The End is Nigh for the Zero‑Day as a Nation State Asset and the Potential Vulnerability Tsunami

[In cybersecurity a zero‑day vulnerability is a flaw in software or hardware that the vendor does not yet know about, so there is no patch available. The vendor has had “zero days” to fix it. Defending against a zero‑day is therefore harder than defending against a known flaw that already has a patch.]
For years, zero‑days have been treated like fine wine by nation states: carefully cellared, fondled occasionally, and brought out only for special geopolitical occasions. Discovery was expensive. Exploitation often required craftsmanship. Stockpiles were small, precious, and discussed in secret.
Then along came Anthropic’s Claude Mythos. [Other similar tools are available]
When the Vulnerability Researchers Don’t Eat, Sleep, Hack, Repeat. They Just Hack.
Mythos isn’t doing anything mystical. It isn’t discovering bugs from another dimension or whispering secrets from the void. It is simply doing what elite vulnerability researchers do, but at machine speed, at scale, without fatigue, and without needing coffee breaks or a rider demanding green M&Ms in the dressing room before a day’s work can start (you know who you are).
In controlled industry use, Mythos has reportedly demonstrated the ability to autonomously discover hundreds to thousands of previously unknown vulnerabilities across browsers, operating systems, and critical software stacks, including flaws that had survived decades of human scrutiny. Mozilla’s engineers reportedly described the experience as inducing “vertigo”, which is probably the most honest description we’ve had so far of what it feels like to watch an AI casually invalidate years of security assumptions while you’re still negotiating next quarter’s patch cycle.
Recognising the impact Mythos could have, Anthropic have only officially released it to a select group under the banner of Project Glasswing, which includes key players in the industry such as Apple, AWS, Broadcom, Microsoft, NVIDIA and Google. However, there have been recent reports of unauthorised access to the model, showing that even with the best intentions it is going to be difficult to control.
A Brief Moment of Silence for the Zero‑Day Arsenal
Let’s talk about the uncomfortable bit.
Nation states have traditionally relied on a structural asymmetry in cyber operations: it has historically been easier to attack than to defend, and easier for states to exploit vulnerabilities than for vendors or defenders to find them.
That asymmetry justified the existence of carefully curated zero‑day arsenals, often treated as strategic deterrents or precision weapons.
Finding zero‑days is (was) hard, and they are (were) bought and sold as commodities for considerable sums, but they only remain zero‑days until they are reported publicly or disclosed to the vendor. Nation states would cling on to their zero‑days, burning them only when necessary and praying that some other researcher wouldn’t stumble across the same vulnerability and disclose it, responsibly or not.
When an AI can surface more vulnerabilities in weeks than entire national programmes surfaced in years, the value of withholding a zero‑day starts to collapse. Exclusivity dies when discovery becomes cheap, fast, and repeatable. Elite vulnerability researchers are probably reconsidering their career choices as yet more victims of the AI revolution (and no, you can’t have green M&Ms!).
Perhaps nation states have had Mythos‑like vulnerability discovery for years and the rest of us mere mortals are just catching up. Either way, Mythos will help to redress the asymmetry.
Put simply:
Your secret bug isn’t special anymore.
It’s just unpublished.
The Industrialisation of “Unknown Known Vulnerabilities”
What Mythos exposes is deeply awkward, especially for software vendors and nation state zero-day arsenals.
For years, we have comforted ourselves with a quiet myth (lower‑case m):
“If it’s open source, widely deployed, and heavily reviewed, the worst bugs would have been found by now.”
Mythos has politely demonstrated that this belief was… optimistic.
In reality, many systems were simply too large, too complex, and too boring for humans to examine exhaustively. AI doesn’t suffer from boredom or sunk‑cost fallacy. It just keeps looking.
Zero‑days stop being crown jewels and start looking more like short‑dated options with terrifying volatility.
The Cyber Arms Race, Now with Fewer Humans
It’s tempting to frame this as “good news for defenders”, and in some respects it is: short‑term pain, long‑term gain.
The same reasoning and exploit‑chaining capabilities that allow Mythos to find and prove vulnerabilities for responsible disclosure are precisely the capabilities that make Anthropic reluctant to release it publicly at all.
That hesitation is not marketing theatre. It’s an implicit acknowledgement that we’ve crossed a threshold: the skill barrier that once limited sophisticated cyber operations to nation states and elite groups is eroding fast.
Whilst Mythos has taken the lead in driving this change, it’s not the only product available right now: OpenAI have recently released GPT-5.4-Cyber as a competitor, and it’s likely we will see an increasing number of these in the future.
Whilst Anthropic are at least trying to control the use of Mythos, will the same ethical stance be taken by all parties?
Responsible Vulnerability Disclosure
(Fix the hole before telling the whole world where it is)
Without responsible vulnerability disclosure, tools like Mythos could create a genuine vulnerability tsunami, overwhelming vendors, delaying remediation, and leaving organisations exposed at scale until patches eventually arrive.
Responsible disclosure is a coordinated process where a vulnerability finder:
- Privately reports the issue to the vendor or maintainer
- Allows time for investigation and remediation
- Avoids public disclosure until mitigations exist
I was first involved in it 25 years ago, which in cyber terms is forever. Back then certain entities were offering to broker zero‑days on behalf of the researchers, recognising and representing the researchers whilst ensuring the vendors were actively working on patches, reducing the risk of premature disclosure.
Our own Vulnerability Disclosure Program is here https://www.cndltd.com/vulnerability-disclosure
What This Means for Industry
Never in the field of non-human conflict has so much cyber defence been required by so many from so few.
If vulnerabilities are released as zero‑days in quick succession, software vendors will likely be overwhelmed, leaving their customers exposed to attack for prolonged periods: hence the term vulnerability tsunami.
In addition, traditional approaches to handling vulnerabilities, which assume that disclosures arrive at a pace vendors and defenders can keep up with, are no longer as helpful on their own.
Rapid patching will be essential, but only if vendors can release patches quickly enough. In the meantime, organisations must rely on cyber defence in depth. Schemes such as Cyber Essentials require high and critical severity vulnerabilities to be patched within 14 days; the reality is that this is potentially too long.
Defence in depth
Defence in depth is the implementation of multiple, complementary security controls so that if one layer is bypassed, others continue to protect the organisation and limit exploitation. This may include:
- Role‑based access control (RBAC)
- Least‑privilege access
- Secure configuration and patching
- Behaviour‑based endpoint protection
- EDR and XDR capabilities
- Zero trust principles
- Network segmentation
- Continuous monitoring and response
Vulnerability management and virtual patching
Given the potential vulnerability tsunami, proactive vulnerability management has never been more important. Organisations must identify, triage, and prioritise vulnerabilities through regular scanning and risk‑based assessment.
Where a vendor fix is not yet available, virtual patching can often reduce or eliminate risk by introducing compensating controls, such as restricting access to vulnerable services, blocking or filtering ports, applying firewall rules, or using micro‑segmentation to limit exposure.
This approach can significantly reduce risk while permanent remediation is developed, and our specialists regularly provide guidance on applying virtual patching as part of an effective vulnerability management strategy.
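The triage described above, risk‑based prioritisation that routes findings without a vendor fix to a compensating control rather than leaving them in a queue, as an added example (our illustration here, not CND’s own tooling or any vendor product). The weightings, deadlines, port restriction wording and the sample scan findings are all constructed assumptions for illustration; the 14‑day figure is the Cyber Essentials timescale mentioned above, the shorter deadlines are our own choice.

```python
"""Risk-based vulnerability triage with a virtual-patching route.

Added example, not CND's tooling. Each finding is scored on severity,
exposure and evidence of exploitation; findings with no vendor fix are
routed to a compensating control (virtual patch) immediately rather than
waiting. All weightings, deadlines and sample findings are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str            # CVE or internal tracker id (constructed values below)
    cvss: float             # base score, 0.0 to 10.0
    internet_facing: bool
    exploited_in_wild: bool
    fix_available: bool
    service_port: int       # listening port of the vulnerable service


def risk_score(f: Finding) -> float:
    """Severity is the base; exposure and active exploitation multiply it (assumed weights)."""
    score = f.cvss
    if f.internet_facing:
        score *= 1.5
    if f.exploited_in_wild:
        score *= 2.0
    return round(score, 1)


def recommend(f: Finding) -> dict:
    """Decide patch vs. virtual patch and an assumed remediation deadline in days."""
    score = risk_score(f)
    if score >= 15:
        deadline = 2
    elif score >= 9:
        deadline = 7
    else:
        deadline = 14       # the Cyber Essentials figure mentioned on the page
    if f.fix_available:
        action = f"apply vendor patch within {deadline} days"
    else:
        # No fix yet: apply the compensating control now, patch when a fix ships.
        action = (f"virtual patch: restrict tcp/{f.service_port} on {f.asset} "
                  f"to the allowlist now, re-assess in {deadline} days")
    return {"asset": f.asset, "vuln_id": f.vuln_id, "score": score,
            "deadline_days": deadline, "action": action}


def prioritise(findings) -> list:
    """Recommendations ordered by descending risk, not by CVE count."""
    return sorted((recommend(f) for f in findings),
                  key=lambda r: (-r["score"], r["asset"]))


# Constructed sample scan output (not real assets or vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("web-01",   "VULN-A", 7.5, True,  True,  False, 443),
    Finding("db-02",    "VULN-B", 9.8, False, False, True,  5432),
    Finding("jump-03",  "VULN-C", 5.0, True,  False, True,  22),
    Finding("build-04", "VULN-D", 4.0, False, False, True,  8080),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_FINDINGS):
        print(f"{r['score']:>5}  {r['asset']:<9} {r['vuln_id']}  {r['action']}")
```

Note that the internet‑facing, actively exploited finding on web-01 has a lower CVSS than the database bug on db-02 yet sorts first, and because no fix exists it gets a port restriction today instead of a place in the patch queue; that is the difference between risk‑based prioritisation and CVE counting.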
Continuous monitoring
Continuous monitoring is the reactive line of defence, and not just because we operate an MSSP Cyber Security Operations Centre. When multiple vulnerabilities and zero‑days may exist simultaneously, the ability to detect exploitation, not just theoretical exposure, becomes critical.
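What “detect exploitation, not just theoretical exposure” can look like once a virtual patch is in place, as an added example (our illustration, not CND’s SOC tooling): the restricted service is tcp/8443, the allowlist holds two assumed management hosts, and both log sources, the firewall’s DROP/ACCEPT lines and the service’s own access log, are constructed for this example along with their formats. Blocked attempts are treated as an exposure signal; a connection that reaches the service from outside the allowlist means the compensating control has failed and is escalated.

```python
"""Monitoring a virtually patched service: added example, not CND's tooling.

Assumes tcp/8443 has been restricted to an allowlist (the compensating control
from the previous section). Firewall DROP lines show attempts the control
stopped; the service's own access log shows what actually reached it. Log
formats, addresses, thresholds and severities are all constructed assumptions.
"""
import re
from collections import Counter

RESTRICTED_PORT = 8443
ALLOWLIST = {"10.0.5.10", "10.0.5.11"}          # assumed management hosts

# Constructed firewall syslog lines (iptables-style fields, not real traffic).
FIREWALL_LOG = """\
Apr 14 09:01:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.1.20 PROTO=TCP DPT=8443
Apr 14 09:01:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.1.20 PROTO=TCP DPT=8443
Apr 14 09:01:09 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.1.20 PROTO=TCP DPT=8443
Apr 14 09:02:11 fw kernel: DROP IN=eth0 SRC=198.51.100.4 DST=10.0.1.20 PROTO=TCP DPT=22
Apr 14 09:03:40 fw kernel: ACCEPT IN=eth0 SRC=10.0.5.10 DST=10.0.1.20 PROTO=TCP DPT=8443
"""

# Constructed access log of the restricted service itself.
SERVICE_LOG = """\
2026-04-14T09:03:41Z client=10.0.5.10 path=/admin/status status=200
2026-04-14T09:05:02Z client=192.0.2.55 path=/admin/upload status=200
"""

FW_RE = re.compile(r"(?P<verdict>DROP|ACCEPT) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)")
SVC_RE = re.compile(r"client=(?P<client>[\d.]+) path=(?P<path>\S+) status=(?P<status>\d+)")


def blocked_attempts(fw_log: str, port: int = RESTRICTED_PORT) -> Counter:
    """DROPs per source on the restricted port: exposure signal, not exploitation."""
    hits = Counter()
    for line in fw_log.splitlines():
        m = FW_RE.search(line)
        if m and m["verdict"] == "DROP" and int(m["dpt"]) == port:
            hits[m["src"]] += 1
    return hits


def control_bypasses(svc_log: str, allowlist=ALLOWLIST) -> list:
    """Connections that reached the service from outside the allowlist: the control failed."""
    bypasses = []
    for line in svc_log.splitlines():
        m = SVC_RE.search(line)
        if m and m["client"] not in allowlist:
            bypasses.append({"client": m["client"], "path": m["path"]})
    return bypasses


def alerts(fw_log: str, svc_log: str, threshold: int = 3) -> list:
    """Assumed severities: a bypass is critical; repeated blocked attempts are medium."""
    out = [{"severity": "critical", "reason": "reached restricted service", **b}
           for b in control_bypasses(svc_log)]
    for src, n in blocked_attempts(fw_log).items():
        if n >= threshold:
            out.append({"severity": "medium",
                        "reason": f"{n} blocked attempts on tcp/{RESTRICTED_PORT}",
                        "client": src})
    return out


if __name__ == "__main__":
    for a in alerts(FIREWALL_LOG, SERVICE_LOG):
        print(a)
```

The point of cross‑checking both sources is that a firewall full of DROPs is reassuring noise, whereas a single 200 response to a non‑allowlisted client is evidence that the control you are relying on in lieu of a patch is not actually in front of the service.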
Closing Thoughts
The potential vulnerability tsunami isn’t a theoretical problem; it’s an operational one. Organisations can no longer rely on patching alone, nor assume that vulnerabilities will appear slowly and predictably. The reality is faster discovery, greater volume, and longer exposure windows.
That’s where we help.
At CND, we support organisations across government, defence, critical national infrastructure and the private sector to anticipate, absorb, and respond to this new reality. Our approach combines proactive risk reduction with continuous detection and rapid response.
We help clients:
- Establish effective defence in depth, ensuring that if one control is bypassed, others continue to protect critical systems and data.
- Implement proactive vulnerability management, using regular scanning, risk‑based prioritisation, and practical remediation planning, not just CVE counting.
- Apply virtual patching and compensating controls, reducing exposure when vendor fixes are delayed or unavailable.
- Detect real‑world exploitation, not just theoretical risk, through continuous monitoring delivered by our human analyst‑led Security Operations Centre (SOC).
- Respond decisively to incidents, with experienced specialists who understand how attackers actually operate, not just how tools generate alerts.
In short, we help organisations move from thinking they are vulnerable to actively managing, mitigating, and detecting risk, even when the scale feels overwhelming.
Because it’s about preparation, visibility, and layered defence.