Security in the age of agentic

Last month, when Anthropic first announced Claude Mythos, its new cybersecurity generative AI model, it caused a lot of concern and conversation in the cybersecurity community. Mythos was reported to have identified new vulnerabilities in every major operating system and web browser. It was deemed too dangerous to release publicly.

If security experts were not already paying attention, here was a clear example of the new era of security staring right back at them.

Amid the AI boom in recent years, tech development cycles are now moving much faster, while stakes have gotten much higher. Financial systems, supply chains and cybersecurity infrastructure are all now more connected. Billions more devices are online. All these dynamics are creating a broader and more complex cybersecurity battlefield and causing a shift from isolated incidents to systemic pressures.

More than ever, attacks are moving at machine speed. Defenses now must be just as fast. Organizations must evolve to meet this moment by focusing on a few key areas.

Businesses, governments and nonprofits of all sizes are all part of the global digital ecosystem. That means we need to be accountable to each other and protect one another. Not only is that the right thing to do, it is absolutely necessary to prevent an attack from spreading. Once cybercriminals breach any organization's systems, they can use the stolen confidential and personal data to broaden their attack.

Larger companies have easy access to sophisticated tools and big cyber teams so they can respond to new AI innovations. Smaller organizations don’t, leaving them far more vulnerable to AI-powered attacks. For those that don’t have access to cutting-edge tools or cannot afford their own defenses, it is incumbent on larger players to step up and support them. That kind of collaborative approach is now needed more than ever.

Keeping bots out of our systems used to be an obvious part of any security apparatus. Now it is not so simple.

As AI agents come into our lives, people will consent to different kinds of agents operating on their behalf, such as software agents completing business tasks and commerce agents making purchases. This development of autonomous commerce agents is perhaps one of the most profound changes to payments in history. Cybersecurity teams will need to be able to identify the difference between good AI agents and harmful ones. That’s possible through new standards and controls, like Know Your Agent (KYA) to catalogue and track bots, Know Your Merchant (KYM) to classify legitimate websites from fraudulent ones, and even what I like to call Know Your Fraudster (KYF) — keeping tabs on potential adversaries, analyzing fraud signals and threat intelligence data, and responding before it is too late.

Managing bot traffic is a critical new element of security work going forward, but it is far from the only one. Cybersecurity teams also need to work more closely across their organizations to reinforce the concept of “secure by design.” That means we prevent breaches by identifying software and hardware vulnerabilities during the coding and development process and before products launch. After all, a hacker cannot exploit a vulnerability that does not exist.

Too many organizations still patch their software manually. Meanwhile, the number of credible threats is growing now that AI models can quickly find more vulnerabilities.

Organizations need to automate more of their patching systems to speed up this process and more efficiently determine which credible threats they should prioritize for patching. Because of AI, time-to-exploit has dropped to hours from days, making the need for this change critical.

Beyond automating patching, organizations will need to lean into using AI-powered predictive intelligence and continuous monitoring to react faster to threats.

Breaches are most commonly caused by the same three issues — stolen credentials, unpatched vulnerabilities and exceptions — and that has been the case for decades.

While a lot is changing because of AI, many of the same basic cybersecurity processes are needed. Those include robust data protection and retention plans, reviews of legacy systems and reducing technical debt. This is the unglamorous work — day in, day out — that is necessary to protect digital ecosystems.

Mythos has provided the cybersecurity industry with a vital reminder that dynamics have drastically changed. In this new agentic era, the industry must move from being reactive to predictive — using collaboration, early warnings and faster coordination — to stay a step ahead.