Anthropic’s Mythos is now a boardroom concern. That’s an opportunity for security leaders to try and build out (funded!) programs able to respond to a dangerous pace of change. The time to act is now: Go.
That’s the view of respected CISOs and security leaders like Heather Adkins, Jen Easterly, Phil Venables, Rob Joyce and others in the new “Getting Mythos Ready” paper – which features some punchy advice on building layered defences for a world in which LLMs can spit out complex, functional exploit chains for attackers at machine-speed.
Some key points that jumped out to us in the 30-page report:
1) "When AI-accelerated vulnerability discovery increases the volume of exploitable findings, architectural segmentation becomes the primary control limiting blast radius." (Recall Brad Spengler's 2016 SSTIC talk: "Security will never be achieved through bug reduction." Amen.)
2) "Deploy canaries and honey tokens, layer behavioral monitoring, pre-authorize containment actions, and build response playbooks that execute at machine speed." (There is a lot to do here for most CISOs.)
3) “Without agents, most tasks on this [extensive] list will be untenable… [But] Agents are not covered by existing controls and introduce both cyber defense and agentic supply chain risks... Before deploying agents in or adjacent to production environments, define scope boundaries, blast-radius limits, escalation logic, and human override mechanisms. Do not wait for industry governance frameworks. Define your own now.”
4) "Long-term, there is no alternative to building a permanent Vulnerability Operations (VulnOps) function, staffed and automated like DevOps, but for autonomous vulnerability research and remediation." Boards and CFOs: You are still going to need plenty of good people.
Beware burnout...
On which note, the report rightly makes a critical point.
"You have a workforce already at capacity absorbing exponential increases in workload without corresponding investment in headcount, tooling, or wellbeing. Burnout and attrition in security functions represent a direct operational risk. Security team resilience... should be treated as a strategic priority with the same urgency as the technical challenges AI presents."
These are sobering times for cybersecurity professionals. A reminder that when things go wrong, it can be very costly indeed: whether you want to take the $1.6 billion example of Change Healthcare or the £136 million example of M&S, even opportunistic, commercially motivated, path-of-least-resistance-following ransomware groups can wreak tremendous havoc, and that's before thinking about critical IP loss et al.
A smattering of recent incidents and zero days below...
It hasn't hit CISA's KEV yet, but Adobe has now confirmed exploitation of a zero day in Acrobat and Reader, and allocated CVE-2026-34621. The exploit is... tricksy; not least for abusing an undocumented Adobe API, suggesting the attackers have either spent a lot of time reversing Adobe’s internal DLLs, had access to leaked source code, or potentially are a three-letter agency caught in the wild. Thoughts welcomed!