The Mythos Inflection Point: Dealing With the Upcoming Vulnerability Disclosure Avalanche and Compressed Exploitation Window

Summary

Anthropic released Project Glasswing in April 2026, a frontier AI model capable of autonomously finding and exploiting vulnerabilities at unprecedented speed and depth, now available to major software vendors. This acceleration is collapsing the window between vulnerability disclosure and active exploitation from weeks to hours, while remediation timelines remain stalled at 37+ days, creating a dangerous exposure gap. Organizations must shift from CVSS-based prioritization to context-aware, machine-speed remediation and autonomous response systems to survive the coming disclosure avalanche.

Full text

Table of ContentsA New Threat Landscape: What Mythos ChangesWhat is ChangingHow to AdaptCustom Software Is Not Exempt: Extending Detection to Your Own ApplicationsQualys Enterprise TruRisk ManagementThe Bottom Line Having spent years at Qualys working on vulnerability risk and remediation management, I have watched the disclosure and remediation cycles from every angle. I have seen vulnerability researchers find a critical flaw in OpenSSH and the industry scramble to respond. I have seen organizations patching Log4Shell when it is not even applicable in production environments. But, more and more, I am watching the gap between when something is known to be exploitable and when it gets fixed stay stubbornly, dangerously wide. A New Threat Landscape: What Mythos Changes In April 2026, Anthropic released a frontier AI model — as part of Project Glasswing — that can autonomously find and exploit vulnerabilities in production software at a depth and speed that previously required experienced human researchers. Major software vendors now have access. The result: a surge of vendor advisories, patches, and CVE disclosures is coming — on top of a backlog that was already strained. The harder part of vulnerability management is what comes after: figuring out which findings represent real, exploitable risk in your specific environment — with your mitigation controls in place and against your most critical business services — and closing them before someone acts on them. That gap has always been the harder problem, especially as attackers started to use AI-assisted exploitation. The current moment makes it more urgent than ever. A vulnerability found by any tool does not automatically make it a risk in your environment. A critical flaw behind a WAF that fully blocks the attack vector is not your urgent problem. A moderate-severity flaw in an exposed, unpatched internet-facing service with active exploit code in the wild very much is. That gap between “vulnerability found” and “real risk in your environment” is where most remediation capacity gets wasted. What is Changing A Vulnerability Surge and an Exploitation Window That Has Already Closed Most security teams already carry a backlog of known, unresolved exposures — not because they are negligent, but because volume has always outpaced remediation capacity. Now layer on two things: Mandiant’s 2024 data shows exploitation timelines have reached minus one day — attackers weaponize before the patch exists. With attackers deploying agentic AI to automate reconnaissance and exploit development, the window from disclosure to in-the-wild exploitation has collapsed from weeks to hours. And AI-assisted research will now accelerate new disclosures arriving on top of everything already in your queue. Attackers exploited a risky exposure on average within 17 days, and now it’s even shorter. The industry average remediation time is 37+ days. That is a 20+day window of known, confirmed, open exposure. More disclosures arriving faster widens the intake side of that gap. Nothing about AI-assisted discovery closes the output side. How to Adapt Dashboard Tourism Is Over. Prioritization and Remediation Must Run at Machine Speed. Every organization has some version of this: security dashboards shared, reviewed in meetings, handed off across teams. When exploitation windows collapse to hours, the time spent reviewing and discussing risk is time during which the exposure is open. Every handoff between detection tools, prioritization tool, ticketing system, IT team, and change management is a delay. The seams between siloed tools are where risk lives. Detection has always been the relatively easier half of the vulnerability management problem. The harder half is what comes after: figuring out which findings represent real, exploitable risk in your specific environment — with your mitigation controls in place, against your most critical business services — and closing that risk before someone acts on it. That gap has always been the harder problem, especially as attackers started to use AI-assisted exploitation. The current moment makes it more urgent than ever. The harder truth: If everything is critical, nothing is! The only viable response is prioritization that is genuinely context-aware: not theoretical or CVSS scores, but what is exploitable in your environment, against your assets, with your compensating controls in place. Business context is not optional — it is the difference between managing real risk and counting theoretical vulnerabilities. The Only Metric That Matters NowAverage window of exposure (AWE), not compliance-centric MTTR, 30-day SLAs. Patch counts, etc. These were designed for a world where you had time to operate them. In an environment where exploitation timelines are measured in hours, only one metric maps to real risk reduction: time between a confirmed exploitable exposure entering your environment and validated closure. That is the one most organizations currently cannot measure. Manual Remediation Is Dead. Operationalizing Fast Remediation, Beyond Patching, Is the Need of the Hour. I want to be direct about this. The phrase “autonomous remediation” generates more skepticism than almost anything else in security operations. Security teams have been burned by automated patching that broke production. They have watched “auto-deploy” systems create incidents worse than the vulnerability they were trying to close. That skepticism is earned. But here is the other side of that equation: manual remediation at the speed the current environment demands is not operationally viable. The human-in-the-loop for every remediation step — approval, scheduling, deployment, verification — is the structural bottleneck. It was already too slow before AI-accelerated discovery. It is untenable after it. The answer is not to eliminate human judgment. It is to build the trust infrastructure that makes autonomous action safe enough to deploy at scale. Three things are required: 1. Validate before you remediate with attackers’ techniques in your production environment, beyond just attack paths Remediation resources are finite. Committing them to theoretical risks and attack paths stays in the failure mode. It is more important to drive autonomous validation of the exploitation of these risky exposures by running through an attacker’s actual entry path in the production environment, not a simulated environment, without disrupting production. Binary answer: exploitable or not. Not probable. Confirmed. Qualys’ Threat Research Unit (TRU) team has found <1% of the theoretically risky exposures are confirmed validated, which become p0 to fix. 2. Options beyond patching – mitigate risk until downtime Patching is not always immediately possible. Production windows, legacy systems, operational constraints, and competing priorities are real. The security teams that get overwhelmed are the ones whose only remediation lever is “wait for the patch and deploy it.” That is not a resilient posture. The lever most organizations under-invest in is policy and control improvement: crafting custom rules for your EDR, WAF, firewalls, and CSPMs that buy protection when the patch does not yet exist or cannot yet be deployed. Leveraging the full spectrum of virtual patching, mitigations, etc., in an adaptive manner when the patch reliability score is low, from mitigation to virtual patch, WAF rule, host isolation, service disablement, compensating control — helps balance business continuity with timely risk reduction. 3. Trust comes from operational evidence, not promises Autonomous remediation is not a feature you deploy on faith. It is a capability you earn through accumulated evidence: deploy patches leveraging the AI-based reliability score which predicts operational risk before deployment runs, based on the errors found by the community and success/failure observed by your industry peers; the wave-based deployment architecture that builds confidenc

Indicators of Compromise

• malware — Project Glasswing

Entities