Zscaler Blog
Exposure Management After Mythos: 4 Urgent Changes Security Leaders Must Make Now
The National Vulnerability Database (NVD) grew by nearly 50,000 CVEs in 2025, and every year sees more “high” or “critical” CVEs than the year before. When Anthropic disclosed that Claude Mythos could unearth decades-old vulnerabilities in major web browsers and operating systems considered particularly hardened – and exploit them in minutes – an already overwhelming risk landscape became exponentially more daunting.
Mythos and Glasswing Show Why Today’s Exposure Management Approaches Will Fail Us
Claude Mythos is hardly the first model capable of discovering CVEs and generating exploits, but unlike its predecessors, it demonstrates autonomous exploitability at scale. As CSA cited in its recent strategy briefing, Anthropic showed that Claude Mythos generated 181 working exploits on Firefox, whereas Claude Opus 4.6 created only two under the same conditions.
Mythos can also chain vulnerabilities together into a single exploit path, expanding the risk associated with previously minor CVEs.
At the same time, initiatives like Project Glasswing aim to grant trusted access to critical infrastructure providers, industry partners like Zscaler, and open source maintainers in an effort to discover and remediate vulnerabilities in popular products. The security advantages are, of course, time-limited to the early access period. During that period, security teams should expect a massive influx of disclosed CVEs, along with their patches – piling onto an already overwhelming queue of vulnerability findings.
Proactive security is evolving in real time, and no one has all of the answers yet. But security leaders have four concrete actions to take now to meet the new challenges.
1 – Adjust Your Definition of Exploitability
In a post-Mythos world, you must distinguish between generic exploitability and exploitability in your specific environment. As the number of disclosed CVEs and proof-of-concept exploits increases dramatically, security teams will be overwhelmed if they rely on generic, static scoring and “theoretical exploitability.”
Whether you apply agentic, analyst-driven, or a combination approach to risk mitigation, you must first identify which vulnerabilities are exploitable in your environment, mapped against your controls.
Historically, security teams have correlated risk signals and mitigating controls manually, usually in spreadsheets, because they could not achieve holistic assessment and contextualization across a diverse set of tools. Today, teams have no time for manual, resource-intensive analysis of risk severity.
Before graduating to agentic exposure management or machine-speed response, security leaders must lay the foundation with a program that automatically contextualizes risk in the following ways:
- Account for mitigating controls, de-prioritizing findings where attack paths are blocked (e.g., vulnerabilities mitigated by zero trust policies or located where an attacker cannot reach them)
- Correlate with real-time SOC alerts to diagnose root causes and block threats
- Deploy custom risk scoring models that provide security leadership with complete control of the methodology
- Apply threat signals to elevate low- or medium-priority findings that attackers might chain together
It has never been more critical to stop chasing false criticals. Vulnerability management teams must begin their work with a complete understanding of critical exposures, or they will be buried by an avalanche of “exploitable” findings on the horizon.
2 – Fight AI with AI: Neutralizing Risk at Machine Speed
Vulnerability management has often focused on process as the means to improve efficiency. Triage fixes faster. Schedule patch jobs sooner. Scan. Patch. Confirm. Repeat.
The gap between AI-led exploitation and human-led remediation can no longer be closed with more efficient patching workflows. Critical gaps cannot wait for maintenance windows in the post-Mythos world. When attackers move at machine speed, security teams must neutralize risk at machine speed, which requires a larger toolkit of responses and critical thought about how to deploy them responsibly.
Teams have understandably been hesitant to apply autonomous actions in exposure management. One wrong patch can cause a business outage that does as much damage as a breach. Attackers don’t worry about tapping automation because they don’t suffer consequences for mistakes – they simply don’t succeed in their attack.
Defensive AI can assist with foundational parts of your exposure management program like data mapping and contextual analysis without putting business operations at risk. It can also analyze your environment to suggest fixes and keep a human in the loop to confirm. It’s also time to start thinking about which tools in your response toolkit could be leveraged in agentic workflows – or at the very least, automated response playbooks.
Here’s a starting point. Are the following response actions available in your exposure management program today?
- Deploy patchless configuration changes
- Isolate assets
- Restrict network or application access
- Close ports
- Suspend logins
- Require re-authentication
- Validate controls
From Priority Action #11 in its most recent strategy briefing, CSA recommends “building automated response capabilities” within the next 90 days that are “systemic and, to the degree possible, autonomous,” specifically citing response playbooks that execute at machine speed. While playbooks are often applied to incident response, they should be leveraged in proactive risk reduction to avoid over-reliance on patches and upgrades that may not be available upon proof of exploit.
3 – Reduce Your Attack Surface with Zero Trust
Mythos showed faster and more diversified attacks that can chain together vulnerabilities before threat intelligence can catch up. In an AI-driven landscape, the best way to harden security posture and avoid compromise is to make services undiscoverable.
A Zero Trust architecture makes invisibility a primary security control. By decoupling applications from the network and removing them from the public internet, organizations effectively eliminate the "reachable" attack surface. In this new era, the most effective response to a vulnerability isn't a faster patch—it is ensuring the vulnerable asset "goes dark" to the attacker. Zero Trust isn’t just an access model; it is an architectural shield that buys the one thing humans cannot manufacture: time.
Security leaders should enforce segmentation and Zero Trust, and of course, account for their controls in risk scoring models to block out as much noise as possible.
4 – Converge Your Exposure and Threat Management Programs
The future of security is not found in siloed tools or better scanners but in a converged platform where Exposure Management and Threat Management function as one.
This approach replaces periodic, isolated assessments with a continuous model where every exposure is constantly evaluated against known vulnerabilities, active SOC alerts, and live telemetry to determine true reachability. For example, a zero-day vulnerability on an asset protected by an Intrusion Prevention System (IPS) should be treated with far less urgency than the same finding on an asset with no IPS and an active critical threat signal.
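The contextualization rules listed under section 1 (mitigating controls, threat signals, chainable low findings) and the IPS comparison just above come together in this added Python scorer. It is illustrative code written for this article, not Zscaler's product logic; the CVE ids are placeholders, and the control names, weights and thresholds are assumed values a custom scoring model would let you tune.

```python
from dataclasses import dataclass, field

@dataclass
class Finding:
    cve: str                 # placeholder ids below, not real CVEs
    asset: str
    base_score: float        # generic severity (CVSS-style, 0-10)
    internet_facing: bool
    controls: set = field(default_factory=set)        # mitigating controls on the asset
    threat_signals: set = field(default_factory=set)  # live SOC / telemetry signals
# Assumed weights: a custom scoring model would expose these to security leadership.
CONTROL_FACTORS = {"zero_trust_hidden": 0.1, "ips": 0.4, "segmented": 0.6}
SIGNAL_BOOST = {"active_exploitation_alert": 3.0, "public_poc": 1.0}
CHAIN_FLOOR = 7.0  # a low finding that sits on a known attack chain is lifted to this

def contextual_score(f: Finding, chained_cves: frozenset = frozenset()) -> float:
    """Environment-specific priority instead of the generic base score."""
    score = f.base_score
    # Mitigating controls: the strongest blocking control decides the reduction.
    if f.controls:
        score *= min(CONTROL_FACTORS.get(c, 1.0) for c in f.controls)
    # Not reachable from the internet and no live signal: attack path is harder.
    if not f.internet_facing and not f.threat_signals:
        score *= 0.7
    # Threat signals elevate the finding regardless of its static severity.
    score += sum(SIGNAL_BOOST.get(s, 0.0) for s in f.threat_signals)
    # Findings an attacker could chain together get a minimum priority.
    if f.cve in chained_cves:
        score = max(score, CHAIN_FLOOR)
    return round(min(score, 10.0), 1)

def prioritize(findings, chained_cves=frozenset()):
    """Return (cve, contextual score) pairs, highest priority first."""
    scored = [(f.cve, contextual_score(f, chained_cves)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed sample: same or lower base scores, very different contextual priority.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-1", "app-hidden", 9.8, True, {"zero_trust_hidden"}),
    Finding("CVE-EXAMPLE-2", "web-ips", 9.8, True, {"ips"}),
    Finding("CVE-EXAMPLE-3", "web-open", 9.8, True, set(), {"active_exploitation_alert"}),
    Finding("CVE-EXAMPLE-4", "web-open", 4.3, True),
]
# Assume the SOC has flagged EXAMPLE-3 and EXAMPLE-4 as links of one exploit chain.
SAMPLE_CHAIN = frozenset({"CVE-EXAMPLE-3", "CVE-EXAMPLE-4"})
```

Calling `prioritize(SAMPLE_FINDINGS, SAMPLE_CHAIN)` ranks the actively exploited 9.8 first, lifts the chained 4.3 above the IPS-covered 9.8, and drops the zero-trust-hidden 9.8 to the bottom.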
This convergence enables a more resilient architecture that automatically hardens itself, closing the gap between discovery and defense while ensuring the attack surface remains as small as possible with a Zero Trust architecture.
Zscaler’s Commitment to Advancing AI Capabilities for Defenders
We can help you take action on these four urgent changes you need to make.
1 - Adjust your definition of exploitability
As AI models exponentially increase the volume of “theoretically exploitable” CVEs, it is imperative that security teams understand how vulnerability findings and potential attack paths map to their mitigating controls. With customizable risk scoring models and a unique view of your ZIA/ZPA protections, Zscaler Exposure Management is uniquely positioned to understand what’s truly exploitable in your environment.
2 - Fight AI with AI: Neutralize at machine speed
Expand the breadth of response capabilities available to your exposure management program, including mitigating controls and playbooks that move beyond patching. Part of Zscaler’s commitment to SecOps includes building the response playbooks to mitigate risk and close attack paths at machine speed upon discovery of a critical exposure – even if no patch is available.
3 - Reduce your attack surface with zero trust
Threat actors can’t attack what they can’t see. Zscaler hides apps, locations, and devices from the internet, minimizing the attack surface. Zscaler ensures your Zero Trust protections are accounted for automatically in your exposure prioritization. As a result, teams stop spending valuable time chasing fixes to findings that are already mitigated – instead focusing on what’s truly exploitable.
4 - Converge your exposure and threat management programs
By analyzing real-time data from ZIA/ZPA alerts and logs, Zscaler helps customers move beyond theoretical risk to validate the actual security posture of an asset. We no longer just identify a flaw; we determine if that application is visible to a threat actor or if it is currently being exploited based on live event data.
Through our participation in Project Glasswing and our partnership with OpenAI, we are better positioned to provide customers with a clear understanding of how AI-driven discovery impacts their specific environments. These collaborations allow us to help organizations prioritize their most critical exposures based on the exploit-chain reasoning and discovery patterns used by frontier AI.
By integrating these insights, the Zero Trust Exchange enables customers to immediately reduce their attack surface by making vulnerable applications invisible to the public internet. This ensures that even if a flaw is discovered, it remains unreachable and unexploitable by external threats.
Zscaler Exposure Management uses this intelligence to prioritize the highest-risk vulnerabilities and facilitate closed-loop remediation through automated mitigating controls. This functional approach provides security teams with the time and visibility needed to secure their environment at the speed of modern discovery, providing a path forward in the post-Mythos era.