The Treatment Was Successful. Unfortunately the Patient Died
For the last few weeks, the cybersecurity world has been arguing about what Anthropic’s Mythos and projects like Glasswing actually mean. Some people hear the alarms and think we are watching the beginning of the end. Others think we are finally seeing the breakthrough the industry has been chasing for decades.
They may both be right.
The optimistic camp includes people I respect. In a recent piece, former CISA Director Jen Easterly argues that AI could mark the beginning of the end of cybersecurity as we know it, not because threats disappear but because software finally becomes secure by design.
Her argument is simple and hard to refute. Cybersecurity exists largely because we keep shipping insecure software. If AI systems can systematically discover and fix vulnerabilities, developers will eventually respond by writing better code in the first place. The endless cycle of scan, detect, patch and repeat could finally give way to resilient software.
In other words, cyber nirvana.
But there is another perspective worth listening to. Security analyst Rich Mogull describes the coming AI shockwave as a kind of stellar physics event, a “core collapse” where the current model of cybersecurity compresses into something denser and stronger.
Stars do not quietly become neutron stars.
They explode first.
And that supernova phase is what worries me.
The Cloud Security Alliance recently warned about what it calls the “Vulnpocalypse,” a moment when AI systems like Mythos can systematically discover vulnerabilities across the entire software ecosystem.
Think about that for a second.
For decades, the cybersecurity industry has been constrained by human limits. Even the best vulnerability researchers could only examine so much code. Exploit development required time, skill and patience. Discovery was the bottleneck.
AI just removed that bottleneck.
Tools like Mythos change the equation. Instead of a handful of elite researchers looking for weaknesses, imagine thousands of AI agents examining software continuously. They can analyze entire codebases, identify flaws and even generate exploit paths.
The industry likes to frame this as a defensive breakthrough. And maybe it is. If defenders deploy these tools first, they might uncover vulnerabilities before attackers do.
But defenders still face the same problem they always have.
Finding bugs is the easy part.
Fixing them is the hard part.
Every vulnerability still has to be triaged, prioritized, patched, tested and deployed. That process takes time and coordination. In large organizations it can take weeks or months.
Attackers do not have that problem.
They only need to find one weakness and move.
That asymmetry has always existed. What AI does is amplify it.
Imagine AI systems discovering vulnerabilities across enterprise software, open source dependencies, embedded systems and infrastructure platforms at machine speed. Now imagine attackers using similar tools to turn those discoveries into automated exploits.
That is not a hypothetical scenario. It is the logical next step.
This is why Mogull’s supernova analogy resonates. In astrophysics, a star collapses when the forces that hold it together can no longer support the mass inside it. The core compresses in an instant and the outer layers explode outward.
Cybersecurity may be approaching a similar moment.
For years, the industry has built an enormous ecosystem around vulnerability discovery, patching and mitigation. Vendors sell scanners. Consultants sell testing. Enterprises build entire programs around managing flaws in software.
Now imagine AI discovering vulnerabilities faster than organizations can remediate them.
The entire system begins to wobble.
This is not just about enterprise risk. It is also about the cybersecurity industry itself. If software eventually becomes secure by design, a lot of today’s security tooling becomes less relevant. Whole categories of vendors exist because code is insecure.
If that changes, the market changes with it.
It would not be shocking to see the number of cybersecurity companies shrink dramatically over the next decade. Maybe by half. Maybe more.
But the real danger is not the long-term equilibrium. The real danger is the transition period.
Between today’s vulnerable software ecosystem and tomorrow’s secure code lies the Vulnpocalypse.
That period could look less like cyber nirvana and more like a Trail of Tears for parts of the industry. Enterprises scrambling to fix decades of accumulated vulnerabilities. Security teams drowning in findings. Attackers racing to exploit weaknesses before patches arrive.
In that environment, resilience becomes the only strategy that matters. Assume your code has flaws. Assume your infrastructure will be tested. Assume attackers have access to the same AI tools defenders do.
Because they will.
To be clear, I actually believe Easterly may be right about the destination. AI could eventually force the software industry to build systems that are fundamentally more secure. If vulnerability discovery becomes cheap and automatic, insecure coding practices will become unsustainable.
Developers will adapt. Software will improve. The ecosystem will stabilize.
But Mogull may also be right about the process that gets us there.
Stars do not quietly collapse into neutron stars.
They explode first.
And when that supernova hits the cybersecurity universe, we may discover something uncomfortable.
The treatment was successful.
Unfortunately, the patient died.
