XBOW’s AI platform found an API key embedded in Moderna’s application source code, authenticated with it, then probed the APIs it could now reach for SQL injection flaws until a malformed request cascaded and crashed the entire chain of applications the development environment depended on. XBOW started with no login credentials; the embedded key was its way in. It finished in hours.
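The first link in that chain, a key sitting in source, is the one a defender can check for before an attacker, automated or human, does. The following is an added example and not code from Moderna, XBOW or the article: a minimal secret scanner that walks a constructed in-memory source tree, flags fixed-format identifiers (the AWS access key ID prefix) and credential-looking assignments of quoted literals, and uses a Shannon entropy threshold to skip obvious placeholders. The file paths, key values and entropy cutoff are assumptions chosen for illustration.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample source tree for the example: a dict of path -> file contents.
# None of this is Moderna's code; the key values are made up (the AWS one is the
# well-known AKIA...EXAMPLE placeholder from AWS documentation).
SAMPLE_TREE = {
    "app/config.py": (
        "DEBUG = False\n"
        "API_KEY = 'sk_live_4f9a7c2e8b1d3f6a9c0e2b5d7f8a1c3e'\n"
        "aws_access_key_id = 'AKIAIOSFODNN7EXAMPLE'\n"
        "DB_NAME = 'orders'\n"
    ),
    "app/client.js": (
        "const headers = { 'x-api-key': process.env.API_KEY };\n"
        "const token = 'abcdefgh';\n"
    ),
    "tests/fixtures.py": (
        "API_KEY = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'\n"
    ),
}

# Rule 1: fixed-format identifiers, flagged on pattern match alone.
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Rule 2: a credential-looking name assigned a quoted literal of 16+ chars.
# The name must be followed directly by the assignment operator, so
# "'x-api-key': process.env.API_KEY" (a header name, not a literal) is not matched.
GENERIC_CRED_RE = re.compile(
    r"\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{16,})['\"]",
    re.IGNORECASE,
)
MIN_ENTROPY_BITS = 3.0  # per character; assumed cutoff that drops 'xxxx...' placeholders


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for a string of one repeated character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    masked: str  # first 4 chars kept so the owner can recognise the key


def _mask(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4)


def scan_tree(tree: dict) -> list:
    """Return Finding objects for every line that matches a rule, in path/line order."""
    findings = []
    for path in sorted(tree):
        for line_no, text in enumerate(tree[path].splitlines(), start=1):
            for m in AWS_ACCESS_KEY_RE.finditer(text):
                findings.append(Finding(path, line_no, "aws-access-key-id", _mask(m.group(0))))
            for m in GENERIC_CRED_RE.finditer(text):
                value = m.group(2)
                if shannon_entropy(value) < MIN_ENTROPY_BITS:
                    continue  # low-entropy literal: placeholder or test fixture, not a key
                findings.append(Finding(path, line_no, "generic-credential-assignment", _mask(value)))
    return findings


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f.path}:{f.line} [{f.rule}] {f.masked}")
```

Against the constructed tree this reports two lines in `app/config.py` and nothing else: the `process.env` reference in the JavaScript file is never a literal, the eight-character token is too short to be worth reporting, and the fixture's all-`x` value fails the entropy check. On a real repository, read the files into the dict (or iterate a checkout) and treat each finding as a lead, not a verdict: a key is only a vulnerability once someone confirms it still authenticates, which is the same distinction between theory and exploit proof that the rest of the article turns on. Keys assembled at runtime or split across string literals will not be caught by this pass.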
That’s the trial outcome Farzan Karimi, Moderna’s deputy CISO, presented at a Gartner summit. The problem he brought to the trial: his vulnerability management system was surfacing hundreds of high-severity findings with no reliable way to tell which of them were actually exploitable. XBOW gave him working exploits as proof, not theoretical severity ratings.
The result fits a pattern accelerating across the industry. Claude Mythos Preview, Anthropic’s security-focused model, hit a capability level that made enterprise security leaders pay attention in a way they hadn’t with prior frontier releases. Zscaler CEO Jay Chaudhry directed his team to run it against the company’s own applications and confirmed serious findings. The issue was volume. “There aren’t enough resources and cycles to fix all those,” he said.
Cisco’s Tom Gillis explains the underlying shift: legacy network infrastructure runs on tens of millions of lines of code built over decades, and earlier AI models lacked the context window and reasoning capacity to comprehend it fully. Mythos can, which is why the number of vulnerabilities being reported is climbing. Cisco’s Live Protect, built on eBPF, shields a specific vulnerability in production without touching binaries or rebooting; it is a runtime mitigation rather than a fix, since the vulnerable code stays in place until a patch lands. It has been shipping since October. Customer urgency shifted noticeably after Mythos. Gillis describes one customer: “Turn this thing on right now.”
For operators still running quarterly pen-test cycles, the structural problem is that a point-in-time assessment cannot keep up with continuous discovery. XBOW tests continuously; human red-teamers write a report and move on, leaving a window between engagements where risk accumulates. Karimi’s framing: exploit proofs let your developers focus on the tier of findings that is actually exploitable, not the noise pile. The open question is how to handle the volume of bugs that AI-driven scale will surface.
Anthropic’s own blog warns the timeline for a publicly available Mythos-class tool is shortening, with no guarantees on safeguards. Your patch queue doesn’t get a vote.
Nathan Zakhary