Select your country

Belgium

China

Denmark

France

Germany

Maghreb & West Africa

Netherlands

Norway

South Africa

Spain

Sweden

Switzerland

United Kingdom

Not finding what you are looking for, select your country from our regional selector:

Search

  1. Belgium
  2. Insights
  3. Blog
  4. Mythos AI raises the cyber tempo: 5 points of attention for organisations
| Blog

Mythos AI raises the cyber tempo: 5 points of attention for organisations

Managed Vulnerability Intelligence [watch] Managed Threat Intelligence [detect]

AI models like Mythos quickly find vulnerabilities, scale attack-path testing, and multiply signals for security teams. The challenge: can organisations rapidly evolve their cyber resilience? With these five key considerations, organisations can stay in control, even as AI raises the cyber tempo.

During the webinar ‘Mythos: understanding the phenomenon and its impact on your cybersecurity’, experts from Orange Cyberdefense discussed what this development means for organisations and which measures now deserve priority.

“What sets Mythos apart is not so much that it finds vulnerabilities, as an experienced researcher can do that too,” explains Sebastiaan de Vries, consulting & advisory lead at Orange Cyberdefense. “The difference lies in the scale and speed. A senior expert needs around twenty hours to work through a full attack chain. Mythos does the same work much faster, without breaks, and can try out a thousand variations simultaneously. That changes the conversation.”

This acceleration calls for a different approach to risk management. These five points of attention help organisations make that shift tangible:

1. Look beyond individual vulnerabilities

Mythos is not only about finding individual vulnerabilities. In a controlled test environment, the model was tasked with infiltrating a network and gradually escalating privileges. Mythos succeeded three out of ten times, a remarkably high success rate and a significant step forward compared with earlier models.

The test environment lacked an active SOC, no blue team intervention, and no monitoring capable of detecting unusual behaviour. A well-secured business environment looks different.

Still, the signal is important. AI connects technical steps more quickly, shortening the path from a weak spot to a usable attack path. AI can also lower the barrier for less experienced attackers, including in specialised environments such as OT. For organisations, this shifts the central question: which vulnerabilities form a realistic attack path in our environment? Previously, this question was mainly asked by large banks, but it is now relevant to many more organisations.

2. Make patch management risk-based

Many organisations already struggle to patch vulnerabilities quickly enough. New AI models increase that pressure. If Mythos or similar models expose more vulnerabilities, someone still has to test, plan and roll out all those patches.

A standard patching window of thirty days may be too slow for vulnerabilities that attackers can exploit quickly. At the same time, organisations cannot patch everything at once. Some updates require downtime, additional testing or coordination with the business.

Patch management, therefore, needs to become more risk-based. “It is no longer only about the vulnerability with the highest CVSS score, but about the vulnerability that creates the greatest risk in your environment. A lower-rated vulnerability can be more urgent if it can actually be exploited,” says De Vries. “Sources such as the CISA KEV catalogue can help with this.”

3. Speed up detection, but keep people in control

If attackers can test, scan and exploit faster, the number of signals on the defensive side also increases. SOC teams receive more alerts, more suspicious patterns and more incidents to assess.

This is where AI plays an important role. Security teams can use it to speed triage, summarise incident information, recognise patterns, and prioritise alerts. As a result, XDR, SIEM and SOC platforms will play a bigger role in processing volume.

Still, AI does not automatically solve the capacity problem. While an analyst with AI support can handle more cases per day, we expect the flow of signals to increase as well. Human expertise remains essential. “AI should support security teams, not replace them,” says De Vries. “People remain necessary to make the right judgment call, especially in processes where a mistake can have a major impact.”

4. Become a Pokémon trainer

Security teams that want to use AI face a choice: a generalist model that does everything, or a composed set of specialised agents that each perform a specific task. Practice points towards the second option. According to De Vries, we need to make security teams think like Pokémon trainers. “Not one all-powerful AI that does everything, but a carefully composed team of specialised agents, each good at a specific task.”

That applies to both attack and defence. Organisations that want to use AI for continuous red teaming, automated triage or vulnerability scanning would do well to determine, for each use case, which model or agent is the best fit. Human supervision remains the constant factor: AI can quickly go off track if the instructions are wrong or the context is missing.

5. Keep the basics in order and involve the board

The arrival of Mythos does not mean organisations can abandon their existing approach. A properly configured network with active monitoring can also stop a powerful AI model. In the test situations, Mythos had free rein precisely because there was no SOC or blue team present.

The basics remain the foundation: multi-factor authentication, sound patch management, up-to-date asset information, network segmentation, security monitoring, employee training, clear incident response processes and visibility across SaaS, cloud, IoT and OT. “Network segmentation and MFA ensure that an attacker, including an AI-driven attacker, needs more steps. That time is worth gold,” says De Vries.

Those basics also require decisions at the management level. This conversation, therefore, does not belong only with the CISO. Generative AI affects budget, risk acceptance, downtime, tooling, people and governance. Board members need to understand what the higher cyber tempo means for their organisation. A multi-year roadmap remains useful, but it is not enough on its own. Organisations also need to determine what changes are expected in the next 30, 45, and 90 days.

Mythos is mainly a signal

Mythos is probably not the endpoint. OpenAI, Google, and other AI labs are developing models with capabilities similar to or broader than theirs. The real question, then, is not what organisations should do about Mythos, but how they can adapt to the acceleration caused by AI.

The advice from the webinar is clear: think first, then act quickly. Map out which AI applications are relevant to your organisation. Strengthen the basics. Train security teams. Discuss the impact at the board level. And make sure patch management, detection and incident response can keep pace with the threat.

Watch the webinar on demand

Want to learn more about Mythos and the impact of generative AI on cybersecurity? Watch the webinar ‘Mythos: understanding the phenomenon and its impact on your cybersecurity’ on demand. Experts from Orange Cyberdefense discuss what Mythos is and is not, what it means for patch management, detection and incident response, and how organisations can prepare in practical terms.

Watch the webinar on demand

Share

24/7 incident hotline