Skip to main content
Mythos Finds 1,000 Bugs in 10 Hours: Where EPSS Fits InIncident
4 min readFor Security Engineers

Mythos Finds 1,000 Bugs in 10 Hours: Where EPSS Fits In

What Happened

In October 2024, Anthropic deployed an AI agent called Mythos to scan its codebase. The system identified roughly 1,000 potential vulnerabilities in just 10 hours. For context, that's about what a mid-sized security team might triage in a quarter.

Anthropic didn't experience a breach, but this event highlighted a growing issue: AI-driven scanning tools are generating vulnerability reports faster than human teams can assess them, let alone fix them.

The company's response was to endorse the Exploit Prediction Scoring System (EPSS) as the primary method for prioritizing vulnerabilities.

Timeline

October 2024: Anthropic runs Mythos against internal systems. The agent returns about 1,000 findings in 10 hours.

Immediate aftermath: The security team faces a prioritization crisis. Traditional CVSS scoring doesn't help when everything is marked "High" or "Critical."

November 2024: Anthropic publicly recommends EPSS to manage the volume of AI-generated vulnerabilities.

Current state: Mean time to exploit is projected to reach one hour in 2025, dropping to one minute by 2028. Your current triage process won't scale to meet this timeline.

Which Controls Failed or Were Missing

This wasn't a control failure. It was a mismatch between detection capability and response workflow. However, the gap relates to specific standard requirements:

NIST 800-53, RA-5 (Vulnerability Monitoring and Scanning) requires continuous scanning and timely remediation. When your scanner returns 1,000 findings overnight, "timely" becomes meaningless without a prioritization framework.

ISO/IEC 27001:2022, Control 8.8 (Management of Technical Vulnerabilities) mandates identifying and assessing technical vulnerabilities, then addressing the associated risks. The control assumes you can assess faster than new vulnerabilities appear. That assumption broke.

PCI DSS, Requirement 6.3.1 requires identifying security vulnerabilities using reputable sources and assigning a risk ranking to newly discovered vulnerabilities. CVSS scores everything as high-risk, leaving no practical way to sequence remediation work.

The missing piece: a probabilistic model that predicts exploitation likelihood, not just theoretical severity.

What the Relevant Standards Require

None of the major frameworks explicitly require EPSS, but they all require risk-based prioritization:

NIST CSF, ID.RA-1: You must identify and document asset vulnerabilities. The function assumes you'll prioritize by risk but doesn't specify how.

ISO/IEC 27001:2022, Clause 6.1.2: Risk assessment must consider likelihood and consequence. CVSS measures consequence (impact if exploited), while EPSS measures likelihood (probability of exploitation in the next 30 days).

PCI DSS, Requirement 12.3.1: Your risk assessment methodology must be documented and include a process for identifying threats and vulnerabilities. EPSS qualifies as a documented, evidence-based threat assessment process.

Here's the disconnect: CVSS tells you how bad a vulnerability could be. EPSS tells you how likely it is to actually get exploited. You need both.

Lessons and Action Items for Your Team

Stop using CVSS as your sole prioritization metric

CVSS is a severity score, not a risk score. When Mythos returns 1,000 findings and 400 of them have CVSS scores above 7.0, you haven't learned anything useful. EPSS has been incorporated into more than 120 security vendors' products. If your vulnerability scanner doesn't expose EPSS scores yet, ask when they will.

Integrate EPSS into your existing workflow

You don't need to replace your current tools. Add EPSS as a filter:

  1. Pull your vulnerability scan results.
  2. Enrich each CVE with its current EPSS score (available free from the FIRST EPSS API).
  3. Sort by EPSS score, not CVSS score.
  4. Remediate anything above your threshold (many teams start at EPSS > 0.10, meaning 10% exploitation probability in 30 days).

Define your EPSS threshold based on your patch cadence

If you can patch weekly, you might tolerate EPSS scores up to 0.20. If you're on a monthly cycle, you need to act on anything above 0.05. The threshold isn't universal. It depends on how fast your team can move.

Automate the enrichment step

Don't make analysts manually look up EPSS scores. Write a script that:

  • Queries your vulnerability database.
  • Calls the EPSS API for each CVE.
  • Updates your ticketing system with the EPSS score.
  • Flags anything above threshold for immediate review.

This takes about 200 lines of Python. Run it daily.

Prepare for sub-hour exploitation timelines

Mean time to exploit is dropping fast. By 2028, you'll have minutes, not days, to respond to actively exploited vulnerabilities. Your current "we'll patch it next sprint" workflow won't survive that timeline. EPSS gives you advance warning: it flags vulnerabilities before they're actively exploited, based on patterns in attacker behavior.

Use EPSS for board reporting

When your CISO asks "what's our riskiest exposure right now?", don't hand them a spreadsheet of CVSS scores. Show them the top 10 CVEs by EPSS score in your environment. That's the list attackers are actually targeting.

Acknowledge what EPSS doesn't solve

EPSS predicts exploitation likelihood across the entire internet. It doesn't know your specific threat model. If you're in critical infrastructure and nation-state actors target you specifically, EPSS won't capture that. You still need threat intelligence and context. But for the 95% of vulnerabilities that don't involve targeted attacks, EPSS is the most accurate predictor we have.

The Mythos incident wasn't a breach. It was a preview. AI-driven scanning will flood your queue with findings. CVSS can't scale to that volume. EPSS can.

Topics:Incident

You Might Also Like