Get ahead of frontier AI: 5 AppSec strategy upgrades

Over the last month, the aptly named Mythos has been less a next-generation large language model (LLM) than a machine for producing FUD. So potent at finding vulnerabilities that Anthropic says it won’t release it, Mythos has nonetheless been given to a select few corporations and organizations with the expectation that they will use it responsibly. 

But in the world of LLM development, promises have been fragile things, and so the fear, uncertainty, and doubt has been growing among CISOs, who are speculating about how Mythos will automate attackers’ exploitation of zero-day vulnerabilities and wondering how and whether to start prepping their security programs for the next AI frontier.

Caroline Wong, chief strategy officer at the Cloud Security Alliance (CSA), suggested in her address at the group’s recent Agentic AI Security Summit that the FUD and hype are following a familiar pattern. 

“Some people are looking at this and saying, ‘This is overblown. We’ve seen this before.’ Others are saying, ‘This changes everything.’ And some are trying to figure out how to control it, how to operationalize it, how to get ahead of it. All of those reactions make sense.”
—Caroline Wong

But even if Mythos remains unobtainable, it has served as an important wake-up call. Software supply chain attacks are already on the rise without it, and new agentic AI risks will multiply them even without Mythos in the picture. Aggravating the situation are stagnant budgets and security burnout, two longtime and perennial issues for security teams. 

In other words, it shouldn’t take Mythos to make security leaders heed the call to action and upgrade their application security (AppSec) strategy. Here’s why now is the time to get out in front of frontier AI — and how to do that.

Security teams’ need for speed

Whether Mythos and other frontier AI amounts to a step-change in security exposure or merely fast evolution, now is the ideal time for security leaders to take a top-to-bottom look at their strategies and start retooling their road maps, said Gadi Evron, CEO of Knostic.

Evron said recently on X that boards of directors are already asking about the dangers of frontier AI. Evron, along with Rich Mogull of the CSA and Rob T. Lee of the SANS institute, assembled 250 CISOs to develop some essential guidance for teams. The resulting document, “The AI Vulnerability Storm: Building a Mythos-Ready Security Program,” offers the CSA’s action-oriented advice and some practices to prioritize in the immediate, medium-term, and long-term future.  

The recurring theme in the document is speed: Security fundamentals remain security fundamentals, but they must be executed with far more alacrity. To do that, the authors recommend pitting AI against AI, prioritizing the adoption of hardened agentic tools for security workflows, and at long last achieving the automated response and continuous patching that have been championed for years.

Here are five key guidelines from the CSA document.

1. Practice radical prioritization

The sheer volume of AI-generated vulnerability reports and the prospect of automated exploitation made possible by frontier models demands that organizations rethink their vulnerability operations and and patching cadences. 

David Cass, CISO at Keyrock, said the response from AppSec should not be to just automate broken processes.

“The gap between vulnerability discovery and exploitation is collapsing, turning what used to be separate steps into a single continuous event.”
—David Cass

CSA’s Wong elaborated.

“When we layer AI speed response on top of incomplete asset inventories, fragile, broken integrations, and dependencies that nobody’s actually mapped completely, we don’t get faster security; we get faster failure.”
—Carolyn Wong

Joel Scambray, senior vice president at NCC Group, sees cause for some optimism. In a recent Mythos rundown webinar, he said that while automation is crucial, the “radical prioritization” of the vulnerabilities that matter is even more important.

“Fewer than 2% of CVEs are actually exploited for financial loss. It’s a sobering statistic that shows you that radical prioritization in the age of Mythos can lead to successful outcomes.”
—Joel Scambray

Instead of chasing every high-severity flaw, organizations have to rejigger their telemetry and automation to focus on remediating the most attackable flaws and the ones that threaten their most valuable assets — something they should have done long ago. Unfortunately, that involves a lot of boring stuff such as asset inventorying and classification and taking sophisticated measures such as going deeper into enterprise risk modeling and threat modeling.

2. Master the fundamentals 

When time to exploit collapses from days to hours and then to minutes, machine-speed containment takes precedence over trying to achieve total prevention. AppSec teams must pay attention to all the things that limit an incident’s impact, said Keyrock’s Cass.

“Fundamentals like segmentation, access control, and visibility carry more weight when the pace accelerates. Governance has to operate in real time, and teams need to be structured to absorb a much higher tempo of activity.”
—David Cass

In a recent update on the security implications of Mythos, SANS faculty fellow Joshua Wright said AppSec can’t afford “losing grasp of the conventional controls.” 

“Limit the blast radius. And really carefully think about how we can refactor and restructure our incident-response programs.”
—Joshua Wright

3. Upgrade your team’s AI skills

According to the CSA document, the existence of frontier models and the use of agentic tools across the enterprise put security programs in need of agents themselves to solve the problems those things bring. And to assure that those tools will be used proficiently, security leaders need to fast-track training. 

Evron has been urging security leaders to experiment.

“Start using these agents for everything for everybody. Demand it. Start pointing them at your code.”
—Gadi Evron

4. Double down on supply chain visibility

Agentic ecosystems and frontier models make it essential that critical controls are fully inventoried, for example via software bills of materials (SBOMs). David Brauchler, technical director at NCC, said such supply chain visibility is going to be more important than ever.

“A lot of it comes down to visibility and understanding your software bill of materials. If an organization doesn’t know what’s going into its software stack, they’re going to be woefully unequipped to respond to vulnerabilities or even malicious compromise that ends up wandering into their supply chains.”
—David Brauchler

5. Be prepared for the unknown

What awaits us on the AI frontier is unknown, the CSA guidance notes, so it would be wise to plan on additional head count and budget. Greg Notch, CSO of Expe and a collaborator on the document, suggests adding a placeholder line in the budget for security tools that will be needed but haven’t been created yet.

“The products that are going to solve this are coming, but they don’t exist yet.”
—Greg Notch

In line with the CSA’s recommendations of automating remediation pipelines, CISOs should shift their funding priorities, putting less toward vulnerability review and advisory functions and more toward security engineering and operational engineering.

Kick-start your AppSec strategy transformation 

Notch said the new demands on AppSec pinpointed by the CSA are not brand new. “This is a faster, harder version of a problem we already have. AppSec was already unsustainable even before AI.” The CSA’s message could be summarized, he said, as fix the basics, fast.

Doug Levin, a board member at ReversingLabs, wrote a blog post recently reality-checking Mythos’ effect on AppSec. “Don’t get distracted by the headlines. Mythos is a milestone, not a destination. Organizations that understand that will come out ahead," he wrote.

"Yes, adversaries are getting an upgrade with AI. But the defensive answer is architectural, not transactional. Smart CISOs and organizations won’t feel compelled to buy the flashiest, [most] cutting-edge AI security product — whether that’s Mythos or the competitors that are already popping up.”
—Doug Levin

Levin wrote that with the next-generation AI, a serious AppSec program isn’t a scanner stack. Instead, it’s a multi-vector reasoning system built on five layers, he advised.

Here are his five recommended layers:

• Discovery: Use supply chain threat intelligence on open-source packages, and integrate AI-assisted vulnerability research into CI/CD pipelines so that defenders find issues before code ships.
• Analysis: Employ static analysis, SBOM tracking, and threat intelligence enrichment to give discovery context. Include a final build check on the binary. As Levin noted, SolarWinds, 3CX, and CodeCov were all build-pipeline compromises that source-code analysis missed.
• Remediation: Accelerate patching with AI, but include human review, since autonomous patching harbors the same hallucination risk as autonomous discovery.
• Runtime: Upgrade to detection and response tooling that assumes that one-day and even one-hour exploits are the norm and that can reason about code context at runtime.
• Context: Stitch identity, asset ownership, and blast-radius data across the stack, so response is accurate at speed.

Frequently Asked Questions (FAQ)

What is the "AI Vulnerability Storm" briefing? It is an expedited strategy briefing published by the Cloud Security Alliance with the SANS Institute and the OWASP Gen AI Security Project, titled "The 'AI Vulnerability Storm': Building a 'Mythos-Ready' Security Program." Led by Gadi Evron with co-authors Rich Mogull and Rob T. Lee, it gives CISOs an action-oriented plan for a world where AI-driven offense is the baseline.

What is a Mythos-ready security program? It is a security program restructured around the assumption that AI dramatically accelerates vulnerability discovery and exploitation. Rather than relying on reactive patching, it prioritizes radical prioritization of exploitable flaws, machine-speed containment, AI-assisted security workflows, and strong software supply chain visibility.

How does AI change time-to-exploit? AI compresses the window between a vulnerability being disclosed and being weaponized. The CSA briefing frames this collapse as the central risk variable, shifting the defensive emphasis from total prevention toward limiting blast radius and containing incidents at machine speed.

How does software supply chain security fit into an AI-era AppSec strategy? Frontier AI makes it easier for attackers to find and exploit weaknesses in third-party and open-source components. Knowing exactly what is in your software — through SBOMs and post-build, binary-level analysis of the final package — lets teams respond quickly to both vulnerabilities and malicious compromise in the supply chain.

ReversingLabs helps software producers and enterprise buyers verify the safety and integrity of software before it ships or is onboarded. Spectra Assure analyzes final software packages at the binary level to detect malware, tampering, exposed secrets, and policy violations — and will stop a release if something does not pass.

Learn why RL created Spectra Assure Community, and sign up for free and start building more secure software today.