How frontier AI models are compressing the gap between vulnerability discovery and exploitation, and why enterprises need an assume-breach, Zero Trust posture
Co-authored by Amit Pawar & Abraham Jose
As of April 9, 2026, Anthropic’s decision to tightly restrict Mythos access should be read as a meaningful signal that frontier AI cyber capability is advancing fast enough to alter enterprise security assumptions. The issue is not only Mythos itself, but the broader reality it reflects: advanced vulnerability discovery and exploit reasoning may soon operate at machine speed, and similar capabilities are unlikely to remain limited to safety-conscious organizations for long.
Anthropic is positioning Project Glasswing as a defensive response during a narrow window when the ecosystem still has time to strengthen. This is not a standard product launch. Mythos Preview is being handled as a tightly controlled research offering for defensive cybersecurity workflows, with invitation-only access and no general release. Public detail remains limited because most vulnerabilities identified were still unpatched at the time of disclosure, but the strategic implication is clear: security leaders should begin planning now for a threat environment shaped by rapidly scaling AI-driven cyber capability.
C-suite takeaways
- Anthropic’s gating of Claude Mythos Preview under Project Glasswing should be read as a time buying defensive move, not a durable containment strategy.
- The strategic risk is diffusion, meaning another actor develops or releases comparable capability, compressing the window from zero day toward zero hour, and sometimes near zero minutes for highly exposed systems.
- The scalable enterprise response is assume breach plus accelerated Zero Trust architecture, with identity and policy as the control plane.
- Critical infrastructure operators across all sectors and resource constrained organizations should prioritize baselines and maturity sequencing over perfection, especially where legacy environments limit patch velocity.
What Anthropic announced, who gets access, and why Mythos was gated
Anthropic announced Claude Mythos Preview as an unreleased frontier model delivered via Project Glasswing, a curated defensive cybersecurity initiative intended to help secure critical software infrastructure. Anthropic’s stated reason for gating is misuse risk: it argues that models have reached coding capability sufficient to find and exploit vulnerabilities at a level surpassing all but the most skilled humans, and it states Mythos has already identified thousands of high severity vulnerabilities, including in every major operating system and major browser.
Access is explicitly restricted. Anthropic’s own developer documentation describes Mythos Preview as a gated research preview for defensive cybersecurity workflows, invitation only, with no self serve sign up. Anthropic’s Alignment Risk Update for Mythos Preview states the preview has not been deployed for general access and outlines a structured risk assessment approach for the model’s capabilities and safeguards.
A concise model comparison matters because it clarifies what is different from normal releases. Public Claude models such as Opus 4.6, Sonnet 4.6, and Haiku 4.5 are broadly available via API and partner platforms. By contrast, Mythos Preview is invitation only. In terms of published interface characteristics, Claude documentation groups Mythos Preview with models that support a one million token context window, similar to Opus and Sonnet, while Haiku has a smaller listed context window. On price signals, Anthropic publishes post credit participant pricing for Mythos Preview in the Glasswing announcement, which is notably higher than publicly listed model prices. Major outlets confirm the restricted rollout, highlight the safety framing, and emphasize that industry observers expect comparable capability to emerge from other actors over a relatively short horizon.
The real problem: diffusion and the zero minute vulnerability scenario
Glasswing’s existence does not resolve the systemic risk. It demonstrates that one vendor is attempting to slow diffusion from one path, while the broader capability trend continues. Anthropic’s own Glasswing framing explicitly anticipates proliferation of similar capability. If that expectation holds, the question for enterprises is not whether Mythos becomes widely available, but how quickly other models, open ecosystems, or adversaries can assemble comparable offensive acceleration.
The “zero-minute vulnerability” scenario should be treated as a tempo shift rather than a literal claim that every vulnerability is exploited immediately. It describes a direction of travel where the most exposed, most valuable targets see shrinking time between vulnerability disclosure, proof of concept availability, scanning, and exploitation attempts. Mandiant’s analysis of time to exploit trends reports that for vulnerabilities exploited in the wild and disclosed in 2023, the average observed time to exploit fell sharply, and it argues attackers are moving fast enough to beat many patch cycles. Real world telemetry has also shown reconnaissance probing can begin quickly after public exploit information appears, illustrating how scanning and targeting can compress into hours and days.
In such an environment, the security center of gravity shifts. Patch velocity and secure development remain essential, but architecture and operational resilience become decisive because they determine whether an initial compromise can become a rapid cascade.
Threat model: how equivalent offensive capability could be reproduced
The most realistic threat model is not a single mythical model. It is a composable stack that lowers the cost of discovery, reasoning, and iteration.
Key building blocks include:
- Model substrate: strong code reasoning and long context analysis, which Anthropic ties directly to Mythos’s cyber capability claims and to the rationale for gating.
- Specialization: fine tuning or targeted adaptation toward security tasks and vulnerability patterns, improving performance in narrow domains.
- Retrieval grounding: retrieval augmented methods that provide relevant knowledge and context, which research suggests can improve vulnerability detection quality and reduce ungrounded output.
- Agent orchestration: multi agent planning and delegation that improves long horizon task execution, which has shown measurable gains in benchmarked exploit style settings.
- Tooling and harnesses: structured tool calling, automation loops, and benchmark driven evaluation frameworks, which are becoming common in offensive security research and practice.
Anthropic’s Frontier Red Team description adds an important nuance: it limits what it discloses because most of the discovered vulnerabilities were not yet patched, which is consistent with coordinated disclosure constraints while still signaling meaningful capability.
What enterprises should do: assume breach plus accelerated Zero Trust
Under a diffusion threat model, the credible response is not to wait for access to a gated tool. It is to assume that offensive acceleration becomes cheaper and faster, then reduce blast radius and raise detection and containment speed.
Assume breach becomes the correct executive posture in a world where time to exploit is compressing and reconnaissance can begin rapidly after disclosure. Assume breach is not defeatism. It is an operating model: initial compromise is treated as plausible, and systems are engineered so that compromise does not immediately become systemic.
Zero Trust architecture is the most practical blueprint for implementing assume breach at scale. NIST SP 800-207 defines Zero Trust as an architectural approach that shifts away from implicit trust based on network location and emphasizes per request decisions, with a focus on protecting resources and reducing lateral movement. CISA’s Zero Trust framing and maturity guidance organizes implementation into five pillars: identity, devices, networks, applications and workloads, and data, with contextual visibility and analytics as foundational capabilities. OWASP’s LLM and agentic guidance reinforces a modern twist: when systems become tool using and autonomous, governance of tool permissions and output handling becomes central to preventing cascading impact.
A prioritized roadmap follows:
- Next 30 days: tighten privileged access and reduce obvious blast radius. Strengthen authentication for privileged roles, reduce standing privilege, eliminate shared admin pathways where possible, inventory service accounts and API keys, and centralize identity and cloud control plane logs. These steps are high impact because identity remains the fastest path from initial foothold to enterprise wide impact.
- Next 90 days: isolate crown jewels and constrain automation. Expand least privilege and just in time elevation, segment the most consequential systems and administrative paths, require device posture for sensitive actions, and introduce policy gates for high consequence automation, including agent tool access and dangerous connectors. This phase turns assume breach into actual containment, reducing lateral movement and limiting what any compromised identity or workload can do.
- Next 180 days: raise resilience under compressed time. Implement continuous exposure management tied to criticality and exploitability, improve detection tuned for automation patterns and unusual identity graphs, rehearse incident response for faster chaining scenarios, and validate recovery for core services and backups. Defensive AI can be used here, not as a replacement for security architecture, but as a throughput multiplier for triage and remediation.
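One way the 90-day policy gates above could be implemented, as an added example and not code from Anthropic, NIST or CISA, is a per-request decision function in the NIST SP 800-207 spirit: it never consults standing privilege for high-consequence tools, requires an unexpired just-in-time grant and compliant device posture, and forces agent and service identities to carry a human approval before a dangerous tool call proceeds. The tool table, principal kinds, field names and the `at()` clock helper are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Risk tier per tool (constructed sample policy; a real deployment would load
# it from a policy store). Tools missing from the table are denied by default.
TOOL_TIERS = {"read_ticket": "low", "query_metrics": "low",
              "rotate_secret": "high", "run_remote_shell": "high"}

# Constructed reference clock so scenarios are reproducible offline.
BASE = datetime(2026, 4, 9, 12, 0, tzinfo=timezone.utc)

def at(minutes: int) -> datetime:        # timestamp relative to BASE
    return BASE + timedelta(minutes=minutes)

@dataclass
class Principal:
    name: str
    kind: str                                 # "human", "service" or "agent"
    jit_elevation_until: Optional[datetime] = None  # just-in-time grant expiry

@dataclass
class Request:
    principal: Principal
    tool: str
    device_compliant: bool                    # device posture attestation
    mfa_verified: bool = False
    human_approval: bool = False              # explicit sign-off for automation
    now: datetime = BASE

def decide(req: Request) -> Tuple[str, str]:
    """Per-request policy decision. Returns ("allow" | "deny", reason)."""
    tier = TOOL_TIERS.get(req.tool)
    if tier is None:
        return "deny", "unknown tool: default deny"
    if tier == "low":
        return "allow", "low-risk tool"
    # High-risk tools ignore standing privilege: unexpired JIT grant + compliant device.
    until = req.principal.jit_elevation_until
    if until is None or until <= req.now:
        return "deny", "no active just-in-time elevation"
    if not req.device_compliant:
        return "deny", "device posture not compliant"
    if req.principal.kind == "human" and not req.mfa_verified:
        return "deny", "fresh MFA required for privileged action"
    # Agents and service identities also need a human sign-off, so a hijacked
    # automation chain stalls at this gate instead of cascading.
    if req.principal.kind in ("agent", "service") and not req.human_approval:
        return "deny", "automation needs human approval for high-risk tool"
    return "allow", "JIT elevation valid until " + until.isoformat()
```

Because the decision is evaluated on every call rather than at login, an elevation that expires mid-session stops working immediately, which is the containment behaviour the roadmap asks for.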
Identity controls and privileged access redesign typically deliver the highest impact for moderate effort. Segmentation around crown jewels is high impact but often higher effort, and should be staged. Governance of non human identities and short lived credentials is high impact in cloud and integration heavy environments, because it reduces blast radius of automation and third party pathways. Tool governance for agents is increasingly critical as enterprises adopt copilots and automation, and should be treated like privileged access policy, not like a productivity feature.
Critical infrastructure operators across all sectors face additional constraints because legacy environments and safety requirements can slow patching and change cadence. NIST’s ICS guidance emphasizes that operational realities, including reliability and safety, must shape countermeasures. For these operators, compensating controls, segmentation, strict remote access governance, and rehearsed response playbooks become even more important, precisely because zero minute scenarios punish slow remediation cycles.
Strategic implications: race versus time, policy levers, and coordination
This is a race between attacker acceleration and defender modernization. Anthropic’s framing is explicit about the time mismatch between capability advance and infrastructure defense. Mandiant’s time to exploit evidence suggests this mismatch is already visible in real world tempo.
Defensive AI is part of the answer when used to increase remediation throughput. The DARPA AI Cyber Challenge is one example of a public effort to advance autonomous vulnerability discovery and patching, and it signals a future where both attackers and defenders will industrialize automation.
Policy and regulatory levers often matter most for raising the floor across resource constrained organizations. Baseline performance goals, procurement requirements, secure by design expectations, and sector level coordination can push adoption of core identity, segmentation, and monitoring controls. Industry coordination, including gated previews for high risk capability, shared red teaming, scaled vulnerability disclosure practices, and funding for open source security capacity, can reduce systemic fragility created by shared dependencies.
To learn more, watch our latest video, Raising the Stakes: Securing Critical Infrastructure in the Era of AI-Powered Cyber Attacks.
References:
- Anthropic, “Project Glasswing: Securing critical software for the AI era.”
- Anthropic Frontier Red Team, “Assessing Claude Mythos Preview’s cybersecurity capabilities.”
- Anthropic, “Alignment Risk Update: Claude Mythos Preview.”
- Reuters, “Anthropic touts AI cybersecurity project with Big Tech partners.”
- Axios, “Anthropic holds Mythos model due to hacking risks.”
- NIST SP 800-207, “Zero Trust Architecture.”
- NIST SP 800-82 Rev. 2, “Guide to Industrial Control Systems (ICS) Security.”
- OWASP, “Top 10 for LLM Applications 2025.”
- OWASP GenAI Project, “Top 10 for Agentic Applications for 2026.”
- DARPA, “AI Cyber Challenge marks pivotal inflection point for cyber defense.”