AI models have crossed a threshold: they are now competitive with the best human offensive security researchers at finding and exploiting software vulnerabilities.
AI models have crossed a threshold that security professionals have been debating for years: they are now competitive with the best human offensive security researchers at finding and exploiting software vulnerabilities. Claude Mythos, Anthropic's withheld frontier model, reportedly discovered weaknesses that had survived decades of human code review and millions of automated tests. The industry is divided on what this means — but the division itself reflects how fast the situation has changed.
What "matching human hackers" actually means
Finding software vulnerabilities requires a combination of skills that were, until recently, assumed to require human intuition: understanding how code is supposed to work, recognizing subtle deviations from expected behavior, reasoning about how multiple systems interact, and constructing inputs that force a system into an unintended state.
Top-tier offensive security researchers — sometimes called "vulnerability researchers" or, in the context of authorized testing, "ethical hackers" — can find these flaws where automated tools fail. The best ones find vulnerabilities in systems that have been reviewed by thousands of people and run on billions of devices.
According to NBC News, Claude Mythos found weaknesses that had survived that kind of scrutiny. That is not an incremental improvement over previous AI security tools. It is a qualitative change.
The defender-attacker asymmetry
Cybersecurity professionals are debating whether this development permanently advantages attackers over defenders. The core argument:
The attacker's case: Finding a vulnerability requires discovering it once. Defending against it requires finding it before attackers do, then patching every affected system, then verifying the patches, then monitoring for exploitation of any systems that weren't patched in time. If AI dramatically lowers the cost and skill required to find vulnerabilities, the number of exploitable flaws actively being hunted goes up — while defenders are still working through the previous backlog.
The defender's counter-argument: The same AI capability that finds vulnerabilities can be used to find and patch them faster. Project Glasswing is the first large-scale test of this thesis: Anthropic is using Mythos's offensive capability defensively, giving big tech companies early access to patch what it found. If that works — if patches can be deployed faster than exploitation — AI may ultimately benefit defenders more than attackers.
Why security professionals are divided
The disagreement is not about whether Mythos is capable. It is about the economics of scale. A single defensive program like Glasswing covers a defined set of systems with a defined set of partners. But Mythos's capability — or something similar — will eventually be available more broadly. When that happens:
- Defenders need to protect every system, all the time
- Attackers need to find one exploitable vulnerability, once
That asymmetry has always existed in security. AI amplifies it, potentially by a large factor.
The "vulnpocalypse" framing
Some security researchers have begun using the term "vulnpocalypse" to describe a scenario where AI dramatically increases the number of known exploitable vulnerabilities faster than the industry can patch them — creating a sustained period of elevated systemic risk. The term is hyperbolic; it is also a signal that professionals who track these threats are taking the capability shift seriously.
The concern is not that AI will make every system instantly hackable. It is that the marginal cost of finding vulnerabilities will drop so sharply that the volume of active exploitation attempts increases beyond what defenders can monitor and respond to with existing tooling and staff.
What organizations should do now
If you run systems that could be targeted:
- Patch aggressively and immediately. The window between disclosure and exploitation is shrinking. Any vulnerability with a public patch should be treated as actively exploited until proven otherwise.
- Prioritize asset inventory. You cannot defend systems you don't know you have. AI-powered attackers are increasingly good at finding exposed infrastructure that organizations have lost track of.
- Watch for Glasswing-related patches. Over the coming weeks, major vendors may release patches for obscure or deep vulnerabilities without detailed attribution. Apply them.
What to watch
The first test of whether Glasswing works is whether any of the vulnerabilities Mythos identified show up in active exploitation before patches are deployed. Watch major security incident reporting — particularly from financial institutions, which US regulators flagged as a specific concern — for unusual activity over the next 30 to 60 days.
Source: NBC News