Asymmetry has always been part of cybersecurity. Bad actors need only one point of entry, while we have to scrutinise every packet. What makes modern AI-based attack vectors like Mythos so revolutionary is their ability to perform asymmetric attacks in real time.
Mythos is an AI framework developed by Anthropic under Project Glasswing, aiming to build new forms of AI for researching vulnerabilities and conducting multiple phases of cyberattacks in real time. What is truly concerning about these systems, is not only their ability to locate security weaknesses quickly, but how they amplify the existing asymmetry dilemma.
Threat actors need only one point of entry to wreak havoc, whereas cybersecurity practitioners must defend all possible attack points. The use of AI exacerbates this asymmetry by enabling adversaries to find, exploit, and link attack vectors far more quickly than many businesses can respond.
The issue is not so much that organisations are suddenly being faced with ‘superintelligent’ attacks, more so that AI is highlighting operational shortcomings that have been there for some time. These include a lack of inventory management, delays in applying patches, poor governance, SOC understaffing, and over-reliance on manual security measures. For many businesses, the real difficulty is not finding vulnerabilities, but taking action on them.
Security experts stress implementing AI in cybersecurity won’t, by itself, solve the defender’s dilemma. The capabilities that enable businesses to understand their assets and allocate necessary resources to address vulnerabilities will remain the same, but vulnerability identification will become faster.
Conversely, ignoring these innovations would be unwise. AI-powered attack-path analytics is becoming extremely effective in exploiting legacy systems, unknown assets, and complex cloud infrastructures. Security professionals will have to shift their focus from individual vulnerabilities and alerts, to how these vulnerabilities can be chained to achieve a successful compromise.
On the plus side, the same technology that accelerates offensive research can also improve defenses. For instance, AI-based exposure management, attack surface detection, automatic containment, and risk prioritisation might prove valuable for noise reduction and quick responses, assuming the desired maturity level within the organisation is attained.
That’s why discussing the Mythos problem and other emerging threats is important. It’s not about one particular technology solution or vendor. It’s about getting a look at a possible future for cybersecurity in which it will be less about technology and more about throughput: how fast a company can move from discovery, to decision, to remediation.
The winners won’t be those with the most advanced AI technology. They will be those with the best visibility, the best governance, and the ability to make the right decisions quickly.
Top trends
- Attack chains speed up: It is becoming more common for AI systems to combine many low-level vulnerabilities into attack chains, reducing the time malefactors take, while also challenging SOCs to look beyond standard response frameworks.
- Governance is a security control: Many companies have realised their greatest vulnerability lies not in technical debt but in decision-making debt: long decision-making processes, unclear ownership, and obsolete risk management frameworks.
- Visibility is (more) vital: No matter how sophisticated a business’s AI security strategy, it can only defend against what it knows about its own environment.
CISO voice
“Offence benefits from asymmetry by design. An attacker needs to find one way in. A defender needs to cover everything. AI amplifies that asymmetry because it scales discovery faster than any organisation can scale remediation.”
— Rik Ferguson, Vice President of Security Intelligence at Forescout
“When AI can chain multiple vulnerabilities into a full system compromise in minutes, playbooks built around sequential, human-reviewed escalation become liabilities. Pre-authorised containment logic and machine-speed detection are no longer optional architecture decisions.”
— Anastasios Arampatzis, Head of Quality Control at Bora
“AI has collapsed the time between identifying vulnerabilities and chaining them into full attack paths. We are no longer dealing with isolated exploits, but automated, multi-step compromise scenarios that unfold at machine speed.”
— Panagiotis Soulos, Information Security GRC Senior Manager, Steelmet
“If organisations can’t act quickly, the problem isn’t merely technical, but leadership and operational design.”
— Ross Moore, Information Security Strategist
These viewpoints reflect the discussions that will define this year’s event, where top CISOs, researchers, policymakers, and cyber-strategists will convene within our committee of experts and our speakers’ panel to explore the future of AI-based security.
Regulatory watch
The EU Cyber Resilience Act (CRA): From the 11th September 2026, producers of “products with digital elements” will need to begin reporting about actively exploited vulnerabilities and incidents.
The date of full applicability of the CRA is set for 11 December 2027, but in the meantime, the Commission is urging businesses to align their software security and supply chain risk procedures according to the CRA.
Innovation spotlight
One company worth keeping an eye on is BottleCap AI, a Prague-based business developing efficiency-focused foundational AI models that deliver stronger reasoning with dramatically lower compute requirements.
Founded by prominent AI researchers, including Tomas Mikolov, the company is challenging the industry’s “more GPUs = better AI” mindset while championing more sustainable, transparent, and practically deployable AI systems.
Barcelona Cybersecurity Congress update
The operational challenge of moving from discovery to remediation at speed will be a central theme across the Barcelona Cybersecurity Congress tracks, with sessions exploring GenAI risk, regulatory readiness, and real-world enterprise adoption. Expect practitioner-led discussions that move beyond hype and focus on what is working (and, importantly, what still isn’t) across Europe.
Barcelona Cybersecurity Congress 2026
Dates: 3–5 November
Location: Barcelona
Co-located with: Smart City Expo World Congress
CONNECTING EUROPE’S CYBERSECURITY ECOSYSTEM