TL;DR: Claude Mythos Preview uncovered thousands of unpatched vulnerabilities across every major operating system and browser. Learn why identity infrastructure is the target of the coming exploitation wave and what you must do now to get ahead of it.

On April 7, 2026, Anthropic announced a model it has deliberately chosen not to release. Claude Mythos Preview, available only to Project Glasswing partners including Microsoft, Google, Apple, Amazon, and JPMorgan Chase, has, in internal testing, found thousands of high-severity vulnerabilities across every major operating system and web browser.

One of them had been hiding in OpenBSD for 27 years. Another, a remote code execution flaw in FreeBSD’s NFS implementation (CVE-2026-4747), gives an unauthenticated attacker root on any exposed host. Mozilla has already patched 271 Firefox vulnerabilities that Claude Mythos surfaced.

Yet according to Anthropic, 99% of what Claude Mythos Preview has found remains unpatched in the wild. That’s why the tech industry is now working a single sentence into every briefing, and the warning is dire:

The window between vulnerability discovery and exploitation has collapsed from months to minutes.

That sentence is aimed primarily at software vendors who will write the code and ship the fixes. But it lands hardest on the people responsible for what happens after an exploit works. Because when a machine-speed discovery engine like Claude Mythos meets the existing criminal infrastructure for weaponization and delivery, most organizations won’t lose at the perimeter but at the identity layer.

Identity is the blast radius of AI-discovered zero-day exploits

No matter which CVE an attacker rides in on, the monetization path ends in the same place: Active Directory (AD), Entra ID, service accounts, privileged tokens, and Tier 0 assets. Your endpoints are the entry point, but identity security is the objective.

The numbers make the case, and even these frightening statistics predate Claude Mythos Preview:

  • 600 million identity attacks per day
  • A 2.75x year-over-year increase in ransomware attacks
  • 60% of breaches tracing back to unpatched endpoints
  • $730,000 per hour in AD downtime costs

And soon, attackers with Claude Mythos-class discovery tools will exploit those endpoint vulnerabilities and identity planes at scale. Once the disruptions to business operations, authentication, and recovery are factored in, the AD downtime costs alone will be catastrophic.

Here’s the sequence that’ll play out repeatedly over the next twelve months:

  • A Claude Mythos-discovered zero-day lands in a public patch
  • A fraction of your environment gets updated in the first 72 hours
  • Attackers reverse-engineer the patch and weaponize it within days
  • They stay to harvest credentials, find a path to a domain controller or a privileged Entra ID role, and from there, they have the whole forest

That’s the flood plain. Here’s how to fortify your identity security infrastructure before the water rises.  

Your checklist for identity security readiness

Your identity security program was built for a slower pre-Claude Mythos world. Here are six actions you need to take now.

1. Treat identity posture as a live signal.

Quarterly audits give attackers 90-day windows. Known misconfigurations in AD and Entra ID, stale GPOs, over-privileged service accounts, weak Kerberos encryption, and risky conditional access gaps become exploit paths. In a post-Claude Mythos environment, continuous posture assessment at the identity control plane must run at the same cadence as endpoint vulnerability scanning.

2. Inventory your identity end-of-life.

Every environment carries identity debt. That debt will fuel attacks as AI-discovered zero-day exploits enter active circulation. That’s why you must clean up:

  • Unsupported domain controllers
  • Forest functional levels that never got raised
  • Trusts to domains no one remembers
  • Hybrid sync configurations set up during an old migration
  • Dormant privileged accounts

Catalog your environment with the same rigor you apply to device end-of-life. If you can’t patch it, plan to retire it.
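One way to turn items 1 and 2 into a repeatable check is to run an offline pass over an LDAP export of account attributes, flagging dormant privileged accounts and service accounts limited to legacy Kerberos encryption. This is an added example, not code from the post or from any product; the account records, the 90-day threshold and the finding names are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # AD timestamp epoch
DES, RC4, AES = 0x3, 0x4, 0x18      # msDS-SupportedEncryptionTypes bit groups
UAC_DISABLED = 0x2                  # userAccountControl ACCOUNTDISABLE bit
DORMANT_AFTER = timedelta(days=90)  # assumption: mirrors the quarterly window

def to_filetime(dt):  # datetime -> 100 ns ticks since 1601 (builds sample data)
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def from_filetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def assess(acct, now):  # posture findings for one exported account record
    if acct.get("userAccountControl", 0) & UAC_DISABLED:
        return []                                 # disabled: cannot authenticate
    findings = []
    privileged = acct.get("adminCount") == 1      # is or was in a protected group
    last = acct.get("lastLogonTimestamp", 0)      # 0 or missing: never logged on
    if privileged and (last == 0 or now - from_filetime(last) > DORMANT_AFTER):
        findings.append("dormant-privileged")
    if acct.get("servicePrincipalName"):          # service tickets are issued for it
        etypes = acct.get("msDS-SupportedEncryptionTypes") or 0
        if etypes == 0:
            findings.append("spn-etypes-unset")   # KDC defaults apply: review
        elif etypes & (DES | RC4) and not etypes & AES:
            findings.append("spn-legacy-crypto-only")
        if privileged:
            findings.append("privileged-spn")     # over-privileged service account
    return findings

# Constructed sample export, not real data.
NOW = datetime(2026, 4, 20, tzinfo=timezone.utc)
SAMPLE = [
    {"sAMAccountName": "svc-backup", "adminCount": 1, "userAccountControl": 0x200,
     "servicePrincipalName": ["backup/bk01"], "msDS-SupportedEncryptionTypes": 0x4,
     "lastLogonTimestamp": to_filetime(datetime(2025, 9, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "adm-jdoe", "adminCount": 1, "userAccountControl": 0x200,
     "lastLogonTimestamp": to_filetime(datetime(2026, 4, 15, tzinfo=timezone.utc))},
    {"sAMAccountName": "svc-web", "userAccountControl": 0x200,
     "servicePrincipalName": ["HTTP/web01"], "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "adm-old", "adminCount": 1, "userAccountControl": 0x202},
    {"sAMAccountName": "svc-legacy", "userAccountControl": 0x200,
     "servicePrincipalName": ["MSSQLSvc/db01:1433"]},
]

def report(accounts=SAMPLE, now=NOW):  # name -> findings, clean accounts omitted
    found = {a["sAMAccountName"]: assess(a, now) for a in accounts}
    return {name: f for name, f in found.items() if f}
```

Because lastLogonTimestamp replicates with a lag of up to about 14 days, a dormancy threshold shorter than that is unreliable.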

3. Assume AD outages. Plan for forest-level recovery.

The default failure mode for a serious 2026 breach is an AD or Entra ID outage, and “restore from backup” is not recovery. Most backup platforms reintroduce the malicious changes that caused the incident.

Attack-tested identity recovery in a Claude Mythos threat landscape requires:

  • Object-level restore
  • Malware-free forest rebuilds
  • Tested RPO and RTO

Organizations that run this regularly see up to 90% faster recovery. With AD downtime costing $730K an hour and AI-discovered zero-day exploits accelerating attack timelines, you can’t afford to discover vulnerabilities during an actual incident.

4. Protect Tier 0 actively, not passively.

Detection-only ITDR simply tells you an attack is happening. It does nothing to stop it.

Active identity threat detection and response at the control plane must be able to:

  • Freeze changes to Tier 0 objects during a live incident
  • Block unauthorized privilege escalation in flight
  • Disrupt persistence and lateral movement before it’s too late

Organizations running this kind of proactive containment have a 44% improvement in identity MTTR. Containment is the new detection, and it’s non-negotiable in a Claude Mythos security environment.

5. Move admin paths to phishing-resistant authentication.

If Claude Mythos-class tools make exploits cheap, the remaining moat is authentication that can’t be relayed, phished, or replayed. Hardware-backed, phishing-resistant MFA and passkeys for privileged work aren’t a 2027 roadmap item anymore. They’re the control that keeps a clicked link from becoming a domain compromise.

6. Assume someone will click.

Workforce vigilance matters, but plan as if your best phishing training still leaves a gap. ITDR must catch what comes after the click, including Kerberoasting, DCSync, token theft, suspicious privilege grants, and unusual cross-tenant activity, and it must do it at machine speed. Your identity defenses can’t depend on users being perfect, given the increased risk you’ll face over the next twelve months.
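Two of the post-click behaviors named above, Kerberoasting and DCSync, leave recognizable traces in the domain controller Security log. The sketch below is an added example, not code from the post or from any product. It assumes Kerberos service ticket auditing (event 4769) and Directory Service Access auditing (event 4662) are enabled, and the event records, account names, thresholds and rule names are constructed for illustration.

```python
from collections import defaultdict

REPL_GUIDS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
)
KNOWN_REPLICATORS = {"DC01$", "DC02$"}  # assumption: DC machine accounts
RC4_HMAC = "0x17"    # TicketEncryptionType value for RC4 in event 4769
SPN_THRESHOLD = 3    # assumption: distinct services per requester
WINDOW_SECONDS = 60  # assumption: sliding window for the count

def detect(events):  # returns (rule, account, ts) alerts in time order
    alerts, alerted = [], set()
    rc4_requests = defaultdict(list)             # requester -> [(ts, service)]
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] == 4769 and e["TicketEncryptionType"].lower() == RC4_HMAC:
            user, svc = e["TargetUserName"], e["ServiceName"]
            if svc.endswith("$") or svc.lower() == "krbtgt":
                continue                         # machine and TGT services: routine
            rc4_requests[user].append((e["ts"], svc))
            recent = {s for t, s in rc4_requests[user]
                      if e["ts"] - t <= WINDOW_SECONDS}
            if len(recent) >= SPN_THRESHOLD and user not in alerted:
                alerted.add(user)                # one alert per requester
                alerts.append(("kerberoasting-suspected", user, e["ts"]))
        elif e["id"] == 4662:
            props = e["Properties"].lower()
            foreign = e["SubjectUserName"] not in KNOWN_REPLICATORS
            if foreign and any(g in props for g in REPL_GUIDS):
                alerts.append(("dcsync-suspected", e["SubjectUserName"], e["ts"]))
    return alerts

def tgs(ts, user, svc, etype):       # constructed, simplified 4769 record
    return {"id": 4769, "ts": ts, "TargetUserName": user,
            "ServiceName": svc, "TicketEncryptionType": etype}

def dsaccess(ts, subject, guid):     # constructed, simplified 4662 record
    return {"id": 4662, "ts": ts, "SubjectUserName": subject,
            "Properties": "{%s}" % guid}

SAMPLE = [                           # constructed events, ts in seconds
    tgs(50, "asmith@CORP.EXAMPLE", "svc-web", "0x12"),    # AES ticket: ignored
    tgs(100, "jdoe@CORP.EXAMPLE", "svc-sql", "0x17"),
    tgs(105, "jdoe@CORP.EXAMPLE", "svc-web", "0x17"),
    tgs(110, "jdoe@CORP.EXAMPLE", "svc-backup", "0x17"),  # third service in 60 s
    tgs(120, "jdoe@CORP.EXAMPLE", "WS042$", "0x17"),      # machine service: ignored
    dsaccess(200, "DC02$", REPL_GUIDS[1]),                # DC-to-DC replication
    dsaccess(210, "svc-backup", REPL_GUIDS[1]),           # non-DC replication request
]
```

In hybrid environments, the directory synchronization account may legitimately hold replication rights and belongs in the allowlist, with its logon source monitored separately.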

Detection-only ITDR won’t survive Claude Mythos-speed attacks

ITDR that stops at detection was designed for a human-speed threat landscape. The old alert-triage-investigate-respond loop assumes defenders have time. Those days are over. We’re now in a world where Mythos – and whatever comes next – can surface and accelerate exploitation of thousands of vulnerabilities simultaneously.

Adversaries with Claude Mythos-class capabilities can attack your infrastructure with unprecedented speed and sophistication. Attackers can chain discoveries, compound exploits, and operate faster than ever. That’s why the NIST Cybersecurity Framework 2.0 expanded to six functions, adding Govern alongside Identify, Protect, Detect, Respond, and Recover.

Identity security in the Mythos era must now encompass:

  • Prevention
  • Containment
  • Attack-tested recovery

These capabilities can no longer live in different tools. They must operate as a unified identity security posture across everyday operations and high-risk change windows.

The timing problem: modernization collides with the Claude Mythos threat

This AI-discovered zero-day exploitation surge is arriving at the worst possible moment, as most enterprises are in the middle of modernization initiatives.

Complications are likely to arise as teams try to complete patching amid:

  • Hybrid AD-to-Entra ID projects
  • Zero Trust rollouts
  • M&A-driven identity consolidations
  • Cloud migration finish-line sprints

Each of these creates the conditions Claude Mythos-era attackers will exploit: change windows that relax controls, temporary admin rights that linger, service accounts that spawn faster than they can be governed, and Tier 0 boundaries that blur.

The answer is not to pause modernization but to apply the same identity security controls during change events that you use in steady state. Auditing, Tier 0 enforcement, recovery readiness, and containment should be elevated during migrations, not suspended.

Closing this security gap in a post-Claude Mythos world requires a unified approach to AD and Entra ID that includes:

  • Identity defense
  • Attack-tested recovery
  • Security-first modernization

It should all operate from a single platform rather than a disjointed strategy. This ensures controls travel with the workload instead of getting left behind during transitions.

Your 90-day identity readiness checklist

If one thing survives this post and ends up on a whiteboard, it should be this checklist.

Here are the steps I implore you to take as soon as possible to protect your organization:

  1. Run a fresh AD and Entra ID identity security posture assessment.
  2. Inventory identity end-of-life: unsupported DCs, stale privileged accounts, legacy sync paths, and forgotten trusts.
  3. Time a real AD recovery test. Not a backup test. A recovery. Rehearse a forest rebuild.
  4. Define and operationalize your Tier 0 containment policy, including what freezes, when, and who authorizes it.
  5. Move every privileged authentication path to phishing-resistant MFA or passkeys where supported.
  6. Audit every in-flight migration and M&A workstream for relaxed identity controls and tighten them.
  7. Align your ITDR program with all six NIST CSF 2.0 functions: Govern, Identify, Protect, Detect, Respond, and Recover.

The floodgates are about to open

The Mythos announcement isn’t a distant warning. The tide is already rising. Those who survive the coming wave of AI-discovered zero-day exploits won’t be the ones with the fastest patch cycles. They’ll be the ones whose identity security infrastructure was built to prevent, contain, and recover at AI speed. Your window is already narrowing. Now is the time to act.


Bastiaan Verdonk has over 30 years' experience in the IT industry, with a special focus on Identity Threat Detection and Response, Active Directory, and the evolving state of cyber security. During his 20 years at Quest Software, he has supported various customers around the globe in implementing Quest products in a wide variety of environments and dealing with several challenges. Most recently, Bastiaan became a trusted subject matter expert on cyber security and resilience, sharing his experiences and knowledge with many audiences at speaking engagements. He has spoken at the Gartner IAM conference in 2025 and is part of the Technical Expert Conference, which is hosted by Quest both in the US and in EMEA.
