Mythos, Aardvark and AI Vulnerability Discovery: The Future of Cyberattacks?

When people talk about artificial intelligence in the hands of attackers, most think about phishing, deepfakes or fake messages. Those topics are easy to explain because they touch everyday life.

There is also a more technical area that may be even more important for the future of cybersecurity: autonomous vulnerability discovery.

In simple terms, these are AI systems that can read software, look for bugs, test them and propose fixes. That can be excellent when defenders use the tools. It can become dangerous when similar capabilities are used by attackers.

For broader context, read AI as an Attacker and what AI phishing is.

The defensive side of the same topic is covered in AI as defense in cybersecurity, where AI helps with monitoring, incident analysis and human-reviewed security action.

Aardvark and Codex Security as a concept for an AI security researcher

What is a software vulnerability?

A vulnerability is a bug or weak point in a system that can be abused. It does not have to be a dramatic flaw in a banking app. A vulnerability can also be a misconfigured server, an old plugin, weak access control, a login flaw or an unpatched application.

Attackers like vulnerabilities because they can open a path into a system. Sometimes one unpatched bug is enough to access data, accounts or infrastructure.

That is why companies need vulnerability management: regular discovery, assessment and remediation of vulnerabilities. It also includes patch management, the process of updates and fixes.

What is CVE?

CVE is a public identifier for a known vulnerability. It helps security teams, vendors and users refer to the same issue by the same name.

What is zero-day?

A zero-day is a vulnerability the vendor does not yet know about or has not yet fixed. The name suggests that defenders have zero days to prepare once the vulnerability becomes known or exploited.

For a normal business, the conclusion is simple:

  • updates are necessary, but not enough,
  • monitoring matters,
  • the impact of compromise must be limited,
  • backups are required,
  • response speed matters.

What is bug bounty?

A bug bounty is a program where a company allows security researchers to look for vulnerabilities under clear rules. AI can help researchers, but it does not change the basics: testing must be authorized, responsible and reviewed.

What does agentic AI mean?

Agentic AI refers to systems that do more than answer one question. They can work through several steps, use tools, plan, check results and continue. In security, that can mean reading code, building a mental model of the system, finding suspicious areas, validating the issue, proposing a fix and explaining it to a developer.

How vulnerabilities were found before

Traditionally, software bugs were found through:

  • manual security testing,
  • penetration testing,
  • automated scanning,
  • code review,
  • bug bounty programs,
  • fuzzing,
  • monitoring known CVE vulnerabilities.

Each method has strengths and limits. Manual testing is high quality but expensive and slow. Automated scanners are fast but often find only known or simpler issues. Developers understand the code, but they may not always think like attackers.

AI vulnerability discovery adds a new capability: combining code reading, logical reasoning, testing and remediation suggestions.

Aardvark and Codex Security: AI as a security researcher

Aardvark was presented as an agentic security researcher. In plain language: an AI agent that behaves somewhat like a security analyst. It reviews code, tries to understand what the application does, looks for suspicious areas, validates problems and proposes fixes.

This is valuable for defenders. Many companies have a lot of code, little time and even fewer security experts. If AI helps find issues before production, it can reduce incident risk.

Still, this kind of tool should not replace people. It should help developers and security teams, while final decisions, priorities and fixes remain under human review.

Mythos: a sign of rapidly growing capabilities

Mythos Preview showed that modern AI models can be strong at finding and validating vulnerabilities. The point is not only flagging suspicious code. The important part is multi-step work: reading code, creating hypotheses, testing them, validating results and preparing an explanation.

For the security community, this is important. These models can help fix critical software faster. At the same time, they may reduce the time companies have to react after a vulnerability becomes public.

In the past, it could take longer to turn a known vulnerability into a practical attack. Stronger AI may shorten that window. Delaying updates will become increasingly risky.

Why this is useful

AI vulnerabilities and automated discovery have strong defensive potential. They can help developers find bugs before deployment, help security teams prioritize risk and help companies fix critical issues faster.

For small and midsize businesses, the benefit may be even larger. They often use websites, e-shops, internal applications, cloud services and plugins without having a dedicated security team. AI tools may make higher-quality security checks accessible to more organizations.

Why this is risky

Every tool that helps find bugs can be used in two ways. A defender uses it to fix. An attacker may use it to find a path inside.

Main risks include:

  • faster discovery of weak points,
  • faster exploitation of known vulnerabilities,
  • more pressure on companies that patch slowly,
  • more automated attack attempts,
  • a lower entry barrier for less experienced attackers.

This does not mean AI security tools are bad. It means the world is speeding up, and slow security will become a bigger problem.

Secure by design approach for protection against AI vulnerability discovery

What this means for a normal business

A normal business does not need to understand every exploit detail. It should understand the consequence: security cannot be handled once a year.

If you have a website, e-shop, internal system, remote access, cloud, plugins or external suppliers, you need a regular process.

Key questions:

  • Do we know which systems we use?
  • Do we know who manages them?
  • Do we know which systems are exposed to the internet?
  • Do we update regularly?
  • Do we track critical vulnerabilities?
  • Do we have backups?
  • Can we quickly disable or fix a problem?
  • Do we test security before changes go live?

Practical recommendations

1. Build an asset inventory.

You cannot protect what you do not know exists.

2. Patch regularly.

Especially public systems, CMS platforms, plugins, VPNs, firewalls and servers.

3. Separate critical access.

Admin accounts should use MFA and least privilege.

4. Run regular security checks.

At minimum, use vulnerability scans and occasional penetration testing.

5. Monitor suppliers.

An external website or plugin can become an entry point.

6. React quickly to critical vulnerabilities.

For serious flaws, waiting months is not a strategy.

7. Build security into development.

Fixing a bug before deployment is cheaper than fixing it after an incident.

8. Use AI as an assistant, not a blind judge.

AI can accelerate analysis, but risk and remediation decisions need human review.

Conclusion

Autonomous vulnerability discovery is one of the most important changes in cybersecurity. Models such as Aardvark and Mythos show that AI can do part of the work that was recently limited to a small group of experts.

For defense, this is a major opportunity. For unprepared companies, it is a serious warning.

The future will not belong to organizations that never make mistakes. Mistakes will always exist. The future will belong to those that can find, evaluate and fix them before someone abuses them.

Related articles

Do not wait until an attacker finds the vulnerability - test your systems.

Book Now