Christian Nilsson · Confidential · April 2026
Industry briefing — Project Phalanx

Every company on earth now faces a mandatory software modernization program.

The emergence of AI-driven vulnerability discovery has made one fact unavoidable: the accumulated security debt across the world’s application landscape is no longer a manageable background risk. It is an active, time-bound operational threat that supersedes existing technology roadmaps. The only question is execution.

$50 · Reported cost to autonomously discover and exploit a critical, remotely reachable vulnerability
5B · Estimated devices running a wolfSSL build affected by a single flaw rated 10/10 severity (an installed-base figure, not a count of confirmed-exploitable hosts)
>99% · Of Mythos-discovered critical vulnerabilities still unpatched and under disclosure embargo
Months · Estimated window before equivalent capability proliferates beyond the Glasswing partners
The catalyst — April 7, 2026

Anthropic’s Mythos redrew the threat boundary

Anthropic disclosed that its frontier model Mythos Preview — a general-purpose AI, not one specifically trained for security — had autonomously discovered thousands of critical, previously unknown vulnerabilities across the world’s most scrutinised software. Working from a single instruction to “find a security problem,” it identified decades-old flaws that had survived millions of automated fuzzing runs and repeated expert audits. In response, Anthropic formed Project Glasswing: a select group of critical infrastructure providers given early access to scan and remediate. The rest of the industry was not included.

CVE · OpenBSD
27-year-old remote crash vulnerability
An integer overflow chain in TCP's SACK (selective acknowledgement) handling lets an unauthenticated remote attacker crash the kernel: a denial of service against the OS that underpins firewalls, DNS resolvers, and VPN gateways worldwide.
CVE-2026-4747 · FreeBSD
17-year-old unauthenticated remote root
Full remote code execution as root, reachable without credentials. Discovered and exploited by Mythos end to end, with no human guidance beyond the initial instruction.
CVE-2026-5194 · wolfSSL
TLS authentication bypass across an estimated 5 billion devices
A critical authentication bypass in the embedded TLS library used across smart grids, automotive, aviation, medical, and consumer devices; rated 10/10 severity by Red Hat. The device count is the library's deployed footprint: whether a given product is exploitable depends on the library version, TLS role, and build options it ships with, so fleet inventory has to resolve that per product line.
CVE · Linux kernel
Privilege escalation chains to full root
Mythos chained two to four independent kernel vulnerabilities, including KASLR bypasses, to reach full root from an unprivileged local account. Nearly a dozen working exploits were produced.
CVE · FFmpeg
16-year-old flaw missed by 5 million fuzzing runs
A memory-safety bug that survived every automated tool and human audit applied to one of the world's most heavily fuzzed media libraries for over a decade.
All major browsers · Closed-source
Sandbox escapes and firmware exploitation
Chained JIT exploits in every major browser, escaping the renderer sandbox to gain kernel memory writes. Closed-source binaries, firmware included, reverse-engineered and exploited without access to source code.
Key context: Anthropic has confirmed this capability will not remain exclusive. Nation-state actors and competing labs are actively working toward identical tooling. The Glasswing partners are already remediating. The transition period has begun.
The modernization imperative

This is not a patching exercise. It is a fundamental overhaul.

The vulnerabilities Mythos has found are the visible fraction: fewer than 1% of its discoveries have been published so far, and over 99% remain unpatched under coordinated-disclosure embargo. As those embargoes lift, every organisation running proprietary software, commercial off-the-shelf systems, embedded technology, or open-source dependencies will face the same imperative: a structured, high-velocity modernization program across its entire application landscape.

No industry is exempt
Financial services
Healthcare & life sciences
Energy & utilities
Manufacturing & supply chain
Government & defence
Telecoms & media
Retail & e-commerce
Software & technology
Insurance & real estate
Logistics & transport
What modernization actually entails
Attack surface mapping
Full inventory of proprietary systems, third-party components, embedded technology, and open-source dependencies — ranked by exposure and criticality.
Vulnerability triage & prioritisation
AI-assisted scanning across codebases, followed by human expert validation. Risk-ranked remediation queues built against business criticality, not just severity scores.
Code remediation at scale
Parallel remediation workstreams across multiple systems simultaneously — including legacy codebases where original developers are no longer available.
Infrastructure & pipeline upgrades
Hardware, OS, and embedded system updates. CI/CD pipeline hardening to ensure all future deployments are scanned before release — not after.
Workforce enablement
Training for development, operations, and support teams. Establishing new security-first engineering practices that persist beyond the immediate remediation program.
Compliance & regulatory alignment
Documentation, audit trails, and regulator communication across jurisdictions — particularly critical for financial services, healthcare, and public sector organisations.
On project prioritisation: Organisations will need to make a clear-eyed assessment of their current technology portfolio. Programs that cannot withstand a security audit against the new threat baseline are not delivery risks — they are liabilities. The most commercially rational decision in most cases is to pause non-critical initiatives and redirect capacity toward security modernization. This is not disruption. It is the protection of everything else already in flight.
Why Our Company

The scale of the response demands a partner built for scale

Security modernization at this velocity cannot be staffed through normal hiring cycles. The combination of volume, urgency, specialisation, and the need to run parallel workstreams across heterogeneous technology estates calls for a partner with the workforce depth, delivery methodology, and tooling already in place. Our company is that partner.

340K
Professionals worldwide
Spanning security engineering, software architecture, cloud infrastructure, compliance, and programme management — deployable at scale.
30+
Years of large-scale delivery
Decades of running parallel, multi-country technology transformation programmes for the world’s largest organisations across every major industry.
Day 1
Ready to mobilise
Phalanx teams are pre-built, methodology is established, toolchain is live. There is no ramp-up period waiting for capacity to assemble.
The Phalanx approach

Assessment and prioritisation are non-negotiable first steps. You cannot modernise what you have not mapped, and you cannot prioritise without understanding business impact.

1
Assess
Full attack surface mapping. Inventory of all systems, dependencies, and embedded components by risk tier.
2
Prioritise
AI-assisted vulnerability scanning combined with business impact analysis. Remediation backlog ranked by actual exposure, not theoretical severity.
3
Mobilise
Parallel workstreams activated across priority systems. Teams scaled to match scope without disrupting BAU operations.
4
Remediate
High-velocity code modernization, infrastructure hardening, and pipeline upgrades executed against a governed delivery cadence.
5
Sustain
Continuous scanning integrated into delivery pipelines. Knowledge transfer and enablement to ensure the organisation stays ahead of the next wave.
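The ranking logic behind steps 1 and 2 (and the "Vulnerability triage & prioritisation" item above), shown as an added example in Python: a backlog ordered by exposure-adjusted risk rather than raw severity. This is illustrative code written for this page, not the Phalanx toolchain or any Anthropic tool; the weights, the field names, and the four-row inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerable component on one system (sample rows are constructed below)."""
    system: str
    component: str
    cvss: float            # vendor/NVD base score, 0.0 to 10.0 ("theoretical severity")
    internet_facing: bool  # reachable from untrusted networks
    auth_required: bool    # attacker needs valid credentials to reach the flawed code
    exploit_public: bool   # a working exploit is known outside the embargo
    criticality: int       # business criticality tier, 1 (low) to 5 (safety/revenue critical)
    patch_available: bool  # vendor fix shipped (False for findings still under embargo)


def risk_score(f: Finding) -> float:
    """Exposure-adjusted risk on a 0 to 100 scale.

    The weights are illustrative assumptions, not a published scheme. Severity is the
    starting point; reachability, exploit availability and business criticality scale
    it so that a reachable medium on a critical system outranks an unreachable
    critical on a low-value one.
    """
    severity = f.cvss / 10.0
    exposure = 1.0 if f.internet_facing else 0.35   # internal-only cuts exposure sharply
    if f.auth_required:
        exposure *= 0.5                             # needing credentials halves it again
    exploit = 1.0 if f.exploit_public else 0.7      # unpublished flaws still count
    business = f.criticality / 5.0
    return round(100.0 * severity * exposure * exploit * business, 1)


def recommended_action(f: Finding) -> str:
    """Patch when a fix exists; otherwise reduce exposure until one ships."""
    if f.patch_available:
        return "patch"
    if f.internet_facing:
        return "isolate: remove from untrusted networks or front with a filtering proxy"
    return "monitor: add detection and restrict access until a fix ships"


def remediation_queue(findings):
    """Findings ordered by exposure-adjusted risk, highest first.

    Ties break on raw CVSS, then system name, so the order is deterministic.
    """
    return sorted(findings, key=lambda f: (-risk_score(f), -f.cvss, f.system))


# Constructed inventory: four findings across four systems. Component names are generic.
SAMPLE_INVENTORY = [
    Finding("internal-wiki", "xml-parser", 9.8, internet_facing=False, auth_required=True,
            exploit_public=False, criticality=1, patch_available=True),
    Finding("payment-gateway", "tls-library", 7.5, internet_facing=True, auth_required=False,
            exploit_public=False, criticality=5, patch_available=False),
    Finding("customer-portal", "media-codec", 8.1, internet_facing=True, auth_required=True,
            exploit_public=True, criticality=4, patch_available=True),
    Finding("build-server", "os-kernel", 7.8, internet_facing=False, auth_required=True,
            exploit_public=True, criticality=3, patch_available=True),
]


def print_queue(findings):
    """Render the ranked backlog one line per finding."""
    for rank, f in enumerate(remediation_queue(findings), start=1):
        print(f"{rank}. {f.system:16} {f.component:12} cvss={f.cvss:4} "
              f"risk={risk_score(f):5} -> {recommended_action(f)}")


if __name__ == "__main__":
    print_queue(SAMPLE_INVENTORY)
```

Run as written, the CVSS 9.8 flaw on the internal wiki lands last (risk 2.4) while the unpatched CVSS 7.5 flaw on the internet-facing payment gateway lands first (risk 52.5) with an "isolate" action, which is the point of ranking on exposure and business impact rather than on the base score alone. In a real programme the weights would come from the organisation's risk policy and the inventory from the attack-surface map, not from hand-typed rows.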
PILLAR 01
Parallel execution at programme scale
  • Multiple concurrent workstreams across different systems and business units
  • Dedicated stream leads with domain expertise — not generalist project managers
  • Integrated dependency management across streams to avoid compounding disruption
  • Escalation paths to senior leadership active throughout
PILLAR 02
Agentic governance toolchain
  • Internal AI-assisted toolchain purpose-built for large-scale code modernization programmes
  • Automated triage, prioritisation scoring, and progress tracking across all workstreams
  • Audit-ready compliance documentation generated continuously throughout delivery
  • Real-time programme health dashboards for client and our leadership
Anthropic partnership
Direct access to the frontier
Our company’s close working relationship with Anthropic means our teams operate with the most current understanding of Mythos capabilities, responsible disclosure processes, and the security findings still under embargo. This translates directly into more accurate risk assessment and better-informed remediation prioritisation for our clients.
Why timing matters
The window is narrow and closing
The Glasswing partners have a head start measured in weeks. The responsible disclosure embargo on the remaining thousands of vulnerabilities will expire on a rolling basis over the coming months. Organisations that have not yet begun their assessment are not standing still — they are falling further behind a threat landscape that is moving without them.
Start now

The first step is understanding exactly where you stand.

Phalanx engagements begin with a rapid assessment: attack surface mapping, criticality scoring, and a prioritised modernization roadmap. This gives your leadership a clear, evidence-based picture of exposure and a credible execution plan — before committing to the full programme.

Reach out to Christian Nilsson and the Phalanx team to schedule your initial assessment. Resources across the programme are finite and are being allocated now. The companies that move first will have the most control over the outcome.

Christian Nilsson  ·  Project Phalanx Lead  ·  April 2026
Confidential