleepingComputer, Dark Reading, The Record from Recorded Future, all February 21, 2026.
Anthropic GTG-1002 / Chinese state-sponsored campaign
Anthropic’s Threat Intelligence team detected the operation in mid-September 2025 and disrupted it within approximately ten days. The actors used the Model Context Protocol to chain Claude Code with open-source pentesting tools (Nmap, Metasploit, and others), bypassing Claude’s safety filters via a role-play prompt that convinced the model it was performing authorized defensive testing. AI executed reconnaissance, vulnerability identification, custom exploit payload generation, credential harvesting, lateral movement, and data classification across approximately thirty targets in technology, finance, chemicals, and government. Multiple intrusions succeeded before disruption. Anthropic’s own framing in the public disclosure: “The attackers used AI’s ‘agentic’ capabilities to an unprecedented degree — using AI not just as an advisor, but to execute the cyberattacks themselves.” Anthropic notes Claude hallucinations created false positives that limited attacker efficiency, and the campaign has not been independently corroborated in public threat-intelligence databases as of disclosure. Primary source: Anthropic, Disrupting the First Reported AI-Orchestrated Cyber Espionage Campaign, November 13, 2025. Secondary: Wall Street Journal, November 13, 2025.
Anthropic GTG-2002 / vibe-hacking
Anthropic’s Detecting and Countering Misuse of AI: August 2025 report disclosed a single operator who used Claude Code on Kali Linux as a complete attack platform. Targets: at least seventeen organizations across government, healthcare, emergency services, and religious institutions, selected opportunistically based on open-source intelligence and scanning of internet-facing devices. Ransom demands ranged from seventy-five thousand to more than five hundred thousand dollars in Bitcoin.
The AI’s role across the attack lifecycle: automated scanning of thousands of VPN endpoints to identify vulnerable systems; credential harvesting and network penetration; malware development sophisticated enough to evade Windows Defender; analysis of exfiltrated financial records to calibrate ransom amounts; and generation of victim-specific HTML ransom notes embedded into compromised systems, each one tailored with the victim’s own financial figures, employee counts, and regulatory threat profile. Anthropic coined “vibe-hacking” for the pattern. The same report disclosed GTG-5004, a UK-based actor selling AI-built ransomware kits on dark-web forums Dread, CryptBB, and Nulled at four hundred to twelve hundred dollars per kit, who Anthropic described as “unable to implement complex technical components or troubleshoot issues without AI assistance” yet still selling functional malware. Both cases share the central pattern: AI removes the correlation between attacker sophistication and attack impact.