Beyond Mythos: Finding Operational Reality in an Augmented Threat Landscape

At the beginning of 2026, we told organizations that artificial intelligence would transition from a scripting assistant to a primary driver of automated exploit chains.

Over the last six months, a massive gap has opened between boardroom panic and operational reality. We hear constant claims that frontier models like Anthropic's Mythos grant threat actors instant network compromise.

The truth is far more complex. Advanced models occasionally discover novel vulnerabilities. Attackers, however, primarily use these tools to operate at an unprecedented scale. They weaponize known flaws faster than traditional defenses react. The market misinterpreted the speed of discovery as the speed of execution.

To cut through the hype, I recently sat down with two of Immersive’s frontline experts: Kev Breen, Senior Director of Threat Intelligence, and Kev Marriott, Director of Cybersecurity Content. We examined the reality of what threat intelligence teams actually see in the wild.

Forget the silver bullets: measure human-AI readiness

Large language models (LLMs) excel at identifying security vulnerabilities and performing rapid patch diffing. Frontier models minimize the need for constant human oversight.

The barrier to entry for identifying flaws has simply dropped. AI enables attackers to operate and chain exploits at unprecedented scale and speed. Historically, organizations over-indexed on the zero-day threat. Proficient threat actors rarely rely on a single silver bullet. They typically chain multiple lower-level vulnerabilities to bypass detection. 

Artificial intelligence accelerates the rate at which an attacker understands how distinct flaws fit together within a complex enterprise architecture. This expands the threat surface exponentially. It enables a massive volume of attackers to execute exploits at a velocity that overwhelms manual defense systems.

The rules of computer science haven’t changed. Threat actors simply accelerated their execution speed. 

Organizations must prove their response teams move as fast as the automated threats they face.

Alert fatigue and the burnout tax

This spike in automated velocity triggers a more immediate crisis. Defensive teams are buried under automated noise and remediation demands.

Security Operations Centers (SOCs) battle alert fatigue, leading analysts to blindly accept risks. Today, that crisis spills into vulnerability management. Armed with capable LLMs, independent researchers flood systems with low-quality, AI-generated vulnerability reports. Open-source giant cURL disabled its bug bounty program after automated tools submitted invalid reports that required manual review. A human engineer may spend hours validating a hallucinated exploit generated by a machine in seconds.

Internally, junior developers generate code at three to four times their normal pace. They fail to check their work. Senior developers drown in pull requests. When an entire engineering team pivots to focus solely on fixing vulnerabilities generated by their own automated coding assistants, product development stalls. 

This acts as a heavy tax on corporate growth. The business loses its ability to ship new features. It fails to capture revenue.

The legal and financial reality of AI

You own your code. You also own the consequences of your automated agents.

The financial fallout of AI adoption hits corporate balance sheets directly through token-based billing. Frontier LLM providers have abandoned subscription-based licensing. A software seat that once cost a predictable $20 base rate easily reaches $600 (or more) per developer when automated pipelines fire constantly on platforms like GitHub. Uber reportedly burned its entire annual AI budget in the first three months of the year.

Shadow AI compounds this financial drain while exposing unmonitored data. The modern insider threat is driven by well-meaning employees trying to work efficiently. If an organization fails to provide a governed AI instance, employees default to public tools. Uploading a sensitive corporate spreadsheet to a public model to generate an instant summary bypasses standard data protection measures.

Companies also face stark legal liabilities. A Canadian tribunal held an airline liable when its customer service chatbot invented a fake bereavement discount policy. The airline argued the chatbot was a separate legal entity. The tribunal rejected this argument entirely. If you hand over part of your business to an automated agent, you pay for its mistakes in open court.

The fragility of the rented model

You do not control your artificial intelligence supply chain. Government intervention proved that relying on a third-party model for defense creates a single point of failure.

On June 12, the US Commerce Department forced Anthropic to suspend global access to its Fable 5 and Mythos 5 models. The directive barred any foreign national from accessing the technology. The government cited a narrow jailbreak technique as a national security threat. Anthropic complied, abruptly disabling the models for all customers.

This mandate actively harms enterprise defense. A unilateral ban on a single commercial model fails to contain the threat. Kev Breen demonstrated this during our discussion, describing how he has used unrestricted models to identify vulnerabilities and generate functional exploits. The capability is decentralized. 

Restricting commercial AI strips defensive teams of their best diagnostic tools while leaving malicious attackers fully armed.

Consider the operational impact. 

If your incident response playbook requires an analyst to query AI to reverse-engineer a payload or parse through raw logs during a live incident, your entire security posture can evaporate without warning. When policies shift and access disappears overnight, the value of leveraging AI during an investigation is completely neutralized.

Regulatory panic forces bad habits

As defensive teams tread water, global regulators are reacting by shortening mitigation timelines to unrealistic extremes. A recent directive in India demands that organizations patch critical, internet-facing vulnerabilities within 12 hours.

This creates friction. Attempting to meet a 12-hour patch window using legacy, manual QA processes breaks production pipelines. When security relies on a human bottleneck to beat a regulatory stopwatch, product releases stall.

This friction compounds when boards distract themselves with futuristic compliance targets. Fear, uncertainty, and doubt (FUD) currently dominate executive conversations around Post-Quantum Cryptography. Boards demand quantum readiness. Yet, global regulatory timelines remain fractured. The UK targets a 2028 cutoff. Google draws the line in 2029. The US defers enforcement until 2035.

Diverting limited engineering capacity to chase a compliance target that remains a decade away represents a severe misallocation of capital. You cannot focus on quantum encryption while your enterprise burns down due to unpatched software.

And governments are recognizing the failure of reactive patching. The UK Government mandated new Secure by Design principles for critical national infrastructure, explicitly moving away from point-in-time legacy accreditation. Attempting to bolt security onto a product at the end of the development lifecycle guarantees failure. Surviving these mandates requires continuous, automated security testing integrated directly into the deployment pipeline from day one.

The failure of point-in-time compliance

Boards are no longer accepting training certificates as proof of security. They are demanding hard evidence.

A static audit spreadsheet shows a policy exists on a shared drive. It does not confirm that your human-AI technology stack actually works under pressure. Passing a point-in-time compliance audit offers zero protection against an automated attack sequence.

Security leaders must move from legacy accreditation to continuous assurance. This requires proving teams can actually contain an incident before it triggers a regulatory disclosure. 

A training module verifies that an employee watched a video. It does not prove that an employee can override a failing autonomous agent at three in the morning.

To govern automated systems effectively, leaders must rely on quantifiable evidence of capability across four core pillars:

1. Establish Strategic Tiger Teams: Map your exact topologies before introducing automation. Align AI tooling strictly to your crown jewels.
2. Enforce Aggressive Data Hygiene: Rely on foundational data retention mandates such as GDPR. Only collect the data you actively need. If you do not maintain a backlog of non-essential data, it cannot be stolen and used against you.
3. Mitigate Skills Atrophy: AI reliance breeds cognitive laziness. If engineers outsource basic commands to an LLM, they lose their foundational technical intuition. When a crisis hits and the AI harness fails, a team experiencing skill fade drowns.
4. Prioritize True Defense-in-Depth: Rushing to patch is a failed strategy. Resilience requires multi-layered architectural controls coupled with a deeply capable human workforce.

Measuring outcomes over theoretical responses

Darren LaCasse, Director of Threat Detection and Response at Elastic, has abandoned idealistic tabletop exercises because they generate no actionable data.

LaCasse realized that gathering executives in a conference room to discuss theoretical responses produced maturity theater rather than actual readiness. 

People will confidently state what they would do in a crisis. But reality rarely matches the discussion.

Elastic has shifted to technical, measurable cyber drills using Immersive. LaCasse challenges his teams to make definitive decisions under time pressure. He measures actual outcomes instead of theoretical responses.

This approach exposes the specific controls, roles, and tactics through which the organization remains vulnerable. It allows security leaders to stop guessing and start measuring.

Bridging the language divide for the board

AI has not rewritten the laws of cybersecurity. Instead, it acts as a powerful diagnostic tool, ruthlessly exposing organizations that rely on severely thin teams, outdated playbooks, and subjective assumptions about safety.

In the face of this threat, stakeholders do not want a roll call of completed training courses. They want to know the size and nature of the financial risk the organization currently carries.

Organizations must translate raw telemetry into a narrative the board can fund. If your security team reduces its Mean Time to Contain by 40 minutes during a simulated AI-driven attack, map that time reduction directly to financial frameworks. Show the board exactly how that forty-minute improvement reduces projected financial loss by specific dollar amounts.

Readiness is an objective capability that you must actively demonstrate.

Discover how to report human-AI readiness to your board and convert your live performance data into executive-ready intelligence.