Preparing the CTEM Program for AI-Accelerated Offense

A lot has been said and written in the past couple of days about the new Anthropic Mythos frontier model that promises to revolutionize the field of cyber security through its uncharted performance in finding and exploiting security vulnerabilities. Anthropic decided to release the new model to only a small group of cyber security companies through the “Project GlassWing” due to the concern that the attackers could use the same amazing AI security capabilities to craft their exploits against organizations around the world.

First off, the choice to disclose the new model to only a limited number of cyber security companies in the hope that they are going to use it and then spread the experience learned around is questionable. Much like “full disclosure” of vulnerabilities would benefit the entire industry and customers, limiting the number of companies that can “test-drive” the model will inevitably create a “two-speed” security agenda that is not benefiting the overall learning process.

Following the “Project Glasswing” press release, Anthropic released this interesting blog post about a defender roadmap to cope with a forthcoming flood of vulnerabilities coming out of an AI-accelerated vulnerability discovery. These are my comments on each security control recommendation.

1. As a first recommendation Anthropic recommends to “Close your patch gap”, which means substantially prioritize those vulnerabilities that are actively exploited in the wild (CISA KEV), those with an elevated threat-based risk score, reduce the MTTR SLA for Internet-exposed systems to the minimum and automate as much as possible patch deployment and system rebooting to minimize the patching time. All those recommendations make sense and should be part of a well balanced CTEM and VRM program. All those features are the cornerstone of NopSec CTEM and VRM Framework, including NopSec Threat-based vulnerability risk prioritization, asset value based on location (Internet-exposed) and connection to automated Patch deployment and ticketing systems.
2. Prepare to handle a much higher volume of vulnerability reports: With an increase of the capabilities of the frontier model, it is natural to expect a much higher volume of vulnerability reports and reported CVEs. This fact could put an organization’s vulnerability management program under extreme strain, without an automated and well-oiled CTEM and VRM processes. The era of managing vulnerabilities around a vulnerability scanner and a spreadsheet is over. The urgency calls for an automated vulnerability risk management program that also considers cloud and open source dependencies and third-party vendors. So no more spreadsheets and only manual processes, get into a modern and automated CTEM program framework like NopSec.
3. Find bugs before you ship them: prevention is always better than cure. Finding bugs as part of the CI/CD pipeline, through static and dynamic analysis, using on-prem vulnerability patching and cloud resources, through container image automation and software as code. Anthropic also talks about security code reviews using Vibe coding platforms, such as Cursor. Again consider a modern CTEM platform that has many integrations to bring under a unique umbrella many vulnerability types, such as infrastructure and cloud, container and bare metal, SAST and DAST, open source dependencies and more so that the correlation of threat and risk that can be calculated on a much broader spectrum.
4. Find the vulnerabilities already in your code: Scan for 0-day unfound vulnerabilities and CVE-based vulnerabilities for the assets with most value, where the code is legacy or EoL. So as in the NopSec Framework, prioritize the fix of vulnerabilities on assets of high value and where legacy code and OSes are.
5. Design for Breach: on the defender side, apply zero-trust authentication and authorization everywhere. From the CTEM standpoint, this means managing “attack paths” and “attack surface” appropriately, meaning exploitable vulnerabilities can be everywhere but network segmentation and other mitigating controls are the most important aspects in calculating an effective attack surface, meaning where an attacker can strike more effectively. The NopSec “Attack Path” feature helps the defenders visualize theoretical attack paths where vulnerabilities meet working/non-working mitigating controls – network segmentation, EDR, antivirus, AD IAM policies, and more.
6. Reduce and inventory what you expose: This means you cannot protect what you do not know to exist. So from the CASM standpoint, inventory all the Internet-exposed systems – even those that seem not exposed – to give them priority in the vulnerability prioritization process. Remove EoL and legacy systems and from the control standpoint default deny ingress firewall rules. Asset management features and attack path features are integral part of this CASM control system. Also, now NopSec has an Agentic AI Adversarial Emulation for the external attack surface. With this automated agentic AI system you can map the external attack surface and automatically verify exploitability of externally-facing systems and controls.
7. Shorten your incident response time: this is about putting investigation and forensic on overdrive. From the CTEM standpoint, NopSec can map every CVE with the corresponding MITRE ATT&CK procedures and techniques. This way for every exploit we are able to map the related lateral movement ATT&CK procedures and techniques coming along the attack chain.

As you can see the CTEM methodologies and frameworks have not changed with the advent of AI frontier systems. What makes a huge difference these days is to have modern, threat-, asset-value-, and attack-path-based vulnerability risk management systems replacing the do-it-yourself practice of relying on spreadsheets, manual processes, and raw threat intelligence feeds. Much like the NopSec CTEM and UVRM platform!