How AI-driven vulnerability discovery is changing the economics of software companies
For decades, the pace of software vulnerability discovery was fundamentally constrained by humans. Even widely used and heavily scrutinized systems such as operating systems, networking stacks, browsers, open-source libraries, and enterprise software routinely carried hidden vulnerabilities for years before discovery. Some flaws persisted not because the ecosystem lacked tools, but because of human bottlenecks.
The introduction of Anthropic’s Claude Mythos suggests that this dynamic may be beginning to change. Mythos is claimed to have an exceptional ability to discover vulnerabilities in operating systems, web browsers, and SaaS software at unprecedented scale.
Anthropic created Project Glasswing, an initiative that gives select tech partners controlled access to the unreleased, highly advanced model to secure critical global software infrastructure. The coalition includes companies such as AWS, Apple, Google, Microsoft, Nvidia, Cisco, and CrowdStrike.
Partners are using “Mythos Preview” through APIs and cloud platforms like AWS Bedrock to rapidly scan massive codebases. Participating organizations are expected to report findings and remediation learnings within 90 days, helping shape how cybersecurity practices evolve in the era of advanced AI.
Mythos reportedly identified:
These were not obscure hobby projects, but foundational components of modern software infrastructure that have undergone years of security review and analysis.
As organizations participating in the Mythos preview accelerate security scanning across vast pieces of legacy software, customers are increasingly being presented with a rapidly expanding stream of newly discovered vulnerabilities. Many are legitimate, some theoretical, and others buried within dependencies across operating systems, open-source libraries, middleware, SDKs, and third-party infrastructure.
This is creating a new operational reality for software vendors. Enterprises are no longer being asked to remediate only the vulnerabilities in code they directly wrote; they are increasingly expected to account for weaknesses embedded across the entire dependency stack their products inherit. In many cases, remediation remains dependent on upstream maintainers, infrastructure providers, or open-source communities operating on entirely different timelines.
Modern enterprises do not merely run their own software. They run a stack that has dependencies across other vendors, open-source libraries, Linux kernels, SDKs, containers, middleware, and legacy APIs. Enterprises inherit not only their own code risk, but the accumulated security debt of the entire dependency ecosystem.
Before frontier AI, vulnerability discovery progressed at a comparatively slow pace because it relied almost entirely on human expertise and manual effort. Security researchers had to painstakingly audit code, design tests, and reason through complex systems, which created a natural bottleneck due to limited time, attention, and specialized skill sets. As a result, many flaws remained undiscovered for extended periods of time.
Now with AI models like Mythos, vulnerability discovery has begun to scale far beyond traditional human limits. AI systems can, at computational scale, continuously analyze vast codebases, configurations, and binaries in parallel, dramatically increasing the volume and speed of discovery. Their ability to perform contextual reasoning across large and heterogeneous inputs/datasets also improves the quality of findings, enabling them to identify logic flaws and cross-component interactions that would be difficult for humans to track consistently. This enables AI to trace complex relationships across libraries and services to uncover inherited vulnerabilities that might otherwise go unnoticed. AI systems can enumerate exposed endpoints, interfaces, and misconfigurations across environments in real time, providing a more complete and continuously updated picture of potential entry points for exploitation.
While frontier models can continuously surface issues across massive codebases at computational speed, remediation still depends on human coordination: prioritization, patch development, regression testing, compliance review, deployment orchestration, customer communication, and dependency management across fragmented ecosystems (third-party libraries, SDKs, or open-source components).
The result is an emerging asymmetry between AI-scale vulnerability discovery and human-scale remediation. The bottleneck is no longer discovering vulnerabilities. It is absorbing them.
AI now introduces a new tax on software development: constant security remediation. As AI lowers the cost of vulnerability discovery toward zero, it imposes an expanding remediation tax across the software economy.
Constant remediation requires time, engineering allocation, compliance overhead, and vendor and ecosystem coordination, all of which create operational drag. This tax compounds: as findings keep increasing, prioritization complexity increases too. Enterprises cannot ignore alerts, and customers increasingly demand proof of remediation.
The issue is not whether the vulnerabilities are real. Many are. The issue is whether the software ecosystem possesses the operational capacity to absorb, prioritize, coordinate, and remediate discoveries arriving at AI scale.
Mythos has been shared as a preview with select companies. The companies with access to these models can now harden products earlier, improve their own trust posture, accelerate audits, and reduce liability risk, while identifying weaknesses across competitor ecosystems faster.
Meanwhile, the broader software ecosystem may face escalating customer scrutiny, growing remediation backlogs, and limited access to equivalent tooling.
This is especially significant since investors have already been spooked by the SaaSpocalypse and the possibility of reduced valuations of legacy software/SaaS companies due to AI-native upstarts and customers' in-house tools replacing SaaS vendors. Now, in addition to prioritizing their own AI transformation, these companies will be constantly bogged down by the security remediation tax as well.
The first wave of AI transformation was framed around productivity. But the next phase may be defined by organizational adaptability.
Frontier AI is increasing the rate of discovery, competition, and operational complexity faster than traditional software organizations can absorb.
AI-native companies attack from below with radically leaner operating models. Big tech concentrates frontier capabilities above. Meanwhile, enterprises face a growing remediation and governance burden across increasingly fragile dependency ecosystems.
In this environment, AI transformation is no longer optional modernization. It is organizational adaptation to an asymmetric world.
Companies are no longer going to be competing only on product velocity or moat; they will be competing on their ability to absorb, operationalize, defend against, and adapt to AI-scale change.
The defining advantage of the next decade may not be who builds the most AI features, but who develops the organizational capacity to continuously absorb AI-driven change.