When the time to fix vulnerabilities shrank from 771 days to less than 4 hours, Anthropic Mythos sounded the alarm for everyone.


The time buffer that has sustained the operation of the cybersecurity sector is disappearing. Bloomberg opinion columnist Parmy Olson points out that the window from public disclosure of software vulnerabilities to the emergence of usable attack tools has plummeted from an average of 771 days in 2018 to less than 4 hours today. The arrival of Anthropic’s latest AI model, Mythos, is bringing this crisis to the center of public attention. Its real warning isn’t aimed specifically at large banks; it is an urgent signal for the vast number of organizations with weaker defenses.

Anthropic has classified Mythos as “too dangerous to release,” a move that quickly set off a chain reaction. U.S. Treasury Secretary Scott Bessent immediately convened Wall Street executives to evaluate system defense readiness; currently, the Treasury seeks direct access to Mythos. The first organization granted access to the model, the UK AI Security Institute, has assessed that Mythos’s capability to launch complex cyberattacks indeed surpasses existing tools like OpenAI’s ChatGPT and Google’s Gemini.

However, the UK AI Security Institute also notes that Mythos poses the greatest threat to “weakly defended” or simply structured systems. Large banks possess world-class IT security systems; those truly exposed to high risk are the broader group of small and medium-sized enterprises, hospitals, and small retailers—targets historically favored by hackers that generally lack the resources or capabilities for swift response.

With the rise of agentic AI, the window between vulnerability disclosure and exploitation has effectively vanished. Olson believes this forces the entire industry to confront a fundamental question that remains unanswered: When vulnerabilities can be weaponized within hours, is the decades-old “responsible disclosure” mechanism still viable? Does the weeks- or months-long patch deployment process still hold practical meaning?

Anthropic’s handling of Mythos first focused the public's attention on the financial industry. Olson points out that Scott Bessent’s intervention has given this AI company a rare public spotlight ahead of its IPO, while also raising questions about who may receive exclusive access to Mythos.

The UK AI Security Institute’s assessment gives some basis for market concerns—Mythos is indeed better than other AI tools at launching complex cyberattacks. But the Institute stresses its threat is mostly focused on weaker targets. Large banks possess the most rigorous IT defense systems in the world, and hacker groups have always tended to bypass such targets.

Those truly facing harsh tests are the many small organizations lacking adequate defenses. Hackers typically don’t attack banks directly, instead scanning the internet to find hospitals for ransomware attacks, or small merchants with weak security. The advancement of AI capabilities makes these organizations increasingly vulnerable.

From 771 Days to Less Than 4 Hours: AI Compresses the Window

To understand why the rise of AI is so dangerous, you first need to understand how cybersecurity used to operate. Olson explains that the tech industry has long upheld the principle of “responsible disclosure”: once a software flaw is discovered, vendors inform the public and provide remediation advice, giving clients time to patch. Microsoft's “Patch Tuesday” is a prime example: each month, this mechanism discloses security vulnerabilities found in products like Office 365 and Windows.

IT teams at banks like Barclays and Wells Fargo, upon receiving patch recommendations, must undergo compatibility testing, management approval, and final deployment—a process that usually takes weeks or even months. Before the arrival of generative AI, this pace was acceptable because the time hackers needed to research and exploit disclosed vulnerabilities was usually longer than the time the victims needed to patch.

But AI has fundamentally changed this equation. Even two years ago, hackers could paste disclosure details into ChatGPT and instruct it to scan public code repositories like GitHub for similar exploitable patterns. For example, if Microsoft disclosed a flaw in Office 365 handling certain files, chatbots could not only suggest specific exploitation paths, but also quickly find similar weaknesses in products like Outlook and Teams. According to zerodayclock.com, the average time from public vulnerability disclosure to the creation of usable attack tools has shrunk from 771 days in 2018 to less than 4 hours today.

Agentic AI: Towards Full Automation of Exploits

Olson believes the latest leaps in AI capability over the past months have ushered threats into a more dangerous new phase. AI companies are successively giving their models “agent” abilities, allowing them to operate autonomously rather than just provide suggestions. Anthropic’s Claude Cowork, released in January this year, can already perform independent operations like sending emails and managing calendars.

For cyberattackers, this means AI tools are no longer mere assistants for finding vulnerabilities, but will automatically try different breach paths until something works. Mythos goes further, able to chain multiple vulnerabilities together for multi-step compound attacks, a capability previously limited to top human hackers. Olson likens it to a burglary: finding the first unlocked window, then using it to undo the door lock from inside, then switching off the alarm; each step alone isn't enough, but chained together they can enable a full intrusion.

Even before agentic AI became widespread, generative AI was quietly reshaping the hacker's toolbox: chatbots were used to optimize phishing emails, making them more deceptive; real-time virtual avatar generators produced deepfake video calls, making it hard for victims to distinguish truth from falsehood. The emergence of agentic AI pushes “hacker activity itself” toward automation, rather than merely serving as an auxiliary tool.

The Logic of “Responsible Disclosure” Is Disintegrating

Olson directly questions the core principle long upheld by the cybersecurity industry. Anthropic’s disclosure of Mythos surely helps it create technological mystique ahead of its IPO, but Olson notes the event objectively forces the industry to confront a long-ignored structural issue: with the window between vulnerability disclosure and exploitation gone, can the underlying rationale of “responsible disclosure” still stand? Has the weeks- or months-long patch deployment process become useless?

For large banks, at least, a resolution may be possible. Olson believes large banks have enough staff and funds to pursue and gradually achieve near real-time patch deployment.

What remains unresolved is the situation of small and medium enterprises, which need to act just as quickly but lack comparable capabilities. They need both technical support and regulatory frameworks; as of now, the market supplies neither.
