The security industry spent a good chunk of early 2026 debating whether Anthropic’s Mythos and OpenAI’s Daybreak are truly dangerous or just good marketing. It's a reasonable debate. But while we're having it, attackers are asking a different question: how do we use tools like this to move faster than defenders can respond?
AI is truly accelerating vulnerability discovery. In 2025, roughly 50,000 CVEs were published, up 22% from the year before, which is roughly 130 new vulnerabilities disclosed every single day. That volume is already pushing security teams past their limits. According to Tines' 2026 Voices of Security report, 76% of security professionals say they experience emotional exhaustion, reduced motivation, or mental fatigue frequently or occasionally.
And it's not just volume: Cloudflare's analysis of Mythos found that one of its more unsettling capabilities isn't finding high-severity vulnerabilities but instead chaining several low-severity findings together into a single, larger exploit. Which means security teams can no longer triage findings by severity in isolation. Every finding is potentially part of something bigger.
The window between disclosure and exploitation is collapsing fast. According to Mandiant's M-Trends 2026 report, the mean time to exploit a given vulnerability is now an estimated negative seven days, meaning exploitation is routinely occurring before a patch is even released. Mythos or no Mythos, that trend is only going in one direction.
The real problem was never discovery
Security teams have operated for years under backlogs of thousands of known vulnerabilities, incomplete patching cycles, and legacy systems that can't easily be modified. Adding more discovery speed to that situation doesn't actually help. It just makes the backlog worse.
And yet the industry instinct, when confronted with AI-accelerated attacks, is to reach for AI-accelerated defense. Fight AI with AI. Autonomous agents watching for threats, reasoning in real time, improvising responses.
I understand the appeal but it misdiagnoses the problem.
Approximately 60% of breached organizations had patches available for the exploited vulnerabilities at the time of compromise, according to Verizon's 2025 DBIR. The problem isn't that we don't know what's broken. The problem is the gap between knowing and acting, and that gap exists because production systems can't be taken offline at will, legacy infrastructure runs software that no longer receives updates, and change control processes introduce delays that attackers are happy to exploit.
What actually works
Imagine you're protecting a military base. You don't put your best defense strategist walking the perimeter at night, hoping to spot something unusual. You use that person to design the defenses: position the sensors, establish the checkpoints, define exactly what happens if a tripwire gets hit. And then you let those systems execute. Automatically, consistently, at machine speed, without waiting for a human decision in the moment.
Agentic AI role in the execution layer is for threats you haven't encountered before. If a pattern doesn't match anything in your playbooks, a deterministic workflow won't exist for it yet, meaning an agent working through the unknown is better than nothing. But the key word is "yet." Once an agent has worked through an unfamiliar scenario and figured out the right response, that shouldn't just run on repeat. Ideally, an agent can translate their behavior into a deterministic workflow that is reviewed by a human before deploying. This is faster, cheaper, and consistent every time. Agents are good at exploring the unknown, and deterministic workflows are how you lock in what you learn. Human judgment stays in the picture for oversight, decisions too consequential or too ambiguous to hand off to either.
There are more practical reasons for this approach as well. Agentic AI is really impressive, but it's probabilistic by nature. It reasons toward an answer, which means it can reason incorrectly. For frontline security operations, that's a major risk. The wrong containment decision at the wrong moment can quickly make things much, much worse. And then there's cost. Running reasoning models continuously across high-volume security workflows isn't cheap, and the economics get harder to justify when a well-designed deterministic workflow would execute the same response faster, more consistently, and for a fraction of the price.
AI belongs in the design layer. It should help security teams identify which vulnerabilities in their specific environment are genuinely exploitable, not just theoretically present. It should help generate and adapt response playbooks. It should help build more resilient systems from the start, with security reasoning embedded upstream rather than bolted on later.
But for anything you’ve seen before, which in a mature security operation should be most things, execution should be deterministic. When a threat starts moving laterally at 2am, you don't want a reasoning system evaluating its options. You want a workflow that was built for exactly this scenario, running instantly: segment, isolate, enrich, escalate, remediate. Before the attacker reaches anything critical. A reasoning system might get there eventually. A deterministic workflow is already done.
Intelligent workflows are purpose built for this environment, combining agentic, deterministic, and human-in-the-loop capabilities, each deployed where it brings the most value and/or the most speed.
What the Mythos story actually tells us
We got a useful data point on this recently. Mythos was run across curl, one of the most heavily audited codebases on the planet, installed on over twenty billion devices, and turned up one confirmed low-severity vulnerability. Daniel Stenberg, curl's lead developer, wrote about the experience, and his conclusion was that the hype outran the results.
The reason Mythos found relatively little in curl was not due to luck but instead due to years of deliberate defensive architecture: extensive fuzzing, careful memory safety practices, layered code review, multiple prior AI-assisted scans that had already cleaned up the easier findings. The model's own report noted that the defensive infrastructure "systematically closes the bug classes that would normally be productive in a codebase this size." The projects that held the line did it by building systems that reduced the exploitable surface in the first place, not by just hoping they'd detect and respond fast enough.
The same principle applies to operational defense. AI will keep getting better at finding vulnerabilities. Attackers will use those same capabilities. The organizations that come out ahead won't be the ones that tried to match AI-speed offense with AI-speed improvisation. They'll be the ones that use AI to design smarter, more deterministic defenses, and then let those defenses execute without waiting for a human in the loop.
See how teams are putting this approach into practice. Check out related Tines Stories on patch management, Tanium, Cases, and workflow-driven vulnerability response below.
Want to see how Tines can help you adapt? Book a demo today.
Streamline macOS software updates with self-service patch management and AI
Streamline the entire lifecycle of managing software updates for macOS operating systems. Using a self-service implementation of opting in and out of the patch management pilot group via Tines pages and a ring 0/ring1 approach to distributing macOS operating system updates. Updates are initially pushed to the pilot group for testing, and after a week, they are rolled out to the production group. This automation neatly balances user empowerment, system security and stability, and overall reduction of our company's attack surface.
Community author
Tyler Talaga at MyFitnessPal
Monitor and patch Tanium machines via Tines
Routinely check machines in Tanium to determine if they require patching. Raise cases in Tines for any machines found, with the option to trigger patching. Update the case with the patching status upon completion.
Get NPM package files from GitHub and check for vulnerabilities
Retrieve an NPM package.json file from a GitHub repository. Lookup the packages in GitHub's security advisory, and create issues in Shortcut for vulnerable packages.