Opinion
The AI cybersecurity boom may be creating a bigger problem than it solves
"The gap between when a vulnerability is understood and when you can actually eliminate it from your systems is about to become more visible, more frequent, and more operationally expensive," writes Eilon Elhadad, co-founder and CEO at Echo.
Over the last two weeks, both Anthropic and OpenAI made their most significant moves yet into offensive and defensive cybersecurity. Anthropic released Mythos Preview - limiting access to roughly 40 organizations precisely because the model was considered too dangerous to release widely. OpenAI followed days later with GPT-5.4-Cyber, a purpose-built cyber-permissive variant of GPT-5.4, rolled out through its Trusted Access for Cyber program. Meanwhile, Anthropic launched Project Glasswing, an industry coalition including Google, aimed at coordinating the ecosystem's response to what these models make possible.
The security community's reaction wasn't excitement - it was alarm. And for good reason. We're entering an era where AI doesn't just help developers move faster, it fundamentally changes how vulnerabilities are discovered and exploited. This shift is already playing out in real attacks: the wave of supply chain compromises that started with Trivy in March is a preview of what happens when the attack surface expands faster than the ecosystem can respond. Mythos and GPT-5.4-Cyber are about to accelerate that dynamic significantly - in both directions.
To understand why this matters, it's important to take a step back and understand who has actually been holding open source security together up until now – a group that's well known inside cybersecurity, but almost invisible to the outside world: maintainers.
Open source maintainers are the leaders of open-source software projects, responsible for reviewing code, fixing issues, and establishing a project's direction. They ensure projects remain functional, secure, and sustainable, often volunteering their time alongside their full-time jobs. When it comes to vulnerabilities in the images they're supporting, there are two key elements they need to handle: detection (finding the issues) and patching (fixing them). As you can imagine, this talented group of individuals is limited in one essential resource: time. So, even when vulnerabilities are known, it takes time to effectively fix them.
Mythos is about to change both the detection and fixing parts, as AI will detect more issues - faster than ever before, reasoning across entire systems rather than just scanning for known patterns. Any issue detected will have a fix generated much faster. The barrier to adoption is falling - both Anthropic and OpenAI are offering access to vetted security teams and open source maintainers.
Project Glasswing is designed to complement this by preparing and coordinating the broader ecosystem around these fixes - bringing together package ecosystems, CI/CD platforms, cloud providers, and open source maintainers to respond more cohesively when vulnerabilities are identified.
After a fix has been found, it must still go through a long process before the end user can actually use it. This process takes ~80 days on average. That's 80 days that end-users are still exposed to a vulnerability that was already fixed, due to process complexity. And with Mythos and GPT-5.4-Cyber accelerating discovery at a pace the ecosystem has never handled before, that gap is only going to grow.
Glasswing doesn't change this core constraint. Fixes still need to be adopted, rebuilt, and propagated into production systems. And that's where the real pain is today.
Your exposure window is about to widen, not shrink. More vulnerabilities will be discovered faster than ever - but that doesn't translate to faster protection in your environment. Instead, you'll face a growing backlog of "known-but-not-yet-consumable" fixes, increasing noise in your scans, and mounting pressure on your teams to triage issues they can't immediately remediate. We're already seeing this pattern with the March supply chain attacks: Trivy, LiteLLM, Axios - all widely trusted tools, all compromised through the same playbook of poisoned updates propagating silently through automated systems.
In other words, the gap between when a vulnerability is understood and when you can actually eliminate it from your systems is about to become more visible, more frequent, and more operationally expensive. So, if your security strategy still depends on reacting to CVEs after they surface, you're about to fall further behind.
Eilon Elhadad is the Co-Founder & CEO at Echo.
