The Mythos Brief: Vulnerability Discovery Just Went Exponential
Mythos found thousands of zero-days in weeks. Project Glasswing gave fifty companies a head start. Everyone else is racing the attacker version of the same capability.
If you saw the Mythos headlines over the weekend and filed them under “another AI safety story,” close that tab. That’s not what this is.
Mythos is not what you think it is.
Mythos isn’t a story about AI misbehaving or going rogue. It’s a story about how fast vulnerabilities in real software can now be discovered. Anthropic’s Mythos demonstrated zero-day discovery at previously impossible scale. Project Glasswing took that capability and gave fifty critical-infrastructure companies a head start on patching the holes they were about to be attacked through.
Thousands of novel zero-days, surfaced in weeks, against codebases that had been professionally audited. That’s the actual headline.
This is a race between defense and attack, not a safety story.
The asymmetry just flipped the wrong way.
Before. A skilled human attacker needs weeks, sometimes months, to find a usable zero-day in a serious codebase. Your dependency tree gets audited once a year, if that. Your pen test is quarterly, scoped, and tells you what was broken the day the pentester ran it. SAST catches the obvious stuff, misses the rest, and nobody triages the backlog.
After. A model can discover a zero-day in minutes. The fifty Project Glasswing companies got a courtesy window. Everyone else is now on the public clock — because the same capability, or a close-enough fork of it, is going to end up in the hands of people who aren’t sending disclosure emails first.
Be honest about where this lands hardest: it lands on companies that ship fast, have a real code surface, and don’t have a dedicated security team. That’s most of the AI-native SaaS market right now, and it’s almost certainly you.
What “defense at attacker speed” actually looks like.
Three shifts. None of them are optional anymore. All of them are tractable.
Vulnerability discovery has to run every time a PR lands, not every time an auditor shows up. The interval between “bug introduced” and “bug found” has to be measured in minutes.
Remediation has to ship as a PR with a passing test, on a branch you can review and merge. Not a Jira ticket. Not a quarterly roll-up. A diff.
What you fixed and when has to be signed and portable. Your customer, auditor, or regulator is going to ask. A screenshot of your dashboard is not an answer.
If your current stack doesn’t do all three, that’s the gap. Mythos-class tooling compresses all of it to the same clock the attacker is on.
What GLACIS does.
In plain English: GLACIS is an autonomous AI defender that covers the two places you actually get hit — your code and your models. Two surfaces. One evidence layer.
GitHub App + control plane
- Scans code, dependencies, IaC, cloud, secrets, containers, APIs
- Opens a PR on a dedicated branch with a passing test
- You review, you merge, done
- Runs on every PR, not every quarter
In-environment watcher
- Inspects every model call inside your environment
- Stops unsafe prompts, outputs, and tool calls before they land
- <8ms overhead. Zero egress — nothing leaves the environment
- Only a tamper-proof fingerprint exits
Both surfaces write signed OVERT 1.0 receipts. Same open standard. Same verifier. The receipt chain is the evidence. The moat, the thing that compounds, is that every receipt makes the next one more valuable — to you, to your customer, to the auditor you’re going to face.
The first scan is free. It’s a Glasswing-grade assessment of your stack: we show you what Mythos-class tooling would find, and we open the first fix as a PR. You don’t pay for the finding. You don’t pay for the fix. You pay — later, if at all — for the receipt chain.
Why the receipts matter more than the scan.
Here’s the part most vendors skip because it’s inconvenient to their pricing model: scans go stale. The report you got last month doesn’t prove anything about your system this week. The dashboard screenshot proves even less.
Receipts don’t go stale. Every time GLACIS fixes something, or stops something, it writes a cryptographically signed receipt. The receipts are chained — tampering is detectable. They’re externally verifiable — any third party can check a receipt without us in the loop. And they’re exportable — your SOC 2 and ISO 42001 evidence trail builds itself while you work.
This is why the real product is attestation, not scanning. Scanning is the ticket in. The receipt chain is what you’re actually going to need when a customer asks, an auditor arrives, or a regulator subpoenas the question: what was running, on what day, under what policy?
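A minimal illustration of what a chained, signed receipt gives you, written as an added example for this post: it is not GLACIS or OVERT 1.0 code, and the receipt fields, the Ed25519 signature and the SHA-256 back-link are assumptions. It shows that any holder of the public key can check the chain without the issuer in the loop, and that editing or dropping an earlier receipt is detected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Receipt records one defender action. Field names are assumed for this
// example; they are not the OVERT 1.0 schema.
type Receipt struct {
	Event string   // e.g. "fix-merged: dep-x upgraded"
	Prev  [32]byte // SHA-256 of the previous receipt; all zero for the first
	Sig   []byte   // Ed25519 signature over body()
}

// body is the canonical byte string that gets signed.
func body(r Receipt) []byte { return []byte(fmt.Sprintf("%s|%x", r.Event, r.Prev)) }

// hashOf commits to the signed body and to the signature itself.
func hashOf(r Receipt) [32]byte { return sha256.Sum256(append(body(r), r.Sig...)) }

// Append signs a new receipt and back-links it to the current chain head.
func Append(chain []Receipt, priv ed25519.PrivateKey, event string) []Receipt {
	r := Receipt{Event: event}
	if len(chain) > 0 {
		r.Prev = hashOf(chain[len(chain)-1])
	}
	r.Sig = ed25519.Sign(priv, body(r))
	return append(chain, r)
}

// Verify needs only the public key, so a third party can run it. It returns false
// plus the index of the first receipt whose signature or back-link fails.
func Verify(chain []Receipt, pub ed25519.PublicKey) (bool, int) {
	var prev [32]byte
	for i, r := range chain {
		if r.Prev != prev || !ed25519.Verify(pub, body(r), r.Sig) {
			return false, i
		}
		prev = hashOf(r)
	}
	return true, -1
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	var chain []Receipt
	chain = Append(chain, priv, "fix-merged: constructed dep-x upgrade")
	chain = Append(chain, priv, "tool-call-blocked: constructed shell exec from model")
	fmt.Println(Verify(chain, pub)) // true -1
	chain[0].Event = "edited after the fact" // history rewritten without the key
	fmt.Println(Verify(chain, pub)) // false 0
}
```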
What to do on Monday.
One clear action, and it’s free. Start a scan. We’ll run a Glasswing-grade assessment against your stack, show you what we find, and open the first fix as a PR on a branch you own. Thirty minutes of your time.
Start the free scan
Glasswing-grade assessment of your code, dependencies, IaC, cloud, and AI decision points. First fix opened as a PR. No commitment, no credit card.
The Mythos headlines will keep coming. Your weekend shouldn’t.
Further reading
- Anthropic’s Project Glasswing announcement — the fifty-company disclosure window and the Mythos capability behind it.
- Bruce Schneier’s commentary — on what happens when offensive research becomes commoditised.
- OVERT 1.0 — the receipt standard used on both GLACIS surfaces. Open, verifiable, no lock-in.