Cutting Through the Mythos: What AI Vulnerability Discovery Actually Means for OT

Jori VanAntwerp

CEO and Founder at EmberOT || Web

For over two decades, Jori has enabled industrial and IT organizations to be successful in reducing risk, increasing compliance, and improving their overall security efforts. He has had the pleasure of working with companies such as Gravwell, Dragos, CrowdStrike, FireEye, McAfee, and is now CEO & Founder at EmberOT, a cybersecurity startup focused on making security a reality for critical infrastructure.

This is Part 1 of a 2-part blog series focused on AI vulnerability discovery in OT. Anthropic’s Claude Mythos Preview has the security industry in the middle of an unusually loud moment. Here’s what the headlines are missing for operational technology.

The Mythos coverage has been loud, contradictory, and short on practical guidance for OT. Anthropic has done genuinely impressive work. The skeptics are doing useful work cutting through the hype. What the OT community needs is a piece that separates the signal from the noise, written for the OT defenders, asset owners, and operators trying to figure out what Mythos actually means for their environment, from the perspective of someone who has worked in security and OT for over two decades.

On that front, here is the fact most of the Mythos coverage missed.

The UK’s AI Security Institute (AISI) tested Claude Mythos Preview against the same kinds of attack ranges it had been used to evaluate prior frontier models. Against IT-flavored ranges, Mythos completed the full 32-step “The Last Ones” enterprise simulation end-to-end, the first model ever to do so. Against AISI’s “Cooling Tower” operational technology range, Mythos failed. The model got stuck on IT-layer sections rather than OT-specific controls, but the outcome is the same: the most capable cyber-offensive AI model publicly evaluated to date could not get through an OT range.

That is not a vendor pitch, but the UK government’s own published evaluation. (Source: AISI cyber range evaluation summary, April 2026)

Anchor the rest of the conversation on that fact. Mythos is a real capability advance. The trajectory matters. And the OT story is meaningfully different from the IT story being told.

What the Headlines Are Stripping Away

Anthropic claims Mythos has identified thousands of zero-day vulnerabilities across major operating systems and web browsers. They have committed $100 million in usage credits and $4 million in donations to open-source security organizations through Project Glasswing, the controlled-access program that lets ~50 large software vendors and security partners use Mythos defensively. (Source: Project Glasswing announcement, Anthropic)

The trajectory is also real. AISI’s Chief Technology Officer Jade Leung has stated that agentic AI autonomy is doubling roughly every couple of months. Whatever Mythos is today, the next class of model will be more capable. (Source: AISI commentary, April 22, 2026)

The headlines have stripped some important asterisks. Bruce Schneier, writing in IEEE Spectrum with Barath Raghavan of Fastly, called Mythos “a real but incremental step, one in a long line of incremental steps,” and warned of Shifting Baseline Syndrome: people overcorrect on individual announcements and undercorrect on the long-term trajectory. (Source: Schneier and Raghavan, IEEE Spectrum, April 2026)

The technical claims have asterisks too. The “thousands of zero-days” headline number extrapolates from a 198-report human validation sample. The Firefox exploitation testing was conducted against a content-process harness without the browser’s sandbox or other defense-in-depth layers. AISI itself is explicit that its evaluations were run against systems with weak security postures, and that public testing does not show Mythos can defeat hardened, well-defended networks with active monitoring and incident response. The model can attack vulnerable systems. Whether it can attack mature ones is unproven.

And then there is the unauthorized access. Within days of the announcement, a group accessed Mythos through a third-party contractor’s credentials and a guessed URL pattern. Anthropic confirmed the breach. The “controlled access” pitch took a credibility hit at the worst possible time.

The capability is real. The OT-relevant version is more nuanced than the IT-flavored coverage suggests, and that nuance is where the rest of this piece lives.

Why Mythos Hits OT Differently

Mythos was trained on the open internet. OT software, by and large, is not on the open internet.

Schneier and David Lie of the University of Toronto made this point bluntly in The Globe and Mail: software outside the training distribution, including industrial control systems, medical device firmware, and older embedded systems, is exactly where Mythos is least likely to help defenders. Schneier specifically called out “industrial equipment that are rarely updated or can’t be easily modified” as a category for which the patching-driven model breaks down. The Cooling Tower failure is the operational evidence.

The Glasswing partner list reinforces the point. The ~50 organizations Anthropic has granted access to are large software vendors, browser makers, cloud providers, and IT-focused security companies. Schneider, ABB, Emerson, Honeywell, Yokogawa, GE Vernova, Mitsubishi, and the rest of the OT vendor ecosystem are not on the list. Glasswing v1 is built around code producers who can patch and push updates downstream. OT does not work that way. Most of the firmware in your plant, substation, or pipeline is not in the training set, not in the partner list, and not in the patch pipeline anyone is currently building.

Traditional OT and Modern OT Are Not the Same Conversation

Worth naming a distinction the broader industry tends to flatten. The Mythos story lands very differently across two segments of OT:

Traditional OT (oil and gas, energy, water, utilities, much of heavy industry). Limited-connectivity environments. Decades-old firmware not in any model’s training set. Patch cycles measured in years rather than weeks. For this segment, Mythos in the short term is largely irrelevant. The systems are not internet-reachable, the firmware is not in the training distribution, and the threat model that drives the Mythos coverage does not map cleanly onto the actual environment.

Modern OT and converged manufacturing. Cloud-managed control planes. IT/OT convergence at the edge. MES and ERP integration. Vendor remote access. Cloud historians. Edge computing platforms. Increasing agentic AI adoption inside operational workflows. For this segment, Mythos-class tooling is much more relevant, because the IT components in scope are in the training distribution and are reachable.

These are not the same security conversation, and conflating them produces bad advice in both directions. Telling a traditional utility to panic about Mythos is unhelpful. Telling a modern manufacturer that Mythos does not apply because “OT is not on the internet” is dangerous. The right answer depends on which segment you actually operate in, and most asset owners need to be honest about which side of this line they sit on.

Centralized AI in OT Is the Concern Almost Nobody Is Naming

This one deserves more space than it usually gets, because it is the most original part of the OT-specific argument and almost nobody is making it cleanly.

If a frontier model has trained on or modeled your environment, that model becomes a high-value target. A Mythos-class system that knows your PLC topology, your protocol patterns, your normal baselines, and your detection logic is a system an adversary would very much like to access. The Glasswing access incident was a small preview of the larger problem. The more useful AI becomes for defenders, the more useful access to that AI becomes for attackers.

This is not an abstract concern. The architectural choice you make about where AI capability lives in your environment will determine the security of that environment for years.

There is a class of architecture, on-prem, edge-deployed, with environmental modeling that never leaves the customer’s network, that addresses this concern directly. This happens to be the architecture EmberOT is built on. OT organizations should be asking which side of this architectural line their vendors sit on, because the answers will shape the security of their environments for the next decade.

The supply chain for AI tooling, the access control around model environments, and the integrity of the training and operational data are all becoming security-relevant in ways the OT industry has not yet worked through. The community should be talking about this now, not after the first incident.

More Vulnerabilities Found Is Not the OT Bottleneck

A thing every vulnerability scanner has been accused of is true here too: more discovery is not always more security. The OT-specific version of this argument is sharper than the generic version, though.

In IT, “more vulnerabilities found” routes, at least theoretically, to a patch pipeline. In OT, it routes to a backlog with a 12-24 month service-window dependency. Patching a PLC is not patching a web server. Patch cycles for industrial controllers run on validation requirements, outage windows, safety recertification, and vendor coordination. ARC Advisory Group has framed it directly: Project Glasswing highlights how AI-driven vulnerability discovery could compress threat timelines and increase risk for industrial and OT environments. The discovery side gets faster. The mitigation side does not.

The bottleneck in OT security is not finding flaws. The bottleneck is doing something useful with the flaws once you find them. Mitigation in OT often takes the path of compensating controls, network segmentation, restricted communication, and continuous monitoring rather than direct patching, because the direct patch is months away or impossible.

This is also where the regulatory direction is moving. FERC’s CIP-015-1, which became effective in September 2025, mandates Internal Network Security Monitoring for North American utilities. The bet the regulator just made is that mitigation through monitoring matters more than discovery through scanning. We have written about CIP-015-1 in more detail elsewhere for readers who want to dig in.

The answer to the OT discovery firehose is not less discovery. It is better triage. Our OT Vulnerability Intelligence Report lays out a Five Lenses framework for contextual prioritization (Exploitability, Network Reachability, Asset Criticality, Operational Impact, Compensating Controls) and a Three Pillars framing for OT defense (segmentation, patching, content validation and monitoring). The frameworks exist. They are useful. And they are exactly the answer to the diagnosis Mythos-driven discovery sharpens: more findings without context is friction, not security.

On-Site AI in OT Is Hard for the Same Reasons Everything Else Is Hard

There is an emerging pitch around deploying agentic AI directly in OT environments to monitor, hunt, and respond. The pitch is appealing on a slide. The reality is harder.

The same constraints that limit traditional security tooling in OT apply to running a frontier model on or near operational equipment. Limited-connectivity sites cannot reach cloud-hosted inference. Hardware support for running large models locally is uneven. Vendor restrictions on what can be installed on production systems are real. Operational risk tolerance is low, and rightly so.

These problems are solvable, but they are the problems that have shaped OT security for two decades. AI does not exempt itself from the operational realities of the environment it is being asked to run in. Anyone pitching otherwise is selling a slide deck. This challenge deserves its own deeper conversation, because the solutions will be substantive when they arrive.

What This Sets Up

A few things are genuinely different than they were six months ago. The compression of vulnerability discovery timelines is real. The mitigation bottleneck is widening rather than narrowing. The architectural choices made in the next eighteen months will shape OT security for the decade after. The technology shifts are real, and they matter.

The most important shift, though, is about people, not technology. The skill set required to defend OT is changing, and the analysts who get this right will be the ones who outlast any specific AI capability claim, including this one. That is the subject of Part 2 of this series, so stay tuned for that article next week.

~Jori 🤘🔥