Mythos Changed the Game: The Shift to Exposure Management

The defender’s clock has changed. AI can now uncover unknown flaws at machine speed, exposing the limits of traditional vulnerability management.  

Security teams need to move toward continuous exposure management—prioritizing exploitability and reducing exposure before attackers can turn discovery into compromise.

posted on
July 8, 2026
Transcript

Brian Moody: Super interesting topic. And I've got my notes on this one because I want to make sure that I get these points right today. This was actually a topic that Shahin had called out for us to speak with you about back kind of in the April timeframe. And then, as you know, if you've been coming to our SoundBytes, we kind of dove a little bit more into agents and API and some of the threats around this. But this was a continuing developing topic really around Anthropic's Mythos and Fable 5 and what the threat behind that is.  

So I've got a couple of key things because this is a scary topic. And if we talk about Anthropic's release, or initial attempt release of Mythos, but a couple of key things that Mythos did. Is one around zero-day discovery. Upon its pre-release, Mythos identified thousands of previously unknown zero-day threats, like right outta the chute, immediately. Legacy code mastery. So it successfully uncovered critical flaws that survived millions of previous security scans that companies didn't know anything about.

 

Shahin Pirooz: Decades of scans.

 

Brian Moody: I mean, millions of threats. And then the final piece that I think is most frightening for me, that just set me back in my chair a little bit when we were talking about this and I read this, was exploitation creation. It was able to create exploits across the components that it found for 83%, 83% across all operating systems.  

So when Anthropic brought this out and started to release it, well, our federal fellows said nope. And they stopped it because they started initially from a Glasswing perspective, because responsibly I think Anthropic recognized the potential impact and risk of this. So they pulled it back in the Glasswing and they tied it back to key technology companies really in the effort to help them with respect to what they were doing. But then the federal government stepped in and said, nope, right? That's just far, far too great of a risk. And then ultimately Fable 5 came and federal government, again.

 

Shahin Pirooz: Well, it was both of those. Glasswing project was basically the top, let's say, sub-200 companies in the world were part of a technology engagement to evaluate Mythos. And during that time, they released a lesser model, the small brother or sister of Mythos called Fable 5.  

Both of those models came out, and in that same time frame after Fable came out, the federal government did an experiment with Mythos and it found zero-day vulnerabilities that the federal government was not aware of. And they put the brakes on. That was the trigger that snapped and said, no, this isn't happening. We need to shut this down. And Anthropic took both models offline.

 

Brian Moody: Right. So, I mean this is a little bit of the oh shit factor. There's no question here.

 

Shahin Pirooz: Now fast forwarding to today, Anthropic has re-released Mythos. And opened it up to about 100 of the Glasswing partners. So it's still restricted, still very restricted, but slowly taking steps to try to figure out how to manage restrictions, how to control it. And the federal government has approved that re-release.

 

Brian Moody: So the question that I want to unpack with you today—so think about today the vulnerability report that you're pulling from your environment. If you are a security professional and you're managing a major environment and you're pulling a vulnerability report, based upon kind of what Mythos is capable of, what does that report really mean if you don't understand what's truly reachable?

 

Shahin Pirooz: Right. So, vulnerability management is now kind of dead. Kind of been saying this for months now, more than months. It's been a couple of years that we've been saying vulnerability management in the way it's been built is an archaic solution, just like SIEMs, the way they've been built, are an archaic solution. Those two technologies do not solve the security problem. They do not close the security gap.  

What does vulnerability management do? It starts with an asset discovery, fingerprinting of those assets, it creates CPEs from those fingerprints and then runs those CPEs against the National Vulnerability Database to determine what vulnerabilities are on that operating system, application stack, and so on and so forth. Now, that vulnerability list ends up becoming a massive list for a company that they have to go and patch.  

What's the problem with that? There is zero understanding of prioritization. Zero is probably not fair. There's the CVSS or CVS scoring model. So it is a vulnerability scoring solution that gives you these are highs, these are lows, these are mediums. And the idea is these are critical. You need to address these.  

But it doesn't take into account anything in context of the company's operating environment. It doesn't tell you, for example, these are critical systems versus not really a big deal. This thing runs the fish tank. If it's got a vulnerability, it's not a huge problem, or it could be because it could be in the room with some serious critical infrastructure. But it doesn't take any of that into account. It simply looks at that fingerprinting model and says, this operating system, this application stack has these vulnerabilities, patch them, the specific vulnerability is a criticality level of high, medium, low, or critical.  

Also doesn't cover, is it accessible? Is that system isolated in a room that can't be reached from the external environment, and therefore the level of criticality is lower. So prioritization or criticality of the environment is not something that traditional vulnerability management and CVSS scoring really addresses.  

And that's the problem today, compounded with those are all vulnerabilities that we're aware of. Those are what have been reported into the National Vulnerability Database. Mythos found thousands of vulnerabilities that have not been reported into the vulnerability database.

 

Brian Moody: So, how has this really changed, in practical terms, how partners and/or security professionals are approaching this?

 

Shahin Pirooz: I don't know that anybody's approaching this in a solid way today because it hasn't been opened up to the public. So not everybody has access to Mythos to evaluate what it does and what it's capable of. Today it's those top 100 companies that were part of the Glasswing initiative.  

But I can tell you the example of one company. I know Zscaler, for example, communicated to the world that it found 400 vulnerabilities that were not documented, were not in any vulnerability databases, and were previously unknown to them, not just in the operating systems but in their own application stack, that they effectively turned on, not just a tiger team, but a team of tiger teams to go on. It was a platoon of tiger teams sent in to close these gaps.  

So it really created a lot of work for those companies that decided to test this because it was the oh my God, holy cow moment of how could these things have been sitting here and we didn't know about 'em? We've been doing all the right things all these years. And the challenge is all the right things with the wrong tools gets you the outcome we have.

 

Brian Moody: Well, you and I for months now have been talking about AI. We've been talking about AI offense that the hackers have access to. In fairness, maybe not access to Mythos, but the number of frameworks and models that are out there that may not have Mythos capability but have substantial capability.

 

Shahin Pirooz: So let's think about it this way. What's the difference between a bad actor and a software engineer? One does bad things with the skills they have. One tries to do things that are positive with the skills they have. They have the same skill set.  

So the folks at Anthropic that created Mythos aren't the only people on the planet who know how to do that. The bad actors oftentimes are some of the smartest developers out there. Not all of them, to be fair. There's a lot of script kiddies. There's a lot of people who are taking advantage of riding on the coattails of the people who are very skilled and talented and using that talent for wrong purposes. And sometimes they have this context of we're doing something for the greater good by exposing these things.  

But let's put all of the politics aside for a second. There are very skilled engineers that are creating technologies that bad actors are taking advantage of. There are large language models that when ChatGPT came out, there was a ChatGPT equivalent that was released on the dark web for bad actors to be able to take advantage of. If we don't already have a Mythos-like large language model out there, there will be one soon.

 

Brian Moody: That's in development or being developed.

 

Shahin Pirooz: Yes. So we have to shift. We have to shift our thinking and can't continue to do vulnerability management and patch management the way we've been doing it.

 

Brian Moody: So great segue. So, what do you see as the next step? What is the flaw today in the current exposure models?

 

Shahin Pirooz: The issue is it's not continuous. It's we're doing scans.

 

Brian Moody: Great point.

 

Shahin Pirooz: We're not doing scans on a consistent and continuous basis. We're doing a pen test once a year. We're doing vulnerability scans once a month. If we're aggressive, we're doing it once a week. But it's the vulnerability scans alone.  

The problem in the vulnerability management space is everybody is doing what I just described. We came to the conclusion that that was broken years ago, and our platform does that. It does the asset discovery, fingerprinting, CPEs, and National Vulnerability Database matching. So we have vulnerabilities to give our partners, customers, and expose what vulnerabilities in the environment, classified by CVSS scores, just like any vulnerability management platform out there.  

We took it a step further and we actually run exploits. We have a database of exploits that are based on the MITRE ATT&CK matrix and the OWASP framework that let us check to see if those systems are, first of all, exploitable, and if that exploit is there so that we can take advantage of it. So it's a thumbs up or thumbs down, it's exploitable or not.  

It's very simple, and very clearly articulates these are the things that you need to close the gap on, not the 10,000 vulnerabilities you have in your environment, but these 10 things that are exploitable put your energy into those.  

There's a problem. It's based on a known database of exploits. It's based on a known threat model. It's based on known paths from the attack matrix. It's based on the OWASP Top 10. Those things are known things.  

And what has Mythos done? It said, you don't know what you don't know. And all of a sudden we're dealing with the backlash of, oh my God, there's all these other things.  

Good news is all that data is going to end up in the databases.

 

Brian Moody: Ultimately.

 

Shahin Pirooz: So we will have templates and frameworks and things like that we can take advantage of. So the positive outcome of a Mythos is Mythos can now feed the vulnerability databases, the exploit databases, so that we can take advantage of those things.

 

Brian Moody: Well, I think the interesting term is reachable. When we run these scans, it's what we know, right? It's going against the infrastructure that we know. And Mythos has shown us that there's so much that exists currently in that infrastructure today that's reachable that we don't get.

 

Shahin Pirooz: Exactly.

 

Brian Moody: Talk a little bit about— well, I'm not going to go there just yet because you kind of jumped ahead a little bit, kind of because I was going to guide you to what's WhiteDog doing about this. But what needs to change?

So, you've talked about the model a little, you know, the tools and things that we're using today and why maybe it's not [enough]. But for MSPs or security professionals watching, what needs to change right now? I mean, where does their head need to go around what they're doing to address this?

 

Shahin Pirooz: A lot of our competitors are going to hate this because I'm going to tell you that the vulnerability management solutions out there, and go ahead and throw a dart and pick anyone that's out there, are doing what I suggested you shouldn't do. They're simply identifying vulnerabilities and giving recommended remediations. That's simply not enough because you can argue that those vulnerabilities are reachable because their scans found them.  

So it's not reachability. It's more about is it exploitable? Just because the vulnerability is there doesn't mean it is exploitable. And that's the missing piece in vulnerability management today. There are no synthetic attacks run. So think of that as the breach and attack simulation. So there are no simulated attacks run to determine if those vulnerabilities are in fact exploitable. That is really the key difference that needs to happen.  

We need to move, the industry, we've historically called it CPT, continuous pen testing. The industry has picked a new terminology for it. It's CTEM, continuous threat exposure management. So that's what has to happen. The shift has to happen into this continuous model of finding the exposure and closing the exposure.  

Now what's that mean? Bad actors are finding the exposure and taking advantage of the exposure, leveraging large language models that will be similar to—or Mythos itself if they don't lock it down properly. And so in order for us to stay ahead, it's no different than it has been, it's just now at the speed of light. So the time of discovery and closure has to be shrunk down to the speed of light. So find the exposure and close the exposure via agent.  

So we now are going to have a surge of service industries that are being created by software companies. Patching will no longer be a human-based management solution. Patching will be there are agents that know how to patch, know what to do, know the operating systems. And when we find an exposure, that exposure is going to have instructions for the agent to say, here's how you close this gap. And that agent will be able to close that gap before the bad actors can find it and take advantage of it.

 

Brian Moody: So, caution here too, because the other aspect of this, and you and I have been talking about this, you are a huge advocate of this. We've talked about the AI SOC doesn't really exist or shouldn't. We've talked about what needs to change and what we're seeing more and more is you folks are doing this. You're implementing AI into your operations, you're utilizing it, but we have to keep the human the loop, right?  

So, you know, we just talked about the agentic MSP and deploying agents and connecting into MCPs, but that needs to be assigned to a human. So the term is to keep the human in the loop. Expand a bit more, because again, you just said agents are going to be doing this, but agents don't have human intuition, right?  We know generative AI still hallucinates and it's not always right, but I think from the standpoint of where and how, and you speak to this so much, and I think it's such an important point.  

And so you just said, well, they're going to tell us we're vulnerable and they're going to tell us what the solution is. Okay. That's pretty linear, right? Where does the [human] intuition come in? And you talk about this so much. I just love to hear your thoughts again on why that's so important.

 

Shahin Pirooz: Yeah, for all you agentic SOC or AI SOC solutions out there, I just wanna make one point of clarification. We think AI in the SOC is a powerful capability. So we don't think that there should be no AI SOC. It should not be strictly an AI SOC.  

There's a lot of players out there that are coming out saying you don't need to staff a SOC because we have an AI-based SOC that can do all the things an analyst would do. And the reason that is a fallacy, the reason we stand so aggressively against that—by the way, if that were true, that would be amazing. I could refocus my people to do other things to create technology, develop more solutions, but we built a SOC behind our product platform because we think that you have to have that human engaged because the curiosity, the intuition, the intelligence to ask the why questions don't exist.  

And the things that are problematic in AI models, as we all know today as we're interacting with them, is they're bound to hallucinate because they have so much of a buffer for memory. And the hallucinations are things they come up with to try to answer a question. They're bound to sycophanty, which is telling you what you're doing is perfect and super smart. And so if you've got two AIs talking to each other and one says, "You're brilliant," the other one says, "Thank you," and then starts hallucinating.  

You've got a fundamental problem, so you need to have that human to say, "Hold on a second. Something's not right here. Something smells funny. I need to slow this thing down."  

The reason it's so important to have that human in the middle is because you need that authorization button that says, "Yes, go ahead and patch this." Same thing we do with our employees. Since when have you let any single employee go and patch systems without validating and going through change control boards and so on and so forth? Same thing applies. It just has to happen a lot faster now.  

So if you have a system that is identifying the exposure, the exploit, identifying the fix, the resolution to that, creating the change control and requesting approval before it does its job in microseconds, you've shaved a ton of time off of the exposure gap, the exposure to closure gap. And that is really what we have to do.  

That is the shift to your question earlier that has to happen in the industry. We have to get to a point where from the time we discover an exposure to the time we close that exposure has to be minimized as much as possible.

 

Brian Moody: That's what I was trying to get you to. Thank you. So now from WhiteDog's perspective, how are you and the team, how is the WhiteDog platform addressing this now?

 

Shahin Pirooz: What I just described requires partnership with our customers, our partners, to do the closure part of it. WhiteDog is really identifying the exposure side of it. We're not closing the gap on patching those solutions, not today. That's on our roadmap. It's something we're evaluating, is something we're heavily considering. How do we solve this problem so that it becomes a part of the ecosystem system that simplifies the operations of a secure environment.  

The short answer is it ties back to that exploit—exploitable system—versus just the set of vulnerabilities. We've built from the ground up our external security posture and our internal security, network security posture management solutions. Our continuous pen testing platform, they run breach and attack simulation inside and outside of the network and they do the standard vulnerability management we talked about. But above and beyond that, they're doing the exploit evaluation and simulated attacks against those exploits and letting you know this thing is actually exploitable. You really need to put energy and time into it. And because we've built our platform API first, it's very easy to get that information and tie it into an agentic workload that goes and patches that or creates the change control or whatever flow you want.  

What WhiteDog has fundamentally developed is a mechanism for solving the front end of that. And today we don't have a mechanism for closing the back end other than the integration points through our API layer that allow partners to integrate with it and do patch management and whatever else they need. So I would say that the shift to CTEM, so Continuous Threat and Exposure Management, is something we took, I would say, 3 or 4 years ago, and we started playing that.

 

Brian Moody: Did you just create a new acronym?

 

Shahin Pirooz: No, no, no. This is the industry. I did not come up with this. I called it CPT, and the industry now likes CTEM. So we might rebrand our product to match.  

But the CTEM approach is all about you can't do this once in a while. It has to be continuous. You have to keep scanning and you have to keep evaluating. Now, I'm not saying, by the way—I don't want people to walk away from this and say I can shut down my vulnerability management. You should not. It's a really bad idea because you need to understand what vulnerabilities you have and close those gaps because those are known vulnerabilities that you ought to close.  

Having the exploitable visibility on top of that gives you a little more control in terms of how do I prioritize, and that's important. And then having the ability to go the next level, and we're trying to figure out what is our best approach to take this exploit model and build— take our templated solution for running simulated attacks and synthetic attacks against this environment to include those things that Mythos is discovering. Is that going to be an exploit database, or do we need to subscribe to a Mythos exploit detection solution so that we can pull those things into our platform?  

But leveraging and integrating with those solutions are what are on the roadmap to continue to stay ahead of this game. The cybersecurity space is really a whack-a-mole game. You feel like you got the mole and it pops up somewhere else and you continue, it's continuous—so if you don't have the word continuous in any part of your stack, that component is probably a bad thing in your stack.  

At this point, if you're not continuously doing stuff, continuous incident response, continuous pen testing, continuous exploit management, all of these continuances are critical to make sure that you are protected on a day-to-day basis, not just month to month or year to year.

 

Brian Moody: Well, I think it comes back to the term that we're using is AI offense. You know, as soon as a patch comes out, again, even with the frameworks that the hacking community has access to, it takes them no time to produce the ability to circumvent that patch.  

So, what's Nirvana? I mean, I have been around this man now for many, many years and you just constantly drive for how to improve the platform. So you've hit on a couple of points, but what's on the roadmap? Where are you going? Where's the product team going?

 

Shahin Pirooz: So Nirvana is that full loop management, which is discover it, identify it, create the change control for it, and create the ability to close it with agents and have the end customer, partner, be able to push an approval button and initiate the correction.  

And those corrections might not always be a patch because as you often know, if you've been in the IT space, sometimes there is no patch from the manufacturer. So there has to be a workaround. And so those closures might be a workaround solution in place and articulating that just like any—change management boards go from being a weekly or monthly thing to being a continuous let the board see the recommendations and solution and have 1 or 2 people who are approving it and that patch goes into production. And ideally, customers have a dev stage and production environment so they can test in each of those layers.  

But the nirvana is that closed loop, find it, give a recommendation for a solution, have the capability to close the gap and approval for that closure.

 

Brian Moody: So, you know, it seems like we talk about MITRE CVEs and common vulnerabilities. Everybody always produces the vulnerabilities. But what I'm hearing you say is we've got to move away from the vulnerability testing to exploit management.

 

Shahin Pirooz: We do. And it has to be— what's missing in the SIEM world, what's missing in the vulnerability world is—what are the paths to exploitation? So determining how people will exploit something and protecting those paths is that layered security approach, but also being able to create remediations that block those paths is an answer to those vulnerabilities or exploits that don't have a fix today.  

Brian Moody: But it's understanding what exploits we have in our environment today. I mean, back to my point earlier. I got a vulnerability report, but what does that really mean? And so I think one of the important pieces that you talked about of our ESPM capability is, is we don't just come back and give you a list of vulnerabilities. We'll give you that list of vulnerabilities. But what we're doing is we are understanding that we can exploit a portion of those vulnerabilities in your environment. So we understand what's exploitable.  

So where are you going to focus the time of your team, right? Because time's our most important piece, right? And how quickly we can respond. So what exploits do we prioritize to shut down immediately versus say we have a vulnerability, but it might not be exploitable at the moment. Well, Mythos might say that it's exploitable. So I think the shift really is to now is exploit management and where you prioritize your team.  

Shahin Pirooz: 100%.

 

Brian Moody: So that's the takeaway from a standpoint of the challenge. As you said, it's whack-a-mole. There's no endgame. And I think that is going to continue to be the case with cybersecurity; it just is constantly evolving daily. And I think, in the last multiple years, we've moved into a whole different universe from a standpoint of how we're keeping the enterprise secure capabilities that we have at our fingertips to do it.

 

Shahin Pirooz: Three things have really shifted. The generative AI models allowed people to do things they'd never done before by being able to have a conversation with something whose database is the web.  

The agentic outcomes that have come out have allowed people to build the things that they're having conversations about. So now we have a lot of people who are not developers who are doing vibe coding and creating applications and stacks that they're selling to customers as an enterprise solution. And they are not enterprise solutions. They have not gone through proper vetting and testing and QA to make sure there's no holes in it.  

And people are operating their businesses on these platforms which have even more exploits—and these are not, like we're not talking about these are zero-day exploits. These are platforms that have created bugs because they have paths that are open that shouldn't be open. Mostly, it's because of the hallucination and sycophancy that I talked about that creates these open paths.  

As a consumer of technology, we now have to be even more careful. Are we talking to a professional firm who is a software development firm? Or is this somebody who figured out how to use Claude code and develop a vibe application that has no proper QA or testing or anything?

 

Brian Moody: So like we always do, we'll have a data sheet or component that you guys will be able to take away, that you guys will be able to grab at the end of the conversation. We'll make sure we'll get a link out to you. You can always reach out to us at any time. We'd love to have this conversation. But I think the challenge continues to—I wouldn't say become impossible, but a substantial challenge.

 

Shahin Pirooz: Yeah, we'd love to talk to you about how we address this exploit management approach and how we've done that for years.

 

Brian Moody: And move to exploit management from purely vulnerability management. Well, thank you for joining us today. Again, we would love to chat with you. If you have any questions or concerns, love to talk about how we can help.

Let's talk!

We’ve Got a Shared Goal, To Secure Your Customers