After all the noise around Project Glasswing and the usual “this is the end of cybersecurity” takes flying around, I wanted to take a real step back. I have read a lot of doom, a lot of fear and a lot of people acting like the only conclusion here is panic.

Yes, Anthropic’s Mythos capability is a genuine powerful shift. Finding vulnerabilities at that scale, including bugs hiding in production code for decades, is a big deal. The discovery side of the problem has clearly moved on. But the real story for me is what comes next.

This does not kill cybersecurity. It exposes where the real work has always been. Prioritisation. Ownership. Software QA. Remediation capacity. Change velocity. Engineering discipline. That is where most organisations still struggle. Not because nobody cares, but because real estates are messy, old and full of systems nobody wants to touch on a late Friday afternoon.

So rather than add to the doom spiral, I wrote my take on the more optimistic side of this. Where I disagree with some of the commentary. What this actually changes. What it does not change. And where I think the industry has a real opportunity to get better. Better QA before code ships. Smarter release discipline. AI assisted remediation where it genuinely helps. And more honest, intelligence led prioritisation instead of pretending every red dot is the same fire.

There is still a lot of good work to do. There are still good people doing it. And there is a credible path forward here if we stop admiring the problem and start fixing the pipeline around it. That is my view on the state of play and what to do next. Link in the comments.

#CyberSecurity #CISO #VulnerabilityManagement #AI #ProjectGlasswing #SecurityLeadership
AI Can Find Every Vulnerability in Your Estate. You Still Cannot Fix Them. https://open.substack.com/pub/dtnadvisory/p/ai-can-find-every-vulnerability-in
The vulnerability discovery problem just got faster. The remediation problem is still painfully human. Everybody wants to panic about AI finding more bugs. Fewer people want to admit their pipeline, ownership, and QA discipline were already the real bottlenecks.
Well put, Dan TINSLEY. Discovery has moved. Discipline hasn’t. The tension now is detection at scale vs remediation capacity. What we are seeing is the cost of accumulated engineering trade-offs. I shared a brief perspective on this shift in my latest post. https://www.linkedin.com/posts/ponsarun_executivestrategy-cybersecurityleadership-activity-7447916458321379328-y7ws
Dan TINSLEY, I am of the same opinion. For all these years the industry has been churning out tool after tool that can "detect" a cyber issue. This development puts all that to ease. I think it is time to build tools to anticipate attacks and withstand their effects.
For context, Jen Easterly’s piece is very worth reading too, even where I see this a bit differently: https://www.linkedin.com/posts/jen-easterly_a-controlled-collaborative-release-of-perhaps-ugcPost-7447646357680521216-qByj