On April 7, 2026, Anthropic revealed its new AI Model named “Mythos” (currently in private mode) that aims to secure software in the AI era.  

Anthropic claims that AI has reached a turning point in cybersecurity. With the expected release of Mythos, AI models are poised to be capable of identifying and exploiting software vulnerabilities at a level that rivals and, in many cases, surpasses top human experts. Mythos has already uncovered thousands of high-severity vulnerabilities across major operating systems and browsers, signaling rapid acceleration in both capability and risk.  

Quickly in the wake of the Mythos announcement, Anthropic launched a coalition, named Project “Glasswing” after the clear-winged, tropical butterfly. The project, which includes over 40 major technology organizations such as Apple, Google, Microsoft, and Nvidia, is critical to redirecting this vast new LLM power toward defense rather than exploitation. 

A recent example shared by Anthropic highlights the leap in capability: while the Opus 4.6 model was able to generate a working JavaScript shell exploit for a Firefox 147 vulnerability only two times out of hundreds of attempts, Mythos achieved a dramatically higher success rate, producing a working exploit in 181 cases. That’s not a marginal gain; it’s a fundamentally different level of capability. 

In this article, we will provide a useful guide to allow you to better understand the announcement, what it means for application security leaders as well as some recommendations that you can learn from as you are moving forward with your AI journey.

Why did Anthropic Make this Announcement? And, Why Now?

For years, many software vulnerabilities have gone undetected because identifying and exploiting them requires highly specialized expertise. With the rise of advanced AI models, the barriers due to cost, effort, and skill have dropped dramatically, making both discovery and exploitation accessible, fast, and scalable. As you can see in Checkmarx’s own research below, the time to exploit a security vulnerability decreases dramatically with the power and adoption of AI. 

Vulnerabilities that took weeks, months, or even years to exploit until recently, can now be weaponized in a matter of minutes. This defines an entirely new reality for application security, and it needs to be top priority for any head of security, head of engineering, and the entire executive team.  

According to our annual Future of Application Security report, over 81% of organizations knowingly ship vulnerable code driven by overwhelming noise, uncontextualized backlogs, and limited resources. This is just one of several AI-driven challenges AppSec leaders must now confront. In the next section, we break down the most critical ones. 

For additional perspective on how security is evolving with advances like Mythos, watch this industry discussion: 

The Challenges of Adopting only AI Model-Based Security Solutions

As organizations accelerate toward AI-native development, the security landscape is shifting just as rapidly, and not always in predictable ways. New AI models are demonstrating an unprecedented ability to uncover vulnerabilities in existing codebases, including long-standing flaws that have gone undetected for years. At the same time, these models are dramatically lowering the barrier to exploitation, enabling faster weaponization of both known and unknown vulnerabilities. This creates a dual challenge: while discovery improves, the volume and velocity of risk increase just as quickly. 

With that in mind, here are some of the key security challenges that are emerging in agentic development, that enterprises must acknowledge: 

• New models are uncovering large volumes of zero-days in older code. 

• AI Speeds weaponization of vulnerabilities: Known & unknown. 

• A great reference to learn from is the recent article around the “jagged frontier” of AI security. 

• As much as 45% of AI-generated code may be insecure.  

• LLMs are missing vulnerabilities; coverage is incomplete. 

• Models are trained from different sources, thus producing inconsistent results from one LLM to another. 

• AI Models are not comprehensive enough and are lacking context. 

Deterministic & Probabilistic AppSec for Known & Unknown Vulnerabilities

As the software landscape evolves into an agentic one and LLMs continue to advance, it’s critical to recognize that AI-driven security analysis alone is not sufficient. Models that generate, and flag issues based on probabilistic reasoning must operate alongside deterministic systems grounded in real-world context, customer environments, true exploitability, policy enforcement, auditability, and full visibility. At enterprise scale, this also means supporting thousands of repositories, distributed teams, and highly interconnected systems. 

As highlighted in Tomasz Tunguz’s “Jagged Frontier of AI Security” article above, AI capabilities are not linear; they are inconsistent and context dependent. While models like Mythos can demonstrate breakthrough performance in discovering and exploiting unknown vulnerabilities, similar outcomes can often be reproduced by smaller models when given the right inputs. At the same time, known vulnerabilities, often buried in backlogs and lacking prioritization, remain a significant and weaponizable risk in the age of AI. 

In this uneven reality, some vulnerabilities are identified with high precision, while others are missed entirely. This leads to false confidence, inconsistent outputs, and critical gaps in risk coverage. If detection isn’t consistent, it isn’t trustworthy. 

This is where a hybrid model becomes essential – AI with its probabilistic reasoning provides speed and scale, but it must be complemented by a deterministic security layer that validates findings based on context and real exploitability, and this is where we are focused. Brought together, probabilistic and deterministic approaches establish a new standard for agentic application security, one that delivers high-fidelity, actionable results at scale. 

Making the case for Agentic Triage & Remediation

We’ve established that combining LLM-driven security which uncovers a wide range of unknown vulnerabilities with an already unmanageable backlog of known issues (leaving 81% of organizations exposed) requires a hybrid approach that blends probabilistic and deterministic analysis. But that alone is not enough. 

The sheer volume of vulnerabilities now demands agentic triage and remediation. Manual processes cannot keep up; they fail to provide context, prioritize effectively, or resolve risk with confidence at scale. 

This is where AI agents become critical. By automatically performing intelligent triage to eliminate noise and prioritize truly exploitable risk, and by driving fast, automated remediation, they bring together reasoning and precision. The result is security that is not only scalable, but truly actionable in an AI-native development environment. 

Final Thoughts & Recommendations

The Mythos announcement and the formation of Project Glasswing mark a major milestone in AI-driven security, but they are not, and cannot be, a standalone solution. As outlined above, AI models both amplify existing risks and expose new ones, creating challenges that require a broader, more integrated approach. 

To build a truly enterprise-grade, trustworthy AI security program, we recommend the following steps: 

• Hybrid AppSec Model 
  Combine deterministic precision with probabilistic AI to cover both known and unknown risk. 

• Agentic Triage & Remediation 
  Leverage AI agents to scale context-aware triage and accelerate remediation. 

• Shift Left to the Source 
  Identify and fix AI-generated vulnerabilities at code creation, before they reach production. 

Learn more about Checkmarx’s agentic agents: Developer Assist and Triage and Remediation Assist.

While enterprise developers understand the importance of application security (AppSec), it slows them down. Instead of using all their time for creativity, coding, and debugging – their “main job” – AppSec requires them to spend increasing amounts of their time going back to older code and closing all types of security gaps that security teams are focused on. The result is a reduction in development velocity and gradually increasing “security fatigue.”

As all types of cyber-attacks are on the rise, and the widespread adoption of GenAI among developers adds even more risks, it can feel like AppSec requirements are on a collision course with developer experience.

Fortunately, improved AppSec technology is now enabling development teams to “shift left,” making it easier, faster, and smoother to address application security risks as part of the earliest software development stages: while writing code and before committing code to source code management systems (SCMs), such as GitHub.

The Benefits of Shifting Left

When most AppSec risks are addressed early in the software development lifecycle (SDLC), developers seldom need to return to previously written code to close security gaps.

This dramatically reduces the cost and complexity of remediation tasks down the road; it is well-understood that addressing security gaps later is more difficult, takes longer, and may need to be done under high-stress or emergency conditions (e.g., following the detection of an actual security breach).

Shifting left: Advancing security scanning to check code and dependencies for vulnerabilities (and provide inline remediation guidance to developers) from the Build stage to the earlier Local Development and Code Commit stages improves security, while saving time, increasing productivity, and enhancing developer experience.

But We Already Scan Our Code at Build!

Scanning code at build time or upon pull requests are common approaches. However, they create a fundamental timing problem: Many of these automated security scans are too late in the SDLC to provide optimum protection. By the time applications are being compiled and deployed, the stages of writing code and incorporating third-party dependencies are already concluded.

Blocking builds is great for security objectives, but it delays version release timelines and doesn’t alleviate much of the security fatigue affecting developers. A better approach is required.

Realtime Code Analysis and Remediation

Imagine if each developer was teamed with an AppSec expert who watched every line of code being written, and who immediately pointed out anything that could pose a potential security issue. Furthermore, imagine that this expert would explain the risk and provide in-context remediation recommendations on the spot.

By essentially transforming every enterprise developer into an enterprise AppSec expert, the quantity of downstream AppSec alerts is dramatically reduced, improving the enterprise’s overall application security posture and the developer experience.

This is exactly what realtime code analysis and remediation technology does. Combining multiple security scanning technologies embedded within the developer’s integrated development environment (IDE), realtime code analysis can detect – and suggest in-line remediations for – many security flaws, including:

• Vulnerable code, written by developers or generated by AI coding assistants, that can be exploited by attackers
• Incorporation of third-party packages containing vulnerable or malicious code, whether the references to the packages were written in-house or generated by AI
• Hardcoded secrets (e.g., credentials, keys, tokens) that, if contained in shared repositories, can expose an organization to supply chain attacks
• Misconfigurations in infrastructure as code (IaC) files that can leave an organization’s environment open to attack

Once context-aware detection and remediation assistance capabilities are an integral part of the ongoing development process, developers can easily understand and address security issues without unnecessary friction or long lag times.

When developers receive application security posture management (ASPM) reporting inside the IDE, they can efficiently prioritize and address the most critical vulnerabilities found in the code they are responsible for – to improve their code quality and prevent unnecessary later work when the same issues are reported by the AppSec team.

However, even the best realtime analysis relies on developer adoption. That’s where pre-commit scanning creates an additional safety net.

Pre-commit Code Scanning

While realtime code analysis and remediation holds the potential to eliminate most application security vulnerabilities, it still relies on developers choosing to make use of these technologies. If a developer feels under too much time pressure, for example, to address every in-line alert generated by such a tool, those alerts will go unheeded, and the software will still end up containing vulnerabilities.

For this reason, it is also important for enterprise development organizations to implement automated pre-commit code scanning. Using “hooks” (commands or scripts that are automatically executed before a Git “commit” is performed), all code can be scanned for a variety of dangers before it ever reaches the SCM or other code repo.

Defining “hooks” allows the automated scanning of code for a variety of dangers before “commits” so that risky code never reaches code repository.

Since developers typically commit code changes soon after working on the code, receiving a list of risks to address at this point is still much more convenient than getting them at some later point in time. And, of course, preventing risky code and hardcoded secrets from ever reaching code repositories results in more secure compiled applications, less exposure to breaches, and a significantly lower risk-remediation burden for developers later.

Organizations should automatically run the following types of code scans prior to permitting code commits from completing:

• Static application security testing (SAST) – to limit the presence of exploitable code vulnerabilities in compiled applications
• Software composition analysis (SCA) – to prevent the deployment of vulnerable third-party libraries or the violation of third-party code licenses, and to ensure the constant availability of up-to-date software bills of materials (SBOMs)
• Malicious package protection (MPP) – to prevent third-party libraries containing malware from reaching code repositories, artifact registries, or running applications
• Secrets detection – to prevent the possible exposure of sensitive credentials to unauthorized parties who may try to exploit them
• Infrastructure as code (IaC) scanning – to ensure that there are no misconfigurations that can endanger the organization’s software infrastructure

Organizations need to create policies around these scans to balance security needs with developer experience and productivity. For example, most developers will accept cancelation of a code commit if the code contains hardcoded credentials, malware, or third-party code that violates licensing requirements. On the other hand, it is reasonable to allow certain types of low-severity vulnerabilities to pass through in the interest of developer velocity and meeting business deadlines.

Therefore, any pre-commit code scanning implementation must allow managers to customize the policies in place, to easily fine-tune these policies over time, and to allow relevant managers to override restrictions on a case-by-case basis. Without this level of control – and these types of release valves – a developer rebellion may occur!

The Critical Importance of Accuracy

A key success factor in shifting AppSec left is the accuracy of the technologies being implemented. If developers are bombarded with “false positives” during coding, they will quickly stop trusting (and using) these tools. Likewise, if their code commits are frequently blocked for “no good reason,” frustration will mount, and developer cooperation with security teams is likely to suffer.

Achieving low false positive rates requires a combination of technological and data-collection capabilities that can ensure that a very high percentage of alerts (and suggested remediation steps) are correct. Some examples of these capabilities include:

• Fine-tuned SAST vulnerability detection algorithms that support a wide range of coding languages with high-fidelity results
• Remediation guidance capable of pinpointing individual fix locations that can address multiple vulnerability findings in a single edit
• Effective SCA reachability analysis that uses multilingual “exploitable path” methodologies to determine which unsafe library functions may actually be called at runtime – and which are unused (and thus safe) for now
• Comprehensive and up-to-date databases of third-party code libraries containing vulnerable or malicious code – and the best alternatives, if they exist
• Sophisticated secrets detection algorithms that don’t confuse harmless code with sensitive credentials, and that can be customized when necessary
• Live validation of discovered secrets to determine if they are still exploitable

Having an accurate high-level view of the overall application security posture at all times helps teams to prioritize the fixes that matter most.

This Shift is Already Happening

The confluence of multiple trends is rapidly accelerating the adoption of realtime code analysis and automatic pre-commit security scanning in enterprise software development environments. These include:

• The larger attack surface presented by modern software supply chains
• The ever-increasing number and sophistication of cyber-attacks
• The sudden ubiquity of AI-driven code-generators
• The greater attention being paid to developer experience by security professionals
• The emergence of new technologies to better (and earlier) detect (and help remediate) software security issues

This proactive shift toward early risk detection and remediation is revolutionizing the relationship between enterprise development and security teams, with tremendous benefits: higher levels of application security along with improved developer experience. By automating embedded AppSec scanning – and remediation guidance – where developers live, both security and productivity soar.

Continuous visibility and measurement of developer productivity and the ability to address high-risk vulnerabilities are key factors of successfully shifting left in AppSec.

Ready to Transform Your AppSec Approach?

So, how can you start shifting your AppSec further to the left, while improving both application security posture and developer productivity? Here are some suggested next steps to get you started:

1. Assess your current security posture – Identify where vulnerabilities are typically found in your SDLC and calculate remediation costs.
2. Select IDE-integrated security tools – Evaluate and implement realtime code analysis tools that match your technology stack.
3. Configure pre-commit security hooks – Set up automated scanning for vulnerabilities, secrets, and dependency risks before code reaches repositories.
4. Define clear security policies – Establish which issues block commits and which generate warnings, balancing security with developer productivity.
5. Start with a pilot team – Implement with a small, receptive development team to gather feedback and demonstrate value.
6. Invest in developer training – Ensure teams understand security risks and how to use the new tooling effectively.
7. Optimize false positive rates – Continuously tune detection algorithms based on feedback to maintain developer trust.
8. Measure and communicate wins – Track metrics like vulnerabilities prevented and time saved to demonstrate ROI.
9. Integrate with existing workflows – Connect new security tools with CI/CD pipelines and ticketing systems.
10. Scale gradually across teams – Roll out to the broader organization based on lessons learned from early adopters.

By following these steps, you can achieve the dual benefits of improved application security and enhanced developer experience. The journey to shift-left security is an evolution, not a revolution, but the rewards are well worth the investment.

Explore how Checkmarx One helps secure code earlier, reduce developer friction, and scale security across your SDLC. Learn more here.