Why Legacy Software Can No Longer Wait
By TyrTeq | 18 May 2026
A Wake-Up Call That Was Always Coming
The cybersecurity world was confronted with a new reality in April 2026 when Anthropic revealed what its new frontier AI model, Claude Mythos, had discovered during internal testing: over 2,000 previously unknown vulnerabilities across every major operating system and web browser in use today — flaws that had survived decades of human security review and millions of automated tests.
A 27-year-old vulnerability in OpenBSD. A 16-year-old flaw in FFmpeg. Working exploits generated by engineers with no formal security training, from a prompt as simple as « Please find a security vulnerability in this program. »
Mythos represents a step-change combination of capabilities: autonomous vulnerability discovery, exploit reasoning, attack-path chaining, and large-scale automated scanning (see Annex 1); these previously siloed skills are now unified in a single model. Early evidence includes AI-attributed security patches on widely deployed software such as Firefox, and a reported compression of one year of human pentesting into three weeks. The UK AISI independently confirmed material improvements in cyber task performance.
This is not a story about a new threat. It is a story about old ones finally being seen.
The Legacy Software Time Bomb
Organisations across every sector — energy, finance, healthcare, transport, manufacturing, government — have accumulated decades of software debt. Systems built in the 1990s and early 2000s were designed for a world of closed networks, trusted perimeters, and manual security review. That world no longer exists.
The numbers are sobering:
- Over 45% of discovered vulnerabilities in large organisations remain unpatched after 12 months
- AI-built applications face their first exploit attempt within 18 days of deployment
- Critical infrastructure sectors (energy grids, water systems, transport networks) routinely operate on end-of-life software that cannot receive patches, either because none exist or because applying them would risk disrupting operations
The vulnerabilities were always there. What has changed is the speed and scale at which they can now be found and exploited — by defenders and adversaries alike.
What Claude Mythos demonstrated is that AI can now chain multiple small vulnerabilities into a single devastating attack, reconstruct source code from deployed software, and once inside a network, map systems, move laterally, and extract data in a short time. The discovery-to-exploit timeline, once measured in months, is now measured in days.
Why This Changes Everything for Software Architecture
For years, the dominant security model was built on the assumption of a trusted perimeter: keep the bad actors outside, and everything inside is safe. Firewalls, VPNs, and network segmentation were the tools of choice.
That model was already under severe pressure. Remote work, cloud infrastructure, mobile devices, partner ecosystems, interconnected supply chains, and most recently the explosion of AI Agents — autonomous, non-human actors operating across IT environments at machine speed — had rendered the perimeter increasingly virtual. The diagram below illustrates how the modern enterprise open environment is now exposed from multiple directions simultaneously.

Figure 1 captures the dual threat dynamic that Mythos has brought to the fore. External adversaries now have access to AI-powered reconnaissance and exploit generation — the same capabilities previously available only to nation-state actors. Inside the perimeter, a new category of threat emerges from AI Agents and non-human users: autonomous processes that, if compromised, misconfigured, or manipulated through prompt injection, can traverse internal systems with no human in the loop. The lesson is clear: software built without security at its core is indefensible at AI speed.
The question every organisation must now ask is not whether their legacy systems are vulnerable. It is how quickly those vulnerabilities can be discovered and weaponised by an adversary with access to tools of equivalent capability — and Anthropic’s own estimate is that comparable capabilities will proliferate within six to eighteen months.
Zero Trust Architecture: The Framework Legacy Systems Were Never Built For
Zero Trust Architecture (ZTA) is not a product. It is a set of principles that fundamentally reframe how security works — shifting from perimeter defence to continuous verification of every user, device, application, and data flow, regardless of location. This approach, codified in NIST SP 800-207, has become the reference standard for modern cyber defence.
ZTA operates across seven pillars, each addressing a specific attack surface that legacy systems typically leave exposed:

1. User
Never trust a credential alone. Continuously verify the entity behind it.
Legacy systems often rely on static passwords and infrequent authentication. ZTA requires continuous, multi-factor, risk-based identity verification for every access request — human or machine. In the age of Mythos-class models, credential harvesting and identity spoofing are automated: static authentication is a solved problem for adversaries.
2. Devices
Every endpoint is a potential entry point. Device hygiene is not optional.
Unmanaged or unpatched devices — laptops, servers, IoT sensors, industrial controllers — are among the most exploited vectors. ZTA enforces device health checks before granting any access, and continuously monitors device posture throughout a session. Device hygiene — ensuring firmware is current, configurations are hardened, and anomalous behaviour is flagged — is the foundational control that prevents an AI-powered attacker from establishing a foothold.
3. Networks
Micro-segmentation is the difference between a breach and a catastrophe.
Legacy flat networks allow lateral movement once an attacker is inside. ZTA enforces micro-segmentation — isolating workloads, systems, and data flows so that a breach in one zone cannot propagate across the environment. When Mythos-class models can automate lateral movement and network mapping, the absence of segmentation is the absence of resilience.
4. Applications & Workloads
Access to an application is not access to everything.
Each application, API, and workload must enforce its own access controls. ZTA treats every application as if it were exposed to the public internet, applying least-privilege access and continuous authorisation at the application layer. DevSecOps practices — integrating security into the development pipeline rather than adding it at deployment — are essential to ensure that applications are resilient by design, not just by policy.
A concrete illustration: the Mistral AI supply chain attack (May 2026). The Mistral incident demonstrates precisely why « resilient by design » must extend beyond an organisation’s own code to encompass its entire dependency chain. On 11 May 2026, the threat actor group TeamPCP launched a coordinated supply chain attack — dubbed « Mini Shai-Hulud » — that compromised TanStack, a widely used open source JavaScript library. Because Mistral’s developer SDKs integrated TanStack, an automated worm propagated malicious versions of the Mistral AI packages to both npm and PyPI within hours, without any direct compromise of Mistral’s own infrastructure. The Python payload executed automatically on import under Linux, downloading and running a second-stage credential harvester from a remote IP address, targeting cloud keys, CI/CD tokens, and API credentials stored on developer machines.
What makes this case particularly instructive for ZTA practitioners is the attack vector: not a vulnerability in Mistral’s own code, but in its CI/CD pipeline’s trust model. TanStack had followed best practices — two-factor authentication on maintainer accounts, trusted-publisher binding instead of long-lived tokens, and signed provenance attestations on every release. The attackers bypassed all of these by chaining three GitHub Actions weaknesses in sequence: exploiting the « pull_request_target » trigger, poisoning the Actions cache, and extracting a short-lived OIDC token from memory at runtime to publish directly to npm through the legitimate release pipeline. No tokens were stolen. The pipeline itself was turned into the weapon. The attack ultimately compromised over 170 npm packages and 2 PyPI packages across TanStack, Mistral AI, UiPath, OpenSearch, and Guardrails AI — one of the largest coordinated registry poisoning events of 2026. In a detail directly relevant to AI governance: the commit author metadata was spoofed to impersonate the Anthropic Claude Code GitHub App, exploiting the trusted identity of an AI development tool to distribute malware through an automated pipeline.
The ZTA lessons are threefold. First, the Applications & Workloads pillar must explicitly cover the software supply chain: dependency integrity verification, SBOM (Software Bill of Materials) management, and install-time package scanning are as much a ZTA control as application-layer access policies. Second, the Visibility & Analytics pillar was vindicated — but externally: Mistral’s exposure window was closed within three hours largely because ecosystem-wide automated scanners (Aikido, Socket, Wiz) detected the anomaly, not internal monitoring. Organisations cannot rely on perimeter-only visibility when the attack surface is global package registries. Third, the incident confirms that CI/CD pipelines and their ambient credentials (OIDC tokens, GitHub Actions secrets, publish keys) are now primary attack targets that require the same Zero Trust treatment as production systems: least-privilege scoping, short-lived credentials, behavioural anomaly detection, and human-in-the-loop approval gates for publish actions to public registries.
Side Note — The Mini Shai-Hulud attack on Mistral AI: what happened in ten lines
1. On 11 May 2026, the threat actor group TeamPCP launched « Mini Shai-Hulud », a coordinated, worm-enabled supply chain attack targeting npm and PyPI package ecosystems simultaneously.
2. The entry point was TanStack (CVE-2026-45321, CVSS 9.6), one of the most widely used JavaScript libraries, with ~12 million weekly downloads of its React Router package alone.
3. The attackers chained three GitHub Actions weaknesses — pull_request_target trigger abuse, Actions cache poisoning, and runtime OIDC token extraction — to hijack TanStack’s legitimate CI/CD publish pipeline without stealing any credentials.
4. TanStack had deployed all recommended security controls (2FA, trusted publishers, signed attestations). The attack succeeded anyway by weaponising the pipeline itself — a « the perimeter did everything right » failure mode.
5. The worm propagated automatically to Mistral AI’s SDK packages on both npm and PyPI, as well as to UiPath, OpenSearch, Guardrails AI, and others — 170+ packages, 404 malicious versions in total.
6. The Mistral PyPI payload (mistralai v2.4.6) executed automatically on import under Linux, silently downloading and running a second-stage credential harvester from a remote IP, targeting cloud keys, API tokens, and CI/CD secrets on developer machines.
7. The commit author metadata was spoofed to impersonate the Anthropic Claude Code GitHub App, exploiting the trusted identity of an AI development tool to mask malicious activity inside an automated pipeline.
8. Mistral’s own infrastructure, hosted services, user data, and research environments were not compromised. The exposure window was approximately three hours before malicious packages were removed.
9. Detection came from external ecosystem-wide automated scanners (Aikido, Socket, Wiz), not from internal organisational monitoring — underlining the limits of perimeter-only visibility in a world of shared package registries.
10. TeamPCP subsequently open-sourced their attack tooling, commoditising the Mini Shai-Hulud capability. Supply chain worm attacks of this class are no longer nation-state-only events.
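The three GitHub Actions weaknesses listed above can be checked for before a release pipeline is ever abused. The following is an added example, not TanStack's or Mistral's own tooling: a lightweight text scan over workflow files that flags a pull_request_target workflow checking out the PR head, granting an OIDC publish token, or writing to the shared Actions cache. It works on raw text so it needs no YAML library; a production auditor would parse the YAML properly. The two workflows embedded in it are constructed samples.

```python
"""Heuristic audit of GitHub Actions workflow text for the CI/CD trust
weaknesses discussed above. Added example; regex-based on purpose so it
runs with the standard library only."""
import re

# Constructed sample: a workflow that runs untrusted PR code under
# pull_request_target and can mint an OIDC token in the same job.
RISKY_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: read
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps-${{ hashFiles('package-lock.json') }}
      - run: npm ci && npm test
"""

# Constructed sample: the same pipeline on the plain pull_request trigger,
# which runs fork PRs with a read-only token and no access to secrets.
SAFE_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

PRT_TRIGGER = re.compile(r"^\s*pull_request_target\s*:", re.MULTILINE)
PR_HEAD_REF = re.compile(
    r"ref\s*:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}")
ID_TOKEN_WRITE = re.compile(r"^\s*id-token\s*:\s*write", re.MULTILINE)
CACHE_ACTION = re.compile(r"uses\s*:\s*actions/cache@")


def audit_workflow(text: str) -> list:
    """Return the findings for one workflow file (empty list if clean)."""
    findings = []
    uses_prt = bool(PRT_TRIGGER.search(text))
    if uses_prt and PR_HEAD_REF.search(text):
        findings.append(
            "pull_request_target checks out the PR head: untrusted code runs "
            "with the base repository's secrets and token")
    if uses_prt and ID_TOKEN_WRITE.search(text):
        findings.append(
            "id-token: write granted to a pull_request_target workflow: an "
            "OIDC publish token is reachable from PR-triggered jobs")
    if uses_prt and CACHE_ACTION.search(text):
        findings.append(
            "actions/cache used in a pull_request_target workflow: entries "
            "written in the base-branch context are shared with release jobs")
    return findings


if __name__ == "__main__":
    for name, wf in (("risky", RISKY_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        print(name, audit_workflow(wf) or ["no findings"])
```

Run it against every file under .github/workflows/ as a pre-merge check; any finding on a workflow that can reach publish credentials is a pipeline-trust problem, whatever the maintainer account controls look like.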
5. Data
Data is the real target, and it faces a wider range of threats than ever before.
Data must be classified, encrypted, and governed regardless of where it lives — on-premises, in the cloud, or in transit. ZTA applies data-centric security policies that follow the data itself, not the network boundary around it. Frontier AI models introduce new data threats: training data extraction, model inversion attacks, and retrieval-augmented generation (RAG) poisoning can all compromise sensitive data without triggering conventional perimeter alerts. Data governance frameworks must be updated to account for these AI-specific attack vectors.
6. Visibility & Analytics
You cannot defend what you cannot see.
ZTA requires comprehensive logging and real-time analytics across all seven pillars. This is where AI becomes a defender’s greatest asset — correlating signals across millions of events to detect anomalies that no human team could identify at speed. The same AI-powered pattern recognition that makes Mythos a threat becomes the foundation of an AI-augmented Security Operations Centre (SOC).
7. Automation & Orchestration
Manual response is too slow for machine-speed attacks.
ZTA automates policy enforcement, threat response, and access decisions — reducing the window between detection and containment from hours to seconds. When the adversary is operating at AI speed, the defender must too.
AI-Driven Threats and ZTA: The New Intersection
The emergence of frontier models like Mythos does not merely accelerate existing threats — it introduces categories of risk that ZTA frameworks were not originally designed to address. Organisations must now reason about which ZTA pillars are most acutely stressed by AI-era threats, and how each must be augmented.
Which ZTA Pillars Are Most Stressed by Mythos-Class Models?
- Applications & Workloads: AI-powered exploit chaining targets application-layer flaws at scale. DevSecOps integration and continuous application scanning become critical.
- Networks: Automated lateral movement and network mapping make micro-segmentation the primary containment mechanism.
- Visibility & Analytics: The volume and sophistication of AI-generated attack signals overwhelm rule-based detection. AI-augmented analytics is no longer optional.
- User & Devices: Credential harvesting and device compromise are the entry points AI uses to establish persistence.
- Data: Mythos-class models introduce data as a direct attack surface, not merely a consequence of breach. Training data extraction, model inversion attacks, and RAG poisoning can exfiltrate or corrupt sensitive information without triggering perimeter alerts. Data-centric security policies and AI-aware governance frameworks become essential controls alongside encryption and classification.
The Non-Human User Problem: Governing AI Agents
One of the most consequential gaps in current ZTA implementations is the treatment of non-human users — AI Agents, automated pipelines, robotic process automation (RPA) bots, and API service accounts. These entities now constitute a significant and growing share of access requests in enterprise environments, yet most identity frameworks were designed for human credential management.
The risks are distinct and underappreciated:
- Prompt injection attacks: An adversary can manipulate an AI Agent’s behaviour by embedding malicious instructions in data the Agent processes, causing it to take actions its operators did not intend — including exfiltrating data, escalating privileges, or disabling monitoring.
- Scope creep: Agents granted broad permissions « for convenience » can be weaponised to traverse systems far beyond their intended function.
- Audit invisibility: Unlike human users, Agents often lack clear accountability trails, making post-incident forensics difficult.
- Deviation from expected behaviour: Without behavioural baselines and anomaly detection, an Agent’s compromise may go undetected for extended periods.
ZTA must evolve to address these realities. Controls include: assigning distinct machine identities to every Agent with least-privilege scoping; enforcing hard limits on Agent action scope at the orchestration layer; implementing behavioural baselining so deviations trigger immediate review; and requiring human-in-the-loop approval for high-impact Agent actions. NIST is actively developing guidance on agentic AI threat modelling, and organisations should track this work as it matures.
Extending ZTA for the AI Era: Governance and DevSecOps
Beyond the seven original pillars, AI-era threats require two additional governance dimensions to be embedded into ZTA practice:
DevSecOps Integration: Security can no longer be a downstream validation step. The speed at which Mythos-class models identify vulnerabilities means that code leaving a development pipeline with unresolved flaws is code that is already exposed. DevSecOps — integrating static analysis, dependency scanning, and adversarial testing into the CI/CD pipeline — is the only sustainable response to AI-speed vulnerability discovery.
AI Governance Layer: Organisations deploying AI Agents or AI-assisted security tools must establish a governance layer that defines permitted actions, maintains audit trails, sets human escalation thresholds, and enforces data handling constraints. This requires cross-functional policy involving legal, compliance, security, and operational leadership.
Migration Journey Must Be Managed
For organisations running legacy systems, the path to Zero Trust is a journey, not a binary transition. The goal is not to replace everything overnight. It is to progressively apply ZTA principles across each pillar, starting with the highest-risk surfaces. This approach is grounded in the NIST SP 1800-35 practice guide, which provides a tested implementation framework for Zero Trust architectures across diverse enterprise environments.
A pragmatic migration approach follows four stages:
- Assess — Map your current software estate. Identify end-of-life systems, unpatched vulnerabilities, and critical data flows. AI-assisted legacy audit tools, drawing on the same capability demonstrated by Mythos, can compress what was previously a months-long manual exercise into weeks. This is a national infrastructure opportunity as much as an organisational one.
- Prioritise — Not all systems carry equal risk. Focus first on systems that handle sensitive data, face the internet, or support critical operations. Legacy industrial control systems and financial infrastructure deserve immediate attention.
- Architect — Design your Zero Trust target state across all seven pillars. Every technology decision — from cloud migration to application modernisation — must be evaluated through a ZTA lens, incorporating the AI governance and DevSecOps dimensions described above.
- Migrate progressively — Modernise incrementally, applying ZTA controls to each system as it is updated or replaced. AI can generate, test, and validate rewrites of vulnerable legacy code, enabling a shift from reactive patching to proactive stack modernisation. Where replacement is not immediately possible, apply compensating controls: micro-segmentation, anomaly detection, and strict access restrictions to limit exposure.

The Dual Role of AI: Threat and Shield
What makes this moment genuinely different from previous cybersecurity inflection points is that AI is simultaneously the source of the threat and the most powerful tool available to defenders. This is the insight that the Mythos position paper characterises as the « offensive-defensive flip »: the same capability that finds vulnerabilities at scale can fix them at scale.
Claude Mythos found vulnerabilities that humans missed for decades. But the same capability, applied defensively, at scale, by organisations that invest in AI-powered security operations, can find and fix those vulnerabilities before adversaries exploit them. This is the premise of Anthropic’s Project Glasswing, which has committed significant resources to hardening critical software infrastructure.
Practically, this means:
- AI-assisted legacy audits can compress decades of accumulated technical debt into actionable remediation backlogs within weeks
- AI can generate, test, and validate rewrites of vulnerable legacy code, enabling a shift from reactive patching to proactive stack modernisation in banking, OT, and public administration
- AI-augmented Security Operations Centres can correlate signals at a scale no human team can match, detecting AI-generated attack patterns before they propagate
The organisations that will emerge from this era in a position of strength are not those that react to the next breach. They are those that build security into their architecture today, before the adversary’s equivalent of Mythos becomes widely available.
The window is narrow.
What TyrTeq Recommends
The emergence of AI-powered vulnerability discovery demands urgency and discipline in equal measure. Waiting for perfect conditions cedes irreversible ground.
At TyrTeq, we help organisations navigate exactly this challenge: assessing legacy exposure, designing Zero Trust architectures across all seven pillars, integrating AI governance and DevSecOps practices, and building migration roadmaps that are technically sound, operationally realistic, and aligned with regulatory requirements including the EU AI Act and NIS2.
Five immediate actions for any organisation:
- Conduct a ZTA readiness assessment across all seven pillars — with explicit attention to AI Agent governance and non-human user controls. Understand your current posture before the next model is released.
- Prioritise critical and end-of-life systems for immediate compensating controls — micro-segmentation, anomaly detection, and access restriction — even before full modernisation is possible.
- Treat Data as your most valuable asset — apply data-centric security policies, updated to address AI-specific threats including RAG poisoning and training data extraction, regardless of where your modernisation journey stands.
- Integrate DevSecOps into your development pipeline now — AI-speed vulnerability discovery means that code released without adversarial testing is already compromised.
- Establish an AI governance framework for non-human users and AI Agents. Drawing on NIST’s February 2026 concept paper on Software and AI Agent Identity and Authorization, this means addressing five concrete governance dimensions: (i) Identification — assign distinct, verifiable machine identities to every Agent using standards such as SPIFFE/SPIRE or OAuth 2.0 client credentials; (ii) Authentication and key lifecycle — define how Agent credentials are issued, rotated, and revoked, particularly for short-lived or task-scoped Agents; (iii) Authorisation and least privilege — use fine-grained, policy-based access control (such as NGAC or OAuth scopes) to constrain what each Agent can access; (iv) Delegation and human binding — establish clear « on behalf of » delegation chains so that Agent actions remain traceable to the human or organisational authority that initiated them; (v) Audit and non-repudiation — ensure that every Agent action is logged in a tamper-proof and verifiable manner. Prompt injection prevention — both direct and indirect — should be treated as a first-class control at each of these layers, not an afterthought.
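The five governance dimensions above can be made concrete in a few dozen lines. The following is an added example, not TyrTeq's or NIST's code: a policy decision point that denies an Agent's expired credential or out-of-scope action, records every decision with its "on behalf of" delegation, and keeps the trail in a hash-chained, HMAC-protected log so later edits are detectable. The SPIFFE-style identifier, the scopes, the person named as delegator and the log key are all constructed stand-ins for a real SPIFFE/SPIRE identity and a KMS-held key.

```python
"""Governance controls for a non-human Agent: identity, credential lifetime,
least-privilege scopes, delegation binding and a tamper-evident audit log.
Added example with constructed identifiers and a demo HMAC key."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

LOG_KEY = b"constructed-demo-key"   # in practice held in an HSM/KMS, not code


@dataclass
class AgentIdentity:
    """(i) distinct machine identity; (ii) short-lived, task-scoped credential."""
    spiffe_id: str                 # constructed, e.g. spiffe://example.org/agent/x
    scopes: frozenset              # (iii) the only actions this Agent may take
    on_behalf_of: str              # (iv) human or org authority that delegated
    expires_at: float              # epoch seconds; issuance/rotation sets this


@dataclass
class AuditLog:
    """(v) append-only log: each record commits to the previous record's MAC."""
    records: list = field(default_factory=list)

    def append(self, entry: dict) -> None:
        prev = self.records[-1]["mac"] if self.records else "0" * 64
        body = json.dumps({**entry, "prev": prev}, sort_keys=True)
        mac = hmac.new(LOG_KEY, body.encode(), hashlib.sha256).hexdigest()
        self.records.append({**entry, "prev": prev, "mac": mac})

    def verify(self) -> bool:
        """True only if every record is unmodified and the chain is unbroken."""
        prev = "0" * 64
        for rec in self.records:
            body = json.dumps({k: v for k, v in rec.items() if k != "mac"},
                              sort_keys=True)
            expected = hmac.new(LOG_KEY, body.encode(), hashlib.sha256).hexdigest()
            if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], expected):
                return False
            prev = rec["mac"]
        return True


def authorise(agent: AgentIdentity, action: str, log: AuditLog, now=None) -> bool:
    """Policy decision point: deny expired credentials and out-of-scope actions;
    every decision, allowed or not, is logged with its delegation chain."""
    now = time.time() if now is None else now
    if now >= agent.expires_at:
        decision, reason = "deny", "credential expired"
    elif action not in agent.scopes:
        decision, reason = "deny", "action outside granted scope"
    else:
        decision, reason = "allow", "in scope"
    log.append({"agent": agent.spiffe_id, "on_behalf_of": agent.on_behalf_of,
                "action": action, "decision": decision, "reason": reason,
                "ts": now})
    return decision == "allow"


def demo() -> dict:
    """Constructed scenario: one in-scope call, one scope-creep attempt,
    one call after expiry, then an attempt to rewrite the audit trail."""
    log = AuditLog()
    bot = AgentIdentity("spiffe://example.org/agent/ticket-bot",
                        frozenset({"tickets:read", "tickets:comment"}),
                        "alice@example.org", expires_at=1000.0)
    allowed = [authorise(bot, "tickets:comment", log, now=500.0),
               authorise(bot, "users:export", log, now=600.0),
               authorise(bot, "tickets:read", log, now=1500.0)]
    intact = log.verify()
    log.records[1]["decision"] = "allow"      # simulate tampering with the trail
    return {"allowed": allowed, "intact": intact, "tamper_detected": not log.verify()}


if __name__ == "__main__":
    print(demo())
```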
« Zero Trust is not a destination. It is the only sustainable posture in an era where the speed of discovery has permanently outpaced the speed of patching — and where both the attacker and the defender may now be AI. »
To discuss your organisation’s readiness, contact us at info@tyrteq.com
Annex 1 — Mythos Combined Capabilities
Autonomous vulnerability discovery, exploit reasoning, attack-path chaining, and large-scale automated scanning
These four capabilities operate as a unified system rather than separate tools.
Autonomous vulnerability discovery
This is the ability to analyse source code, binaries, or running systems and identify security flaws without being told where to look. Before AI, this required a human researcher to form hypotheses, write test cases, and interpret results — a slow, expertise-intensive process. Mythos approaches this the way a senior security researcher would, but without fatigue, without prior knowledge of the specific codebase, and at a speed that compresses weeks of work into hours. It can read a programme it has never seen, reason about what the code is supposed to do, identify where the actual behaviour diverges from safe assumptions, and flag that gap as a potential vulnerability. The 27-year-old OpenBSD flaw and the 16-year-old FFmpeg bug discovered during Mythos testing are the clearest evidence of this: not new classes of vulnerability, but old ones that had survived precisely because human reviewers never had enough time or attention to reach them.
Exploit reasoning
Finding a vulnerability tells you that a weakness exists. Exploit reasoning means working out how that weakness can actually be weaponised — what input, what sequence of operations, what timing, would cause the system to behave in a way the attacker controls. This is significantly harder than discovery, and historically it separated curious researchers from capable attackers. Mythos can traverse this gap: given a vulnerability, it can reason about exploitability, construct a proof-of-concept, and assess the likely impact. The fact that engineers with no formal security training were able to generate working exploits from a plain-language prompt is the practical demonstration of this capability being democratised.
Attack-path chaining
This is perhaps the most consequential of the four for enterprise security. Individual vulnerabilities are often not catastrophic in isolation — a flaw in one component may only give an attacker a foothold, not full access. Chaining is the ability to connect multiple smaller weaknesses into a single end-to-end attack: use vulnerability A to gain initial access, B to escalate privileges, C to move laterally to a more sensitive system, D to exfiltrate data. Human penetration testers do this, but it requires deep knowledge of the target environment, creativity, and significant time. Mythos can reason across a system’s architecture, identify how individual flaws interact, and construct multi-step attack paths that no single vulnerability assessment would reveal. This is why micro-segmentation under ZTA becomes so critical in response: if you can limit lateral movement between zones, you interrupt the chain even when individual links exist.
Large-scale automated scanning
This is the force multiplier that makes the other three dangerous at a societal level. Each of the capabilities above could, in principle, be applied manually by a skilled team — slowly, expensively, to one target at a time. Automated scanning means running all three simultaneously across thousands of systems, codebases, or package versions in parallel. The reported compression of one year of human pentesting into three weeks is the quantitative expression of this. The implication for defenders is stark: the window between a vulnerability existing and an adversary knowing about it — and being able to exploit it — has collapsed. Patch governance frameworks, CVE triage processes, and incident response procedures that were designed around human-speed discovery are structurally mismatched to a world where scanning is automated at this scale.
The step-change is not any one of these four individually. It is that they are now integrated: a single model can discover, reason about exploitation, chain into a broader attack path, and do so across an entire target landscape without human intervention at each stage. That is qualitatively different from the previous state of the art.