Thales | Security for What Matters Most
More About This Author >
Thales | Security for What Matters Most
More About This Author >
Drawing on conversations with customers around the world, six Thales cybersecurity leaders share their perspectives on what Mythos means, how it is reshaping the threat landscape, and the actions organizations should take now. Across these discussions, Thales leaders agree that organizations should respond with measured adaptation, not fear-driven decision-making.
Todd Moore, VP of Encryption
Damien Bullot, VP of Software Monetization
Tim Chang, VP of Application Security
Jay Thurston, Field CISO at Thales
David Holmes, CTO of Application Security
Jordi Clement, CTO of Identity and Access Management
Anthropic’s Mythos, its most advanced frontier AI model with breakthrough cybersecurity capabilities, marks a turning point by demonstrating how AI can identify and reason about complex software vulnerabilities at unprecedented speed and scale. As a result, Mythos is one of the most common topics Thales executives are discussing now with customers who are asking what this new generation of AI means for their organizations, how it changes their risk landscape, and what they should do now.
Conversations we’re having with security leaders at top organizations worldwide make it clear there’s understanding that Mythos is more than another AI announcement. It represents a fundamental shift in how organizations must think about software risk, vulnerability management, and cyber resilience.
As AI transforms both the threat landscape and the tools available to defenders, CISOs need practical guidance, not speculation. This blog brings together the insights and recommendations Thales leaders are sharing with customers every day, providing a practical framework for understanding what Mythos means and how organizations should prepare for what comes next.
Mythos has not created a new category of cyber risk. Software vulnerabilities have always existed, and attackers have always sought to discover and exploit them. What has changed is the speed, scale, and sophistication with which AI can perform those tasks, compressing timelines and forcing defenders to respond faster than ever before.
This acceleration is the most consequential shift. Vulnerability discovery that once required weeks or months of manual research can now happen in minutes. Attack chains that previously demanded deep technical expertise can increasingly be assembled with minimal human effort. For defenders, this means the time available to identify, prioritize, and remediate risk is rapidly shrinking, making automation, visibility, and operational readiness critical.
David Holmes, CTO of Application Security at Thales, believes organizations should first determine whether systems like Mythos represent a genuine step-change in scalable vulnerability discovery or an evolution of capabilities security teams have been building toward for years. Regardless of where that line is drawn, he believes the defining challenge of the Mythos era is ensuring security programs can operate at the speed and scale of AI systems rather than relying on defenses built for yesterday's threats.
In Holmes’ view, security operations have relied for decades on human expertise to identify vulnerabilities, investigate threats, prioritize risk, and coordinate remediation. That operating model was built around the pace of human decision-making, a constraint AI is rapidly eliminating. As machine-speed attacks become a reality, Holmes emphasizes that organizations must determine where automation can safely accelerate security outcomes, where human judgment remains indispensable, and how to govern the interaction between the two.
Mythos represents more than a technological advance. It signals a fundamental shift in the economics of cybersecurity.
Todd Moore, VP of Encryption Products at Thales, believes organizations must recognize that advanced AI introduces new operational and financial realities. Running frontier AI models demands significant compute capacity, infrastructure, and token consumption, requiring organizations to make deliberate decisions about where AI delivers the greatest value and where human expertise remains essential. Those same economic forces apply to attackers.
Damien Bullot, VP of Software Monetization at Thales, believes that AI has made time an increasingly valuable commodity. Every additional minute an attacker spends probing, adapting, or overcoming defenses consumes compute resources and drives up operational costs. In an AI-driven environment, slowing an attack is an economic strategy, not just a defensive tactic.
This shift in attacker economics changes how organizations should think about cybersecurity. Success is still measured by preventing attacks, however, it is also about increasing operational friction, raising the cost of compromise, and making your organization a less attractive target than the next one. As Bullot puts it, "I don't need to outrun the bear. I just need to outrun you."
While Mythos is best known for accelerating vulnerability discovery, Jordi Clement, CTO of IAM at Thales, believes its broader significance lies elsewhere. To him, Mythos signals the rapid emergence of autonomous AI systems and non-human actors that will increasingly operate across enterprise environments on behalf of people.
For decades, identity and access management centered on authenticating human users. But today, that assumption is no longer sufficient. As organizations deploy AI agents with delegated authority, machine identities, and autonomous decision-making capabilities, identity must evolve from authenticating people to governing every entity that can access data, make decisions, or take action.
In Clement's view, identity management must continuously establish trust, validate intent, enforce policy, and maintain accountability for every actor within an organization's digital ecosystem, whether human or machine. In other words, identity is no longer simply about verifying a login.
Customer conversations reinforce this challenge. Organizations are moving quickly to deploy AI capabilities, yet many acknowledge that the governance, policy, and accountability frameworks needed to secure them are still catching up. Clement believes the industry is repeating the cloud and SaaS adoption cycle, only this time, the gap between innovation and governance is widening much faster.
Despite the headlines, attackers do not have a monopoly on advanced AI. Organizations can use the same technologies to identify vulnerabilities, strengthen defenses, and improve security operations before attackers have an opportunity to exploit them.
In conversations with customers, Tim Chang, VP of Application Security at Thales, consistently hears organizations grappling with the reality that attackers are moving from human speed to machine speed. At the same time, he sees customers increasingly using frontier AI models to test software, accelerate vulnerability discovery, and strengthen defensive operations.
Moore also points out that mature software organizations should be routinely evaluating their code with advanced models, including Mythos and other leading AI systems, to identify and remediate weaknesses before they reach production.
For Jay Thurston, Field CISO at Thales, customer conversations reveal a great concern that too many organizations still view AI risk as a future problem. In reality, AI-powered reconnaissance, automated vulnerability discovery, increasingly sophisticated phishing campaigns, and expanding machine identities are already reshaping today's threat landscape. Traditional security controls remain essential, Thurston notes, but they were designed for a world where attacks unfolded at human speed.
Ultimately, AI-driven cybersecurity is becoming a contest between increasingly automated attackers and increasingly automated defenders. As Thurston sees it, cybersecurity can no longer scale through human effort alone. The organizations that keep pace will be those that use AI to strengthen their own security operations while maintaining the governance, accountability, and human oversight needed to use it responsibly.
The conversations around Mythos and advanced AI can feel overwhelming, but our work with customers reveals that the fundamentals of risk management still apply. AI changes the speed and economics of cybersecurity, not the need for disciplined security operations. Across industries, Thales is helping organizations navigate this transition, and four priorities consistently emerge.
First, demand evidence, not promises. Ask software and technology vendors how they are using AI to improve security testing and vulnerability management and expect proof, not marketing claims. Organizations should understand which AI models are being used, how findings are validated, and how quickly vulnerabilities are remediated.
Next, expand visibility. Security teams need visibility across applications, APIs, identities, and the growing population of non-human actors operating inside enterprise environments. You can't defend against vulnerabilities you can't see.
It’s critical to close the governance gap. AI agents, machine identities, and autonomous systems require the same governance, accountability, and policy enforcement as human users. Governance should evolve as quickly as AI adoption, not years later.
Lastly, fight AI with AI. The most effective response to AI-powered attacks is AI-powered defense. This means using automation where it delivers speed and scale while ensuring human judgment remains responsible for the decisions that matter most.
Cybersecurity has entered a new operational era in which automation, machine-speed interactions, and AI-driven systems are reshaping the pace, economics, and governance of cyber defense. Mythos did not create this transformation, but it made it impossible to ignore.
The fundamentals of security remain unchanged. Organizations still need visibility, governance, resilience, and disciplined risk management. What has changed is the speed at which those fundamentals must be applied and the growing number of human and non-human actors they must encompass.
Through our work with customers, Thales is seeing these challenges emerge across industries while helping organizations navigate them in real time. Those conversations continue to sharpen our own understanding, reinforcing a shared goal of applying AI responsibly to strengthen cyber resilience, raise the cost of attack, and make the digital ecosystem more secure for everyone.