Anthropic dropped another bomb with Project Glasswing and whatever myth we had about Vulnerability Management being the core of any Security Program were shattered in minutes.

Mythos can find vulnerabilities, sometimes 100s of them while we finish our morning coffee. By noon, it can exploit most of them and by evening it can lay bare, right in front of you, what you always feared in the first place — your security, or the lack of it.

In my opinion, building a security program purely on/around Vulnerability Management (or Pen Testing) alone was a lost cause 5 years back. But governance and compliance forced us to keep it as a first class citizen. Vulnerability Management was understandable 10-15 years back when the tool sprawl in an organisation was much less and a large part of the organisation was not as digital as it is today.

Today, a mature organisation has hundreds of tools, libraries, repositories and dozens of applications that are running 24X7 utilising an insane number of packages that result in millions and billions of lines of software code. Each of those lines can have a vulnerability that can potentially be exploited. Traditionally it wasn't possible to identify them since it required skilled humans to do the job, and this was scarce. AI models like Mythos have proven that Vulnerability identification and Validation can be automated at scale. And with other models not far behind, adversaries will only have the advantage if an organisation still builds their Security Program on Vulnerability Management, Prioritization and remediation. Its a 1-M problem where an organisation has many vulnerabilities to fix and doesn't know which one the adversary will exploit.

What "might" happen in the next 6 months

The iceberg will show signs of melting but most of the penguins might deny the fact that it is actually melting. In fact they might start pushing more aggressively expanding the colonisation. What I mean to say is traditional Vulnerability Management vendors might try to create a sense of fear and urgency around AI being able to find vulnerabilities at a lightning pace and thus organisations need a much stronger Vulnerability Management program.

This in my opinion will be a mistake — both from the vendors side (who probably will live in denial of the change that is happening and risk missing the time to innovate and pivot) as well as from the organisation side (who will invest their hard earned money into something that can never scale and provide tangible benefits).

What "will" happen in the next 2 years

The iceberg will keep melting and the only penguins that will survive are the ones that accept this reality and do that quickly. Traditional App Sec market will struggle (if not already). We all know it. Vulnerability Management will start to struggle. Buyers will ask difficult questions. But from this struggle, another opportunity will take shape.

Models like Mythos will start getting embedded into SDLC processes, shifting security left (as should have happened long time back), moving from Reactive to Proactive. Think Dependabot but on steroids. Thus in a few years, the software produced will be more secure from day 1 since AI can identify, validate and remediate potential vulnerabilities in an extremely efficient manner. AI Agents will become part of the CI/CD pipeline. Thus when a company ships secure software, the probability of finding new vulnerabilities will actually reduce. The fight will then be between AI Model providers and not between Vulnerability Management Solution providers.

Vulnerability Management will move from a product to a feature in the next 2 years. Organisations that adopt AI Agents like Mythos and plug them early in their SDLC process would not need to have a full blown Vulnerability Management program. A simple feature in a Unified Platform should be sufficient. The premium that traditional vendors demand will vanish and a standalone, pure vulnerability management solution will only become a burden on the vendors. The penguins have to start finding a new iceberg or fear drowning in the cold water.

And what can organisations do to stay secure

The iceberg would have melted in 5 years and penguins who stayed in denial would have vanished. Offsprings (startups that don't carry the traditional baggage and historic context) would have taken over. Organisations would have realised and verified that:

1. Tool sprawl (aka best in breed) was causing them more pain than gain.
2. AI Agents deployed for pre-emptive security (i.e. preventing rather than reacting) provides better value.
3. Visibility across an entire landscape becomes paramount.
4. Connected data model (preferably decentralised) brings huge benefits.
5. AI Agents are a new Attack Vector.
6. Blast radius containment, due to AI Agent crossing their boundary, becomes ever more important.
7. Unification of Security program across ITOps, SecOps and GRC is the only way forward.

Conclusion

AI Agents will keep evolving at a rapid pace. AI companies like Anthropic will keep expanding their TAM with more and more AI first features cannibalising entire companies. Platformisation is the only way forward for organisations. Exposure has to be unified across cloud, on-prem, applications, identity, firewall, workspaces and has to be contextualised with ever evolving threats. Visibility will not be enough. Actionability has to be the core of the offering that can clearly provide, in real time, Security Posture improvement.

Security program has to be Risk Driven and not technically driven. That's the only way how future, virtual SoC, IT and governance Agents will be able to work together in an autonomous manner. A Unified insight into current posture and a clear guidance on what the priority is across the entire environment (and not just vulnerabilities) and fixing them at AI pace should be the short/medium term strategy for every organisation.

At the same time organisations have to realise that while AI Agents may be able to complete multiple tasks at a rapid pace, they are still more like a teenager who has just realised that it can drive a car, but doesn't have the experience of how to react when someone suddenly drives at 200 kmph in a red light threatening a head on collision. In simple terms, having an AI Strategy is important, delegating tasks to AI Agents is great, but blindly trusting them to complete the task appropriately can prove disastrous in the short/medium term.

If you need to talk (without a sales pitch) about how a platform centric approach can benefit you (your organisation) or how you can save huge money on your existing security program or how AI Agents should be working with proper guardrails — or you disagree with me — do message me. Happy to brainstorm it together.