When patching isn’t fast enough, NDR helps contain the next era of threats.
If you’ve been tracking advancements in AI, you know the exploit window, the short buffer that organizations relied on to patch and protect after a vulnerability disclosure, is closing fast.
Anthropic’s new model, Claude Mythos, and its Project Glasswing, showed that finding exploitable vulnerabilities and subtle cracks in your defenses in operating systems and browsers — work that once took experts weeks — can now be done in minutes with AI. As a result, the patch window of opportunity is now near-zero. The situation is so critical that Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell recently convened an urgent meeting with the CEOs of major U.S. financial institutions to discuss the implied risks. The takeaway was straightforward: surging AI capabilities have upended risk profiles, with profound implications for institutional stability and integrity across industries.
Mythos also highlights the gap between discovery and remediation. It easily surpassed human expertise, solving a complex corporate network simulation that would have taken more than 10 hours of expert programming skill. Its discoveries also found problems in decades-old software that had been missed in thousands of security reviews.
From Mythos to the assume-breach era
Mythos isn’t the only AI model capable of finding vulnerabilities this quickly. Other parties have found them using more basic LLMs.
If your company uses any type of software, you should assume that software probably contains thousands of these unknown vulnerabilities, just waiting to be exploited by AI-assisted discovery. This is not a failure of your security team; rather, it’s the structural consequence of 30 years of accumulated software complexity meeting a leap in offensive AI capability.
Now that near-zero exploit windows are the norm, “patch faster” or “patch better” are no longer enough. Security teams will need new playbooks, based on an assume-breach model: breaches will happen, and detecting them as they occur and containing them at scale will be paramount. These outcomes are decided in real time, on the network.
How to bring an assume-breach model into everyday operations
The assume-breach model has three operational requirements, each of which uses automated methods designed to collapse time to containment:
- Detect post-breach behavior before a threat escalates across your enterprise
- Reconstruct the complete attack chain as soon as possible
- Contain threats rapidly to limit their blast radius
In practice, this method of containment requires:
Visualizing containment as the scoreboard
Prioritize reducing mean-time-to-contain (MTTC) to limit damage while maintaining your watch over detection and response metrics (MTTD and MTTR). As AI accelerates exploitation and reshapes attack methods, the importance of speed in pinpointing, containing, and resolving threats increases. Compressing MTTC starts with real-time, comprehensive network visibility. With it, SOCs can detect post-breach behavior, determine the blast radius, and disrupt events before they spread further.
Monitoring for AI-favored techniques
Autonomous AI attacks increasingly use sophisticated techniques to evade detection, including living-off-the-land (LOTL) methods that conceal malicious activity within legitimate tools and processes. Network Detection and Response (NDR) platforms play a crucial role in identifying these subtle indicators of compromise. They do this by continuously monitoring network traffic for unusual behavior. Signs of such activity might appear as unusual SMB admin shares, NTLM where Kerberos is expected, or new RDP/WMI/DCOM pivots, all of which can signify lateral movement across your network.
Advanced NDR platforms can also detect attackers leveraging LOTL techniques to maintain command and control communications and exfiltrate data while trying to avoid generating alarms. Indicators of command and control can manifest as beacon‑like connection patterns, rare JA3/JA4 and SNI pairs, high‑entropy DNS, or unsanctioned DoH or DoT. Anomalies such as off‑hours uploads, upload/download asymmetry, first‑time destinations (e.g., S3, Blob, GCS, or new CDNs), compression before egress, or the presence of tunnels and VPNs to new destinations can indicate exfiltration.
Automating and maintaining your software inventory
Many organizations still lack a real-time, accurate inventory of their software, leaving them struggling to understand how assets connect and communicate. This gap creates openings for adversaries. Automating asset inventory and mapping helps organizations understand their exposure, react more quickly to emerging threats, and shrink the available windows for exploiting vulnerabilities.
Correlating and reconstructing attack chains
Once a breach is detected, quickly understanding the scope is vital, especially as AI-driven threats move too fast for manual analysis. The once painstaking process of reconstructing events needs to be automated and delivered in real time.
Corelight Investigator, part of the company’s Open NDR Platform, automatically correlates alerts and network activity to help reconstruct detailed timelines of attacks. This makes it easier for your own systems to automate the response workflow, and to improve your resilience against these attacks.
Automating containment
Advances in detection and attack reconstruction should drive decisive, reliable containment. Limiting the spread of threats, the third leg of the assume-breach model, is what turns data and insight into tangible protection. Embedding automated containment into network defense workflows can reduce the risk that fast-moving threats escalate into widespread incidents.
Toward a Mythos-ready security future
Claude Mythos and other AI models are rapidly upending long-standing practices in cybersecurity. Preparing for this dynamic landscape means, in part, building adaptive defensive layers that can help you accelerate your defenses against adversarial AI.
- Monitor: Maintain continuous network visibility and automate detections to identify threats early.
- Assume-breach: Operate under the expectation that breaches will occur and focus on rapid response and containment.
- Protect: Safeguard your trusted ecosystems by strengthening controls where AI-driven attacks can cause the most damage. Builda “Mythos-ready” security program, as suggested by the Cloud Security Alliance.
- Sharpen: Continuously refine your playbooks and response strategies to counter evolving threats.
Corelight Network Detection and Response
Uncover new attack methods with Corelight’s Open NDR Platform. With comprehensive network visibility and deep behavioral analytics, Corelight is designed to help your SOC detect advanced, AI-powered threats faster, so you can act before incidents escalate. Learn more at corelight.com/elitedefense.
