Tag: Microsoft

When AI Finds Every Bug

Posted on by NSS Labs

The discovery clock just accelerated

On April 7, Anthropic announced that its newest model, Claude Mythos Preview, had autonomously discovered thousands of high and critical severity zero-day vulnerabilities across every major operating system and web browser—many hiding in plain sight for over a decade. A 27-year-old bug in OpenBSD. A 16-year-old flaw in FFmpeg that automated fuzzers had hit five million times without catching. And Mythos doesn’t just find vulnerabilities—it writes the exploits, succeeding on over 83% of first attempts where previous models achieved close to zero.

That is good news in one sense: software vendors and maintainers may be able to identify and patch flaws earlier, and reduce the time that dangerous defects remain unknown.

But that same acceleration also accelerates threat landscape changes for everyone else. The same class of AI capability that can help defenders find weaknesses can also help bad actors understand them faster, build exploits around them faster, and operationalize attacks at far greater speed and scale.

This is a watershed moment. But while the headlines focus on offensive implications, the downstream consequences for enterprise security operations are just as profound.

The deployment clock has not

The optimistic reading is simple: vulnerabilities found earlier get patched earlier. Project Glasswing—Anthropic’s well thought-out consortium with AWS, Apple, Cisco, Google, Microsoft, and others—is already putting Mythos to work scanning critical codebases. But enterprise security leaders know the uncomfortable truth: a patch being available and a patch being deployed are two very different things.

Even when software owners produce fixes more quickly, enterprise deployment lifecycles still have to contend with regression testing, change windows, operational dependencies, rollback planning, uptime requirements, and the broader risks that come with touching mission-critical systems.

For most enterprises, especially those operating essential services or critical infrastructure, upgrade patterns will still need to follow established risk-mitigation best practices. The cost of an unstable production change can be just as severe as the vulnerability itself.

Layered defenses under increasing pressure

That leaves a familiar but increasingly compressed exposure gap: the period between when a vulnerability is known and when an organization can safely deploy the patched version into production.

As has been true for years, enterprises will need to rely on layered defenses to help close that gap. Firewalls, IDS/IPS, segmentation controls, and related security systems will remain essential in providing mitigation protection while upgrades are planned, tested, and rolled out safely.

What changes now is the pace and volume. If AI sharply increases the rate at which vulnerabilities are discovered, then the burden on protective controls will grow with it. Those systems will need to implement and deploy signatures, policies, and other mitigation mechanisms more quickly and more often.

Deployment has to be not just faster, but smarter

In this environment, simply deploying a mitigation faster is no longer enough. A signature added to an IPS, a rule pushed to a firewall, or a policy configured on paper does not by itself prove that the control is effective against the exploit path it is supposed to stop. An overly broad signature triggering false positives will interrupt legitimate business.

Those mitigation measures can be made smarter through validation that they are effective in protecting against the consequential vulnerabilities and exploits being targeted. Otherwise, organizations are not demonstrating risk reduction; they are assuming it.

This distinction will matter more as AI also helps adversaries accelerate exploit development and surrounding tooling. The attack side of the equation will move faster, which means control effectiveness must be measured more often and with greater rigor. Absent that, we will have a case where enterprises try to move fast but end up breaking things.

Why oversight pressure will rise

A hyper-accelerated threat environment will not only affect security teams. Lawmakers, regulators, insurers, auditors, boards, and other oversight bodies focused on enterprise risk are watching the same headlines. When AI can autonomously compromise critical infrastructure software, tolerance for vague assurances evaporates.

Their questions will increasingly shift from broad policy statements to operational evidence. Questions will evolve from “Do you have security controls?” to “What have you done to prevent this, and what is the evidence it’s working?”.

As a result, requirements for proof of continuous validation testing and evaluation of deployed security controls are likely to become more common across corporate governance, risk management, compliance, insurance underwriting, and sector-specific oversight agencies.

Continuous validation becomes a core operating discipline

This is why continuous validation testing of security controls will become more critical in enterprise IT operations.

Continuous validation gives organizations a practical way to bridge the gap between faster vulnerability discovery and the slower, smarter, necessary discipline of safe production change. It helps prove that compensating controls are providing real mitigation while the enterprise works through responsible remediation cycles.

In the age of AI-accelerated vulnerability discovery and exploit creation, continuous validation will become central not only to security operations, but also to meeting corporate GRC obligations, supporting regulatory readiness, and demonstrating defensible cyber resilience.

Organizations that build this into their operational cadence, GRC programs, and vendor accountability frameworks will be able to answer the hard questions when regulators and boards come asking. Those that don’t will find themselves defending assumptions in a world that no longer accepts them.

Continuous validation isn’t the future of enterprise security operations. It’s the present. Mythos just made it impossible to ignore, and Project Glasswing presents a great opportunity to respond.

What enterprise leaders should do now

Priority Why it matters
Preserve disciplined change management Do not trade mission-critical availability for superficial patch velocity. Upgrades still need controlled testing and rollout.
Strengthen layered defenses Firewall and IDS/IPS mitigations will be asked to carry more of the burden during the exposure window.
Validate mitigations continuously Controls need evidence-based testing to prove they actually block the vulnerabilities and exploits they target.
Prepare for evidence demands Regulators, insurers, boards, and auditors will increasingly expect proof, not just claims, that controls are working.

NSS Labs Publishes Two Foundational White Papers on Enterprise AI Security

Posted on by NSS Labs

Austin, TX – March 18, 2026 – NSS Labs, the leading authority in independent cybersecurity product validation, today announced the publication of two new white papers addressing the rapidly evolving challenge of securing artificial intelligence in enterprise environments:

Together, the papers provide enterprise security leaders with a structured, governance-driven framework for understanding AI risk in production systems. The research was developed in collaboration with Amazon Web Services (AWS), F5, and Microsoft as well as other industry leaders.

AI Security Beyond the Model: What Enterprises Need to Care About — and Why,” outlines why securing the AI model alone is insufficient and why enterprise AI security must be treated as a system‑level and governance challenge. The aim is to provide concrete guidance to Chief Information Security Officers (CISOs), enterprise buyers, and Governance, Risk and Compliance (GRC) leaders on the questions to ask before real-world AI failures are exposed under regulatory, legal, customer, or board-level scrutiny.

“Evaluating Enterprise AI Security: Questions Every Buyer Should Be Able to Answer” moves from theory to procurement discipline to help enterprise buyers formulate better questions when shortlisting AI security vendors. The focus is primarily on runtime guardrails in the form of AI Protection Systems, the controls outside the model that enforce policy, protect data, and produce audit evidence.

“We’re at the beginning of the AI revolution and everyone has questions,” said Vikram Phatak, CEO of NSS Labs. “These papers provide a framework for how to think about securing AI as well as practical guidance for governance of what their AI systems are permitted to do and why. Yes, AI security is a technical issue, but it is also a governance issue.”

The white papers highlight several critical priorities for enterprises:

  • Embedding AI security into Governance, Risk, and Compliance (GRC) frameworks
  • Moving beyond model-centric controls to system-level runtime guardrails
  • Managing delegated authority in agentic AI systems
  • Combining detection with verification where certainty is required
  • Establishing measurable, independent validation practices

Together, the papers provide a practical roadmap for organizations to safely transition from AI experimentation to accountable, production-grade deployment.

Both white papers are available for download at nsslabs.com.