The Cyber Insurance Market Is Pricing a World That No Longer Exists
The cyber insurance industry is pricing risk on a spreadsheet built for a world that no longer exists.
Anthropic published the first real accounting of what Mythos Preview can find when it looks at production software at scale: more than ten thousand high- or critical-severity vulnerabilities in a single month, across the most systemically important codebases on the internet, according to its Glasswing project update. Not theoretical vulnerabilities. Not demo vulnerabilities. Confirmed, triaged, disclosed vulnerabilities sitting in real systems that real enterprises depend on.
The number that matters is not the ten thousand. It is the ten.
Partners running Mythos Preview through their development pipelines found bugs at more than ten times the rate they were finding them before. Cloudflare published its own data independently: two thousand bugs in its critical-path systems, four hundred of them critical or high severity, with a false-positive rate its team calls better than that of human testers. Mozilla found the same ten-times multiplier in Firefox, per Anthropic's disclosure. Palo Alto Networks shipped five times its usual patch count in a single release. Microsoft acknowledged in its May 12 MSRC blog post that Patch Tuesday is going to keep getting larger, indefinitely, because AI is now doing the finding.
The ten-times number is not a product claim. It is a measurement of how little the industry was seeing before.
For decades, vulnerability discovery was artisanal work. Elite researchers, manual code review, limited surface area, slow cycles. The security industry priced cyber insurance, conducted M&A due diligence, set breach notification thresholds, and allocated security budgets on the basis of what that artisanal process could find. Which was a fraction of what was there. Nobody knew what fraction. Nobody had a way to know.
Mythos Preview does not just find more bugs. It makes the actual vulnerability surface visible for the first time. That is a different kind of claim than any previous security tool has made. It is not a better lock on the door. It is a census of everyone who has ever tried to pick any lock, in every building, with a running tally of who succeeded.
The insurance market has a specific exposure here. Cyber policies are underwritten on models that estimate breach likelihood and loss magnitude. Those models were calibrated against historical vulnerability discovery rates — the artisanal rates. If the true surface is ten times what those models assumed, the loss frequency assumptions are wrong. Not slightly wrong. Structurally wrong. A policy written to cover a world where you find a hundred vulnerabilities a year, in a world where you are actually finding a thousand, is mispriced by an order of magnitude.
The same problem applies to breach disclosure law. Most jurisdictions require notification when a breach involves a certain category of sensitive data, or reaches a certain scale of impact. Those thresholds were set against a discovery rate that is no longer operative. Regulators who designed those frameworks did not have AI-powered vulnerability scanning in mind.
Anthropic has not published Mythos Preview broadly. The model remains restricted to Glasswing partners, and the company says it has not developed safeguards strong enough to release it publicly. That is the right caution. The same capabilities that let a model find ten years' worth of vulnerabilities in a month would, in less careful hands, prioritize exploitation at the same speed.
But the organizations running Mythos Preview through Glasswing — including Verizon, which joined the project in May — now have something the rest of the industry does not: a genuine inventory of what is in their code. For everyone else, the question is not whether their infrastructure contains similar vulnerabilities. The question is whether they have any way to know. The gap between those who can measure and those who cannot is now the actual security risk.
The patch backlog is real, and it is not a counterargument to this story. Critics will note that only seventy-five of five hundred and thirty reported high-severity bugs have been patched as of late May, according to Anthropic's update. That is a fact. It is also the point. AI has moved the bottleneck from discovery to remediation. That shift is the story — not a complication within it.
The right question for the cyber insurance market, for regulators, for anyone who has ever written a security budget or priced a breach notification threshold, is not whether Mythos Preview is impressive technology. It is whether they are pricing a world that no longer exists.