“Mythos is just a blip in a long, constantly growing path to high resiliency.”
Cybersecurity founders say Mythos isn't a watershed moment; it's a signal for CISOs to speed up their solutions.
Anthropic's Mythos, an AI model that excels in detecting software vulnerabilities at scale and speed, will not be landing in most security teams' hands anytime soon. After its initial announcement, Anthropic confirmed it would be made available to just a few select companies. For the rest of the industry, it is effectively a preview of what is coming, not a tool they can deploy today.
That distinction matters. The threat is not Mythos itself. It is what Mythos signals: that automated vulnerability discovery at this level of speed and exposure is now possible, and that it will not stay exclusive for long.
For two Israeli startup founders working at the intersection of AI and security, the release is less a turning point than a pressure spike in a trend that has been building for years, and one that most organizations are still underequipped to handle.
Yair Grindlinger, CEO and co-founder of Surf AI, which came out of stealth with $57 million in funding last month, describes the current moment as a triangle of pressures that security teams have never had to manage all at once. Attackers are using AI, making them faster than ever. Organizations are deploying AI internally, creating a new category of assets that themselves need to be secured. And at the same time, leadership is telling security departments to do more with fewer people, because AI is supposed to make everyone more productive.
"They need to be more efficient with AI, while securing AI in their organization, while attackers attack them with AI," he says. "That's a triangle they've never experienced before."
Within that triangle, Mythos sharpens one specific pressure: speed.
"It's not like now they're going to attack us in ways they didn't attack us before," Grindlinger says. "They're going to find vulnerabilities, like they always have, and take advantage of them. They're just going to find them faster and more efficiently, and therefore we have to find those holes first and close them before they do."’
With that in mind, Grindlinger makes a case for Mythos as a net positive: by making vulnerability discovery more accessible, it levels a playing field that has long been tilted toward attackers. Many vulnerabilities that get publicly disclosed have been known and traded on black markets for years before defenders ever hear about them. Mythos changes that dynamic.
"The fact that you didn't know about a vulnerability for 10 years doesn't mean it wasn't used for the last 10 years," he says. "Now we can commoditize those vulnerabilities. We know about them the same day our attackers do."
But knowing is only useful if you move quickly. And moving quickly is exactly what most security teams struggle with. Ron Peled, co-founder and COO of Sola Security, points to a problem that predates Mythos and will outlast it: teams are buried in alerts from dozens of tools, most of which turn out to be noise. The real risk is not that a threat goes undetected. It is that the detection gets lost in the pile.
Peled pushes the point further. Zero-day vulnerabilities, the kind Mythos is specifically designed to surface, are not actually where most breaches happen. The real culprits are more mundane: exposed settings, missed patches, assets that nobody was keeping an eye on.
"Most security incidents today are due to overlooked vulnerabilities and misconfiguration in settings, bad posture – really boring things," Peled says. "You don't need an advanced model like Mythos to identify those."
Mythos raises the stakes around the boring stuff without solving it. That gap is where most organizations remain exposed.
Both Peled and Grindlinger land in the same place: the answer is autonomous, continuous defense. AI systems that monitor every asset in real time and respond to problems without waiting for a human to notice. As AI takes over more of the code-writing process, new code will come out more secure from the start, gradually shrinking the pool of vulnerabilities that defenders need to chase.
"I imagine a security team a year from today that has their own practitioners, but also a range of very intelligent, context-aware agents that know everything about the environment," Peled says. "Agents that don't hand you a list of findings, but actually solve the problem."
The optimism is genuine, but it comes with a stopwatch attached. Organizations that treat Mythos as a one-time event to react to are already behind the ones that have recognized it as a permanent shift in how security has to operate.
"Mythos is not an event," Grindlinger says. "Mythos is just a blip in a long, constantly growing path to high resiliency."
