김형운

Mythos and the Defender Time That Vanished

On April 7, 2026, Anthropic released Claude Mythos Preview into Project Glasswing, a limited-access program. Twelve launch partners — AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and Anthropic — got first access, with 40+ additional organizations behind them. No Korean firm appears on the list.

In Anthropic's own evaluations, Mythos autonomously found thousands of zero-day vulnerabilities across every major operating system and web browser, including a 27-year-old integer overflow in OpenBSD's TCP SACK implementation. It produced a working proof-of-concept on the first attempt 83.1% of the time. Anthropic called the model "too powerful to release publicly" and held it back from general availability.

Sixteen days later, on April 23, Korean CISOs gathered at the 2026 CISO Insight Forum. This piece reads the Forum for the structural shifts it surfaced, organized around the changes themselves rather than the speaking order.


1. Two things Mythos changed

Traditional vulnerability discovery had three steps. Discovery of a candidate flaw. Validation that it's real. Exploitation — building a working PoC. Each step needed different people, different tools, different context. The friction between them was the defender's grace period.

Mythos collapses all three into a single agentic loop. The published scaffold is minimal: an isolated container with no internet, the target source code inside, a one-paragraph prompt asking the model to find a security vulnerability. Then you let it run. The model reads code, hypothesizes, executes the program to confirm, drops into a debugger, and outputs a bug report with a working PoC.

Two things changed here.

One, the human time between discovery and exploit is gone. Time cost was tied to human salary and human learning curves. Defender patch windows were sized against that friction. Remove the friction and the patch SLA needs a new unit of measure.

Two, the cost floor for attacks collapsed. Anthropic's published numbers put 1,000 OpenBSD scans at under $20,000. For comparison: a 2025 enterprise penetration test runs $10K–$35K. So one pentest's budget covers 1,000 sweeps of a single major OS. Run the same math against every major open-source project and the picture writes itself. Risk models that assumed "attacks are expensive" need to be redrawn.

The same capability serves defenders, but almost no Korean CISO has access to a Mythos-grade tool. Capability arrives at attackers first and at defenders later. That asymmetry is policy, not technology.


2. Korean AI policies sit on top of Generation 1

Korean enterprises spent the last 18 months drafting AI usage policies that assume Generation 1 — the user asks, the model answers. "Review AI-generated content before sending." "Don't paste customer data into ChatGPT." Rules built on top of single-shot Q&A.

That isn't where AI is going. Generation 2 is agentic execution: the user states a goal, the model plans and acts. Vibe coding lives here. Generation 3 is multi-agent: a high-level objective, agents talking to other agents to produce results.

Generation 3 can't be governed by Generation 1 rules. By the time a human is in the loop, dozens of agent decisions have already happened. Auditing what an agent did becomes a forensic problem, not a real-time control problem. That requires agent activity logs at a granularity most organizations don't have. Korean enterprises included.

There's a trade-off. Companies that block Generation 3 lose the productivity race. Companies that adopt it without audit infrastructure lose the compliance race. There's no middle path without new tooling.

Vibe coding produces a parallel rule. Don't hand-edit AI-generated code. The moment you do, the agent's context breaks. The next agent edit lands on top of your edit and the code degrades faster. Push corrections back through the agent. That's a real shift in what code review means, and most security teams haven't internalized it yet.

Figure: Policy parked at Generation 1 while real usage covers Gen 2 and Gen 3.


3. The unit of attack surface has changed

Frontier models now process text, audio, video, documents, meeting recordings — all in a single pass. The change that creates is a change of unit.

Thinking about attack surface in units of "this codebase" or "this document" no longer holds. The new unit is everything that flows into a single model invocation, regardless of where that data physically sits. If it's in the same session, it's in the same exposure.

There's another trade-off here. Restrict context and you restrict your own analysts' capacity. Mythos-grade vulnerability discovery doesn't work without the model reading a full codebase in context. The same property creates the offensive risk and the defensive capability. The right move isn't input restriction, it's logged exposure with scoped controls — knowing which data went into which model call.
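A minimal sketch of what "logged exposure with scoped controls" can look like, added here as an illustration and not taken from the Forum or any vendor product. The class name, session ids, source labels and data classes are all constructed assumptions; the point is that the ledger answers "which data went into which model call" and treats the session as the exposure unit.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class ExposureLedger:
    # session id -> data classes that session is scoped to handle (constructed labels)
    scopes: dict
    records: list = field(default_factory=list)

    def log_call(self, session, call_id, inputs):
        """Record one model invocation. inputs: [(source, data_class, content_bytes)]."""
        allowed = self.scopes.get(session, set())
        blocked = [src for src, cls, _ in inputs if cls not in allowed]
        self.records.append({
            "session": session,
            "call": call_id,
            "allowed": not blocked,
            "blocked_sources": blocked,
            # Store a digest, not the content, so the ledger is not itself a leak.
            "items": [(src, cls, hashlib.sha256(data).hexdigest())
                      for src, cls, data in inputs],
        })
        return not blocked  # caller forwards to the model only when True

    def calls_with(self, source):
        """Which permitted model calls received data from this source?"""
        return [r["call"] for r in self.records
                if r["allowed"] and any(s == source for s, _, _ in r["items"])]

    def session_exposure(self, session):
        """Exposure unit: everything that entered any permitted call in the session."""
        return {s for r in self.records
                if r["session"] == session and r["allowed"]
                for s, _, _ in r["items"]}

    def co_exposed(self, source):
        """Sources that shared a session with `source`, wherever they physically sit."""
        sessions = {r["session"] for r in self.records
                    if r["allowed"] and any(s == source for s, _, _ in r["items"])}
        return set().union(*(self.session_exposure(x) for x in sessions)) - {source}

def demo():
    # Constructed sample: two sessions, one call that exceeds its scope.
    ledger = ExposureLedger(scopes={"sess-a": {"source-code", "internal"},
                                    "sess-b": {"source-code"}})
    ledger.log_call("sess-a", "c1", [("repo:billing", "source-code", b"int pay(void);")])
    ledger.log_call("sess-a", "c2", [("wiki:runbook", "internal", b"restart steps")])
    ledger.log_call("sess-b", "c3", [("repo:billing", "source-code", b"int pay(void);"),
                                     ("crm:export", "customer-pii", b"name,phone")])
    return ledger
```

The out-of-scope call is still written to the ledger with its blocked sources, so a denied attempt leaves the same forensic trail as a permitted one.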

Shadow AI deepens this problem. SBOMs run on the assumption that you know what software is running inside the company. Shadow AI breaks that assumption a level deeper than shadow IT ever did. An employee uses ChatGPT or Claude through a personal account on a personal device, then pastes the output into work systems. The "tool" never touches the corporate network.

So the control point has to move. Not "what tools are employees allowed to use," but "what data are they allowed to handle." That's an HR and labor-policy problem before it's a technical one.


4. Board reporting is now a legal requirement, and translation doesn't carry the room

In 2026, Korean law moves board-level security reporting from "good practice" to "legally required." Three changes drive it. The Personal Information Protection Act now requires CPO appointment and dismissal to go through the board, and adds a board reporting obligation for privacy posture. The Information & Communications Network Act adds a parallel reporting obligation for information protection status. The Electronic Financial Supervisory Regulation is already in force — the CISO must report to the board, not just the CEO.

Press will summarize this as "CISOs must now report to boards." True and uninteresting. The interesting question is why most CISOs will fail at this reporting.

CISOs typically prepare for a board session by translating technical material into accessible language. That doesn't work. Korean corporate boards are dominated by lawyers and business-school graduates. Sociotechnical risk language — CVEs, attack surfaces, MITRE ATT&CK matrices — doesn't land. The translation isn't bad. The attempt itself wastes the slot.

Start in business language. Boards want four data points.

One — risk in monetary terms. Not CVSS scores. The expected loss from an unpatched exposure if it becomes an incident.

Two — maturity against a recognized standard. NIST CSF, Zero Trust framework levels. "We're at level 2 of 4."

Three — compliance posture. PIPA, GDPR, Network Act — exposure to penalties under current and pending regulation.

Four — supply-chain risk. Most modern breaches enter through supply chain. Boards have started asking about it.

ISMS-P certification is the first thing Korean CISOs reach for to show the board "we're handling this." But ISMS-P was designed as an operational compliance standard, not a board communication tool. It shows whether you're patching things. It doesn't show whether your unpatched exposure is worth ₩100M or ₩10B in expected loss. The board needs the second number. ISMS-P doesn't produce it.

A quantitative risk model has to layer on top of ISMS-P, not replace it. Right direction, meaningful operational lift, and most Korean CISOs haven't started.

One more thing. Secure your allies before the formal board meeting. Pre-meetings with the CFO and one or two friendly outside directors aren't optional. The actual board session is the wrong place to surface a controversial finding. The right place is the prep meeting, where you can lose without losing publicly. Has nothing to do with security and everything to do with surviving as a CISO long enough to do the security work.


5. Disclosure, repurposed as competitive pressure

Korea's information protection disclosure regime makes four things public and audited: information protection investment, workforce composition, certifications held, security activities. Most CISOs skim this regime because it looks administrative. Mistake.

In 2024, the law added post-hoc verification authority — the regulator can now check what was disclosed. Before that, filings were essentially what companies wrote. Now they aren't.

Then in 2027, the exclusion thresholds disappear. Companies that had been below the cutoff start filing.

Once filings are public and compared year over year, competitive pressure replaces regulatory pressure as the primary driver. A peer in your sector with a higher security investment ratio shows up in a filing that customers and audit committees both read. Annually. Compared to last year's, and compared to peers.

That shifts the political center of gravity inside the company. Security budget stops being a fight for IT-spend share and becomes a question of where you sit on a public benchmark. The CISO suddenly holds a number the CFO has to defend externally. ISMS-P certification status sits in the public artifact. The certification stops being something you renew quietly every three years and becomes something the market reads.


6. Dynamic access control — externalizing tacit knowledge

The shifts above all push the same question at operators: what can you actually do today, without Mythos-grade tooling? The Forum's most operationally specific answer was dynamic access control.

Korean enterprise access controls have been binary. You have permission or you don't. Employees who need access to personal information get exception-permissions, and those exceptions stay open.

Revalidating those exceptions dynamically is the alternative. Examples: a privileged user accessing the same data through VPN gets masked output. If the VPN-source IP matches a less-trusted endpoint, that's another signal. If a DBA's badge-in record isn't in the system this morning, their DB access is suspended.

What makes this interesting is the choice of signals. Operational signals nobody else queries — badge-in records, IP reputation deltas, peer behavior baselines — get pulled into authorization decisions. Familiar territory in zero-trust literature, but the implementation cues are different.

There's a deeper point underneath. The "abnormal" in anomaly detection mostly lives as tacit knowledge in CISOs' heads. "User X is sketchy" is a judgment that doesn't sit in any system. The dynamic control project is about externalizing that tacit knowledge into systematic signals.

This is harder than it looks. The moment a rule is formalized, it becomes gameable. Anyone trying to evade just routes around it. But the direction is right. Without formalizing and systematizing the concept of "abnormal," dynamic control doesn't actually run.
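The signals named above (VPN access, a less-trusted source IP, a missing badge-in record, a peer baseline) written down as an explicit decision function. This is an added example, not code presented at the Forum; the user names, addresses, the 10x baseline threshold and the three-signal escalation rule are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Decision(IntEnum):  # ordered so max() picks the most restrictive outcome
    ALLOW = 0
    MASK = 1
    SUSPEND = 2

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    via_vpn: bool
    source_ip: str
    rows: int

def evaluate(req, badged_in, low_trust_ips, peer_median_rows, escalate_at=3):
    """Re-validate a standing exception on each request.
    Returns (decision, fired_signals) so the audit record names every signal used."""
    fired = []
    if req.via_vpn:
        fired.append(("vpn_access", Decision.MASK))
    if req.via_vpn and req.source_ip in low_trust_ips:
        fired.append(("low_trust_source_ip", Decision.MASK))
    if req.role == "dba" and req.user not in badged_in:
        fired.append(("no_badge_in_today", Decision.SUSPEND))
    # Peer baseline: assumed threshold of 10x the role's median row count.
    if req.rows > 10 * peer_median_rows.get(req.role, float("inf")):
        fired.append(("above_peer_baseline", Decision.MASK))
    decision = max((d for _, d in fired), default=Decision.ALLOW)
    # Assumed escalation rule: several weak signals together are treated as strong.
    if len(fired) >= escalate_at:
        decision = Decision.SUSPEND
    return decision, [name for name, _ in fired]

# Constructed sample data (names and addresses are illustrative).
BADGED_IN = {"dba_kim"}
LOW_TRUST = {"203.0.113.7"}
PEER_MEDIAN = {"dba": 200, "analyst": 50}

def demo():
    reqs = [
        Request("dba_kim", "dba", False, "10.0.0.5", 120),
        Request("analyst_lee", "analyst", True, "198.51.100.20", 40),
        Request("dba_park", "dba", False, "10.0.0.9", 100),
        Request("analyst_choi", "analyst", True, "203.0.113.7", 5000),
    ]
    return [evaluate(r, BADGED_IN, LOW_TRUST, PEER_MEDIAN) for r in reqs]
```

Returning the list of fired signals alongside the decision is what turns a judgment like "user X is sketchy" into something a reviewer can audit and tune.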

The same principle applies to pre-launch security review. Business teams skip it. There's a limit to how much you can prevent that. When skipping happens, run a post-implementation review. Document the gaps. List them. Escalate to executives. Preserve the paper trail. Not a control that prevents the skip. A control that ensures responsibility lands in the right place when a skip turns into an incident. Honest, and operationally workable.

This is the operational answer to "AI defense requires AI." Pattern-based security tools were built around static signatures. Post-Mythos attacks are context-driven — they reason, they chain. The only thing fast enough to defend against context-driven attacks is something that reasons in context. That's an AI system. Which is why AI security teams need dedicated personnel — not a generalist who also covers AI, but a specialist whose job is the AI defense layer.


7. The asymmetry Korea is facing

One gap to close on.

Mythos exists. Glasswing exists. AWS, Microsoft, Google, NVIDIA, Palo Alto Networks have access. No Korean firm is on the list.

The implicit assumption running through every Forum discussion was that Korean CISOs need to prepare for AI-driven attacks. The honest framing is that Korean CISOs need to prepare for AI-driven attacks without access to AI-driven defense at the same tier. The asymmetry is structural. By the time Mythos-equivalent capability is commercially available in Korea, the same capability will have been adversarial for some time.

That's the conversation the Forum didn't have. Also the most important one. The threat model, the board reporting mandate, the disclosure regime, the dynamic controls — all correct, all important. None of them resolve the asymmetry.

Three directions might shrink it.

Domestic security AI tooling — built defensively, designed for Korean compliance and Korean-language constraints. There's a view that the government's foundation-model push lost some strategic urgency post-Mythos. There's a case for re-pointing the goal — from "sovereign model" to "defensive AI."

Open-source defensive tooling — the Linux Foundation sits in the Glasswing launch partner list, which matters. Korean CISOs should track these projects actively rather than wait for vendor productization.

Operational discipline that doesn't need Mythos-grade tooling — dynamic access control is the example. Achievable today with existing infrastructure plus better signal integration.

The CISO's job in 2026 isn't to wait for Mythos-grade defense to land in Korea. It's to do everything that doesn't require it, and to prepare the ground for absorbing it the moment it arrives. That's a shorter list than people think. The Forum's value was in mapping it.
