Cybersecurity has a speed problem

When Anthropic unveiled Claude Mythos in April, the reaction across the cybersecurity industry was immediate. Boards demanded answers, tech leaders called urgent meetings, and a familiar narrative began to take hold: AI is changing the rules of cybersecurity.

But while this is partly true, it misses the real point. AI hasn’t changed the rules. It has simply sped up the game and exposed that the rules were already broken.

For years, cybersecurity operated on a relatively stable assumption. If attackers discovered a vulnerability, it would take time to exploit it, and defenders would have a window to respond. That window was never perfect, but it made the system workable.

That time is now gone. In 2018, the average time between discovering a vulnerability and exploiting it was measured in years. Today, it is measured in hours, so this isn’t a gradual shift, it’s a fundamental change in how cyber risk behaves.

What tools like Mythos show is not a leap in technical capability, but a breakthrough in execution. Vulnerabilities that have existed for decades can now be found and exploited almost instantly. The bottleneck is no longer discovery. It is deciding what to fix and doing it fast enough.

So, this is where the real challenge begins.

On the defensive side, organisations are increasingly overwhelmed. AI systems can surface huge volumes of vulnerabilities, but they are far less effective at identifying which ones are actually exploitable. Security teams are left with growing backlogs, trying to prioritise risk while the cost of delay continues to rise.

Attackers, meanwhile, face a much simpler problem. They do not need to fix anything. They only need one viable path. AI gives them the ability to test multiple options and select the most effective route at machine speed.

This imbalance sits at the heart of the issue.

It is also being reinforced by a deeper structural problem. Many organisations still manage cybersecurity as if time is on their side. Annual penetration tests, slow patch cycles and retrospective reporting are all built on the assumption that vulnerabilities can be addressed before they are exploited.

That assumption no longer holds, especially as at the same time, the attack surface continues to expand. Every new integration, cloud service or legacy system creates another potential entry point. In many cases, the greatest risks do not come from well-tested core systems, but from overlooked suppliers or outdated components that no one wants to touch.

This is why the Mythos moment is about more than software flaws. It is about digital exposure. Most organisations do not fully understand what is exposed or how it could be exploited.

Therefore, the response cannot be to simply do more of the same, and this isn’t a problem that simply hiring more analyst can solve. The scale and speed of modern threats have already outgrown what humans can handle alone.

What is needed is a shift in approach, from reacting to incidents to continuously validating risk.

That shift depends on three things: visibility, validation and speed. Organisations need to understand what is exposed, prove what is actually exploitable, and act before attackers do.

But even that is not enough on its own.

We are now entering a phase where cybersecurity becomes an AI versus AI problem. Attackers are already using automated systems to scan, test and exploit vulnerabilities at scale. Defenders will have to respond in kind, using AI to continuously probe their own systems, simulate attacks and prioritise real risk.

The difference will come down to how effectively that technology is directed. AI can generate possibilities at scale. It can surface thousands of potential weaknesses. But it still lacks context. It cannot reliably decide what matters most, or what a real attacker would do next, and that responsibility still sits with humans.

Which means the real battleground in cybersecurity is shifting. It is no longer about who can find vulnerabilities first. It is about who can make better decisions, faster.

AI will continue to uncover weaknesses. That is inevitable. The question is who can turn that information into action before it is exploited.

Because cybersecurity is no longer just a technical challenge, it is a race, and right now, most organisations are running behind.