Help Over Hype: Claude Mythos, Project Glasswing and the Real Questions CISOs Want Answered

April 21, 2026
Mark Wojtasiak
SVP of Product Research and Strategy

CISOs don’t need another headline telling them security just got harder. It already is. Their environment is changing constantly. Systems come and go. Identities, especially non-human ones, keep growing. Activity moves faster than teams can track. And even with the right tools in place, it’s not always clear what’s actually happening at any given moment.

So, when something like Claude Mythos shows up, the question isn’t whether it’s interesting or important. It’s more practical than that: Does this change what I need to worry about tomorrow morning? That’s where the conversation starts.  

To understand the questions CISOs are asking about Claude Mythos and Project Glasswing, I sat down with Vectra AI CEO Hitesh Sheth, Vectra AI CTO Oliver Tavakoli, and Marty Roesch, creator of SNORT and founder of both Sourcefire and Netography, who now operates as Head of Cloud at Vectra AI.

“Does Claude Mythos make us less secure?”

Hitesh Sheth, CEO

Hitesh tends to step back from the headline and look at the broader system.

The enterprise didn’t suddenly become complex because of Claude Mythos. It was already there. What we now call the modern enterprise is always on, always connected, and always changing. Workloads move. Identities authenticate across systems. Data flows continuously between environments.

Security, on the other hand, was largely built for a different model — one where environments were more stable, boundaries were clearer, and there was time to figure things out. That mismatch is the real issue.

Claude Mythos doesn’t introduce a new category of risk as much as it accelerates something that was already happening. It reduces the effort required to find weaknesses and act on them. It compresses timelines. It gives attackers more speed, but it doesn’t fundamentally change how they operate.

They still log in. They still use valid access. They still move across systems in ways that look normal when viewed in isolation. That’s why the harder problem for most teams isn’t prevention; it’s understanding. Not whether something could happen, but whether it is happening.

And that’s where CISOs often feel the most pressured. They’re expected to answer questions that sound simple but are difficult in practice:

  • Who / what is on our network?
  • Are we exposed to attack right now?  
  • Will the controls we have in place work?  

The challenge isn’t lack of data. It’s lack of clear, timely answers. From that perspective, Claude Mythos doesn’t create a new problem. It makes an existing one harder to ignore.

“Can we address Claude Mythos by patching faster?”

Oliver Tavakoli, CTO

This is usually the next question, and Oliver’s answer is straightforward. Not in the way most people hope.

If Claude Mythos is even directionally accurate in what it shows, then we must assume that much of the software we depend on is more vulnerable than we thought. Not because it was poorly built, but because some flaws were simply hard to find and exploit, and now it’s easier to do so.

The real shift is speed and scale. Vulnerabilities that might have taken months or years to uncover can now be identified much faster. And once they’re found, turning them into working exploits is no longer a time-consuming process requiring unique skills.

That puts pressure on a model that was already strained. Organizations are used to identifying vulnerabilities, prioritizing them, and patching over time. But that process depends on a manageable volume and a reasonable timeline. When the volume expands and the timelines shrink, the model breaks down.

There are practical constraints that don’t go away:

  • Critical systems can’t always be patched immediately  
  • Upgrades introduce operational risk  
  • Legacy and OT environments are difficult to change  
  • Dependencies slow everything down  

So, teams end up in a familiar but uncomfortable position. They know where some of the risks are. They know what needs to be addressed. But they can’t fix everything at once, and they can’t afford to break what’s already working. That creates a period where organizations are operating with known but unresolved exposure.

During that time, a few things are likely to happen in parallel. Vulnerabilities will continue to be discovered. Exploits will be created and shared more quickly. And attacks, including successful ones, will increase.

At the same time, not all attacks rely on software flaws. Identity abuse, misconfigurations, and social engineering remain effective and, in many cases, easier. So, the goal isn’t to eliminate all known risks immediately. It’s to manage through a period where risk is higher and where perceptions of risk are constantly shifting.

“If we assume things will get through, how do we defend?”

Marty Roesch, Head of Cloud

This is where the conversation shifts. At what point in an attack does prevention stop being an option?

There’s a moment when an attack transforms from something you might be able to block into something that needs to be detected so you can respond. Before that moment, you might catch the exploit itself. After it, you’re dealing with activities that blend into normal behavior. In modern environments, that moment comes earlier than most people expect.

Security architectures often assume that multiple layers provide overlapping protection. In practice, they’re more sequential than redundant. Each tool sees a different part of the attack, at a different point in time. If that moment is missed, there isn’t always another chance to observe the same action. That’s one reason attacks can move through environments without being detected for long periods. Not because there are no controls in place, but because there are gaps between them.

Marty’s view is that the problem isn’t the absence of telemetry. It’s that the telemetry is fragmented.

Endpoint tools see processes on managed devices. Identity systems see authentication events. Cloud tools see activity within specific services. Each is useful, but none of them shows how activity connects across the environment.  

The network is where attacks actually unfold. They move across identities, systems, and environments. Each step may look legitimate on its own. It’s the sequence that tells the story. This is why Marty keeps coming back to the network.

The network is one of the few places where everything shows up. Every system, every identity, every workload eventually communicates across it. That makes it a consistent vantage point, especially for areas that are otherwise hard to observe, like network infrastructure or unmanaged systems.

From there, the focus shifts away from trying to recognize every possible exploit and toward understanding behavior. Not what a system, identity, or application is supposed to do, but what it is doing.

There’s a pattern to how attacks progress: how access is gained, how privileges change, how movement happens, and how data is accessed and moved. Those patterns don’t depend on a specific vulnerability. They hold across different techniques. That’s what makes them useful in an environment where the specifics are constantly changing.

Putting it together

None of these perspectives contradict each other. They build on each other.

  • Hitesh starts with the reality that the enterprise is already dynamic and difficult to fully understand in real time.
  • Oliver explains how AI-driven vulnerability discovery increases the pressure on systems that were already hard to maintain and secure.
  • Marty focuses on what happens when prevention doesn’t catch everything, and how detection needs to work in that scenario.

Taken together, they point to a simple conclusion. Claude Mythos doesn’t introduce a new category of problem. It accelerates all existing ones.

What to take away from these conversations

In the near term, things may feel less stable, not more. Vulnerabilities will be easier to find. Exploits will be easier to create. Some systems will be harder to fix quickly. Attacks will continue to use a mix of techniques, not just software flaws.

Over time, software will likely improve. Some of the easier vulnerabilities may disappear. But attackers will adjust, as they always do. The constant isn’t the vulnerability itself. It’s the need to understand what’s happening in your environment as it happens. That’s the part that matters, regardless of how the threat evolves. And that’s the question CISOs keep coming back to, not just with Claude Mythos, but with everything:

Do we understand what’s happening on our network, across our infrastructure — right now?
