Anthropic's Claude Mythos has autonomously discovered thousands of zero-day vulnerabilities across major operating systems and browsers, achieving a 72.4% exploit development success rate without human guidance. The model can take a CVE identifier and a git commit hash, then produce working exploits within hours. It joins a growing list of AI-powered vulnerability research efforts: Google's Big Sleep found 20 zero-days in open source projects, while Sophos's OpenClaw compressed Active Directory reconnaissance from three days to three hours in internal testing.

The numbers tell the real story. Time-to-exploit has dropped from 61 days in 2024 to 28.5 days in 2025, and the median time from disclosure to listing in CISA's Known Exploited Vulnerabilities list has shrunk from 8.5 to 5 days. Confirmed exploitation of high-severity vulnerabilities doubled to 146 cases in 2025. This isn't just faster research—it's a fundamental shift in the economics of vulnerability discovery that defenders haven't caught up to.

What's missing from the security industry's response is honest acknowledgment of the capability gap. While Rapid7 and CSA focus on patching faster, Sophos is actually running these tools internally and seeing the impact firsthand. Their OpenClaw exercise produced 23 actionable findings including Domain Admin escalation paths from a single unprivileged account. That's not theoretical—that's production-ready offense.

For developers building AI systems, this means security can't be an afterthought anymore. You need AI-powered security reviews in CI/CD pipelines now, not when your next security audit comes up. The old assumption that you have weeks to respond to vulnerabilities is dead.