Read the SANS Critical Advisory here.

According to Anthropic, their new Claude Mythos model discovered thousands of zero-day vulnerabilities across every major operating system and web browser. They claim that the model is so powerful they are not releasing it publicly. Instead, they launched Project Glasswing, a coordinated disclosure effort with AWS, Apple, Microsoft, Cisco, Linux kernel maintainers, and other companies.

If you are trying to figure out what this means for your team, you are not alone. The conversation so far has been heavy on fear and light on practical guidance. This session is here to fix that.

SANS faculty and staff have 15 months of real-world experience using current AI models to discover vulnerabilities in penetration tests, finding critical flaws in code that human reviewers already cleared. On Thursday, we are putting that experience on camera so the community can see exactly what this looks like.

What You Will Learn

  • What Mythos and Project Glasswing are and why they matter
  • Why you do not need access to Mythos to discover serious vulnerabilities with AI
  • A live demonstration of AI-assisted vulnerability discovery using a current model against real code
  • The vulnerability types AI finds most effectively (IDOR, BOLA, race conditions, authorization flaws, and more)
  • Why the next 12 months will likely see accelerated zero-day attacks
  • What defenders and security leaders need to do now to prepare

Speakers

  • Ed Skoudis, SANS Technology Institute President
  • Chris Elgee, Principal Instructor, SANS Institute
  • Joshua Wright, Faculty Fellow and Senior Technical Director, SANS Institute

The Briefing to Read Before Thursday

On April 12, the Cloud Security Alliance CISO Community, SANS Institute, [un]prompted, and the OWASP GenAI Security Project published "The AI Vulnerability Storm: Building a Mythos-Ready Security Program." 60+ contributors. 250+ CISOs reviewing. Three days from first draft to release.

What's inside:

  • A 13-row risk register mapped to OWASP LLM, OWASP Agentic, MITRE ATLAS, and NIST CSF 2.0. Each row frames the risk as an acceleration of something that already existed, not a new problem Mythos created.
  • 11 priority actions with start dates and completion horizons. PA 1: point AI agents at your code this week. PA 11: stand up a permanent VulnOps function within 12 months.
  • 10 diagnostic questions to triage where your security program actually stands before you start building.
  • A board briefing section with talking points, a 90-day plan structure, and the line your CFO needs to hear: "The security program this board has funded is what makes the AI strategy viable."

Thursday's session, "SANS Critical Advisory: BugBusters - AI Vulnerability Discovery Hype vs. Reality," shows you what PA 1 looks like in practice. The paper tells you what comes after. Read the Briefing.

Watch Live

No registration required.

Meet Your Speakers