In April 2026, Anthropic's Mythos model autonomously produced working exploits against 72.4% of the vulnerabilities it discovered on Firefox's JavaScript shell. Over 99% of those findings are unpatched today. Twelve Project Glasswing companies have that capability. The replication papers are public. Commodity models are six months behind, not five years.
Mean time-to-exploit dropped to seven days last quarter, down 81% from 2025. The fitted decay curve from Phoenix exploit intelligence projects one day by 2028 and one hour by 2032. Forty-one percent of new code on GitHub is AI-generated. The 40,000-finding backlog you remember from two years ago is now 400,000 in most enterprises, and I have personally walked into orgs running four million. Triaging four million by hand takes 8,300 engineer-days a year. Nobody has that headcount, and nobody is getting it. The 30, 60, and 90-day patching SLAs your program runs on were calibrated for the 2018 curve. They are already three orders of magnitude behind the actual speed of exploitation, and the gap widens every quarter.
This keynote is the operational answer.
The Mythos-Ready program, published by the Cloud Security Alliance, SANS, [un]prompted, and the OWASP GenAI Security Project, with the companion playbook from Phoenix Security, has two halves that meet in the middle. Close the tap on the left. Burn the backlog on the right. Six controls. One knowledge graph underneath. No Glasswing budget required.
We walk the architecture left to right, with each control colour-coded so the audience builds the mental map once. Before code merges, Skills bind the coding agent to architectural rules at the design stage, a Secure PRD generator shifts threat modelling to the requirements phase, malware and CVE intelligence acts as an MCP plugin at install time, and graph-aware code scanning runs at the agent and at the pull request. After code merges, ownership attribution routes findings to the team that owns the asset, reachability and threat intelligence drive prioritization, grouped remediation turns twelve PRs into one, and agentic exploit hunting finds the toxic combinations no individual scanner sees on its own.
If attackers have reasoning, defenders need reasoning. Reasoning at scale is only economical against curated context, not the open web. The same code graph, security graph, and architecture graph that lets Mythos chain primitives across files, services, and packages lets your defensive tooling see your own exposure and close it in the same timeframe. Same graph. Same reasoning. Different output. That is the economic foundation that makes defensive AI affordable outside Glasswing.
You will leave with a 90-day deployment plan, four executive metrics reportable to a board without a glossary, an open-source skills repository you can clone on Monday morning, and a direct answer to the question every CISO in the room is asking right now: when commodity models reach Mythos-class capability six months from now, will my program absorb it or react to it?

akeaways for Attendees
* A clear architecture for defending against AI-speed adversaries without an AWS-scale security budget. Six controls, one knowledge graph, composable by design.
* The vocabulary and proof points to take to a CISO and a board on Monday morning. Why CVSS-first is obsolete, why reachability-first is the only viable replacement, and how to frame the metric optics that get worse before they get better.
* Practical implementation guidance for binding security to coding agents at the design and generation stages. The open-source skills repository, the PreToolUse hook pattern, and a working Secure PRD generator you can clone today.
* A working model for grouped remediation that engineering will actually accept. The math behind one PR for twelve fixes, and the customer numbers that prove it.
* A diagnostic framework to identify which of the six controls your program is missing right now, and the install order based on your specific bottleneck, whether that is PR velocity, backlog size, agent adoption, or supply chain risk.
* The Vulnapocalypse-Ready badge audit. Six controls in production means you wear the badge. Anything less means procurement starts now, because the curve does not wait for budget cycles.