AI is changing the speed and scale of vulnerability discovery. With Anthropic’s Claude Mythos showing how quickly AI can uncover vulnerabilities and zero days, product security teams are facing a new reality: the time between finding a vulnerability and turning it into an exploit is shrinking, while the number of vulnerabilities teams need to evaluate is rising significantly.
We asked RunSafe Security leaders Joe Saunders, Shane Fry, and Doug Britton to share their take on what Claude Mythos and AI in general mean for embedded product security teams, why patch-only strategies are becoming harder to sustain, and how organizations can start preparing for an AI-driven surge in vulnerability discovery.
What Should Security Leaders Do Differently After Seeing Claude Mythos?
If AI is accelerating vulnerability discovery, what should product security teams be preparing for?
For Joe Saunders, CEO and Founder of RunSafe Security, Claude Mythos is a signal that security leaders need to prepare for a faster vulnerability cycle. AI is helping identify vulnerabilities that humans previously missed, and it is also shrinking the window between discovery and exploit development.
“The window between identifying vulnerabilities and writing exploits has also then decreased tremendously,” Joe said. “It used to be [that] it could take months and now it could take days or hours or minutes.”
That creates a real challenge for product security teams, especially in sectors such as aerospace and defense, energy, industrial automation, medical devices, and transportation. These organizations already have to protect complex software while maintaining compliance with requirements such as the EU Cyber Resilience Act and FDA cybersecurity expectations. If AI drives a surge in vulnerability disclosures, the pressure on those programs will only grow.
Joe’s advice is to avoid treating this as a patching problem alone. Teams still need to scan their software, assess reachability and exploitability, and prioritize what matters most. But they also need to add protections that reduce exposure to entire categories of risk.
“It does not make sense for an organization to chase every vulnerability that AI adopts and try to keep pace,” Joe said. “They will consistently fail and fall behind, not only putting their systems at risk, but also falling out of compliance. A better approach for every organization is to add security into their software that eliminates classes of vulnerabilities.”
The Takeaway: Product security teams should use Mythos as a warning to get more proactive. The goal is not just to respond faster, but to make software harder to exploit before the next wave of AI-discovered vulnerabilities arrives.
What Challenges Does Mythos Create for Embedded Software Teams?
What challenges does Claude Mythos pose for embedded security teams, and what should they do next?
Shane Fry, Chief Technology Officer at RunSafe Security, sees Mythos as especially important for embedded software teams because modern devices rely on complex software supply chains. Open source components such as OpenSSL, Curl, crypto libraries, RTOS-related code, Yocto, Zephyr, and Linux often sit deep inside embedded products.
“There’s a lot of open source in the embedded ecosystem,” Shane said.
That matters because embedded systems are difficult to update once they are deployed. Even when a patch exists, it can take months for device manufacturers to test, validate, and deliver updates to the field. As AI tools identify more vulnerabilities in both open source and proprietary code, teams will face more pressure to triage issues while still shipping features, bug fixes, and performance improvements.
For Shane, the answer starts with secure software development lifecycle fundamentals, but it cannot stop there. Code review, security review, and better development practices are important, but they still often focus on finding and fixing individual issues.
“Device manufacturers really need to look at how they can take whole classes of vulnerabilities off the table,” Shane said.
That means looking for protections that reduce broad categories of risk, from web application issues such as SQL injection and cross-site scripting to memory safety vulnerabilities in lower-level embedded code.
The Takeaway: Embedded teams need to prepare for more vulnerability noise, more triage pressure, and more difficult patch decisions. The teams that fare best will be the ones that combine secure development practices with protections that work across whole classes of vulnerabilities.
Is Patching Still Viable at AI Scale?
If attackers can find and weaponize vulnerabilities faster, how should defenders respond?
Doug Britton, EVP and Chief Strategy Officer at RunSafe Security, explained that patching alone cannot keep up with the scale of vulnerability discovery Mythos represents.
Doug described the previous balance between attackers and defenders as a kind of detente. Vulnerabilities and zero days would appear, security teams would be stretched thin, and organizations would work to get critical patches deployed. But Mythos changes that balance by increasing both the number of vulnerabilities discovered and the speed at which they can be weaponized.
“The Mythos insights blow that completely out of the water,” Doug said. “It’s not going to be like a five percent increase in the rate of bugs and patches being deployed. It’s going to be a 10x, 20x, or more increase.”
Doug also warned that the time between discovery and weaponization is narrowing from months to hours, while the skill required to create exploits is dropping.
“The volume of patches is going to completely overwhelm security teams,” Doug said.
For Doug, this is an economic shift as much as a technical one. If attackers can find and weaponize vulnerabilities faster than defenders can test and deploy patches, security teams need strategies that do not depend on chasing every new bug after it appears.
The Takeaway: Patching remains necessary, but it cannot be the only line of defense. At AI scale, defenders need proactive ways to reduce exploitable risk.
Product Security Needs to Move Beyond Patch-Only Thinking
Claude Mythos is a signal of where product security is heading. AI is making it easier to find vulnerabilities, shortening the time it takes to develop exploits, and increasing pressure on teams responsible for embedded and mission-critical systems.
Joe Saunders emphasized that security leaders need to prepare for a world where AI accelerates both vulnerability discovery and exploit creation. Shane Fry explained why embedded software teams face added complexity due to open-source dependencies, slow patch cycles, and difficult device update processes. Doug Britton warned that the scale and speed of AI-driven vulnerability discovery could overwhelm patch-based security programs.
Together, their message is that organizations still need to scan, assess, prioritize, and patch. But they also need to move beyond a patch-only mindset.
That means identifying vulnerabilities earlier, understanding which risks are reachable and exploitable, and adding protections that can mitigate entire classes of vulnerabilities before attackers can weaponize them.
For embedded product security teams, the goal is not simply to keep up with Mythos or the next AI vulnerability discovery tool. Instead, the goal is to build software that is more resilient by design, harder to exploit, and better prepared for the speed of AI-driven vulnerability discovery and exploitation.
For more on Claude Mythos, download our white paper: The Post-Mythos Security Model: Vulnerability Management in the AI Age.




