Mythos Changes the Speed of Attacks, But Not Cybersecurity Fundamentals

On April 7, Anthropic announced Claude Mythos Preview and Project Glasswing. In internal testing, Mythos found thousands of zero-day vulnerabilities across every major operating system and browser, achieved a 72% exploit success rate, and uncovered a 27-year-old OpenBSD vulnerability.
To coordinate disclosure, Anthropic gave early access to 40 software vendors so they could patch their own products before the public announcement. The announcement reached well beyond the security community, landing in boardrooms across the industry.
Before reacting to this news, let’s look at the numbers that were in motion before Mythos existed.
The gap existed before Mythos
An average of 131 new CVEs were disclosed every day in 2025. Hadrian's analysis of Mandiant data tracked an average time-to-exploit of negative one day: on average, attackers were already exploiting a vulnerability a day before a patch was available.
Meanwhile, 50% of critical CISA KEV vulnerabilities remained unpatched 55 days after a fix was available, and those are the vulnerabilities already known to be actively exploited. That asymmetry between attackers and defenders pre-dated the Mythos announcement.
We haven’t had access to Mythos yet. Everything we know about its capabilities comes from Anthropic's published data and the technical findings released alongside Project Glasswing. Based on those, Mythos lowers the skill floor for discovering and exploiting complex vulnerabilities. It removes much of the human scaffolding previously required to build working exploits at scale.
Whether or not those claims hold up under broader third-party testing, the trajectory they describe is consistent with what the security community has been tracking for over a year: AI-driven vulnerability discovery and exploitation has been accelerating since at least mid-2025.
The capabilities demonstrated will spread to competing frontier models within months and to open-weight models soon after. Thus, the response window for defenders will keep shrinking regardless of what any single vendor decides to do.
The attack targets don't change: credentials, access, and data. The playbook that protects them doesn't change either. Segmentation, access control, and defense in depth remain as valid as they ever were. What Mythos does, if Anthropic's published numbers hold, is raise the cost of not executing that playbook well.
From reactive patching to proactive resilience
The old model assumed time. A vulnerability is disclosed, a patch ships, teams apply it within days or weeks. That worked when time-to-exploit was measured in months. At under 20 hours, it fails as a primary defense strategy.
Two shifts are now necessary.
The first is proactive vulnerability scanning. Security teams need to find their own vulnerabilities before an attacker does. The same LLM capabilities that power Mythos are available to defenders: integrating AI-driven review into your CI/CD pipeline, running security agents against your own code before it ships, and treating vulnerability discovery as a continuous function rather than a quarterly exercise are all achievable today.
The second is an architecture that assumes breach. Design so that a successful exploit has a contained blast radius. Network segmentation, egress filtering, phishing-resistant authentication, zero-trust controls, and secrets isolation are best practices to limit damage regardless of whether a patch has shipped. This makes them necessary in any scenario and indispensable in this one.
The CSA strategy briefing published recently, written by 60+ contributors and reviewed by 250+ CISOs, lays out a concrete framework for both shifts. It’s worth reading in full.
What this looks like at Dashlane
Credential managers sit at the center of the attack surface Mythos-class tools are designed to reach. We hold the keys to our users' digital identities, and that responsibility shapes every architectural decision we make.
Our zero-knowledge architecture starts from the assumption that our infrastructure can and will be targeted by sophisticated, well-resourced threat actors. Credentials are encrypted on the user's device. Dashlane does not hold user decryption keys and has no way of accessing the vault contents of a user. Our goal is that a breach of our servers would yield nothing of value to an attacker.
This was a harder path to take, more costly, and more complex from an engineering standpoint. However, that’s what makes our product more resilient in the new AI world. Our threat model assumes motivated attackers targeting users, infrastructure, and supply chain. We design for that scenario, document it, and revisit it as the threat environment shifts. Mythos is consistent with the scenarios we already plan for.
We enforce the same discipline with our own company practices. Our Risk Committee continuously reviews our security posture to ensure we’re reducing risks for our customers and our company. A few examples:
- We started working on post-quantum cryptography ahead of a potential Q-Day
- We’ve been actively incorporating AI in our software lifecycle for security review and scanning (ahead of newer capabilities like Mythos)
- We approach our product’s AI usage with security and privacy in mind.
Five actions every security team can take now
- Start scanning your own code with AI agents. Integrate LLM security review into your CI/CD pipeline. Commercial and open-source tools exist today.
- Update your risk model. Assumptions built on weeks-long exploit timelines are obsolete. Dependency management also matters more than ever: make sure you have as much control as possible over your third-party dependency risk and exposure. The Axios package incident is the latest in a long list of dependency attacks.
- Harden the basics. Having controls documented isn’t the same as having them enforced. Audit whether implemented segmentation actually holds under lateral movement, authentication is phishing-resistant in practice, and egress filtering covers your real traffic patterns (not just the ones you planned for). The gap between a control that exists and a control that works under pressure is where incidents develop.
- Design for blast radius, not just perimeter. If an exploit lands today, what does your architecture do to contain it? The answer to that question determines whether an incident can be contained and resolved or becomes a full-blown crisis.
- Build team muscle for incidents. Create a code red plan. Run tabletop exercises to simulate incidents. Practice so you are ready the day it happens.
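The egress-filtering point above, and the earlier one about designing for breach, both come down to a single audit: does the allowlist you wrote match the traffic your systems actually generate? The following added example (not from the original post) runs that audit in Node.js over a constructed allowlist and a constructed, VPC-flow-log-style set of observed flows. It reports the accepted flows a default-deny policy would newly block (traffic you did not plan for) and the rules no flow ever used (candidates to tighten or remove). The rule format and log format are assumptions made for the demo.

```javascript
// Added example (not the post's code): audit a planned egress allowlist against
// observed flows. Rule format and log format are assumptions for this demo.

// Planned default-deny egress policy: only these destinations are allowed.
const EGRESS_ALLOWLIST = [
  { name: 'dns',          cidr: '10.0.0.53/32',  port: 53,  proto: 'udp' },
  { name: 'package-repo', cidr: '10.20.0.0/16',  port: 443, proto: 'tcp' },
  { name: 'ntp',          cidr: '10.0.0.123/32', port: 123, proto: 'udp' },
];

// Constructed flow log (src dst dstport proto action), one flow per line.
// 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
const OBSERVED_FLOWS = `
10.1.4.7 10.0.0.53 53 udp ACCEPT
10.1.4.7 10.20.3.9 443 tcp ACCEPT
10.1.4.8 203.0.113.45 443 tcp ACCEPT
10.1.4.8 198.51.100.7 22 tcp ACCEPT
10.1.4.9 10.20.3.9 443 tcp ACCEPT
10.1.4.9 198.51.100.9 4444 tcp REJECT
`;

// Dotted-quad IPv4 to unsigned 32-bit integer; rejects malformed input.
function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True if ip falls inside cidr (e.g. '10.20.0.0/16').
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0);
}

function parseFlows(text) {
  return text.trim().split('\n').filter(Boolean).map(line => {
    const [src, dst, port, proto, action] = line.trim().split(/\s+/);
    return { src, dst, port: Number(port), proto, action };
  });
}

function matchRule(flow, rules) {
  return rules.find(r => r.proto === flow.proto && r.port === flow.port && inCidr(flow.dst, r.cidr)) || null;
}

// Compare the planned policy with what the network actually carried.
// Only flows the current policy ACCEPTed count as real traffic; anything
// already rejected is not a pattern the new allowlist needs to preserve.
function auditEgress(rules, flowText) {
  const accepted = parseFlows(flowText).filter(f => f.action === 'ACCEPT');
  const used = new Set();
  const unplanned = [];
  for (const f of accepted) {
    const rule = matchRule(f, rules);
    if (rule) used.add(rule.name); else unplanned.push(f);
  }
  const unusedRules = rules.filter(r => !used.has(r.name)).map(r => r.name);
  return { total: accepted.length, unplanned, unusedRules };
}

console.log(JSON.stringify(auditEgress(EGRESS_ALLOWLIST, OBSERVED_FLOWS), null, 2));
```

Two things the report makes visible that the written policy does not: the 22/tcp flow to 198.51.100.7 is live traffic the allowlist never anticipated, and the `ntp` rule is dead weight. Both are exactly the kind of gap between "a control that exists and a control that works" the action list describes; run the same audit on real flow logs before turning default-deny on, not after.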
Architecture is the answer
The organizations that are resilient won't be those that patched fastest after Glasswing. They'll be the ones that built as if the worst-case scenario were inevitable and designed their systems from the start to be fortified, constraining what an attacker can do with access once they get it.
At Dashlane, every architectural decision started from the same premise: assume you will be targeted, and design so that being breached does not mean losing user data. The choice of a zero-knowledge architecture is meant to protect users' data at all costs. Building on that, we chose confidential computing through AWS Nitro Enclaves to isolate cryptographic operations so that even our own cloud infrastructure cannot access them. Post-quantum cryptography is on our roadmap because the threat horizon extends beyond today's attack surface. These are not reactive choices, but intentional ones made before any specific threat forced them.
We signed CISA's Secure by Design pledge because we believe in security embedded from the start, with software vendors taking ownership of customer security outcomes rather than treating them as someone else's problem. In addition, we published a one-year progress report on what it means in practice. The pledge has acted as a compass for our security roadmap, pushing us to eliminate root causes rather than layer additional controls on top of them.
Mythos raises the cost of building insecure software. The response to it is the same as it has always been: design for breach, harden the basics, and stop betting on time you don't have.