“Trying to chase one bug at a time” isn’t a cybersecurity strategy, as anyone who has tried to keep up with patch cycles can tell you.
Recently, Joe Saunders and Doug Britton joined Paul Ducklin on Exploited: The Cyber Truth for a conversation on what Claude Mythos and AI-driven vulnerability discovery mean for the future of cybersecurity. As AI accelerates the discovery and weaponization of software vulnerabilities, organizations can no longer rely on testing, scanning, and patching alone to defend critical systems.
“What product managers have previously relied on as a layer of security…is that exploitation of vulnerabilities is harder,” Britton said. “It wasn’t a valid assertion originally, but it is demonstrably less valid now.”
AI lowers the barrier to entry. It can help identify vulnerabilities, accelerate exploit development, and package knowledge that once required specialized expertise. In critical infrastructure and national security environments, that acceleration matters.
AI Is Changing the Economics of Attack
Cybersecurity has always been shaped by economics. Attackers invest where the payoff is worth the effort. Defenders spend where risk is visible, urgent, and measurable. The side that can impose greater cost on the other gains leverage.
That is why the next phase of cybersecurity cannot be defined by incremental improvements to detection or patch response. It must be defined by disrupting the attacker’s return on investment.
Defenders need to “render an entire class of cyber weapon assets inert,” Britton said. Attackers do not lose much when one exploit fails. They lose far more when an entire category of exploit becomes unreliable.
AI makes that shift urgent. Vulnerabilities that remained hidden for years, even in heavily tested software, can now be surfaced faster. Exploits can be developed more quickly, and the cost of offensive experimentation is falling. Once exploitation knowledge exists, it can spread, be sold, or be automated.
Saunders captured the value of disrupting adversary economics this way: there is nothing better than an attacker spending “six months, 12 months planning for an attack” only to find that “their highly reliable exploit now fails.”
Critical Systems Cannot Be Patched at Machine Speed
The patching problem is especially severe in safety-critical and mission-critical systems, where embedded software security is vital.
A consumer app can often be updated quickly. A browser can ship emergency fixes, but aviation systems, industrial controllers, medical devices, automotive platforms, and energy infrastructure operate differently.
These environments depend on determinism. A valve must open when it is supposed to open. A flight control system must behave within certified parameters. A medical device must respond predictably. In real-time systems, dependable, repeatable behavior is the requirement.
That makes patching expensive, slow, and operationally sensitive.
In safety-certified spaces like aviation and automotive, Britton noted that a typical patch can take “a year and $1 million at the least.” It is the cost of ensuring that a change does not break a system where failure can have physical consequences.
AI changes the scale of the problem. A process built to handle a manageable number of vulnerabilities cannot withstand an exponential surge in discovered and weaponized flaws. No patching model built around long testing and certification cycles can keep pace with machine-speed vulnerability discovery.
For manufacturers, the dilemma is brutal: maintain compliance, protect customers, preserve system reliability, and support devices that may remain deployed for years or decades.
Discovery Is Not the Same as Defense
Software composition analysis, SBOMs, vulnerability scanning, and static analysis all have important roles. They help organizations understand what is inside their software and where risks may exist.
But visibility is not the same as mitigation.
A longer list of vulnerabilities does not automatically make software safer. It can slow teams down, distract from what matters, and create a false sense of progress.
Saunders pointed to one of the core weaknesses of static analysis: it can miss vulnerabilities while also producing false positives. In an AI-driven environment, teams need to know which issues are reachable, exploitable, and worth immediate action.
“If you can understand the extent of the vulnerabilities and whether an attacker can reach those vulnerabilities,” Saunders explained, teams can focus on “reachability” and “exploitability” rather than chasing every theoretical flaw.
Countering AI with AI Is Not Enough
The natural reaction to AI-enabled attacks is to deploy defensive AI. That will be part of the future, but it cannot be the entire strategy.
An AI-versus-AI contest risks becoming an endless arms race. The side with the better model, better data, or better automation gains a temporary advantage until the other side catches up.
A more durable answer is asymmetric: counter AI with defenses that remove exploit value before AI can take advantage of it.
“You need to take some kind of asymmetric shift that counters AI with something that is not AI,” Saunders said.
That shift begins with the assumption that vulnerabilities will exist. Britton said: “We assume everything’s vulnerable.” From that premise, the goal is not to know every bug before the attacker does. The goal is to make broad classes of attack fail even when vulnerabilities remain present.
Attackers may still find bugs, but if they cannot reliably weaponize them, the value of discovery drops.
The Future Belongs to Class Risk Reduction
AI has exposed the limits of one-bug-at-a-time security.
Patching will still matter. Testing will still matter. SBOMs, scanning, static analysis, and AI-assisted tools will still matter. But none of them can solve the problem alone, especially in systems where downtime is costly, certification is mandatory, and deterministic behavior is non-negotiable.
The next era of cybersecurity must focus on class risk reduction: removing entire categories of exploitability, reducing attacker reliability, and forcing adversaries to rebuild their assumptions from scratch.
Britton summarized the mindset defenders need: look at each step of the attack chain and “figure out how you can deprive them and make their job harder at each point.”
That is the future of resilience. Not more alerts. Not more patch queues. Not an endless AI arms race. The organizations best positioned for what comes next will be those that change the economics of attack before the attack arrives.
To hear the full conversation on Mythos, AI-driven vulnerability discovery, and why critical systems need a new model for resilience, watch or listen to the full episode of Exploited: The Cyber Truth.




