Mythos, MOAK, CTEM and the End of CVE Chasing

  • What: Discussion on new AI models and their security implications
  • Impact: Security professionals and researchers

A few weeks ago the world was exposed to Mythos, Anthropic's new frontier model, and the Project Glasswing announcement that came with it. The reaction across the industry was immediate. Cybersecurity stocks fell sharply. The Treasury Secretary convened an emergency meeting with major bank CEOs. 250 CISOs produced a response playbook over a single weekend. (Sources: CNBC, Bloomberg, Investing.com)

That is not a typical announcement or a PR "leak". That is a reckoning.

Then, about a week later, I came across MOAK. If Mythos is the earthquake, MOAK, for me, was the aftershock that shows the ground has already shifted. Built by security researchers Yair Saban and Niv Hoffman, MOAK (Mother of All KEVs) is a proof of concept that demonstrates something most people weren't ready to hear: you don't need Mythos to have a serious problem. Using publicly available models, including Claude Opus 4.6 and GPT 5.4, it shows that agentic workflows can already autonomously exploit known vulnerabilities with no human in the loop. No special access needed. No frontier model required.

In this post I want to talk about what both of these things are actually telling us, and why I think the industry is at risk of drawing the wrong conclusion.

The End of CVE Chasing

The instinctive reaction to Mythos is: we need to patch faster. That instinct is understandable. It is also exactly the wrong frame. Security teams have spent years organizing around a model that goes: wait for a CVE, score its severity, add it to the queue, remediate in priority order. It is rational given the volume of disclosures. But it assumes defenders have time to react. According to Google Mandiant, average time-to-exploit dropped from 63 days in 2018 to just 5 days in 2023. As alarming as that is, things are much worse for high-profile vulnerabilities, where the time between disclosure and active exploitation is measured in hours. And this is exactly the issue. The math just doesn't work anymore. The patch cycle was never built for a window of a few hours, and it cannot be retrofitted for one.

This is not to say that "patching is dead." Such dramatic proclamations have a poor track record, and there is no need for me to add to it. What this is, is an argument about trajectory. As the exploit window narrows and the bar to exploitation drops, CVE remediation covers a shrinking fraction of actual risk. The practice is not irrelevant yet, but it will become less efficient with every passing month, and the direction is not reversing.

But the shrinking exploit window is only part of the story. The deeper issue is what CVE lists don't capture: dangerous misconfigurations, expired certificates, and shadow infrastructure that time forgot, but bad actors won't. A security program organized around CVE remediation ignores all of those and optimizes for a subset of actual risk. Mythos doesn't care about your subsets. Neither will any attacker.

Zero-Day Exploitation, Democratized

Developing a working zero-day exploit has always required serious resources: deep technical expertise, time, and access to private research. That kept the barrier high enough that, until recently, 53% of attributed zero-days came from nation-state actors. The remaining share came from well-funded commercial surveillance vendors and sophisticated criminal groups. The common thread: capability that most threat actors simply couldn't reach. That barrier is gone.

To understand what the new frontier looks like, the UK's AI Security Institute independently evaluated Mythos. It became the first model to complete their 32-step corporate network attack simulation end-to-end. The AISI estimated the simulation would take a human professional 20 hours. Mythos completed it autonomously. (Source: AISI)

Mythos made the scale of this visible. But the MOAK research makes it actionable. Claude Opus 4.6 and GPT 5.4, models available to anyone with an API key today, already show autonomous exploitation rates of around 80% against real-world KEVs. (Source: MOAK)

So what does it mean? It means that the capability Anthropic is trying to contain in Mythos already exists in the open market. Good news everyone, zero-day exploitation has been democratized.

Beyond CVEs

If CVE chasing is the wrong model, what replaces it? Start with a different question. Not "what vulnerabilities do we need to patch?" but "what can actually be used against us right now?" This is the question attackers ask. It is the logic agentic AI follows. A CVE without external reachability is theoretical and largely irrelevant. Real risk is the intersection of what you expose, what is reachable from the outside, and what is actually exploitable. Mythos and MOAK don't consult your patch queue. They find what is reachable, confirm what is exploitable, and move in.

Defenders have had many wake-up calls to look beyond CVE scores. This might be the final warning. The attack surface that matters includes misconfigurations, expired certificates, services with default credenti...
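The prioritisation the "Beyond CVEs" section argues for can be made concrete with a small ranking pass that scores findings by reachability and exploitability instead of CVSS alone. The following is an added example, not code from the article or from the MOAK or Mythos projects; the weights in KIND_BASE and exploitability() are assumptions chosen for illustration, and the inventory, hostnames and CVE identifiers are constructed placeholders.

```python
"""Exposure-based prioritisation of findings (added example, constructed data).

Ranks findings the way the article says attackers reason: a finding that is not
reachable from outside scores zero regardless of severity, and exploitability
(known-exploited, default credentials, confirmed in an authorised test) weighs
more than the CVSS base score.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str                         # "cve", "default_creds", "expired_cert", "misconfig"
    detail: str
    cvss: float = 0.0                 # CVSS base score; only used for kind == "cve"
    internet_reachable: bool = False  # confirmed by external attack-surface scan
    in_kev: bool = False              # listed in CISA's Known Exploited Vulnerabilities catalog
    exploit_confirmed: bool = False   # exploitability validated in an authorised test


# Weights are assumptions for this example, not a published standard.
KIND_BASE = {
    "default_creds": 0.9,  # trivially usable, no exploit development needed
    "misconfig": 0.6,
    "expired_cert": 0.4,   # mostly an enabler for interception or phishing
}


def exploitability(f: Finding) -> float:
    """Estimate how usable the finding is right now, on a 0..1 scale."""
    if f.exploit_confirmed:
        return 1.0
    if f.kind == "cve":
        # Known-exploited CVEs get near-maximum weight; CVEs without known
        # exploitation are discounted heavily even with a high CVSS score.
        return 0.95 if f.in_kev else 0.3 * (f.cvss / 10.0)
    return KIND_BASE.get(f.kind, 0.2)


def exposure_score(f: Finding) -> float:
    """Score = reachability gate x exploitability; unreachable findings are 0."""
    if not f.internet_reachable:
        return 0.0
    return round(exploitability(f), 3)


def prioritise(findings):
    """Order findings by exposure score, highest first (stable for ties)."""
    return sorted(findings, key=exposure_score, reverse=True)


def cvss_order(findings):
    """The traditional queue: CVSS descending, for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample inventory; hostnames and CVE ids are placeholders.
INVENTORY = [
    Finding("db-internal-01", "cve", "CVE-0000-0001 (placeholder)", cvss=9.8),
    Finding("vpn-edge-01", "cve", "CVE-0000-0002 (placeholder)", cvss=7.5,
            internet_reachable=True, in_kev=True),
    Finding("cam-legacy-03", "default_creds", "vendor default admin password",
            internet_reachable=True),
    Finding("www-staging-02", "expired_cert", "TLS certificate expired 90 days ago",
            internet_reachable=True),
    Finding("app-internal-07", "cve", "CVE-0000-0003 (placeholder)", cvss=8.1,
            internet_reachable=False, in_kev=True),
]


if __name__ == "__main__":
    print("CVSS queue:     ", [f.host for f in cvss_order(INVENTORY)])
    print("Exposure queue: ", [(f.host, exposure_score(f)) for f in prioritise(INVENTORY)])
```

Run as-is, the CVSS queue puts the unreachable 9.8 on db-internal-01 first, while the exposure queue puts the internet-facing KEV on vpn-edge-01 and the camera with default credentials ahead of it and gives the internal-only CVEs a score of zero for this pass. The reachability gate is deliberately binary here; a real CTEM pipeline would feed it from an external scan and re-run it continuously rather than once.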
