Claude Mythos exposed a hard truth: Your enterprise patching process is way too slow

본 기사는 Anthropic의 Claude Mythos Preview가 주요 OS와 브라우저에서 수천 건의 zero-day 취약점을 자율 발견하며 기존 보안 업계의 ‘안전 여유’를 무너뜨렸다고 전합니다. Langflow와 Marimo 사례처럼 공개 후 10~20시간 안에 악용이 발생하면서, CVSS 점수 중심의 패치 우선순위와 수일 단위 대응 모델이 더 이상 충분하지 않다는 점을 강조합니다.

AI 기반 취약점 발견과 무기화가 저비용·고속화되면서, 기업 보안팀은 패치 주기를 단축하는 수준을 넘어 실시간 노출 관리와 위협 기반 우선순위로 전환해야 합니다. 특히 KEV 등재나 공개 proof-of-concept를 기다리는 방식은 공격 속도에 뒤처질 가능성이 커졌으며, 자산 중요도·악용 가능성·인터넷 노출도를 결합한 자동화된 대응 체계가 핵심 경쟁력이 될 전망입니다.

In 2024, researchers from the University of Illinois found that GPT-4, when provided with a common vulnerabilities and exposures (CVE) description, could autonomously exploit 87% of a curated 15-vulnerability one-day dataset. Without the description, it could only exploit 7%. This provided a “margin of safety” for the industry because while AI could exploit known vulnerabilities, it could not discover them. However, on April 7, Anthropic announced that Claude Mythos Preview had closed that margin, with the model autonomously discovering thousands of zero-day vulnerabilities across major operating systems and browsers. Separately, Mythos scored 83.1% on the CyberGym vulnerability reproduction benchmark. In one campaign targeting OpenBSD across 1,000 scaffold runs, the total compute cost was less than $20,000. Exploitation timelines are collapsing. Langflow’s CVE-2026-33017 (CVSS 9.8) was exploited 20 hours after disclosure with no public proof-of-concept. Marimo’s CVE-2026-39987 (CVSS 9.3) was hit in 9 hours and 41 minutes.The defensive infrastructure most organizations rely on wasn’t designed for this. Rapid7’s 2026 threat landscape report states that the median time from CVE publication to CISA's known exploited vulnerabilities (KEV) listing is five days. Google’s M-Trends 2026 report found that exploitation is happening before a patch is even released. When the Langflow advisory was published, the first exploit arrived in 20 hours. When the Marimo advisory was published, it took under 10 hours. The assumption that your patch window is safe because exploitation takes time is no longer true. Here are your building blocks.Replace CVSS-only prioritization with a three-layer filterMost vulnerability management programs still prioritize by CVSS score alone. CVSS quantifies a vulnerability’s “theoretical” severity without considering whether a vulnerability is being exploited in the wild or how quickly someone could weaponize it. A CVSS 8.8 vulnerability with a history of active exploitation (like Docker’s CVE-2026-34040) gets lower priority than a CVSS 9.8 vulnerability that may never be exploited in the wild.A recent study validated against 28,377 real-world vulnerabilities offers a concrete replacement: A three-layer decision tree incorporating CISA KEV status, Exploit Prediction Scoring System (EPSS) scores, and CVSS, thus forming a singular prioritization filter.Three-Layer Vulnerability Prioritization FilterLayerData sourceThresholdActionSLA1. Active exploitationCISA KEV catalogListedImmediate patchingHours2. Predicted exploitationEPSS via FIRST.orgScore ≥ 0.088Escalate to Tier 0 pipeline24 hours3. Severity baselineCVSS via NVDScore ≥ 7.0Typical remediationPer policyValidated result: 18x efficiency gain, 85.6% coverage of exploited vulnerabilities, ~95% reduction in urgent remediation workload. All three data sources are open and free.The described integration is entirely automatable. It’s possible to build a script to query the CISA KEV API, the EPSS API from FIRST.org, and the NVD, and have that script run against your asset inventory for every published CVE. The human in this process should remain in the loop as an approver, but not as the trigger.Close the agent authorization gapCreating exploits quickly not only changes how patches are prioritized, but how controls are configured for all the agent-driven systems that now possess privileged credentials. Your authorization policies have not been assessed against the behavior of AI agents, and that is now a measurable risk. CVE-2026-34040 showed that Docker’s authorization plugin architecture silently bypasses every plugin when the request body exceeds 1MB. Common AuthZ plugins (OPA, Casbin, Prisma Cloud) are unaware of this type of bypass, which occurs in Docker’s middleware before the request reaches the plugin.When Cyera demonstrated this vulnerability, they showed that an AI agent debugging infrastructure could infer the bypass path while completing a legitimate task, without any instruction to exploit anything.The Internet Engineering Task Force (IETF) is working on authorization models for agents. The document draft-klrc-aiagent-auth-01, published in March by participants from AWS, Zscaler, Ping Identity, and OpenAI, proposes the use of the current Secure Production Identity Framework for Everyone (SPIFFE) and OAuth 2.0 for AI agents to obtain dynamically provisioned and short-lived credentials. Separately, the IETF Agent Identity Protocol draft (draft-prakash-aip-00) reports that out of about 2,000 surveyed model context protocol (MCP) servers, none had authentication. But these standards are months to years away from implementation. For now, security teams must proactively incorporate agent-level test scenarios for all authorization boundaries, such as oversized requests, burst frequency, and multi-step escalation of privileged requests.Map your credential blast radiusIn a survey conducted by CSA/Zenity and published on April 16, 53% of orga